{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.command-and-control/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["identity","okta","threat-detection","attack.command-and-control"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert identifies security threats detected by Okta\u0026rsquo;s ThreatInsight. ThreatInsight evaluates the source IP address of each authentication request against attack activity observed across Okta\u0026rsquo;s customer base, flagging infrastructure used for password spraying, credential stuffing and brute-force attacks. Depending on the org-wide ThreatInsight mode, a flagged request is either logged only or logged and blocked; in both modes Okta writes a system log event with the eventType \u003ccode\u003esecurity.threat.detected\u003c/code\u003e. The event is a high-level indicator that known-malicious infrastructure is actively attempting to authenticate to the Okta environment. It records an attack attempt, not a compromise: whether an account was actually taken over depends on whether any authentication from the flagged IP succeeded. Defenders should investigate these alerts promptly to determine the nature and scope of the threat and take appropriate remediation steps. 
This detection leverages Okta system logs and is relevant to organizations using Okta as their identity provider.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker attempts to gain unauthorized access to Okta accounts, typically through credential stuffing, password spraying or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eOkta\u0026rsquo;s ThreatInsight evaluates the attempt, checking the source IP address against malicious activity previously observed across Okta\u0026rsquo;s customer base and against attack patterns such as a high rate of failed logins or logins for users that do not exist in the org.\u003c/li\u003e\n\u003cli\u003eThreatInsight classifies the source as a security threat. In log-and-enforce mode the request is blocked at this point; in log-only mode it proceeds to normal credential validation and can still succeed if the password is correct.\u003c/li\u003e\n\u003cli\u003eOkta generates a system log event with eventType \u003ccode\u003esecurity.threat.detected\u003c/code\u003e, recording the source IP, the client context and the reason the source was flagged.\u003c/li\u003e\n\u003cli\u003eThe security team receives an alert from the Sigma rule, which matches Okta system log events whose eventType is \u003ccode\u003esecurity.threat.detected\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe security team investigates the alert: which accounts the flagged IP targeted, whether any \u003ccode\u003euser.session.start\u003c/code\u003e or other authentication event from that IP succeeded, and whether the IP appears in other log sources.\u003c/li\u003e\n\u003cli\u003eBased on the investigation, the security team takes appropriate remediation steps, such as adding the IP to a blocked network zone, resetting the password and clearing the sessions of any account that was successfully accessed, or enforcing multi-factor authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful credential attack against Okta can lead to account takeover, unauthorized access to sensitive data, and disruption of services. The impact depends on the level of access granted to the compromised account and on the sensitivity of the applications and data reachable through Okta single sign-on. 
A compromised Okta account can be used for lateral movement into the organization\u0026rsquo;s cloud and SaaS applications and can potentially compromise other critical systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003esecurity.threat.detected\u003c/code\u003e events in Okta system logs.\u003c/li\u003e\n\u003cli\u003eInvestigate all triggered alerts to determine the nature and scope of the threat. Prioritize alerts where a successful authentication from the flagged IP follows the event; alerts consisting only of failed attempts against non-existent users are usually background spraying and can be handled in bulk.\u003c/li\u003e\n\u003cli\u003eReview Okta\u0026rsquo;s ThreatInsight configuration: confirm it is in log-and-enforce mode rather than log-only, and add your trusted egress IPs to the ThreatInsight exclude zones so that a false positive cannot block your own users (references: Okta ThreatInsight documentation).\u003c/li\u003e\n\u003cli\u003eMonitor Okta system logs for related suspicious activity, such as unusual login patterns, account lockouts, password resets, and changes to the ThreatInsight configuration itself (references: Okta system log documentation).\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication; ThreatInsight only blocks IPs Okta has already seen attacking, so it does not replace MFA as the control against credential attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-okta-security-threat/","summary":"This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, indicating that known-malicious infrastructure is attempting to authenticate to the org.","title":"Okta Security Threat Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-security-threat/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.command-and-Control","version":"https://jsonfeed.org/version/1.1"}
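The detect-then-triage flow described in the brief's attack chain and recommendations, as an added example; this is not the brief's Sigma rule and not CraftedSignal or Okta code. It runs over newline-delimited Okta System Log JSON in the shape returned by GET /api/v1/logs. The five events are constructed for illustration, and the outcome values on the two threat events are assumed rather than copied from a real tenant. detect() is the equivalent of the Sigma match on eventType; triage() adds the check an investigator wants first: whether the flagged IP went on to authenticate successfully against any account within a time window.

```python
"""Detect and triage Okta ThreatInsight ``security.threat.detected`` events.

Added example; not the brief's Sigma rule or any CraftedSignal/Okta code.
Input is newline-delimited Okta System Log JSON in the shape returned by
GET /api/v1/logs. The events below are constructed for illustration; the
outcome values on the threat events are assumed, not taken from a real tenant.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 test addresses). Two ThreatInsight detections:
# one whose IP only produced a failed login, one whose IP then logged in as bob.
SAMPLE_LOG = r'''
{"eventType":"security.threat.detected","published":"2024-01-23T10:00:05.000Z","outcome":{"result":"DENY","reason":"Password Spray"},"client":{"ipAddress":"203.0.113.10"},"actor":{"alternateId":"unknown"}}
{"eventType":"user.session.start","published":"2024-01-23T10:00:07.000Z","outcome":{"result":"FAILURE","reason":"VERIFICATION_ERROR"},"client":{"ipAddress":"203.0.113.10"},"actor":{"alternateId":"alice@example.com"}}
{"eventType":"security.threat.detected","published":"2024-01-23T11:30:00.000Z","outcome":{"result":"DENY","reason":"Login failures with high unknown users count"},"client":{"ipAddress":"198.51.100.7"},"actor":{"alternateId":"unknown"}}
{"eventType":"user.session.start","published":"2024-01-23T11:34:10.000Z","outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"},"actor":{"alternateId":"bob@example.com"}}
{"eventType":"user.session.start","published":"2024-01-23T12:00:00.000Z","outcome":{"result":"SUCCESS"},"client":{"ipAddress":"192.0.2.44"},"actor":{"alternateId":"carol@example.com"}}
'''

THREAT_EVENT = "security.threat.detected"
LOGIN_EVENT = "user.session.start"  # extend with other authentication eventTypes as needed


def parse_log(text):
    """Parse newline-delimited System Log JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def published_at(event):
    """Okta publishes timestamps as ISO 8601 UTC with millisecond precision."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(events):
    """The Sigma-rule equivalent: alert on every security.threat.detected event."""
    return [e for e in events if e.get("eventType") == THREAT_EVENT]


def triage(events, window=timedelta(hours=1)):
    """Enrich each alert with what the flagged IP did next.

    For every detection, collect the login events from the same client IP within
    ``window`` after the detection. Any SUCCESS among them raises the severity to
    high: ThreatInsight saw the attack but did not (or, in log-only mode, could
    not) stop the account takeover. Detections with no successful login stay at
    the brief's medium severity and can be handled in bulk.
    """
    alerts = []
    for threat in detect(events):
        ip = threat.get("client", {}).get("ipAddress")
        start = published_at(threat)
        attempts = [
            e for e in events
            if e.get("eventType") == LOGIN_EVENT
            and e.get("client", {}).get("ipAddress") == ip
            and start <= published_at(e) <= start + window
        ]
        targeted = sorted({e["actor"]["alternateId"] for e in attempts})
        succeeded = sorted({
            e["actor"]["alternateId"] for e in attempts
            if e.get("outcome", {}).get("result") == "SUCCESS"
        })
        alerts.append({
            "ip": ip,
            "detected": threat["published"],
            "reason": threat.get("outcome", {}).get("reason", ""),
            "targeted_users": targeted,
            "successful_logins": succeeded,
            "severity": "high" if succeeded else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

To run this against a real org, page GET /api/v1/logs for the investigation window and pass the raw events to triage(); the login eventTypes to correlate can be widened beyond user.session.start. If ThreatInsight is in log-and-enforce mode, no successful login from a flagged IP should appear at all; if one does, check whether the IP falls inside a ThreatInsight exclude zone.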