Okta ThreatInsight Detection of Credential Access Attempts
Okta ThreatInsight detected events indicating password spraying, login failures, and high counts of unknown user login attempts, potentially leading to unauthorized access and credential compromise.
This brief focuses on threats detected by Okta ThreatInsight, a security feature within the Okta Identity Cloud platform. These threats include, but are not limited to, password spraying attacks, excessive login failures, and a high frequency of login attempts from previously unknown users. The activity is detected through Okta Identity Management logs and is flagged when the security.threat.detected event type is triggered. The alerts generated from these detections can indicate active credential compromise attempts targeting an organization's Okta-managed accounts. This activity matters to defenders as successful credential attacks can lead to unauthorized access, data breaches, and further lateral movement within the organization's network.
Attack Chain
- The attacker attempts to gain initial access using compromised or guessed credentials.
- Okta ThreatInsight monitors login attempts and identifies suspicious patterns (e.g., password spraying) based on the frequency of login failures and source IPs.
- When a threat threshold is met, Okta generates a
security.threat.detectedevent. - The event includes details about the source IP (
src_ip), the application being accessed (app), and the reason for the threat detection (outcome.reason). - The event is logged and ingested into the SIEM for analysis.
- The SOC analyst investigates the
src_ipto determine if the activity is malicious. - If the activity is malicious, the analyst takes action to block the
src_ipand reset the compromised user's password. - Successful compromise enables lateral movement, data exfiltration, or other malicious actions within the target environment.
Impact
Successful exploitation of Okta credentials can lead to widespread unauthorized access to applications and data protected by Okta. This can result in data breaches, financial loss, and reputational damage. The number of affected users and systems depends on the scope of the attacker's access. Organizations in all sectors that rely on Okta for identity management are at risk.
Recommendation
- Deploy the Sigma rule
Okta ThreatInsight Threat Detectedto your SIEM using Okta logs to detect potentially malicious login attempts. - Investigate any alerts generated by the
Okta ThreatInsight Threat Detectedrule and block any malicious source IPs (src_ip) identified. - Monitor Okta logs for
security.threat.detectedevents and correlate them with other security events to identify potential breaches. - Review and fine-tune Okta ThreatInsight settings to reduce false positives and ensure accurate threat detection, based on the documentation available at https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected.
- Implement multi-factor authentication (MFA) for all Okta users to reduce the risk of credential compromise.
Detection coverage 2
Okta ThreatInsight Threat Detected
highDetects threats identified by Okta ThreatInsight, such as password spraying and login failures.
Okta ThreatInsight - High Number of Failed Logins from Single IP
mediumDetects a high number of failed login attempts from a single IP address, as reported by Okta ThreatInsight.
Detection queries are available on the platform. Get full rules →