Okta breach leads to questions on disclosure, reliance on third-party vendors
Criticism of the identity authentication company Okta intensified Thursday in the wake of the company’s announcement that 366 customer accounts were potentially compromised in a security breach via an attack on a third-party contractor’s laptop.
Security experts called the attack a significant event in the history of cybercrime; questioned what can be done to strengthen screening of third-party contractors and prepare for more malicious insiders; and criticized Okta for failing to disclose the breach to customers or the public for more than two months. The cybercrime group Lapsus$ had access to the contractor’s laptop for five days in January, Okta said Wednesday in addressing the fallout from a leak by the gang about the incident.
News reports Thursday about the alleged makeup of Lapsus$ only added to the questions. British police said they had arrested 7 teenagers in connection with the cybercrime gang, and Bloomberg News reported that the group could be traced to one specific teenage suspect.
Dan Tentler, co-founder of cybersecurity company Phobos Group, called the Okta hack potentially “SolarWinds 2.0,” referring to the 2020 breach of a major U.S. information technology firm whose clients were ultimately affected as the attack cascaded.
Tentler questioned Okta’s assertion that the attackers were gone in five days and said it is possible that other recent Lapsus$ attacks on Microsoft, Nvidia and Samsung could have been made possible by the Okta breach.
“Almost 400 customers are now probably starting big, feverish internal incident response campaigns,” Tentler said. “The chances are non-zero that several other companies will come forward and say, ‘They got into us too,’ because they have used Okta. And when that news breaks it will be pandemonium.”
The episode is emblematic of what Tentler called a tendency among many corporations to focus disproportionately on stopping attacks from state-level actors while devoting insufficient resources to stopping attacks from what he derisively called “children with tools.”
“Right now the path of least resistance is attacking these third-party vendors, and abusing the fact that companies don’t seem to do much, if any, actual real security review on third-party contractors.”
— Dan Tentler, Co-Founder of Phobos GrouP
Basic cyberdefense work is too often ignored, Tentler said. He cautioned companies working with third-party contractors to scour logs to find anomalies and do far more rigorous checks of third-party security practices. He said other basic security practices like turning on multi-factor authentication and patching systems too often slip through the cracks even at sophisticated companies.
“Right now the path of least resistance is attacking these third-party vendors, and abusing the fact that companies don’t seem to do much, if any, actual real security review on third-party contractors,” Tentler said. He said third-party vendors are often merely asked to answer spreadsheet questions that are largely pro forma and compliance-based.
Other experts said they were astonished by the time lapse between when Okta advised its Miami-based subcontractor Sitel of suspicious activity and when Okta disclosed the problem, which occurred only after the incident was made public on the Lapsus$ page on the Telegram chat app.
A spokesperson for Sitel said via email that after the breach impacting their Sykes network, the company took “swift action to contain the incident and to protect any potentially impacted clients.”
‘You had two months’
The fact that Okta did not demand an incident response report from Sitel more quickly stunned Jake Williams, an information security consultant on the IANS faculty.
Williams scoffed at Okta executives’ saying they should have acted more quickly upon receiving the initial report from Sitel on March 17, nearly two months after Okta notified Sitel it had detected suspicious activity.
“You had two months in the interim here,” Williams said. He called the delay extremely uncommon and expressed shock that Okta apparently didn’t notify customers in the interim. He said the episode is a case study for how to integrate with third-party vendors and that anyone in that position should be looking at third-party services’ contractual obligations to provide incident response information in real time.
Many industry leaders echoed Williams’ bewilderment at how Okta handled the breach. John Shier, senior security adviser at Sophos, said via email that while Okta has since released more information about the attack, and “specifically what capabilities the attackers had while controlling the compromised account, there was a protracted delay and a lack of transparency at the outset.”
“Identity providers hold a very privileged position in an organization’s supply chain, and the initial lack of information coming out of Okta left many customers uncertain about what to do,” Shier said.
The third-party trap
Rick Holland, the chief information security officer at the threat intelligence firm Digital Shadows, said that working with third-party service providers is unavoidable these days. He recalled one CEO of a blue chip cybersecurity company telling him his firm worked with at least 35,000 third parties.
“It’s almost a status quo business model for most companies to have all of these interrelated dependencies on these other companies,” Holland said. “The key thing is, who’s got access to what?”
Holland said the biggest takeaway for him is that even so-called zero trust environments can’t be trusted. Zero trust refers to the idea that all users of a system must be authenticated by a system using software like Okta’s.
“Zero trust is the biggest buzzword in our space right now and identity is a core component of zero trust,” Holland said. “If you can’t get identity right here than your whole zero trust program is going to fall down. So, you know, this is the worst space of vendors that you could have to have a problem like this because you own the identities. You [hackers] can do all kinds of stuff.”
