Okta and the Lapsus$ breach: 5 big questions

We certainly have more details now than we did yesterday about the Lapsus$ breach of a third-party Okta support provider. But some major unanswered questions remain.

David Bradbury, CSO of the leading identity and access management vendor, released two more updates over the last 24 hours and gave a webinar presentation. Microsoft also released its own findings on the Lapsus$ hacker group, which provided some clues about the threat actor’s tactics and motives.

But a number of questions remain, including the timing of the incident’s disclosure; the first few days of the hacker group’s access; the potential impact on customers; the “blast radius” of the attack; and the objectives of the Lapsus$ hacker group.

After connecting today with a Forrester analyst and numerous security vendor executives who are closely following the situation, I have compiled the details on these five questions below.

Okta did not have answers to these questions, saying that its public statements about the Lapsus$ breach are contained in its blog posts.

On Tuesday, Okta acknowledged that Lapsus$ – a group that has also hacked Microsoft, Nvidia and Samsung – had access in January to the account of a customer support engineer who worked for a third-party provider.

“The Okta service has not been breached and is fully operational,” Bradbury said in a post.

Okta has identified the third-party provider that was breached as Sitel, which provides Okta with contract workers for customer support. Sitel, in its own statement, said the breach was contained to “parts of the Sykes network” – referring to Sykes Enterprises, which was acquired by Sitel last year.

Following are the details on the five biggest remaining questions about Okta and the Lapsus$ breach.

1. Why didn’t Okta announce this incident earlier?

The real answer, of course, is that Okta does not need to disclose anything (although that may not remain the case if the US Securities and Exchange Commission adopts its proposed rules for disclosing cyber incidents).

But that doesn’t mean Okta could not have said something, says Andras Cser, vice president and principal analyst for security and risk management at Forrester.

The Okta incident timeline shows that on January 20, the company investigated a cyber incident alert. (The alert was triggered by a new factor being added to the Sitel employee’s Okta account from a new location.) Firm “to fully investigate the incident.

However, Okta did not disclose anything about the incident until Tuesday, after Lapsus$ posted a screenshot on Telegram as evidence of the breach.

“The moral of the story is if you have a problem [of this magnitude], you want to announce this only when it’s fresh – and don’t wait two months,” said Cser.

For Okta, “that [delay in disclosure] is why this is bad, right?” he said. “It’s not because they were breached – it happens. The fact is that they have not made any disclosure.”

And while companies in this position aren’t always required to disclose anything legally, “a lot of companies really like to do that,” Cser said.

The bottom line is that “if you have a security incident, it’s probably best to declare it and terminate it. Because otherwise, something like this could happen,” he said.

Bradbury said he was “very disappointed” with how long it took Okta to receive a report on the incident, but did not indicate that he believed Okta should have disclosed the incident sooner. The closest he came was saying that after Okta received a summary report on the attack on March 17, “we should have moved faster to understand its effects.”

Cser said much of the response to Okta’s lack of disclosure stems from the fact that the company is a leading vendor in the cybersecurity industry, and is thus held to a higher standard than some other companies. Okta’s share price fell 10.8% today, or $17.88 per share.

As Cser notes, the announcement doesn’t have to be significant. It could be as simple as saying, “We see this problem, we’re investigating – and once we know more, we’ll tell everyone what happened,” he said.

Security researcher Runa Sandvik said on Twitter that some may be confused by the statement that “the service has not been breached.”

“The statement is a completely legal word soup,” Sandvik said. “The fact that the third-party was breached; who breached Okta; the failure to disclose it has affected Okta’s customers.”

“The moral of the story is if you have a problem [of this magnitude], you want to make it public when it’s fresh – and don’t wait two months.”

Andras Cser, principal analyst for security and risk management, Forrester

2. What happened during January 16-20?

In Bradbury’s original blog post on Tuesday about the Lapsus$ breach, he said the threat actor was able to access a third-party support engineer’s laptop for five days in January. The five-day window took place between January 16-21, he said.

According to Bradbury, the information was based on a report from a cyber forensic firm.

Subsequently, Bradbury shared an Okta post showing the timeline of events surrounding the incident. The timeline starts on January 20 (at 23:18 UTC), when Okta received an alert about a new factor being added to the Sitel employee’s Okta account.

However, Ronen Slavin, co-founder and CTO of software supply chain security firm Cycode, noted that this leaves several days unaccounted for. The timeline may only start on January 20 because that is when Okta first became involved – but regardless, the forensic firm may have gathered information about what happened before January 20.

“We hope to learn more from Okta,” Slavin said of what happened before that point. “We look forward to seeing what happened during the previous days.”

