{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-lockout/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["identity","account-lockout","okta"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis brief describes detection measures for Okta user account lockouts. An account lockout occurs when a user exceeds the maximum number of permitted failed login attempts, potentially indicating a brute-force attack or other unauthorized access attempts against user accounts. Monitoring for account lockouts is crucial for identifying and mitigating potential security breaches. The rule detects the \u0026ldquo;Max sign in attempts exceeded\u0026rdquo; message in Okta logs, which signifies that an account has been locked. Detecting this activity can alert security teams to potential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker attempts to authenticate to Okta with a valid or guessed username.\u003c/li\u003e\n\u003cli\u003eAttacker provides an incorrect password.\u003c/li\u003e\n\u003cli\u003eOkta logs the failed authentication attempt.\u003c/li\u003e\n\u003cli\u003eAttacker repeats steps 2 and 3 multiple times within a defined timeframe.\u003c/li\u003e\n\u003cli\u003eOkta\u0026rsquo;s account lockout policy is triggered when the maximum number of failed attempts is reached.\u003c/li\u003e\n\u003cli\u003eOkta logs an event with the \u003ccode\u003edisplayMessage\u003c/code\u003e \u0026ldquo;Max sign in attempts exceeded\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe user account is locked, preventing further login attempts.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the lockout event to determine the root cause and potential impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account lockout can disrupt legitimate user access and indicate potential malicious activity. Multiple lockouts within a short period may signify a brute-force attack aimed at gaining unauthorized access to sensitive resources. While the lockout itself prevents immediate unauthorized access, it can lead to denial of service and requires investigation to rule out successful credential compromise. The number of impacted users depends on the scope and sophistication of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOkta User Account Locked Out\u003c/code\u003e to your SIEM to detect account lockout events in Okta logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts to determine the cause of the lockout, potentially indicating a brute-force attack (reference: \u003ccode\u003edisplayMessage: Max sign in attempts exceeded\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and adjust Okta\u0026rsquo;s account lockout policies to balance security and usability based on your organization\u0026rsquo;s risk tolerance.\u003c/li\u003e\n\u003cli\u003eConsider implementing multi-factor authentication (MFA) to mitigate the risk of brute-force attacks and credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-okta-account-lockout/","summary":"Detection of an Okta user account lockout, which may indicate brute-force attempts or other malicious activity targeting user accounts.","title":"Okta User Account Lockout Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-okta-account-lockout/"}],"language":"en","title":"CraftedSignal Threat Feed — Account-Lockout","version":"https://jsonfeed.org/version/1.1"}