{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/policy-tampering/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["identity","okta","policy-tampering"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eOkta application sign-on policies control how users authenticate to applications integrated with Okta. An attacker who gains administrative access to an Okta tenant can modify or delete these policies, effectively weakening or bypassing multi-factor authentication (MFA) requirements and other security controls. This allows unauthorized access to sensitive applications and data. While this activity itself is not initial access, it represents a significant escalation of privileges and a deliberate attempt to subvert existing security measures within the Okta environment. Detection of these changes is critical to identify potential breaches early and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Okta administrator account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta admin dashboard.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Security\u0026rdquo; section and then to \u0026ldquo;Authentication Policies\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target application sign-on policy to modify or delete.\u003c/li\u003e\n\u003cli\u003eTo modify, the attacker changes the policy rules, such as disabling MFA requirements or allowing access from untrusted locations.\u003c/li\u003e\n\u003cli\u003eAlternatively, to delete, the attacker selects the policy and confirms its removal.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s actions are logged as \u0026ldquo;application.policy.sign_on.update\u0026rdquo; or \u0026ldquo;application.policy.sign_on.rule.delete\u0026rdquo; events in the Okta system log.\u003c/li\u003e\n\u003cli\u003eUnauthorized users can now access applications protected by the modified or deleted policy, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Okta application sign-on policies can severely compromise an organization\u0026rsquo;s security posture. This can lead to unauthorized access to sensitive applications and data, resulting in data breaches, financial losses, and reputational damage. The number of affected users and applications depends on the scope of the compromised policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Okta Application Sign-On Policy Modified or Deleted\u0026rdquo; to your SIEM and tune for your environment to detect changes to sign-on policies (rule reference).\u003c/li\u003e\n\u003cli\u003eMonitor the Okta system log for \u0026ldquo;application.policy.sign_on.update\u0026rdquo; and \u0026ldquo;application.policy.sign_on.rule.delete\u0026rdquo; events to identify suspicious activity (log source reference).\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and MFA for Okta administrator accounts to prevent unauthorized policy modifications (best practice).\u003c/li\u003e\n\u003cli\u003eRegularly review Okta application sign-on policies to ensure they are properly configured and meet security requirements (best practice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-sign-on-policy-changes/","summary":"Attackers may modify or delete Okta application sign-on policies to weaken security controls, potentially leading to unauthorized access and data breaches.","title":"Okta Application Sign-On Policy Modified or Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-sign-on-policy-changes/"}],"language":"en","title":"CraftedSignal Threat Feed — Policy-Tampering","version":"https://jsonfeed.org/version/1.1"}