Understanding the Okta Compromise

SecPro #43: Understanding the Okta Compromise, Running Digital Forensics in DLP, and Masquerading Like the Adversary

This week has brought an attack from mid-January to light that seems to show a company doing everything right.

After an attempted data breach at the hands of the hacking group LAPSUS$, a potentially catastrophic event for Okta has turned out to actually be a relatively small blip on the radar of the identity management company.

Where industry giants like Microsoft are now facing the task of dealing with leaked data, Okta is only dealing with the slightly embarrassing note that a hacker got in through a human error.

Something to bear in mind for all security professionals is that no security system is perfect or even close to it. This week’s incidents should make it clear that even when we do everything right, the media might try to paint us as failing in some way.

All we can do is look at incident response and post-breach behavior to find out if we could be facing the same issue soon and if we need to improve.

On that note, we are also looking at how to play with digital forensics in the case of DLP and how to battle the adversary who is masquerading as an ally.


  • Understanding the Okta Compromise
  • How to do Digital Forensics in DLP
  • MITRE ATT&CK – Masquerading
  • News Bytes: Anonymous hacks Nestle and other news
  • Secret Knowledge: DLP and Cloud Access Management

Attack Analysis: Okta Compromised by LAPSUS$ 

By Austin Miller

It’s every security company’s worst nightmare – a serious breach. But that’s exactly what has happened to cloud access management software provider Okta this week.

Although some details are still hazy, it seems that a lapse in judgement by a third-party customer support engineer led to credentials being leaked onto the internet.

What has Okta said about the incident?

Despite the leak occurring in January, it wasn’t until March 22nd that Okta made the announcement that the breach had happened at all.

After the incident, a series of posts by David Bradbury, Okta CSO, was published on the Okta blog, stating that the breach had been minor and that the superuser rights reportedly gained by the adversary gave them access only to password-reset functionality and the ability to trigger MFA setup prompts.

Want to read the rest of Understanding the Okta Compromise? Click the button below to find the full article.

Threat Hunting: How to do Digital Forensics in DLP

By Ricoh Danielson

Today’s data landscape is vastly different than it was just several years ago. The proliferation of public cloud platforms, mobile devices, and new applications such as Dropbox have changed the way organizations store, transfer, and share their data. 

Digital forensics is an evidence-gathering process used to collect digital artifacts from computers, storage devices, and networks.

Computer forensics is a subset of digital forensics and involves using specialized tools to acquire and analyze data in order to reconstruct or prove a certain set of events.

Because of the highly confidential nature of digital assets in corporate data centers, it is important for Data Loss Prevention (DLP) solutions to integrate robust digital forensic analysis capabilities. 

Want to read the rest? Click the button below to find the full article.

Threat Hunting: MITRE ATT&CK – T1036: Masquerading

By Austin Miller 

On to number eight in our Top 10 MITRE ATT&CK procedures used by the adversary – masquerading. Found in 9% of samples analyzed by Picus in their recent Red Report research, this is a form of defense evasion that involves spoofing artifacts to make the infection and breach appear legitimate.

Masquerading is a major reason why malware sits dormant and unnoticed in systems for long periods of time despite otherwise effective cybersecurity measures.  

What is masquerading?

Masquerading is any kind of evasive action in which the adversary manipulates its own artifacts to cover its trail, so that they appear legitimate and benign to security professionals and security tools.

Any time that a file, metadata, task or service is edited to hide the adversaries’ tracks, we’re talking about masquerading. 
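A defender-side illustration of the definition above, as an added example that is not part of the article: it runs a few T1036 checks over constructed process image paths (a system binary outside its usual directory, a look-alike name, a double extension, and a right-to-left-override file name). The allow-list of expected directories and the sample events are assumptions made up for the example.

```python
"""Flag process image paths that show T1036 masquerading indicators (added example)."""
import ntpath
from typing import NamedTuple

# Assumption: stand-in allow-list of where a few well-known Windows binaries live;
# a real deployment would build this from a golden image.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat"}
DECEPTIVE_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".txt"}
RLO = "\u202e"  # right-to-left override, used to hide a file's real extension

class Finding(NamedTuple):
    path: str
    reason: str

def one_char_off(a: str, b: str) -> bool:
    """True if a and b differ by exactly one character (svch0st vs svchost)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def check_image_path(image_path: str) -> list[Finding]:
    """Return every masquerading indicator found in one process image path."""
    directory, name = (part.lower() for part in ntpath.split(image_path))
    stem, ext = ntpath.splitext(name)
    findings = []
    if RLO in name:
        findings.append(Finding(image_path, "right-to-left override in file name"))
    if ext in EXECUTABLE_EXTS and ntpath.splitext(stem)[1] in DECEPTIVE_EXTS:
        findings.append(Finding(image_path, "double extension disguises an executable"))
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(Finding(image_path, f"{name} outside its expected directory"))
    for known in EXPECTED_DIRS:
        if one_char_off(name, known):
            findings.append(Finding(image_path, f"look-alike of {known}"))
    return findings

def scan(image_paths: list[str]) -> list[Finding]:
    """Run the checks over a batch of image paths from process-creation events."""
    return [f for path in image_paths for f in check_image_path(path)]

# Constructed sample events (not real telemetry): one benign, four masquerading.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\Users\alice\Downloads\invoice.pdf.exe",
    "C:\\Users\\alice\\Downloads\\report" + RLO + "fdp.exe",
    r"C:\Windows\System32\svch0st.exe",
]
```

Calling `scan(SAMPLE_EVENTS)` yields one finding per disguised path and none for the genuine svchost.exe; in practice the image path would come from a process-creation event such as Sysmon Event ID 1.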

Want to read the rest? Click the button below to find the full article.

Cybersecurity News: News Bytes

Anonymous leaks Nestle 10GB database

In a continued protest against the Russian-Ukrainian conflict, hackers working under the Anonymous name have turned their attention to organizations that are refusing to stop trading in the Russian Federation. This includes the controversial confectionery company Nestlé, which has had a 10GB database leaked.

Up until Thursday 25th March, Nestlé had refused to leave Russia, and Anonymous stated that they would take down the corporate giant. As is to be expected from a company of that size, government direction was ignored.

Nestlé’s reaction so far has been to deny that a hack has happened at all, instead stating that the data leak was an accidental data dump on their behalf.

Still, they have decided to stop selling their biggest products in the region. It seems that hacktivism is working in this conflict.

Want to read the rest of this week’s news? Click the button below.

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting. 

Data Loss Prevention 

  • googleapis/nodejs-dlp: Node.js client for Google Cloud Data Loss Prevention: Understand and manage sensitive data. 
  • nightfallai/nightfall-python-sdk: This SDK provides Python functions for interacting with the Nightfall API. It allows you to add functionality to your applications to scan plain text and files in order to detect different categories of information. 
  • insightlake/Data-Security: Insight Lake Security Manager solves this problem by allowing companies to manage security and monitoring of data assets (files, databases), which are present in cloud or on-premise centrally. 

Cloud Access Management 

  • hortonworks/cloudbreak: CDP Public Cloud is an integrated analytics and data management platform deployed on cloud services. It offers broad data analytics and artificial intelligence functionality along with secure user access and data governance features. 
  • saltstack/salt: Built on Python, Salt uses simple and human-readable YAML combined with event-driven automation to deploy and configure complex IT systems. In addition to leveling-up vRealize Automation SaltStack Config, Salt can be found under the hood of products from Juniper, Cisco, Cloudflare, Nutanix, SUSE, and Tieto, to name a few.
  • common-fate/iamzero: IAM Zero detects identity and access management issues and automatically suggests least-privilege policies. It does this by capturing errors in applications you build or commands that you run which use.
