From the Trenches: How BeyondTrust Detected a Breach at Okta and Lessons We Keep Learning from This Story
with Randy Franklin Smith, CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP; Fletcher Davis, Director of Research at BeyondTrust
About the Session
This is the story of how an attacker gains access to an identity provider’s support case portal, harvests a key piece of data from a file uploaded to the case by a customer and within minutes uses that data to gain access to the systems at that customer.
But it’s also a story of victory and a real-world demonstration of the power of monitoring, policy and defense-in-depth.
The Okta/BeyondTrust/Cloudflare incident happened a while back, but it remains the most valuable breach account we have to understand today’s threats in this multi-cloud, distributed and hybrid environment in which we currently fight the good fight. And last week I met Fletcher Davis at BeyondTrust. Fletcher is the Senior Manager of the Research Team at BeyondTrust and has an inside view of this breach. Before BeyondTrust, he was a red teamer at CrowdStrike and Mandiant, so I’m excited that he agreed to join me for this real training for free / anatomy of an attack session.
We will postmortem this breach step-by-step and it includes a bit of everything:
The crucial role of MFA and the difference between weak and strong MFA
Endpoint security
Web API security
Tokens, session cookies
HAR files
Security dependencies between systems and partners
Alerting on changes in privileged accounts and entitlements
Detecting unusual patterns in web authentication
The importance of communication between business partners and the sometimes frustrating process of escalation and getting people to take you seriously
Implementing non-default policies specific to your organization
Service account management
This fascinating story provides a wealth of lessons we can apply. We will finish up with a list of actionable recommendations that every organization can put to work in any environment.
BeyondTrust was able to detect and immediately respond thanks to their practice of dogfooding their products to protect their own network. Fletcher Davis will briefly show you a demo of the Insights platform and walk through some of the detections that caught the breach, as well as some recent additions that give customers visibility into their Okta privileges and application assignments.
Meet the Speakers
Randy Franklin Smith
CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.