Although it does not have quite the gravitas of the astrophysical and philosophical debate over whether the universe has a perimeter, it is often asked whether the modern data network still has a perimeter at all. The reality is that the typical corporate network doesn’t have a single perimeter; it has many. If you’re an Okta customer, you have probably experienced an unusually high volume of malicious login attempts against that particular perimeter recently. Hopefully you have already noticed these attacks through proactive monitoring for this type of malicious activity.
Okta has defensive features collectively known as ThreatInsight to protect customers from credential-based attacks like these. By aggregating data about potentially malicious sign-in activity across all Okta customers, ThreatInsight helps prevent attacks such as password spraying, credential stuffing, and brute-force cryptographic attacks. Fortunately for cybersecurity practitioners, ThreatInsight is available to every Okta customer at no additional cost.
Credential-based attacks rely on common, weak, or stolen identity information to impersonate legitimate users and take control of valid accounts. Typically, these identity-oriented attacks rely on usernames and passwords that have been stolen in data breaches, captured in phishing campaigns, or traded in dark web forums. Since Internet-facing applications can be accessed from anywhere, attackers across the globe use simple automated tools to test these captured login credentials against a vast multitude of online services. Attackers conduct brute force and password spray attacks that rely on the systematic or automated use of weak and common passwords, often combined with a known set of usernames. These attacks are simple to develop and deploy against any number of targets. Because only a small fraction of attempts will ever succeed, the enormous scale and simplicity of these attacks work in the attacker’s favor.
ThreatInsight is used to detect malicious activity prior to login. It evaluates login requests to identify potential threats before authentication occurs by analyzing the source IP address. If a sign-in request comes from a potentially malicious IP address, the user is denied access. Malicious IP addresses used in these attacks are collected from and shared with all Okta customers with ThreatInsight enabled to prevent successful logins from attackers.
Often organizations only realize they are the target of a credential-based attack when a user’s account becomes locked out. Brute force identity attacks can also take the form of a denial-of-service attack through the continual, systematic, and deliberate locking out of accounts. ThreatInsight works to eliminate this issue because blocked requests aren’t treated as failed user sign-in attempts: when ThreatInsight is fully enabled, a request blocked before authentication does not count toward the account’s failed-authentication total. This produces fewer account lockouts for users and allows ThreatInsight to learn from the attacks for future shared defenses.
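To make the two points above concrete (a pre-authentication source-IP gate, and blocked requests not counting toward lockout), here is a small simulation written for this post. It is added example code, not Okta’s implementation: the lockout threshold of 5 failures, the spray heuristic of 10 or more distinct usernames from one address, the IP addresses, and the traffic itself are all constructed assumptions. Where ThreatInsight draws its blocklist from activity aggregated across all customers, the toy derives one locally from the spray detector so the example runs offline.

```python
"""Toy model of an IP-reputation gate in front of a lockout policy.

Added example for illustration only; not Okta's code. All thresholds,
addresses and traffic below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5   # failed attempts before an account locks (assumed policy value)
SPRAY_MIN_USERS = 10    # distinct usernames from one IP that we treat as spraying (assumed)


@dataclass
class Attempt:
    ip: str
    username: str
    password_ok: bool


@dataclass
class Gate:
    blocklist: set = field(default_factory=set)
    failures: Counter = field(default_factory=Counter)   # failed attempts per username
    blocked: Counter = field(default_factory=Counter)    # blocked requests per IP
    locked: set = field(default_factory=set)

    def handle(self, a: Attempt) -> str:
        # Pre-authentication check: the source IP is evaluated before the
        # credentials are, so a blocked request never reaches the password
        # check and therefore never increments the account's failure count.
        if a.ip in self.blocklist:
            self.blocked[a.ip] += 1
            return "BLOCKED"
        if a.username in self.locked:
            return "LOCKED"
        if a.password_ok:
            self.failures[a.username] = 0
            return "SUCCESS"
        self.failures[a.username] += 1
        if self.failures[a.username] >= LOCKOUT_THRESHOLD:
            self.locked.add(a.username)
        return "FAILURE"


def spray_sources(attempts, min_users=SPRAY_MIN_USERS) -> set:
    """Flag IPs whose failed attempts touch many distinct usernames,
    the signature of password spraying (few passwords, many accounts)."""
    users_per_ip = defaultdict(set)
    for a in attempts:
        if not a.password_ok:
            users_per_ip[a.ip].add(a.username)
    return {ip for ip, users in users_per_ip.items() if len(users) >= min_users}


def run(attempts, blocklist=frozenset()):
    """Replay the attempts through a gate; return (outcome counts, gate state)."""
    gate = Gate(blocklist=set(blocklist))
    outcomes = Counter(gate.handle(a) for a in attempts)
    return outcomes, gate


# Constructed traffic: one address (documentation range) sprays 12 accounts,
# 6 attempts each, then a legitimate user mistypes once and then signs in.
ATTACK_IP = "203.0.113.7"
SPRAY = [Attempt(ATTACK_IP, f"user{i}", False) for i in range(12) for _ in range(6)]
LEGIT = [Attempt("198.51.100.20", "user3", False),
         Attempt("198.51.100.20", "user3", True)]
TRAFFIC = SPRAY + LEGIT

if __name__ == "__main__":
    no_gate, g1 = run(TRAFFIC)
    print("without gate:", dict(no_gate), "locked accounts:", len(g1.locked))
    gated, g2 = run(TRAFFIC, spray_sources(TRAFFIC))
    print("with gate:   ", dict(gated), "locked accounts:", len(g2.locked))
```

Run without the gate, every sprayed account locks and the legitimate user is locked out of user3 even with the right password, which is the denial-of-service effect described above. With the spraying address on the blocklist, all 72 attacker requests are turned away before authentication, no failure counters move, and the legitimate sign-in succeeds.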
Okta’s ThreatInsight helps organizations proactively defend against identity attacks by leveraging data analysis, machine learning, and collective insights from across the Okta customer community. In the future, we are going to take a further look into the various cybersecurity features of Okta and ThreatInsight. If you have any further questions or need assistance, contact us.