How Okta MFA Stopped a Phishing Attack in its Tracks
When a major R&D organization started re-working its app infrastructure, identity was a key consideration. After assessing a range of options, the company decided to centralize access and add a common identity layer to all its apps using Okta’s Single Sign-On (SSO), Universal Directory (UD), and Multi-Factor Authentication (MFA).
The company has a lot of long-time employees who were used to a certain way of doing things, so it decided to ease users into MFA. While this was happening, however, an employee fell for a phishing attack, resulting in attackers obtaining 19 users’ passwords. After noticing unusual activity in its logs, the company acted fast, reaching out to Okta—and the FBI—for help.
Okta responded as soon as it heard about the breach. As the attack was happening, Okta Support got all users up and running with MFA and supported a mass password change. The hackers countered by hijacking accounts that hadn’t been enrolled in Okta Verify yet.
Okta and the company successfully fought back by having all users change their passwords three times, and then integrating YubiKey with Okta MFA. The breach was successfully halted, and the company’s data remained secure. In the end, the company gave Okta high marks for support, and Okta had gained real-world experience that helped it enhance its MFA guidelines.
A new approach
Even the most technologically advanced organizations need to be proactive when it comes to building a strong identity infrastructure. These enterprises are at the core of Okta’s customer base. Many of the companies that rely on Okta’s identity solutions also share a few common characteristics: they’re tech-savvy and security-focused, earnest, creative, and collaborative. Simply put, they know their stuff when it comes to security.
About a year ago, one of these enterprises, a major research and development company, decided to restructure its application architecture. Ultimately, the company wanted to centralize access, which would not only increase administrative visibility, but also secure and simplify the sign-on process for its 2000+ employees and contractors. In order to do this, it needed a strong, reliable identity provider that would satisfy a few key considerations. Its new identity partner would need to:
- Value human elements like networking, have a strong ability to think critically, and base decisions on real data and facts
- Meet all primary use cases
- Support the organization’s migration to the cloud and Office 365
- Provide an excellent user experience, especially in urgent situations
After carefully considering its options, the organization decided to partner with Okta. Okta offered a range of products that work together seamlessly, providing a holistic solution that met most of the organization’s goals.
Ultimately, the organization decided to adopt Okta’s Single Sign-On (SSO), Universal Directory (UD), and Adaptive Multi-Factor Authentication (MFA). Together, these products would centralize access and form a common identity layer for all application access.
As the implementation process began, it quickly became clear that the organization’s employees have an extremely high level of education and technological expertise across the board. The company began rolling out SSO, UD, and MFA, with the goal of enabling strong authentication with Okta Verify. The company was extremely cautious:
- It avoided using SMS as a factor, since one-time codes sent by SMS can be intercepted or redirected (for example through SIM swapping)
- It didn’t allow mobile devices in certain secure areas
- It required employees to use YubiKey, a hardware possession factor that is hard to phish, in sensitive scenarios
Always concerned with user experience, the company was taking it slow when it came to rolling out MFA, since the company has a lot of long-time employees, and it thought it best to ease them into the new processes.
A shock to the system
Unfortunately, attackers were able to take advantage of the small window of time before MFA was completely deployed. It was a shock when the organization’s vigilant IT team spotted suspicious logs, so they notified the CISO and network teams. Together, these teams examined the company’s Splunk logs, and confirmed that its IT infrastructure was under attack.
The attacker ran a password spray against just over 2000 accounts, trying each account an average of 42 times (roughly 84,000 login attempts in total). That effort yielded 19 users’ passwords.
Because the VPN did not yet require MFA, those passwords alone were enough to connect to the corporate network over VPN.
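The spray pattern described above is easy to tell apart from a single-account brute force once attempts are grouped by source: many distinct usernames, only a few attempts per account, and almost all of them failures. The Python below is an added example, not code from the case study or from Okta. It runs a simple spray/brute-force classifier over a constructed set of log lines in a hypothetical flat format (timestamp, source IP, username, result), and lists the accounts that succeeded from a flagged source, which is the equivalent of the 19 compromised users here. Thresholds are illustrative.

```python
"""Password-spray vs. brute-force detection over authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, not taken from the case study. Hypothetical flat format:
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>" per line. One source
# walks ten accounts with one or two guesses each (a spray with two hits),
# one source hammers a single account (brute force), and the rest is normal use.
SAMPLE_LOG = """\
2019-03-01T02:00:01Z 203.0.113.5 alice FAIL
2019-03-01T02:00:02Z 203.0.113.5 bob FAIL
2019-03-01T02:00:03Z 203.0.113.5 carol FAIL
2019-03-01T02:00:04Z 203.0.113.5 dave FAIL
2019-03-01T02:00:05Z 203.0.113.5 erin SUCCESS
2019-03-01T02:00:06Z 203.0.113.5 frank FAIL
2019-03-01T02:00:07Z 203.0.113.5 grace FAIL
2019-03-01T02:00:08Z 203.0.113.5 heidi FAIL
2019-03-01T02:00:09Z 203.0.113.5 ivan FAIL
2019-03-01T02:00:10Z 203.0.113.5 judy FAIL
2019-03-01T02:00:11Z 203.0.113.5 alice FAIL
2019-03-01T02:00:12Z 203.0.113.5 bob SUCCESS
2019-03-01T09:12:00Z 198.51.100.7 alice SUCCESS
2019-03-01T09:15:00Z 198.51.100.9 bob FAIL
2019-03-01T09:15:30Z 198.51.100.9 bob SUCCESS
2019-03-01T09:20:00Z 198.51.100.20 mallory FAIL
2019-03-01T09:20:01Z 198.51.100.20 mallory FAIL
2019-03-01T09:20:02Z 198.51.100.20 mallory FAIL
2019-03-01T09:20:03Z 198.51.100.20 mallory FAIL
2019-03-01T09:20:04Z 198.51.100.20 mallory FAIL
2019-03-01T09:20:05Z 198.51.100.20 mallory FAIL
"""


@dataclass
class Attempt:
    ts: str
    src_ip: str
    user: str
    success: bool


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct accounts targeted
    succeeded_users: set = field(default_factory=set)  # accounts that logged in


def parse_log(text):
    """Parse the flat sample format into Attempt records; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, user, result = line.split()
        attempts.append(Attempt(ts, src_ip, user, result == "SUCCESS"))
    return attempts


def profile_sources(attempts):
    """Aggregate attempts per source IP: volume, failures, and which accounts succeeded."""
    stats = defaultdict(SourceStats)
    for a in attempts:
        s = stats[a.src_ip]
        s.attempts += 1
        s.users.add(a.user)
        if a.success:
            s.succeeded_users.add(a.user)
        else:
            s.failures += 1
    return stats


def detect_spray(stats, min_users=10, min_failure_ratio=0.75, max_attempts_per_user=5.0):
    """Flag sources that try many accounts a few times each with mostly failures.

    Thresholds are illustrative; tune them to the tenant's normal login volume.
    Any account that still succeeded from a flagged source has, in all
    likelihood, had its password guessed and should be reset first.
    """
    findings = {}
    for ip, s in stats.items():
        if len(s.users) < min_users:
            continue
        failure_ratio = s.failures / s.attempts
        per_user = s.attempts / len(s.users)
        if failure_ratio >= min_failure_ratio and per_user <= max_attempts_per_user:
            findings[ip] = {
                "users_targeted": len(s.users),
                "attempts": s.attempts,
                "failure_ratio": round(failure_ratio, 2),
                "likely_compromised": sorted(s.succeeded_users),
            }
    return findings


def detect_brute_force(stats, min_failures=5):
    """Flag the opposite shape: one source, one account, repeated failures."""
    return {ip: sorted(s.users) for ip, s in stats.items()
            if len(s.users) == 1 and s.failures >= min_failures}


if __name__ == "__main__":
    stats = profile_sources(parse_log(SAMPLE_LOG))
    for ip, f in detect_spray(stats).items():
        print(f"SPRAY from {ip}: {f}")
    for ip, users in detect_brute_force(stats).items():
        print(f"BRUTE FORCE from {ip} against {users}")
```

On the sample, the spray source is flagged with ten accounts targeted, a failure ratio of 0.83 and two likely-compromised users, while the single-account hammering is reported separately as brute force. A per-account lockout policy would have caught the latter but not the former, which is why the spray in this case study went as far as it did: at roughly 42 attempts per account spread over time, no single account tripped a lockout.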
Armed with a strong incident response plan, the company acted fast, reporting the incident to the FBI, logging a service ticket with Okta, and calling in various experts to both analyze and attempt to halt the attack. This is when Okta Customer Support demonstrated its commitment to providing fast, effective, and human support whenever the company needed help.
Upon investigation, these teams realized the initial breach was likely the result of a successful phishing attack. Once the attacker gained access, they moved laterally within the network, and ultimately gained access to a test system with admin privileges. From there, the breach unfolded quickly.
The attacker gained access to a file server and used the company’s own admin tools to gather as many credentials as they could. Then the attacker trained their sights on the Active Directory (AD) infrastructure. By exporting a credential database, they were able to acquire a set of legitimate username and password combinations.
Mitigating a second attack
Once the company understood exactly what was going on, it imposed a network blackout at night and over the weekend to regain control of its infrastructure. During that time, it worked with Okta to completely roll out Multi-Factor Authentication (MFA) to all employees. The company also directed users to change their passwords to render the attacker’s stolen credentials useless. Okta played a major role in both of these initiatives, earning high marks from the company for customer support during a particularly trying time.
The organization had gained some ground, but the attackers weren’t finished yet. While MFA was being rolled out, the hackers launched a second, highly sophisticated, credential phishing attack that prompted employees to enter their AD credentials.
Along with the email, the attackers also sent out an automated phone call to employees, advising them to complete the request in the email.
Luckily, the more advanced users saw what was happening and flagged these new attempts, and Okta Support was able to escalate the issue to its security team, preventing further breaches.
Although MFA was rolled out, not all users had enrolled in Okta Verify with Push, a high-assurance factor available through Okta MFA, and an account without an enrolled factor is no better protected than before. After averting this new attack, the organization worked with Okta to get all users immediately set up with Okta Verify. They also had users change their passwords three times, and rebuilt Active Directory completely from scratch.
The organization’s IT team was incredibly pleased with the support it received from Okta during this fast-paced and critical time. Okta’s fast response and support was a critical factor in minimizing damage and reinforcing defense systems against future attacks.
Once the crisis was averted, the organization and Okta took the time to look at the situation with clear eyes. To make future rollouts even more secure, they’ll:
- Add a self-service password reset to ease the process in future
- Make MFA with YubiKey mandatory
- Add MFA to VPN
- Place strong emphasis on choosing Okta Verify as a factor
- Advise employees to pause before approving access on Okta Verify, rather than automatically tapping when prompted: an attacker who holds a valid password can trigger push prompts at will, and an approval of a prompt the user did not initiate hands over the session
- Customize education based on the employee’s role
- Deliver live in-person training and maintain an ongoing dialogue throughout the rollout
With this incident behind it, the organization is now better protected against advanced, sophisticated attacks. And together, the organization and Okta have benefitted from valuable takeaways that will only enhance future services and deployments.