惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
Martin Fowler
Martin Fowler
人人都是产品经理
人人都是产品经理
C
Check Point Blog
S
SegmentFault 最新的问题
腾讯CDC
IT之家
IT之家
Jina AI
Jina AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
B
Blog RSS Feed
博客园 - Franky
V
Visual Studio Blog
The Register - Security
The Register - Security
GbyAI
GbyAI
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
云风的 BLOG
云风的 BLOG
博客园 - 三生石上(FineUI控件)
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
T
Troy Hunt's Blog
小众软件
小众软件
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
C
CERT Recently Published Vulnerability Notes
aimingoo的专栏
aimingoo的专栏
T
The Exploit Database - CXSecurity.com
Know Your Adversary
Know Your Adversary
G
GRAHAM CLULEY
T
Tenable Blog
P
Palo Alto Networks Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Schneier on Security
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
WordPress大学
WordPress大学
The Cloudflare Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
MongoDB | Blog
MongoDB | Blog
Forbes - Security
Forbes - Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
W
WeLiveSecurity
I
InfoQ
P
Privacy International News Feed

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Using Workflows to Respond to Anomalous Push Requests
Brett Winterford and Sean Hanrahan · 2023-04-24 · via Okta Security RSS Feed

“Push fatigue” is a noisy form of attack that generates numerous detection opportunities.

In a “push fatigue” attack (sometimes called “MFA bombing”), an attacker already in possession of a user password triggers push notifications, often in rapid succession, to trick or frustrate the legitimate user into allowing access. The attacker gains unauthorized access to the account if the user approves the request out of habit or under the assumption of system error.

The most strategic, long-term way to counter these attacks (and many others) is to migrate users to phishing-resistant authenticators such as Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards.

The next best solution - albeit a tactical one - is to apply number challenges to push requests.

If your organization isn’t in a position to make these changes, we recommend introducing detections that identify suspicious push requests, as well as workflows for automating your response to suspicious events.

Okta Security previously published logic used by our detection engineering team to identify malicious push requests. This detection, alongside others, has been added to the content libraries of security analytics tools like Splunk.

Okta Workflows, our no-code automation tool, offers opportunities to automate responses to suspicious requests in close to real-time, using the same underlying logic.

In this post, we’ll discuss two flows that evaluate the trustworthiness of a Verify Push request according to different criteria:

  1. Variations in the geolocation metadata captured by the source of the request (the Okta SignIn Widget) and the response to the request (the Okta Verify app), and

  2. Multiple rejected push challenges by a user.

Workflow 1: Detect Suspicious Push Challenges

The “Detect Suspicious Push Challenges” workflow was developed for workforce customers using Okta Identity Engine.

The logic does not rely on user identification of a suspicious request. Instead, it determines whether the source of a Push Challenge (the “source event” generated by the Okta SignIn Widget) comes from a different location than the Okta Verify client that accepts or rejects the challenge (destination event):

Engine

Source Event

Destination Event

Okta Identity Engine

eventType eq "system.push.send_factor_verify_push"

eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH"

The geolocation information (country, state, city) in each event is found in the client.geographicalContext object.

This week, a basic version of this flopack was added to Okta’s extensive Workflows template library. The templated workflow checks if the two requests described above come from the same city. If the city does not match, a message with some of the relevant metadata is prepared for security operations teams.

There are a range of other orchestrated responses available for “flogrammers” to consider, which are discussed below.

Workflow 2: Detect Repeated User Rejections

Our alternative workflow addresses the “fatigue” aspects of a push fatigue attack. Okta solution engineer Sean Hanrahan has created versions for both Okta Identity Engine and Okta Classic.

The logic works as follows:

  • The flow triggers on user rejection of a push MFA prompt (see table below)

  • The flow stores data on sequential rejection events in tables

  • If a user rejects a Push MFA request more than a configurable number of times (default: 5) in a configurable time threshold (default: 1 hour), a range of responses can be automated (see suggestions below the table).

  • The tables are purged at configurable intervals.

Engine

User Rejection Event

Okta Identity Engine

eventType eq "user.authentication.auth_via_mfa" AND outcome.result="FAILURE" and outcome.reason="INVALID_CREDENTIALS" and debugContext.debugData.factor eq "OKTA_VERIFY_PUSH"

Okta Classic Engine

eventType eq  "user.mfa.okta_verify.deny_push"

Orchestrated Responses

Both of these flows were designed to notify security operations analysts of suspicious activity in close to real-time. Okta Workflows comes with built-in connectors for messaging tools like Slack and Teams, email clients like Gmail and Office 365 Mail, or IT service management tools such as ServiceNow, Jira Service Desk, freshservice, PagerDuty, ZenDesk and more.

Okta Workflows also offers opportunities to orchestrate differentiated responses based on the metadata observed in the events.

In the template for Workflow 1, for example, security operations teams are notified when the location of push source and push response do not include the same city (client.geographicalContext.city). This is a good place for analysts to start evaluating the benign reasons why location information doesn’t match. After this analysis, you may also want to take different actions based on whether there is a mismatch in city, state or country data, or other network related information captured by these events.

With a little tuning, your workflow might end up something more like this:

  • If the city matches, end the flow and take no action.

  • If the state matches, but the events came from different cities, send a message to the SOC.

  • If the events were in a different country, immediately revoke the session (using the Clear User Session action card) and notify the SOC.

The Workflow can further be extended to:

  • Provide the SOC analyst a direct link/shortcut to the events of interest in the Okta Admin Console (Under Reports > System Log).

  • Provide the SOC analyst a history of how many times the user successfully authenticated from a given location in recent months (using the Search System Logs action card)

  • Place users into a “higher risk” group that subjects them to higher assurance requirements for access to critical applications (using the Add User to Group action card)

  • Assess if the user successfully authenticated after repeated failure events (using the Search System Logs action card), and in turn:

    • Trigger a session revocation (using the Clear User Session action card) and/or

    • Reset the user’s potentially compromised password (using the Reset Password action card)

Next Steps

If you'd like to get started with Workflow 1 (“Detect Suspicious Push Challenges”):

  • Import the flopack into your Workflows console.

  • Follow the instructions in the readme doc provided at GitHub to configure an Event Hook that triggers the flow on Verify Push MFA events.

  • Select a connector for which tool you want to use for SOC notifications.

  • Start testing!

If you’re at the RSA Conference in San Francisco this week, the “Detect Suspicious Push Challenges” flow will be showcased at the Okta booth.

For access to a pre-built template for Workflow 2 (“Detect Repeated User Rejections”), please ask your Okta Customer Success Manager.

And if you’re just getting started with Workflows, we recommend this YouTube channel for lots of great tutorials.

Thanks to Harish Chakravarthy and Bryan Barrows for testing and documenting these flows.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.

Sean Hanrahan is a Senior Solutions Engineer, helping some of Okta’s largest accounts to solve their identity and security challenges with Okta’s technology. Prior to joining Okta, Sean worked for VMware as a customer success architect, focused on device security, unified endpoint management, SASE, and Zero Trust.