August 2, 2024 | 6 min read

Accelerate Okta investigations – sample account takeover analysis


Eric Hulse
Director of Security Research

Introduction

This is the second blog post in our blog series focused on cyber investigations for identity and access management providers. You can read the first blog post on this series here: Investigate Microsoft EntraID identities in minutes.

Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations.  

In the previous blog post, we initiated our identity investigation from known leads (two user names on an HR watch list). In this post, we’ll follow a similar investigation flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.  

Act 1: Reviewing Okta alerts & kicking off the investigation

Command Zero presents alerts from connected data sources for analysts to review and investigate interesting patterns. For this example, let’s take a look at the recent Okta alerts:  

Analysts can review Okta alerts and initiate investigations for a single alert or multiple alerts.
Analysts can review high level information about these user reports on suspicious activity.
In this case, threat actors (IP addresses) and targets (Okta usernames) on these alerts seem related, so the analyst selects two alerts and starts an investigation to dig deeper.
Command Zero automatically extracted the relevant leads from these alerts. In this case, the investigation starts with two Okta transaction IDs, two Okta usernames, an IP address and a domain name.

As an investigation is initiated from these two alerts, Command Zero starts interrogating relevant data sources to gather more information about these initial leads. The purpose of these initial questions is to save analysts time and incorporate some of the best practices by asking the right questions for every investigation.  

Once the answers to the initial questions are received, Command Zero renames this investigation to “Suspicious Activity Reports from Multiple Users in Winnipeg, Canada”. The platform also generates an initial analysis of the investigation:

The initial analysis and summary provide valuable information about the alerts, helping the analyst understand where to focus during the investigation.
The analysis also highlights suspected threat patterns, in this case a targeted attack or compromised network.

Act 2: Getting more answers from Okta  

Understanding the current and historical context of leads is key to prioritizing the right cases and to focusing on the right paths within investigations. As we dive into this investigation, we can quickly review the user information on Okta, past investigations, notes and tags for this lead to get up to speed.

User overview reveals high level information about the investigated user, along with related investigations, notes and tags for this lead.
Within this view, the analyst can ask preliminary questions to better understand the lead. These questions include viewing password changes, failed logins, failed MFAs and sign-in activities.

Once we understand the details about the lead, it is easier to determine how to continue the investigation. In this case, we’d like to dig deeper into successful sign-ins for Kiki:

Reviewing the answers to “What Okta login events exist for this user?” is a great place to start.
The answer contains 22 distinct login events, so this dataset is easier to review in the table view. The analyst switches to the table view to filter and sort the results and uncover patterns.
As the analyst reviews the client IP addresses used in Okta login events, four addresses are found: 104.x.x.137, 24.x.x.81, 185.x.x.164 and 172.x.x.71. It is odd for a user to log in from four IP addresses in a short period of time, so the analyst decides to look into these IPs by adding them to the investigation.
Each event record contains detailed information and potential leads that can be added to the investigation. The events also indicate that the user logged in from IPs that belong to separate domains. This raises the suspicion that this may be an account compromise.

After reviewing the Okta login events, the analyst doubles down on the four distinct IPs the user logged in from. Understanding the geolocation, ownership and additional insights for these IPs will help determine the nature of these logins, as well as prove or disprove an account compromise for Kiki, the user under investigation.

Act 3: Investigating suspicious IPs

The investigation tab shows promoted leads in the branch they got promoted in, making it easy to dig into rabbit holes as needed, without drifting from the main focus of the investigation. In this example, one of the newly promoted IPs (104.x.x.137) was already a part of this investigation, along with the domain name and Okta username. The other three IPs are presented in blue, indicating they are new leads for this investigation.

For every lead in an investigation, the analyst is presented with two main options:  

  1. Ask individual questions from the pre-built knowledge base on Command Zero,  
  2. Run a facet (a dynamic playbook with a pre-built sequence of questions).  

For this example, the analyst wants to kickstart the analysis by running facets:

The password spray facet reviews failed and successful logins from an IP, and if it finds successful logins it retrieves usernames, registered devices and other behaviors for this user.
The analyst runs the Sign-in investigation facet for the other IP to uncover additional behavior patterns.
Individual questions provide a user-led approach to interrogating leads. In this example, questions covering security threats (detected by Okta), password change activities or MFA can be added to the investigation.

In addition to Okta, the analyst queries IP Info as an enrichment source for these IPs. IP Info delivers important context, including whether an IP is known to be malicious and what type of IP it is (for example a residential, hosting or anonymizing address).

Digging into these suspicious IPs, the analyst finds that they are all Tor exit nodes in different countries, logging into the same username at the same time. These behaviors confirm the suspicion: Kiki’s account has been compromised!
The investigation tab highlights connections between objects and helps find additional links.

The analyst reviews additional sign-in activity from these IP addresses and finds that a second user, Patti, was also likely compromised by the same actors. This lead is added to the investigation for further analysis:

The analyst kickstarts the analysis for Patti by running an Okta sign-in investigation facet. Although Patti looks like a regular user at first glance, there’s more to this user than meets the eye.

As the investigation expands to cover Patti, the analyst finds out that this was a user created by the attacker using Kiki’s administrative privileges. While it’s hard to pinpoint the exact reason, Patti was likely a means of persistent access to the environment in case the initial access was discovered.

The user creation date coincides with the initial Okta admin access from suspicious IPs, and the same IPs have been used for login activities for this account.
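The two checks the analyst performed by hand above (a user signing in from several IPs in a short window, and an account created from one of those IPs with a compromised admin's rights) can be expressed as detection logic over Okta System Log records. This is an added example, not Command Zero's or Okta's code; it uses the real System Log field names (eventType, published, actor.alternateId, client.ipAddress, outcome.result, target) but the events, usernames and IP addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(etype, ts, actor, ip, result="SUCCESS", target=None):
    """Minimal Okta System Log record: real field names, constructed values."""
    rec = {"eventType": etype, "published": ts, "actor": {"alternateId": actor},
           "client": {"ipAddress": ip}, "outcome": {"result": result}}
    if target:
        rec["target"] = [{"type": "User", "alternateId": target}]
    return rec

# Constructed sample (IPs are placeholders): one admin signing in from four
# IPs within a day, then creating a new user from one of those IPs.
EVENTS = [
    ev("user.session.start", "2024-07-01T09:00:00Z", "kiki@example.com", "104.0.0.137"),
    ev("user.session.start", "2024-07-01T09:40:00Z", "kiki@example.com", "24.0.0.81"),
    ev("user.lifecycle.create", "2024-07-01T09:45:00Z", "kiki@example.com", "24.0.0.81",
       target="patti@example.com"),
    ev("user.session.start", "2024-07-01T11:15:00Z", "kiki@example.com", "185.0.0.164"),
    ev("user.session.start", "2024-07-01T20:05:00Z", "kiki@example.com", "172.0.0.71"),
    ev("user.session.start", "2024-07-02T08:00:00Z", "patti@example.com", "185.0.0.164"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def users_with_many_ips(events, window=timedelta(hours=24), min_ips=3):
    """{user: sorted IPs} for users with >= min_ips distinct source IPs on successful sessions inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            by_user[e["actor"]["alternateId"]].append(
                (parse_ts(e["published"]), e["client"]["ipAddress"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so each window starts at one login
        for i, (t0, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

def accounts_created_from_suspect_ips(events, suspect_ips):
    """(creator, new user) pairs for user.lifecycle.create events issued from a suspect IP."""
    return [(e["actor"]["alternateId"], e["target"][0]["alternateId"])
            for e in events if e["eventType"] == "user.lifecycle.create"
            and e["client"]["ipAddress"] in suspect_ips]
```

Feeding the IPs returned for a flagged user into the second function links the admin's suspicious sessions to the account they created, which is the chain the analyst established for Kiki and Patti.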

Act 4: Building the case narrative, timeline and reporting

In the short span of a couple of minutes, Okta alerts led to an interesting investigation and discovery of a password spray attack that resulted in account takeover. Here’s the high-level narrative:  

  1. An attacker using a Tor exit node started a password spray attack targeting Kiki, one of the Okta administrators.  
  2. The attacker gained access to Kiki’s account and used its administrator privileges to create a new account: Patti.  
  3. The attacker kept logging into these two accounts from three distinct IP addresses (all Tor exit nodes) over the course of a month.  

By selecting the noteworthy items, the analyst quickly builds the event timeline on Command Zero:

The timeline includes initial access, password spray attacks and login activities over the course of the incident. Command Zero delivers LLM-generated summaries for each question on the timeline, along with the overview summary of this incident.
Question summaries are a great resource for reporting and reviewing all relevant leads, ensuring that no lead gets overlooked during an investigation.

Once the investigation is complete, the analyst can generate an automated investigation report: 

The analyst can pick the relevant sections of the auto-generated report and save valuable cycles with the reporting capabilities of Command Zero.

Conclusion

Tier-2 and tier-3 analysts, threat hunters and incident responders can investigate Okta identities by interrogating Okta and other data sources easily with Command Zero. In this investigation flow, the analyst started an investigation from multiple Okta alerts, expanded the investigation to additional suspicious leads and completed the investigation after determining the complete narrative, building the timeline and the report for this incident.  

Please check out our identity-based investigations page and use case demo to learn more.  
