惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Simon Willison's Weblog
Simon Willison's Weblog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
About on SuperTechFans
Last Week in AI
Last Week in AI
月光博客
月光博客
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Check Point Blog
U
Unit 42
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
小众软件
小众软件
P
Palo Alto Networks Blog
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
S
Secure Thoughts
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
Recorded Future
Recorded Future
O
OpenAI News
S
Securelist
云风的 BLOG
云风的 BLOG
H
Help Net Security
T
Troy Hunt's Blog

Okta Security RSS Feed

Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Protecting Administrative Sessions in Okta
Brett Winterford · 2024-03-21 · via Okta Security RSS Feed

Privileged users have always been and should always expect to be under constant attack from motivated adversaries.

Over the last 90 days, Okta has devoted many of our most skilled resources into a program of work that dramatically hardens the Okta Admin Console, resulting in a number of new features, a subset of which are listed below.

New Feature

Description

Availability

ASN Session Binding

Okta automatically revokes an administrative session if the ASN (Autonomous System Number) observed during an API or web request differs from the ASN recorded when the session was established.

GA, on by default in Okta Admin Console from October 23, 2023

IP Session Binding

Customer administrators can automatically revoke an administrative session if the IP address observed during an API or web request differs from the IP address recorded when the session was established.

EA in Okta Admin Console from February 7, 2024

EA in Okta Workflows Admin, Okta Access Requests and Okta Privileged Access (OPA) in March 1, 2024

New Default Maximum and Idle Session Duration 

Default session timeouts in Okta Admin apps have been set to a 12-hour session lifetime and a 15-minute idle time.

GA from January 8, 2024

Protected Actions

Okta admins are prompted for re-authentication when they perform critical tasks in the Admin Console.

EA in Okta Admin Console from February 7, 2024

Govern Okta Admin Roles

Customers can govern Okta Admin Roles via time-bound access requests and automated access reviews

Gradual rollout in Okta Admin Console begins April 2024

Require MFA for access to Admin Console

Okta will prevent administrators from creating authentication policies that only require a single factor.

EA in Okta Admin Console from May 2024.

The purpose of this blog post is to zoom out and think holistically about how to use these features to:

  • Reduce the attack surface of your Okta org,

  • Prevent account takeovers, and

  • Limit the blast radius of a stolen session

Reducing the Attack Surface

The first step to preventing unauthorized access to privileged applications is to reduce the number of accounts with privileged roles.

Okta’s standard administrative roles offer the fastest path to value for new workforce deployments. Over time, the most security conscious organizations migrate to Custom Admin Roles in pursuit of least privilege access.

This journey starts with:

  • Assigning administrative permissions by Group, and avoiding assigning them individually. This greatly simplifies the administration and governance of policies.

  • Identifying tactical ways to minimize the number of accounts with highly privileged roles (Super Administrators, Org Administrators, App Administrators). Delegated Flows, for example, offers opportunities to reduce the number of Workflows users that require administrative access.

  • Breaking down common administrative functions (such as assigning users to apps, or factor lifecycle operations) into Custom Admin Roles, and assigning them to specific resources (groups, apps, workflows etc), to further promote least privilege.

The target state is to move as close as possible to “zero standing privileges”.

Zero standing privileges is a model in which an administrator gets access to the resources and permissions they require on a just-in-time basis to complete a specified task, after which time the access is automatically revoked.

Okta Privileged Access Management (OPA) uses this principle to secure access to servers, databases, apps and other targets. When OPA is combined with the Access Requests feature in Okta Identity Governance (OIG), organizations can be confident that all access to privileged resources is authorized, ephemeral (temporary), and recorded for easy auditing.

However, we want zero standing privileges to be a design pattern in reach for even the smallest of Okta’s customers. Okta is committed to ensuring that every workforce customer can achieve zero standing permissions for access to the functions they require to administer Okta.

Okta’s product team has subsequently lifted a subset of premium Okta Privileged Access and Identity Governance features and built them directly into the Okta Admin Console to make this essential protection available to all Okta Workforce customers at no cost.

Using this configuration, the journey to zero standing privileges in Okta is simpler again:

  1. Assign all administrators with custom roles designed for the minimum resources and permissions required to complete day-to-day work;

  2. Create a Request Approval process for administrators that require temporary (“just-in-time”) elevated permissions for administrative tasks that are performed less often,

  3. Require dual authorization (approvals) from two or more fellow administrators for access to roles with elevated permissions.

  4. Create an action in the Access Request that adds a user to a group assigned the elevated permissions after authorization and removes them from the group after the specified time period expires.

The only exceptions you might need to make to this process are:

  1. A break-glass account with a super administrator role.

    Depending on your deployment, you may require an account for emergency access. This “break glass account” needs to be protected by policies that assume your trusted network or PAM solution is not available. We suggest limiting access by network location (using secondary or tertiary IP ranges for redundancy), and also requiring multi factor authentication. A common approach is to require one of several physical FIDO2 security keys enrolled for the account, plus a machine-generated string as a password. Access to this account should be monitored with absolute vigilance: any use should set off alarm bells in the SOC.

