Attack Chain

1. An attacker gains unauthorized access to an Okta administrator account through compromised credentials or other means.
2. The attacker authenticates to the Okta admin dashboard.
3. The attacker navigates to the “Security” section and then to “Authentication Policies”.
4. The attacker identifies the target application sign-on policy to modify or delete.
5. To modify, the attacker changes the policy rules, such as disabling MFA requirements or allowing access from untrusted locations.
6. Alternatively, to delete, the attacker selects the policy and confirms its removal.
7. The attacker’s actions are logged as “application.policy.sign_on.update” or “application.policy.sign_on.rule.delete” events in the Okta system log.
8. Unauthorized users can now access applications protected by the modified or deleted policy, potentially leading to data exfiltration or other malicious activities.

Impact

Successful modification or deletion of Okta application sign-on policies can severely compromise an organization’s security posture. This can lead to unauthorized access to sensitive applications and data, resulting in data breaches, financial losses, and reputational damage. The number of affected users and applications depends on the scope of the compromised policies.

Recommendation

• Deploy the Sigma rule “Okta Application Sign-On Policy Modified or Deleted” to your SIEM and tune for your environment to detect changes to sign-on policies (rule reference).
• Monitor the Okta system log for “application.policy.sign_on.update” and “application.policy.sign_on.rule.delete” events to identify suspicious activity (log source reference).
• Implement strong access controls and MFA for Okta administrator accounts to prevent unauthorized policy modifications (best practice).
• Regularly review Okta application sign-on policies to ensure they are properly configured and meet security requirements (best practice).