On August 7th this year an attack called #oktapus began to be uncovered by Group-IB. The attack was targeting Okta customers, but how does the sentence “9,931 accounts at more than 130 organizations were compromised by a phishing attack on Twilio and Cloudflare employees” make sense? These are just two companies, and only one of them reported the attack to be successful. So how does that data make sense?

Let me start with an old joke: A man is flying in a hot air balloon and realizes that he is lost. He reduces height and spots a man down below. He lowers the balloon further and shouts, “Excuse me. Can you help me? I promised a friend I would meet him half an hour ago, but I don’t know where I am.” The man below says, “Yes. You are in a hot air balloon, hovering approximately 30 feet above this field. You are between 40 and 42 degrees north latitude, and between 58 and 60 degrees west longitude.” “You must be an engineer,” says the balloonist. “I am,” replies the man. “How did you know?” “Well…” says the balloonist. “Everything you told me was technically correct, but I have no idea what to make of your information, and the fact is I am still lost.”
I am going to skip the retort about the balloonist being a manager, but we get the point. #management and #engineering have a communication gap, and in #security it’s even worse, as we #engineers talk jargon and details, trying to impress our peers rather than explaining what we are seeing. I am going to do what Richard Feynman did with the Challenger report: oversimplify it. I am going to make hypotheses without complete data and skip details, but give a big picture that is #ciso readable and action-oriented, to help address the following:
Around August 4th a #phishing attack targeting the texting infrastructure company Twilio was launched. The attack targeted its Okta infrastructure, while trying to dig deeper by attacking Okta customers. There was also a failed attack targeting Cloudflare. We know the attackers also gained access to Signal Messenger. The attack was first reported by Group-IB, and each of the companies attacked, including DoorDash, acted in a very responsible and transparent way. They reported timelines and #iocs, and provided screenshots and reverse-engineering reports. But no one has said what it means for customers and users. So here are a few points, in order of importance to you, an Okta or #AzureAD customer.
Many customers still have SMS or phone calls as an authentication factor. This needs to go away, even as a recovery factor, unless you keep a close eye on its use for recovery. What factor should I use if my install base refuses to use anything on their personal phones? Are they willing to access only from company devices? If the answer is yes, just install Okta FastPass or Duo Security on their endpoint and use a biometric as a factor. If the answer is no, still consider applying pressure, mainly for the sake of overall data security: it is a bit complicated to want access to company data without company oversight. TOTP is not fun, but can also work; most solutions these days support the phone’s built-in authenticator and do not mandate a specific client. The last option should be Yubico security keys, not because they are bad, but because, as someone who has dealt with provisioning RSA tokens, I know physical tokens take forever to get where they are going. They are the most effective measure, but ask the person whose kid flushed one down the drain what they can do then.
To effectively get rid of SMS, you will need to get a sense of who has SMS registered as a second factor, and who is actively using it. You also need to know whether SMS was used as a factor while accessing sensitive applications like the Okta admin console. If you have not migrated to OIE (Okta Identity Engine) yet, you might want a stronger policy on specific applications, allowing SMS only on the less important ones. If you do have OIE, there is a way to allow SMS only for recovery purposes.
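The inventory step above (who has SMS or voice enrolled, who actually uses it, and whether it was the factor behind an admin console session) can be done from a factor listing and a System Log export. This is an added example, not code from the original post or from Okta; the factor records are shaped after Okta’s `/api/v1/users/{id}/factors` response, the events after `/api/v1/logs` output, and the specific field names and factor labels used here are assumptions, with all data constructed inline.

```python
"""Find SMS/voice MFA exposure from Okta-shaped data (added example).

Assumptions: factor records use Okta-style factorType values ("sms", "call"),
System Log MFA events carry debugContext.debugData.factor, and admin console
access appears as eventType user.session.access_admin_app. All field names
below are assumptions modelled on Okta's API; the data is constructed.
"""

PHONE_FACTORS = {"sms", "call"}                 # enrolled factor types to retire
PHONE_LOG_FACTORS = {"SMS_FACTOR", "CALL_FACTOR"}  # assumed log labels for them

# Constructed sample: factors enrolled per user (from the factors endpoint).
FACTORS = {
    "alice": ["webauthn", "sms"],
    "bob":   ["sms"],
    "carol": ["token:software:totp"],
}

# Constructed sample System Log events for one day.
EVENTS = [
    {"eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "alice"},
     "authenticationContext": {"externalSessionId": "s1"},
     "debugContext": {"debugData": {"factor": "FIDO_WEBAUTHN"}}},
    {"eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "bob"},
     "authenticationContext": {"externalSessionId": "s2"},
     "debugContext": {"debugData": {"factor": "SMS_FACTOR"}}},
    {"eventType": "user.session.access_admin_app", "actor": {"alternateId": "bob"},
     "authenticationContext": {"externalSessionId": "s2"}, "debugContext": {}},
]


def sms_exposure(factors, events):
    """Return (enrolled, used, admin_via_phone): sets of user ids."""
    enrolled = {u for u, fs in factors.items() if PHONE_FACTORS & set(fs)}
    used, phone_sessions, admin_sessions = set(), set(), set()
    for e in events:
        user = e["actor"]["alternateId"]
        sess = e.get("authenticationContext", {}).get("externalSessionId")
        if e["eventType"] == "user.authentication.auth_via_mfa":
            factor = e.get("debugContext", {}).get("debugData", {}).get("factor")
            if factor in PHONE_LOG_FACTORS:
                used.add(user)
                phone_sessions.add((user, sess))   # session authenticated by phone
        elif e["eventType"] == "user.session.access_admin_app":
            admin_sessions.add((user, sess))       # session that reached admin console
    admin_via_phone = {u for (u, _s) in admin_sessions & phone_sessions}
    return enrolled, used, admin_via_phone


if __name__ == "__main__":
    enrolled, used, admin = sms_exposure(FACTORS, EVENTS)
    print("Enrolled but not using SMS/voice (unenroll first):", sorted(enrolled - used))
    print("Actively using SMS/voice:", sorted(used))
    print("Reached admin console in a phone-authenticated session:", sorted(admin))
```

Users in the first group can lose the factor with no visible change; the third group is where a stronger factor should be enforced first.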
I attended a conference where I heard that there are phishing-resistant factors. I was told the same thing at RSA in 2008. We know how that worked out for the people in question. People are phished, not technologies. People don’t look at the key icon in the browser or don’t read the URL. Until continuous authentication becomes a thing, phishing will continue to work. But there are steps you can take to reduce the risk:
Identity is the new firewall/endpoint, and it is under attack. This was the 4th major attack in 6 months. You can choose to push #itdr lower in your priorities, but what happens if the next call you get from your IDP is because your name was among the 130 companies whose data was lost? Can you quickly answer questions from your management chain such as:
If you can’t answer these, I suggest we demo to you, without commitment, how quickly this can be done. If you suspect you might have been impacted, we give free assessments too.
Once a year I like going places that have no or limited internet connection and doing fun things like hiking and biking. This year was the worst timing ever: between the Cloudflare and Twilio attacks and Gartner IAM, I missed out on a lot, but have few regrets. Here is my take on #oktapus, one week later.