惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
The Human Factor in Phishing Resistance
Brett Winterford · 2022-10-05 · via Okta Security RSS Feed

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. In this second part of our series on phishing resistance, we consider the human element.

All organizations should aspire to a state in which technical and operational controls reduce the burden on end users to identify and respond appropriately to social engineering.

Large numbers of Okta customers are pivoting toward phishing resistant authenticators, as we discussed in part one of this series. Many Okta customers have chosen to limit all user authentication to phishing resistant factors. Typically these are leading edge organizations, “born in the cloud”, that are not locked into legacy technologies.

Okta’s mission is to enable anyone to use any technology. So we recognize that, by necessity, organizations encumbered by legacy apps will need to support a mix of authenticators for some time into the future. Our policy engine is designed such that these organizations can enforce phishing resistance where it matters most, and only allow weaker (less phishing resistant) authenticators by exception.

So for most organizations, there remains a need to empower users in the fight against phishing. User empowerment can take many forms, including:

  • Providing users with sufficient context whenever they sign-in

  • Ensuring users are aware of common social engineering techniques

  • Providing users with the tools to report suspicious requests

The power of context

The Scatter Swine attacks of July and August 2022 demonstrated one of the critical limitations in authentication flows that use passwords and OTP (one time password) authenticators. An authentication flow that requires an OTP doesn’t provide opportunities for the user to assess context about the origin of a request.

A push request can provide this context. Depending on your configuration, an Okta Verify Push request displays a range of information including:

  • The recorded location of the browser making the request

  • The recorded device making the request

Okta Identity Engine admins can also add further context to each request using a feature now available in Early Access. This adds to each Push request:

  • the name of the application requested, and

  • the sign-in URL.

Crucially, if the organization enables Number Challenge (which can be applied to all Push notifications, or only for risky sign-ins), the user also has to verify a random number presented on the sign-in widget.

Okta Verify Push with Number Challenge

All of this context can help users identify when an attacker attempts to use stolen credentials to access their account.

The power of training

To be effective, users need to be aware of what this context means. That’s where security awareness training comes in. As I’ve previously opined, learners are more likely to retain and apply advice if it is provided in the context of their daily work, and where opportunities are provided for strong, positive habits to form.

Historically, security awareness training has appropriately focused on the areas of the most heightened risk: password hygiene. Given the increasing prevalence and effectiveness of multi-factor authentication, there is also value in training users about the methods an attacker armed with stolen credentials might employ when attempting to bypass MFA challenges.

The most common social engineering techniques we have observed, and some corresponding learning outcomes to target for your security awareness training, are included in the table below:

Sample Learning Outcomes

Introducing "Push Bomb"

Push Bomb is an example of a learning experience that can be used to raise user awareness about Push Fatigue attacks and teaches them how to assess the context of a Push notification.

Push Bomb is a proof of concept Okta Workflow developed by Solution Engineer Marc Miller that schedules unsolicited push notifications to a defined group of users to test whether they accept, reject or ignore the request. It provides users a first-hand experience of an MFA Fatigue attack, just as phishing simulations do for credential phishing campaigns.

Marc's Workflow (which is not an Okta supported product) does all of the following at the push of a button:

  • Selects a random percentage of users from a defined Okta Group(s) to test according to an admin-defined schedule;

  • Leverages the Okta Factors API to check whether each user is enrolled in Push MFA

  • Sends a Verify push notification to users and polls for the results at admin-defined intervals, logging whether the user accepts, rejects or ignores the request.

  • Sends the user a message on Slack, Teams or email (customer configurable) to confirm they were subject to the test, and offers further guidance based on user actions.

  • Prepares a detailed summary report of results for the admin.

An End User Notification delivered by the Push Bomb Workflow

The power of positive reporting

The most important learning outcome, irrespective of the attacker’s methods, is that users are well practiced in alerting the security team about suspicious behavior via channels that are well monitored.

One way for users to develop this muscle memory is via phishing simulations. While the focus of these drills can often lean too heavily into identifying “at-risk” users, the most crucial learning outcome is for users to learn how to quickly report suspicious activity to the right place in both simulated and real-world attacks.

Creating easy methods of reporting suspicious activity is critical. Suspicious Activity Reporting allows Okta admins to configure their org to email a user whenever their account is accessed from a new device, when a new authenticator (factor) is enrolled or when an existing one is reset. Admins can optionally provide the user a one-click path to reporting a suspicious event from the body of the same email.

Just as training and awareness programs need to anticipate the potential bypass of technical controls, your detection and response capability needs to anticipate that users will fail to recognize or act on social engineering attacks.

The next post in this series on phishing resistance will focus on how to use Okta System Log to detect phishing-related events.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.