  2. Service accounts used in machine-to-machine authentication

    Don’t neglect accounts used for non-human (machine-to-machine) access. Use OAuth 2.0-based API Service Applications, wherever available, with the least required account permissions and scopes applied. If you are using legacy static API tokens for any integrations, make use of Okta’s IP allowlisting feature: this ensures that Okta APIs will only accept requests using these tokens from trusted locations. Vault all static API tokens, maintain an inventory of their purpose, and audit and rotate regularly. Once configured, service accounts should be members of an Okta Group, and a global session policy should be applied to that group that denies interactive access (NB: this won’t restrict API access). Maintenance tasks should require a formal access request process that temporarily subjects the account to a different policy. Service accounts should otherwise be closely monitored for detection of unauthorized interactive and/or shared access.

Preventing Account Takeovers

As discussed, Okta has built best-in-class features to prevent unauthorized access to the Okta Admin Console. Many of these features are enabled by default.

The resilience of your environment largely depends on sound configuration of policies and supporting controls. At minimum, Okta Security recommends protecting administrative users by configuring the following:

  • Enable ThreatInsight in log and enforce mode. This will detect and prevent high-volume credential based attacks on any account that still requires a password.

  • Apply strong authentication policies to groups with administrative permissions.

  • Require administrative users to sign-in using passwordless, phishing resistant authenticators (Okta FastPass, FIDO2 WebAuthn, Smart Cards).

    • Enforce phishing resistance in policy.

    • Require users to verify their identity via a biometric challenge (preferred) or PIN.

    • Deny the use of discoverable FIDO2 credentials (Passkeys) for access to the administrative console and require use of device-bound FIDO2 credentials instead. Passkeys may otherwise be susceptible to theft from unmanaged devices or cloud service accounts.

  • Require access via trusted, managed devices for administrative access.

  • Require access via managed browsers (i.e. do not allow administrators to sign-in to personal accounts from the browser).

  • Use endpoint security integrations to deny access to devices exhibiting poor posture.

  • Deny all requests to administrative apps from anonymizing proxies and other untrusted networks using Dynamic Network Zones.

  • Evaluate user behavior and risk in policy, and alert on anomalous authentication requests (such as new device + new IP).

  • Apply an explicit, catch-all deny rule for any access to the Okta Admin Console that doesn’t meet the above conditions.

Reducing the Blast Radius of a Stolen Session

Irrespective of the strength of your protective controls, your threat model must also account for the theft and replay of an administrator’s session token using malware or other means.

Okta’s revised default session duration for the Admin Console is designed to limit the opportunities for adversaries to exploit a stolen session token.

ASN Session Binding, which is enabled for all Okta orgs by default, limits the ability to replay a stolen session outside of an expected context. Security teams can optionally insist on enforcing IP Session Binding for the Okta Admin Console, which binds all requests during an administrative session to the same IP used during authentication. IP Session Binding is on by default for all new Okta orgs.

We also recommend the following:

  • Enable Protected Actions in the Okta Admin Console. This forces step-up authentication before an administrative user can modify critical settings, such as enabling a third-party Identity Provider or resetting all factors of an administrative user, greatly reducing what actions an adversary can perform with a stolen session token.

  • Configure a Re-authentication Frequency of “Every Sign-In Attempt” to all administrative applications. This greatly diminishes access to applications using a stolen user session.

  • Choose FastPass as your primary authenticator. FastPass provides a fast, consistent user experience on all OS/browser platforms, prevents and detects real-time AiTM phishing campaigns, and offers an ability to constrain credentials to approved devices. It can also play a role in mitigating the theft of session tokens: FastPass can be configured to evaluate device signals on managed and unmanaged devices prior to allowing access. Okta can subsequently use these device signals to assess device context every time a user requests a new application during a session, and require re-authentication if device context is assessed to have changed.

Finally, it’s important to audit the use of administrative roles and to monitor for suspicious administrative activity. As we’ve said in previous posts, the monitoring and oversight of actions performed by users with administrative roles is a cornerstone of any well-designed security program.

We recommend the use of Log Streaming for the fastest access to Okta System Log events in the SIEM of your choice. You can find a sample of common detections we have published in collaboration with Splunk and Google Chronicle.

A new event relevant to organizations that have deployed ASN and IP Session binding is provided below.

Event

System Log Query

User Denied Access due to ASN/IP Session Binding (T1539)

eventType eq "security.session.detect_client_roaming"

Okta’s engineering teams have worked tirelessly over the last 90 days to provide the guardrails and additional features required to protect access to administrative functions in Okta.

Over 9000 Okta orgs adopted ASN Session Binding within three months of its release, giving us the confidence to turn the feature on for all Workforce customers by default. Over 95% of Workforce orgs have maintained the default maximum and idle session duration configuration we switched on for all customers in January.

We remain committed to prioritizing the features that protect privileged users under the Okta Secure Identity Commitment.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.