Unusual Spike in Okta User Lifecycle Management Change Events
A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity where threat actors may manipulate user accounts to gain higher access rights or persist within the environment.
This alert detects potential privileged access activity within an Okta environment. It is triggered by a machine learning job that identifies anomalous spikes in user lifecycle management change events, that is, the Okta System Log user.lifecycle.* events recorded when accounts are created, activated, deactivated, suspended, reactivated or deleted. Threat actors target user accounts to escalate their privileges or to establish persistence, for example by modifying roles, permissions or other attributes of existing accounts, or by bulk-creating accounts they control. The prebuilt ML job “pad_okta_spike_in_user_lifecycle_management_changes_ea” is used to detect these anomalies. The rule requires the Privileged Access Detection integration assets to be installed and Okta System Log events to be collected by the Okta integration. The rule looks for activity within a 3-hour window, checking every 15 minutes.
Attack Chain
- An attacker gains initial access to an Okta account, possibly through compromised credentials or other means. (T1078)
- The attacker begins enumerating user accounts and their associated roles and permissions within the Okta environment.
- The attacker identifies a target user account with elevated privileges or a role that would grant them desired access.
- The attacker modifies the target user account’s attributes, such as adding the attacker’s account to a privileged group or changing the user’s role. (T1098)
- The attacker leverages the newly acquired privileges to access sensitive resources or perform unauthorized actions.
- The attacker may create new user accounts with elevated privileges to maintain persistent access to the environment. (T1136)
- The attacker covers their tracks by deleting logs or modifying audit trails to conceal their activity.
- The attacker achieves their objective, such as data exfiltration or system compromise.
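The following script is an added example, not the Elastic ML job or any code from the rule. The real job (pad_okta_spike_in_user_lifecycle_management_changes_ea) learns a statistical model of the event count; here the same idea is made visible with a stand-in baseline (15-minute bucket counts compared against a median/MAD threshold) so you can see what “spike in user lifecycle management change events” means on concrete log lines, and then answer the first triage question the attack chain above raises: which actor produced the burst, and did that actor also grant privileges in the same window. The Okta System Log eventType values (user.lifecycle.*, user.account.privilege.grant, group.user_membership.add, user.session.start) are taken from Okta’s event catalogue; the log records, actors and targets are constructed sample data.

```python
"""Spike detection over Okta System Log user-lifecycle events (added example).

This is not Elastic's prebuilt ML job: the real job learns a model of the
event count, while this script uses a visible stand-in (per-bucket counts
against a median/MAD baseline) and then summarises who did what inside the
flagged bucket, which is the first thing an analyst checks when the rule fires.
"""
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 15 * 60               # the rule runs every 15 minutes
LIFECYCLE_PREFIX = "user.lifecycle."   # Okta eventType family: create/activate/deactivate/suspend/...
# Okta eventTypes that grant admin rights or group membership (privilege-escalation signals).
ESCALATION_TYPES = {"user.account.privilege.grant", "group.user_membership.add"}


def parse_events(lines):
    """Parse newline-delimited Okta System Log JSON into flat dicts."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["published"].replace("Z", "+00:00"))
        events.append({
            "epoch": int(ts.timestamp()),
            "eventType": rec["eventType"],
            "actor": rec.get("actor", {}).get("alternateId", "?"),
            "targets": [t.get("alternateId", "?") for t in rec.get("target", [])],
        })
    return events


def bucket_counts(events, bucket_seconds=BUCKET_SECONDS):
    """Count lifecycle events per fixed-width time bucket (bucket start epoch -> count)."""
    counts = Counter()
    for ev in events:
        if ev["eventType"].startswith(LIFECYCLE_PREFIX):
            counts[ev["epoch"] // bucket_seconds * bucket_seconds] += 1
    return dict(sorted(counts.items()))


def spike_buckets(counts, k=3.0, min_count=5):
    """Return bucket starts whose count exceeds median + k*MAD (robust to the spike itself).

    min_count stops a tenant with a near-zero baseline from alerting on two events.
    """
    values = list(counts.values())
    if len(values) < 3:
        return []
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # MAD of 0 -> floor at 1
    return [b for b, c in counts.items() if c >= min_count and c > med + k * mad]


def triage(events, bucket_start, bucket_seconds=BUCKET_SECONDS):
    """For one flagged bucket: every event per actor, plus any escalation eventTypes seen."""
    lo, hi = bucket_start, bucket_start + bucket_seconds
    per_actor = defaultdict(Counter)
    for ev in events:
        if lo <= ev["epoch"] < hi:
            per_actor[ev["actor"]][ev["eventType"]] += 1
    return {
        actor: {"events": dict(c),
                "escalation": sorted(t for t in c if t in ESCALATION_TYPES)}
        for actor, c in per_actor.items()
    }


def detect(lines):
    """End-to-end: parse, bucket, flag spikes, and triage each flagged bucket."""
    events = parse_events(lines)
    flagged = spike_buckets(bucket_counts(events))
    return {b: triage(events, b) for b in flagged}


def _rec(published, event_type, actor, target):
    """Build a minimal Okta System Log record (constructed sample data, not real logs)."""
    return json.dumps({"published": published, "eventType": event_type,
                       "actor": {"alternateId": actor, "type": "User"},
                       "target": [{"alternateId": target, "type": "User"}]})


# Constructed sample: routine HR-driven churn through the morning, then one admin
# account creating and activating 12 users inside a single 15-minute window and
# granting one of them an admin privilege.
SAMPLE_LOG = [
    _rec("2024-05-01T08:03:00.000Z", "user.lifecycle.create", "hr-sync@example.com", "a.lee@example.com"),
    _rec("2024-05-01T08:20:00.000Z", "user.lifecycle.activate", "hr-sync@example.com", "a.lee@example.com"),
    _rec("2024-05-01T08:41:00.000Z", "user.lifecycle.deactivate", "hr-sync@example.com", "b.ng@example.com"),
    _rec("2024-05-01T09:05:00.000Z", "user.lifecycle.create", "hr-sync@example.com", "c.ortiz@example.com"),
    _rec("2024-05-01T09:22:00.000Z", "user.session.start", "c.ortiz@example.com", "c.ortiz@example.com"),
    _rec("2024-05-01T09:50:00.000Z", "user.lifecycle.suspend", "hr-sync@example.com", "d.kim@example.com"),
] + [
    _rec(f"2024-05-01T10:{m:02d}:00.000Z", "user.lifecycle.create", "j.doe@example.com", f"svc{i}@example.com")
    for i, m in enumerate(range(2, 14))
] + [
    _rec(f"2024-05-01T10:{m:02d}:30.000Z", "user.lifecycle.activate", "j.doe@example.com", f"svc{i}@example.com")
    for i, m in enumerate(range(2, 14))
] + [
    _rec("2024-05-01T10:14:00.000Z", "user.account.privilege.grant", "j.doe@example.com", "svc0@example.com"),
]

if __name__ == "__main__":
    for bucket, who in detect(SAMPLE_LOG).items():
        print(datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(), json.dumps(who, indent=2))
```

On the sample the five morning buckets each hold one lifecycle event, so the 10:00–10:15 bucket with 24 is the only one flagged, and the triage shows every event in it came from j.doe@example.com, including a user.account.privilege.grant on one of the freshly created accounts. Two caveats when adapting this: an HR provisioning connector legitimately produces large, regular bursts, which is exactly the seasonality an ML baseline absorbs and a flat MAD threshold does not, so treat the actor breakdown, not the count alone, as the signal; and Okta System Log events carry the actor’s client IP and session ID, which are the next pivot after the actor name.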
Impact
A successful attack can result in privilege escalation, allowing unauthorized access to sensitive data and systems. Depending on the level of access gained, attackers may be able to compromise critical infrastructure, steal confidential information, or disrupt business operations. The impact can range from minor data breaches to significant financial losses and reputational damage. Early detection of anomalous user lifecycle changes is crucial to mitigating these risks.
Recommendation
- Ensure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection job “pad_okta_spike_in_user_lifecycle_management_changes_ea”.
- Investigate any alerts generated by this rule by following the investigation steps outlined in the rule’s note section within the Kibana UI.
- Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed as described in the rule’s documentation.
- Monitor Okta logs for any unusual or unauthorized activity, focusing on user account changes, as described in the setup documentation.
- Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access as mentioned in the response and remediation guidelines.
Detection coverage (2 related rules)
Okta User Role Modification (severity: medium)
Detects modifications to user roles in Okta, which can indicate privilege escalation or account compromise.
Okta User Creation Spike (severity: low)
Detects a sudden increase in user account creation events in Okta, potentially indicating malicious activity.