In light of the recent revelations from Okta highlighting social engineering tactics aimed at super administrators in IT help desks, we decided to address the security measures recommended by Okta and explain how Secfense caters to each of these concerns. But before we do, here’s a quick recap of the story.
Okta Reveals IT Help Desks Exploited for Super Admin Access
Okta warned of social engineering attacks on U.S. IT service desks aiming to reset MFA for high-privileged users, especially super administrator accounts. Attackers, active between July 29 and August 19, compromised admin accounts to impersonate users within the targeted organization. They manipulated the Active Directory, used new IPs and devices, and set up a secondary Identity Provider to access applications via Single-Sign-On (SSO). Okta prepared a series of recommendations on how to avoid these types of attacks. Below, we list all of Okta’s recommendations and explain how you can introduce each of them in your organization with the use of Secfense User Access Security Broker.
How to Prevent Helpdesk-Facilitated MFA Breaches
1. Enforce phishing-resistant authentication with FIDO2
FIDO2 is a modern, phishing-resistant authentication standard that uses cryptographic security to enable passwordless and multi-factor authentication. Secfense enables the deployment of FIDO2 WebAuthn across all applications. This means that all applications, including modern apps and legacy apps, customer-facing apps, and workforce apps, can be equipped with FIDO2 authentication in the same easy way that doesn’t require any coding and is highly scalable. For large organizations, this means finally grasping the entire organization’s security and coming up with unified user access policies shaped by the organization. That ensures application integrity and doesn’t require extensive IT resources or application downtime.
2. Require re-authentication for privileged access
Requiring re-authentication for privileged app access, including the Admin Console, adds an additional layer of security, ensuring that even if a session is hijacked or credentials are compromised, unauthorized users cannot access or make changes to critical systems without verifying their identity again, thereby significantly reducing the risk of breaches and unauthorized actions. Microauthorizations by Secfense ensure reauthentication for specific actions or resources. Microauthorizations aim to enhance security by requiring users to re-authenticate at various stages of their interaction with an application, ensuring that access to specific resources or actions is granted only after verifying the user’s identity. They offer protection against threats like active session attacks, real-time phishing, malware, automatic data exports, and uncontrolled data leakage. Furthermore, the ease of use is ensured by leveraging standards like FIDO2, allowing users to authenticate effortlessly using cryptographic keys or local authenticators.
3. Use strong authenticators for self-service recovery
In the case described by Okta, attackers aimed to exploit vulnerabilities to hijack privileged accounts. By using strong authenticators like FIDO2-based authentication, organizations can ensure that even if attackers attempt to exploit the recovery process, they will face a formidable barrier. Limiting this process to trusted networks further reduces the attack surface, ensuring that potential attackers can’t exploit the recovery process from untrusted or potentially malicious networks.
Secfense’s Full Site Protection, a User Access Security Broker component, distinguishes between trusted and untrusted networks, offering VPN-like benefits without the associated costs. When activated, users outside trusted networks must first activate a second authentication factor within a trusted location, like an office. This not only enhances login security but shields the entire application.
4. Streamline Remote Management and Monitoring (RMM)
Remote Management and Monitoring (RMM) tools are software solutions that allow IT professionals to manage and monitor IT systems remotely. These tools can be used to perform updates, detect issues, and generally ensure that systems are running smoothly, even if they’re not physically present at the location. The Okta case highlighted the vulnerabilities that can arise when attackers exploit IT service desks, aiming to trick them into resetting multi-factor authentication (MFA) for high-privileged users. If attackers can access RMM tools, they could have a direct line to manipulate, monitor, or even control IT systems remotely. This could give them the ability to further their attack, bypass security measures, or gather information to aid in their social engineering attempts.
While Secfense’s primary focus is on enhancing authentication security, its features can be applied to the context of RMM tools by adding FIDO2 authentication and microauthorizations on top of these tools, ensuring that remote management and monitoring are conducted securely and only by authorized personnel.
5. Enhance help desk verification
In the incident described by Okta, attackers specifically targeted IT help desks, attempting to deceive them into resetting multi-factor authentication (MFA) for high-privileged users. Given the tactics used by the attackers, enhancing help desk verification processes becomes a critical defense mechanism. By adding multiple layers of verification, organizations can significantly reduce the risk of social engineering attacks succeeding, ensuring that attackers can’t exploit help desks as easily to gain unauthorized access.
Secfense’s microauthorizations, as part of their User Access Security Broker, directly address the recommendations of implementing MFA challenges and manager approvals to enhance help desk verification.
