Okta user's MFA factors reset followed by access to the administrative console

okta

Classification:

attack

Set up the okta integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset followed by that user accessing the administrative console.

Strategy

This rule lets you monitor the following Okta events to determine when a user’s MFA factors are reset and they access the administrative console:

  • user.mfa.factor.reset_all
  • user.session.access_admin_app

Okta’s security team reported a series of social engineering attacks in which attackers would convince service desk staff to reset the MFA factors of highly-privileged users, and leverage this to access administrative features within an Okta tenant.

Triage and response

  1. Contact the user {{@usr.email}} to ensure the change to their MFA factors was authorized and it was them accessing the administrative console.
  2. If the user was unaware of the activity:
    • Determine if any other activity occurred from this user. Look for deviations in user agents, IP addresses, and network metadata.
    • Begin your organization’s incident response process and investigate for any account takeovers.
PREVIEWING: rtrieu/product-analytics-ui-changes