Okta Multiple Account Lockouts Indicative of Password Spraying
Multiple Okta accounts locked out within a 5-minute period, detected via aggregated user.account.lock events, may indicate a password spraying attack leading to potential account takeovers.
This threat brief focuses on detecting potential password spraying attacks targeting Okta environments. The detection identifies an anomalous number of account lockouts occurring within a short timeframe. Specifically, it leverages Okta's user.account.lock event, aggregating these events over a 5-minute window. The underlying assumption is that a rapid series of lockouts is indicative of an automated password guessing attack, such as password spraying, where an attacker tries common passwords against many accounts. While the specific attacker is unknown, the technique is commonly employed by various threat actors to gain initial access to corporate networks. The scope of targeting depends on the Okta tenant's configuration and user base.
Attack Chain
- Initial Access: The attacker attempts to gain unauthorized access to Okta accounts. (T1110)
- Password Spraying: The attacker employs a password spraying technique, using a list of common passwords.
- Authentication Attempts: The attacker makes multiple authentication attempts against various Okta accounts.
- Account Lockout Events: The repeated failed login attempts trigger Okta's account lockout policy, generating user.account.lock events in the Okta logs.
- Log Aggregation: These lockout events are aggregated and analyzed over a 5-minute window.
- Detection Threshold: If the number of locked-out accounts within the window exceeds a predefined threshold (e.g., 5), the alert triggers.
- Potential Account Takeover: If the attacker successfully guesses a password before the account locks, they achieve account takeover.
- Lateral Movement/Privilege Escalation: Once inside the Okta environment, the attacker may attempt lateral movement or privilege escalation to access sensitive resources.
Impact
Successful password spraying attacks can lead to unauthorized access to sensitive Okta accounts. This can result in data breaches, financial loss, and reputational damage. The number of impacted accounts and the severity of the consequences will depend on the attacker's objectives and the level of access gained. Organizations using Okta for critical authentication services are particularly vulnerable.
Recommendation
- Deploy the Sigma rule
Okta Multiple Account Lockoutsto your SIEM and tune the threshold (count > 5) based on your organization's baseline. - Investigate any alerts generated by the
Okta Multiple Account Lockoutsrule, focusing on the source IP address (src) associated with the lockouts. - Review and enforce strong password policies to mitigate the effectiveness of password spraying attacks.
- Implement multi-factor authentication (MFA) to add an additional layer of security and prevent unauthorized access even if passwords are compromised.
- Monitor Okta logs for unusual login patterns or failed authentication attempts that may indicate ongoing password spraying activity.
Detection coverage 2
Okta Multiple Account Lockouts
highDetects multiple Okta accounts being locked out within a short period, indicative of password spraying.
Okta Account Lockout Source IP Analysis
lowIdentifies the source IP addresses triggering Okta account lockouts, helping to pinpoint potential attackers.
Detection queries are available on the platform. Get full rules →