Okta User Risk Threshold Exceeded via Aggregated Suspicious Activities
This correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories, highlighting potentially compromised user accounts exhibiting multiple TTPs that could lead to unauthorized access, privilege escalation, or persistence.
This detection identifies instances where an Okta user surpasses a predefined risk threshold by correlating multiple suspicious activities. It leverages the Risk Framework within Splunk Enterprise Security, specifically aggregating risk events originating from the “Suspicious Okta Activity,” “Okta Account Takeover,” and “Okta MFA Exhaustion” analytic stories. This approach is crucial as it flags user accounts exhibiting a combination of malicious behaviors within a 24-hour window. A high risk score suggests a potential compromise, indicating that attackers may be attempting unauthorized access, privilege escalation, or establishing persistence within the Okta environment. Successfully compromised Okta accounts can lead to widespread access to sensitive applications and data.
Attack Chain
- Initial Access: An attacker gains initial access through methods like phishing or credential stuffing, targeting a valid Okta user account.
- Suspicious Activity Trigger: The compromised account exhibits unusual behavior, such as login attempts from unfamiliar locations or devices, triggering the “Suspicious Okta Activity” analytic story.
- Account Takeover Attempt: The attacker attempts to assume control of the Okta account, potentially bypassing multi-factor authentication (MFA) through social engineering or other techniques, which feeds into the “Okta Account Takeover” analytic story.
- MFA Exhaustion: The attacker initiates multiple MFA requests in a short period, attempting to overwhelm the user or exploit vulnerabilities in the MFA implementation, triggering the “Okta MFA Exhaustion” analytic story.
- Risk Score Aggregation: Splunk Enterprise Security aggregates the risk scores associated with these individual events, elevating the user’s overall risk score above a predefined threshold.
- Alert Trigger: The “Okta Risk Threshold Exceeded” correlation triggers, indicating a high likelihood of account compromise.
- Lateral Movement: The attacker leverages the compromised Okta account to access other applications and resources within the organization’s environment.
- Data Exfiltration/Privilege Escalation: The attacker exfiltrates sensitive data or escalates their privileges within the compromised applications, achieving their ultimate objective.
Impact
A successful attack can result in significant damage, including unauthorized access to sensitive data, financial loss, and reputational damage. The number of affected users and the scope of the breach depend on the attacker’s objectives and the extent of their access within the Okta environment. Organizations in all sectors that rely on Okta for identity and access management are potentially at risk. Failure to detect and respond to these attacks promptly can lead to widespread compromise and long-term damage.
Recommendation
- Enable the “Suspicious Okta Activity”, “Okta Account Takeover”, and “Okta MFA Exhaustion” analytic stories in Splunk Enterprise Security to populate the Risk Framework, as mentioned in the description.
- Deploy the provided Sigma rule "Okta Risk Threshold Exceeded" to detect users exceeding the risk threshold based on aggregated Okta security events.
- Tune the risk threshold and individual analytic scores based on your organization's risk tolerance and observed false positive rates, as mentioned in the known_false_positives section.
- Investigate triggered alerts by using the drilldown searches provided in the finding to view the detection results and risk events for the affected user ("View the detection results for - $risk_object$" and "View risk events for the last 7 days for - $risk_object$").
Detection coverage (2)
- Okta Risk Threshold Exceeded (severity: high): Detects when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from the 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories.
- Okta Multiple MITRE Tactic IDs Detected (severity: medium): Detects when the risk events associated with an Okta risk object span a higher than normal count of unique MITRE ATT&CK Tactic IDs.
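As an added illustration (this is not the Splunk correlation search itself, which is only available on the platform), the Python below emulates the aggregation both detections above rely on: for constructed risk events it sums risk scores per user for the three Okta analytic stories within a trailing 24-hour window and counts the distinct MITRE ATT&CK tactic IDs per user. The threshold of 100, the tactic count of 3, the sample users and the reference time are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (not real Okta or Splunk data), shaped like
# what the Risk Framework keeps per event:
# (risk_object, analyticstory, mitre_tactic_id, risk_score, _time)
SAMPLE_RISK_EVENTS = [
    ("alice", "Suspicious Okta Activity", "TA0001", 40, "2024-05-01T08:00:00"),
    ("alice", "Okta Account Takeover",    "TA0006", 40, "2024-05-01T09:30:00"),
    ("alice", "Okta MFA Exhaustion",      "TA0003", 40, "2024-05-01T10:15:00"),
    ("bob",   "Okta Account Takeover",    "TA0006", 90, "2024-04-28T12:00:00"),  # stale
    ("bob",   "Suspicious Okta Activity", "TA0001", 30, "2024-05-01T11:00:00"),
    ("dave",  "Suspicious Okta Activity", "TA0001", 20, "2024-05-01T07:00:00"),
    ("dave",  "Okta Account Takeover",    "TA0006", 20, "2024-05-01T07:20:00"),
    ("dave",  "Okta MFA Exhaustion",      "TA0008", 20, "2024-05-01T07:40:00"),
    ("erin",  "AWS IAM Privilege Escalation", "TA0004", 200, "2024-05-01T09:00:00"),
]
ASSUMED_NOW = datetime(2024, 5, 1, 12, 0)  # assumed evaluation time for the sample
OKTA_STORIES = {"Suspicious Okta Activity", "Okta Account Takeover",
                "Okta MFA Exhaustion"}
RISK_THRESHOLD = 100        # assumed threshold; tune to your false-positive rate
TACTIC_COUNT_THRESHOLD = 3  # assumed "higher than normal" distinct tactic count
WINDOW = timedelta(hours=24)

def aggregate_okta_risk(events, now):
    """Sum risk per user over the trailing 24h window, Okta stories only."""
    cutoff = now - WINDOW
    agg = defaultdict(lambda: {"risk_score": 0, "risk_event_count": 0,
                               "stories": set(), "tactics": set()})
    for user, story, tactic, score, when in events:
        ts = datetime.fromisoformat(when)
        if story not in OKTA_STORIES or not cutoff <= ts <= now:
            continue  # other stories and events outside the window are ignored
        a = agg[user]
        a["risk_score"] += score
        a["risk_event_count"] += 1
        a["stories"].add(story)
        a["tactics"].add(tactic)
    return dict(agg)

def users_exceeding_threshold(agg, threshold=RISK_THRESHOLD):
    """'Okta Risk Threshold Exceeded': aggregated score reaches the threshold."""
    return sorted(u for u, a in agg.items() if a["risk_score"] >= threshold)

def users_with_many_tactics(agg, min_tactics=TACTIC_COUNT_THRESHOLD):
    """'Okta Multiple MITRE Tactic IDs Detected': many distinct tactic IDs."""
    return sorted(u for u, a in agg.items() if len(a["tactics"]) >= min_tactics)
```

With the sample data, alice trips both detections, dave only the tactic-count one (three tactics but a total of 60), and bob's stale 90-point event from three days earlier is ignored by the window.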