{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user-lifecycle/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","okta","user-lifecycle"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert detects potential privileged access activity within an Okta environment. The detection is triggered by a machine learning job that identifies anomalous spikes in user lifecycle management change events. Threat actors may target user accounts to escalate their privileges or to establish persistence within the environment. This is achieved by manipulating user accounts, such as modifying roles, permissions, or other attributes. The prebuilt ML job \u0026ldquo;pad_okta_spike_in_user_lifecycle_management_changes_ea\u0026rdquo; is used to detect these anomalies. The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. The rule looks for activity within a 3-hour window, checking every 15 minutes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta account, possibly through compromised credentials or other means. (T1078)\u003c/li\u003e\n\u003cli\u003eThe attacker begins enumerating user accounts and their associated roles and permissions within the Okta environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account with elevated privileges or a role that would grant them desired access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the target user account\u0026rsquo;s attributes, such as adding the attacker\u0026rsquo;s account to a privileged group or changing the user\u0026rsquo;s role. (T1098)\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly acquired privileges to access sensitive resources or perform unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may create new user accounts with elevated privileges to maintain persistent access to the environment. (T1098)\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting logs or modifying audit trails to conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in privilege escalation, allowing unauthorized access to sensitive data and systems. Depending on the level of access gained, attackers may be able to compromise critical infrastructure, steal confidential information, or disrupt business operations. The impact can range from minor data breaches to significant financial losses and reputational damage. Early detection of anomalous user lifecycle changes is crucial to mitigating these risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection job \u0026ldquo;pad_okta_spike_in_user_lifecycle_management_changes_ea\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by following the investigation steps outlined in the rule\u0026rsquo;s note section within the Kibana UI.\u003c/li\u003e\n\u003cli\u003eReview and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor Okta logs for any unusual or unauthorized activity, focusing on user account changes, as described in the setup documentation.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access as mentioned in the response and remediation guidelines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-okta-user-lifecycle-spike/","summary":"A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity where threat actors may manipulate user accounts to gain higher access rights or persist within the environment.","title":"Unusual Spike in Okta User Lifecycle Management Change Events","url":"https://feed.craftedsignal.io/briefs/2024-11-okta-user-lifecycle-spike/"}],"language":"en","title":"CraftedSignal Threat Feed — User-Lifecycle","version":"https://jsonfeed.org/version/1.1"}