{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1078.001/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Okta Identity Management"],"_cs_severities":["high"],"_cs_tags":["okta","account-takeover","t1078.001"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis brief addresses the scenario where an Okta user reports a login attempt as suspicious. The detection leverages Okta Identity Management logs, specifically the \u003ccode\u003euser.account.report_suspicious_activity_by_enduser\u003c/code\u003e event type. This event signifies that the user has actively identified and flagged a login attempt as potentially malicious. The alert is based on the assumption the user is correctly identifying anomalous activity. This event is critical as it suggests an attacker may have gained access to, or is attempting to gain access to, the user's account. The scope of targeting includes any organization utilizing Okta for identity management. Failure to address reported suspicious activity can lead to data breaches, privilege escalation, and further compromise of the organization's resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access Attempt:\u003c/strong\u003e An attacker attempts to log in to a user's Okta account, potentially using compromised credentials or a brute-force attack (T1110).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Activity Detection (User):\u003c/strong\u003e The user notices a login attempt from an unfamiliar location, device, or at an unusual time.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Activity Reporting:\u003c/strong\u003e The user utilizes Okta's built-in functionality to report the login attempt as suspicious, generating a \u003ccode\u003euser.account.report_suspicious_activity_by_enduser\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAlert Triggered:\u003c/strong\u003e This event triggers a security alert within the security monitoring system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvestigation:\u003c/strong\u003e Security analysts investigate the reported suspicious activity, examining login logs, user activity, and other relevant data to determine the validity of the report and the extent of any potential compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eContainment and Remediation:\u003c/strong\u003e If the suspicious activity is confirmed as malicious, the security team takes steps to contain the incident. This may include disabling the user's account, forcing a password reset, and reviewing access privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Review:\u003c/strong\u003e The security team reviews other user accounts for similar suspicious activity, implements stronger authentication measures (e.g., MFA), and updates security policies to prevent future incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf a reported suspicious activity is not promptly and effectively addressed, an attacker can successfully compromise an Okta user account. This can lead to unauthorized access to sensitive systems and data, potentially resulting in data theft, privilege escalation, lateral movement within the network, and further compromise of the environment. The impact can vary from limited access to a single user's resources to a widespread breach affecting multiple users and systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and actively monitor Okta logs for the \u003ccode\u003euser.account.report_suspicious_activity_by_enduser\u003c/code\u003e event type.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect reported suspicious activity in your Okta environment. Tune the rule based on your specific environment and user behavior.\u003c/li\u003e\n\u003cli\u003eImplement training programs for associates to effectively recognize and report suspicious activity through Okta's reporting mechanisms.\u003c/li\u003e\n\u003cli\u003eReview Okta's Suspicious Activity Reporting documentation (\u003ca href=\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"\u003ehttps://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\u003c/a\u003e) to fully leverage Okta's security features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-okta-suspicious-activity/","summary":"A user reporting a suspicious login attempt via Okta's reporting mechanism indicates potential unauthorized access and possible account compromise.","title":"Okta User Reports Suspicious Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-03-okta-suspicious-activity/"}],"language":"en","title":"CraftedSignal Threat Feed - T1078.001","version":"https://jsonfeed.org/version/1.1"}