Attack Chain

1. Attacker attempts to authenticate to Okta with a valid or guessed username.
2. Attacker provides an incorrect password.
3. Okta logs the failed authentication attempt.
4. Attacker repeats steps 2 and 3 multiple times within a defined timeframe.
5. Okta’s account lockout policy is triggered when the maximum number of failed attempts is reached.
6. Okta logs an event with the displayMessage “Max sign in attempts exceeded”.
7. The user account is locked, preventing further login attempts.
8. Security team investigates the lockout event to determine the root cause and potential impact.

Impact

A successful account lockout can disrupt legitimate user access and indicate potential malicious activity. Multiple lockouts within a short period may signify a brute-force attack aimed at gaining unauthorized access to sensitive resources. While the lockout itself prevents immediate unauthorized access, it can lead to denial of service and requires investigation to rule out successful credential compromise. The number of impacted users depends on the scope and sophistication of the attack.

Recommendation

• Deploy the Sigma rule Okta User Account Locked Out to your SIEM to detect account lockout events in Okta logs.
• Investigate any triggered alerts to determine the cause of the lockout, potentially indicating a brute-force attack (reference: displayMessage: Max sign in attempts exceeded).
• Review and adjust Okta’s account lockout policies to balance security and usability based on your organization’s risk tolerance.
• Consider implementing multi-factor authentication (MFA) to mitigate the risk of brute-force attacks and credential compromise.