Okta clarified that it had received a “full investigation report” on the breach from Sitel on Tuesday.

3. How did it affect the customers?

On Tuesday, Bradbury said 366 customers may have been affected by the Lapsus$ breach (approximately 2.5% of Okta’s 15,000 customers).

In a webinar on Wednesday, the Okta CSO clarified that the company had in fact identified “366 customers … whose Okta tenants were accessed by Sitel during that period” of January 16-21.

These customers’ data may have been “viewed or acted upon,” Bradbury said in a blog post, without elaborating further.

According to Emsisoft threat analyst Brett Callow, statements by Okta so far have not clarified how customers have been affected by the breach. “The impact is not yet clear,” Callow said in a message to VentureBeat on Wednesday.

And while Sitel says it has not found evidence of data breaches of customer systems, “the absence of evidence is not evidence of absence,” Callow said.

Customers that Okta has announced in the past include JetBlue, Nordstrom, Siemens, Slack and T-Mobile. In 2017, Okta stated that the US Department of Justice is a customer.

4. Why does Okta define “blast radius” in this way?

In the language of cyber security, the term “blast radius” denotes the extent of the impact of a specific cyber attack. Okta argues that the blast radius of the Lapsus$ breach was limited to a “small percentage of customers”.

“While trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all access to the SuperUser application by Sitel employees for a period of five days,” Bradbury said in a blog post.

Thus, the 366 customers who may have been affected by the Lapsus$ breach represent all the Okta customers that Sitel accessed during the five-day period in January.

What is not clear, however, is why Okta chose to define “blast radius” in this way.

“If the incident was isolated to a support engineer at Sitel, we would like to understand why the blast radius is not limited to what the person had access to,” Slavin said.

Okta specifically stated that its “super user” application for support engineers does not have “God-like” functionality – not all users can access it – and was built with least privilege as the main principle, Slavin noted. Based on what is now known, it makes sense that the blast radius should vary as much as Sitel could possibly access, he said.

And yet, least privilege is a concept for individual users, not for teams. “It simply came to our notice then [included] everything that the team can access, rather than anything the person accessed,” Slavin said.

Okta’s statements that it did so “in the interest of caution” – and assuming the worst-case scenario – are “perfectly valid answers,” Slavin said. However, “we hope to see more clarification as the investigation comes out.”

5. What was Lapsus$ trying to accomplish?

Perhaps most confusing is the question of the threat actor’s motive in the Okta attack. Unlike with cybercriminals who ultimately focus on breaching systems to solicit ransomware payments, for example, the actions taken by Lapsus$ to breach Okta’s service provider do not have a clear financial angle.

If the hacker group was trying to reach Okta customers in order to monetize down the road, it would make no sense to publicly announce the attack, said Stel Valavanis, founder and CEO of managed security services firm Onshore Security.

Regarding the goal of the attack, “I would say it was a way to gain a foothold in other organizations. But then why all the fuss about it?” Valavanis said.

It is also worth noting that Lapsus$ did not make any demands before posting screenshots this week – at least not on its Telegram channel.

The closest thing to a stated purpose is the group’s statement, in a Telegram post about Okta, that “for a service that authorizes the authentication system to many large corporations (and FEDRAMP approved), I think these security measures are very weak.”

Lapsus$ followed up with another post on Tuesday, criticizing Okta over a number of its security measures.

Cser said the statements indicate that, at least in the Okta case, Lapsus$ aims to inflict reputational damage on Okta for some reason.

“It could be that they want to try to undermine Okta’s position in the market, and try to tarnish their brand image,” he said.

That, of course, only leads to another question: why? And at its own behest or at the behest of others?

Possible answers to those questions will require some unexpected speculation, so I won’t go there. But the fact that some people in the industry are even speculating about such possibilities is evidence that Lapsus$, so far, is proving to be very difficult to read.

Oliver Pinson-Roxburgh, CEO of cybersecurity services firm Bulletproof, said that in the series of recent attacks by the group, “there is a combination of financial targeting and some hacking of IP.” “There is no clear direction or purpose for the group,” he said.

Researchers at Microsoft – which confirmed this week that it was a Lapsus$ victim – believe that Lapsus$ is “driven by theft and destruction.” The researchers said that in some cases the group extorted victims to prevent the release of data, but in others the data was leaked without any demand.

Demi Ben-Ari, co-founder and CTO of third-party security management firm Panorays, said there was another possibility, based on the evidence so far.

The approach taken by the group shows that, at least in part, “their tricks here are for fun,” Ben-Ari said.

However, any “fun” – linked to a series of incidents that have now affected at least four global tech powerhouses over a period of one month – is certainly one-sided.