- MFA Challenges – Addressed by Microauthorizations in the Owner Scenario:
- In the Owner scenario, microauthorizations act as an additional layer of security for users who are already logged in. By adhering to the principle of least privilege, this scenario ensures that even if a user is authenticated, they must re-authenticate or confirm their identity when accessing specific resources or performing certain actions. This is especially crucial for defending against threats like real-time phishing or malware attacks that might target an active session.
- Manager Approvals – Addressed by the Microauthorizations in the Owner Supervisor Scenario:
- The Supervisor scenario of microauthorizations introduces a human verification element into the process. When a user attempts to access a compassionate resource or perform a high-risk action, a request is sent to selected and trusted individuals (like managers or supervisors). These trusted individuals then decide whether to grant or deny the request. This approach ensures that even if an attacker manages to deceive one layer of security, they will face another hurdle in the form of human verification.
In essence, Secfense’s microauthorizations, which can be seamlessly integrated at any stage of the user journey due to the invisible security layer of the User Access Security Broker, offer a robust solution to the challenges highlighted in the Okta case. By requiring both automated (MFA) and human (supervisor microauthorization) verification processes, they significantly enhance security against various threats, including unauthorized data exports and data leaks.
6. Activate and test alerts for new devices and suspicious activity.
This recommendation is crucial because by implementing it, organizations can quickly detect and respond to such unauthorized access attempts by activating alerts for new devices and suspicious activities. Immediate alerts mean that even if an attacker bypasses one security layer, their unfamiliar activity or device can trigger a warning, allowing for rapid response and mitigation.
Secfense’s User Access Security Broker operates at the HTTP protocol level, a pivotal point in web traffic. Being positioned here allows it to monitor all incoming and outgoing traffic meticulously. This strategic placement means that Secfense can swiftly detect anomalies in traffic patterns, such as unfamiliar devices trying to access the system or unusual request patterns that might indicate malicious activity. The system can instantly trigger an alarm when such anomalies are detected, notifying the security admin. This real-time monitoring and alerting capability ensures that potential threats are identified and addressed promptly, further enhancing the organization’s security posture.
7. Limit Super Administrator roles and implement PAM
Attackers who gain control of super admin accounts can inflict significant damage, access sensitive data, or manipulate system configurations. By limiting the number of super administrator roles, implementing privileged access management (PAM), and delegating high-risk tasks, organizations reduce the potential attack surface and ensure that the damage can be contained even if one account is compromised.
While PAM solutions focus on a select group of privileged users, they often leave out the vast majority of regular users in an organization, creating a potential vulnerability. Secfense’s User Access Security Broker addresses this gap. Instead of focusing solely on the privileged few, Secfense offers protection to all users, ensuring that every account, regardless of its privilege level, is secured. This comprehensive approach ensures that while PAM solutions guard the “crown jewels” of an organization, Secfense acts as a protective shield for the broader user base. In essence, while PAM solutions are like specialized security for the vault in a bank, Secfense ensures that the entire bank, from the front door to the teller counters, is also secure. Combining both gives an organization a holistic security approach, covering its most privileged and regular users.
8. Mandate admins to sign in from trusted devices with phishing-resistant MFA
By ensuring that admins sign in only from managed devices, organizations can ensure that the devices used have the necessary security configurations and are free from malware or other threats. Implementing phishing-resistant MFA adds another layer of security, ensuring that even if credentials are stolen, they alone are not enough for access. Limiting access to trusted zones further ensures that even if attackers have the right credentials and device, they can’t access the system from just any location, adding another hurdle for potential attackers.
Secfense directly addresses the recommendation of mandating admin sign-ins from managed devices with enhanced security measures. Through its microauthorizations, Secfense enforces additional verification steps during sign-ins or specific actions, acting as a fortified multi-factor authentication. The Full Site Protection feature ensures that users, especially admins, can only authenticate from trusted networks, aligning with the principle of restricting access to trusted zones.
Secfense’s Answer to Help Desk MFA Bypass
Recent revelations from Okta have spotlighted a sophisticated social engineering tactic targeting IT help desks and super administrators. Attackers have been manipulating these desks to reset Multi-factor Authentication (MFA) for high-privileged users, particularly super administrator accounts. This breach has allowed them to impersonate users within organizations, compromising security. Okta has since provided a series of recommendations to counteract these threats. At Secfense, we’ve taken a keen interest in these recommendations and wish to demonstrate how our User Access Security Broker (UASB) can be a pivotal tool in implementing these security measures. By testing Secfense UASB, organizations can benefit from comprehensive MFA protection for their apps, introduce microauthorizations for an added layer of security, and enjoy full site protection that offers VPN functionalities without the associated costs. We also provide a checklist for a seamless transition to a passwordless environment. Dive in to understand how Secfense can fortify your organization’s defenses.
