Okta ThreatInsight Whitepaper

Introduction

As identity-related attacks have increased in recent years, organisations are continuously evaluating how to optimise the security policies in their environment. In this whitepaper, we cover Okta ThreatInsight, a baseline security feature of the Okta Identity Cloud that helps organisations defend against large-scale identity attacks. We start by identifying the common identity attacks organisations face today, then introduce ThreatInsight as a method of mitigating account takeover and account lockout, and end with the technical details of how ThreatInsight works.

Today’s challenges in securing logins

Identity attacks continue to be a common pain point for organisations. This should not come as a surprise, as broken authentication sits at #2 in the OWASP Top 10 Web Application Security Risks as well as the API Security Top 10. While attack methods have evolved through the decades, threat actors continue to use basic identity attacks to take over accounts.

Password threats are a common form of identity attack. These attacks succeed for a variety of reasons. First, passwords are easy to compromise: users tend to reuse the same password, choose easy-to-guess passwords, and write passwords down. Second, many organisations do not enforce multi-factor authentication, or do not build multi-factor authentication into their apps. Additionally, in an effort to focus on app functionality, many app developers do not prioritise secure authentication practices.

To set the context for this whitepaper, let’s first break down the common identity attacks organisations are susceptible to:

Phishing

A threat actor targets either a large group (broad-based phishing) or specific individuals (spear-phishing). The threat actor will usually compromise a legitimate website or create a fake domain. From there, they craft a message that encourages recipients to follow a link to that site. Once a recipient clicks on the link, they are either asked to input their credentials into the site, or the site downloads malware that gathers credentials stored on the device or in browser memory. The attacker then uses these credentials to steal sensitive data from the individual or their employer.


phishing diagram

Password Spray

A threat actor identifies valid usernames against various online services. From there, the threat actor attempts common passwords against the usernames, aiming for multiple successful logins across various accounts and online services.


password spray diagram

Credential Stuffing

A threat actor acquires credentials from a breach or password dump site (a targeted attack on specific users). The threat actor then, usually with automated tools, tests those credentials across different sites. Once a successful login occurs, the threat actor can execute the next stage of the attack.


credential stuffing diagram

Brute Force Attacks

A threat actor uses a trial-and-error method to take over accounts. Brute force attacks are typically slow (and can be ongoing), with the final goal being the takeover of a large number of accounts. Brute force attacks typically do not involve a specific strategy; threat actors simply use automation to attempt different password combinations until they find one that works. Brute force attacks can also include dictionary attacks, where a threat actor guesses passwords by entering common words and phrases, in some cases every word in the dictionary. The threat actor validates some of the username and password combinations identified by the brute force tool and uses these credentials to carry out the next phase of the attack.


brute force attack diagram

Man-in-the-middle

A highly targeted attack which can result in the full capture of credentials and data in transit. A threat actor first intercepts a network connection, compromising the user’s web session. For skilled attackers, this can be done easily on public wifi connections. Evilginx, for example, is an attack framework for setting up phishing pages and capturing all data transmitted between a user and a legitimate website. If the data is encrypted, the threat actor may attempt to decrypt it by tricking the user into installing a malicious certificate. From there, the threat actor will attempt to hijack the user session before initial authentication by stealing credentials, since the threat actor monitors all user inputs. Alternatively, the threat actor may steal a session token after authentication, and is then able to authenticate into the account and execute the next stage of the attack.


Man-in-the-middle diagram

DDoS (Distributed Denial-of-Service)

This type of attack is slightly different from the previously mentioned attacks, as the primary goal for the threat actor is to disrupt a web service, while the aforementioned attacks are focused on account takeover. However, the method of attack is very similar to (in some cases, exactly the same as) a brute force attack. A threat actor uses and/or develops automated tools to generate a large number of guesses with various username and password combinations. Often, this causes high resource usage on the web application, causing it to become unusable. Automated DDoS and brute force attacks continue to rise: in 2019, bad bot traffic comprised 24.1% of all website traffic.


DDoS diagram

Concerns related to identity attacks

The concerns that enterprises have today as a result of the aforementioned identity attacks are typically:

Account takeover

The primary goal of these identity attacks is for the threat actor to steal some form of data, personal information or assets, whether confidential business information, bank account details, credit card information, etc. When a threat actor is able to take over an account, they have full access to execute the next stage(s) of the attack. The aforementioned identity attacks continue to be successful because users use the same password on multiple applications (both corporate and personal), many users are not able to identify phishing emails, and, ultimately, the numbers are in the threat actor’s favour as many users choose to set common passwords on their accounts. Furthermore, multi-factor authentication, a critical security measure, is not always enabled by default. In fact, a survey conducted by Ponemon tells us that 67% of respondents do not use any form of two-factor authentication on their personal accounts. And, the same study tells us that 55% of employees do not use multi-factor authentication