The recent increase in sophisticated cyberattacks highlights the vulnerabilities inherent in online platforms and identity management systems. To address the increased risk, Semperis recently expanded Purple Knight, its open-source, community-based vulnerability assessment tool, to encompass the Okta identity management platform. This strategic move is geared toward bolstering the security of organizations’ identity management infrastructure and ensuring a seamless user experience devoid of breaches.

The significance of Purple Knight’s integration of AD, Entra ID, and Okta indicators

One of the hallmark features of Purple Knight is its ability to spot security misconfigurations and vulnerabilities in Active Directory and Entra ID (formerly Azure Active Directory) environments—this capability now also covers Okta. Based on requests from users, Semperis added support for Okta in August: This expansion turned out to be timely in light of recent cybersecurity attacks where threat actors elevated privileges for certain accounts and used this highly privileged access to disable two-factor authentication (2FA) protection, thereby creating avenues for unauthorized access. One of the advantages of having a dedicated, in-house threat research team here at Semperis is that we can stay ahead of emerging threats by building indicators to detect known vulnerabilities, and we can often quickly develop indicators to address new vulnerabilities.

Regarding the recent Okta attacks, two of the Purple Knight security indicators for Okta that we released in August—”New Super Admin permission has been granted to a user” and “Users without Multi-Factor Authentication (MFA)“—are instrumental in detecting the reported malicious actions targeting Okta. (These indicators are highlighted in Figure 1.)

New Super Admin permission has been granted to a user

The “New Super Admin permission has been granted to a user” indicator is designed to determine whether a user has been granted “Super Admin” permissions within Okta in the preceding 7 days. This determination will foster a timely detection of any potentially unauthorized elevations in access privileges, facilitating an immediate response to secure the environment.

Users without Multi-Factor Authentication (MFA)

The “Users without Multi-Factor Authentication (MFA)” indicator checks all users and pinpoints those who currently lack MFA registration. This indicator is a vital tool in quickly identifying accounts that are more vulnerable to attacks because of disabled 2FA and prompting swift action to fortify these accounts before they become a target.

Figure 1: Partial list of Purple Knight’s security indicators for Okta: Highlighted indicators are ones that allow identifying the threat actors’ actions as part of the Okta SuperAdmin attack

How to run the Okta security indicators: A step-by-step guide 

In this section, we’ll delve into the specifics of running both Okta indicators using Purple Knight. I’ll provide detailed instructions, along with relevant screenshots, so you’ll have a comprehensive guide to using these indicators effectively. 

Step 1: Download Purple Knight v4.0 from the Purple Knight website (Figure 2)

Figure 2: Purple Knight download page

Step 2: Extract and launch the Purple Knight executable. 

Step 3: Integrate your Okta environment with Purple Knight. Instructions are detailed in the Purple Knight User Guide under the “Environment Page” chapter. 

Step 4: Under “Indicators,” make sure the following indicators are checked, and hit “RUN TESTS” when ready:

New Super Admin permission has been granted to a user (Figure 3)

Users without Multi-Factor Authentication (MFA) (Figure 4)

Figure 3: Purple Knight indicators screen with the Okta New Super Admin permission test checked

Figure 4: Purple Knight Okta indicators screen with Users without MFA test checked

Step 5: Review the findings in the Purple Knight report, under the “Additional IOEs Found” chapter, and the detailed information per indicator (Figure 5): 

Figure 5: Purple Knight report with Okta indicators highlighted

 

See Figure 6 below for results of the report showing that Super Admin privileges were granted to a user:

Figure 6: Results of the “New Super Admin permission has been granted to a user” scan

Figure 7 shows the Purple Knight report results highlighting users that haven’t configured MFA:

Figure 7: Purple Knight Okta results of scan for users without MFA configured

Purple Knight guards against Okta attacks that target risky permissions 

The integration of Purple Knight with the Okta identity management platform provides huge benefits for securing digital identities and proficiently managing access. By leveraging the “ New Super Admin permission has been granted to a user” and “Users without Multi-Factor Authentication (MFA)” security indicators in Purple Knight, organizations can robustly safeguard against the latest attempts at unauthorized access and potential breaches. 

As Semperis continues to innovate, leveraging its vast expertise in identity protection, organizations using the Okta platform—alone or in combination with the Microsoft identity platforms of Active Directory and Entra ID—can anticipate enhanced security measures, fostering a safer identity security posture. 

By using Purple Knight to identify and remediate security vulnerabilities, enterprises not only improve security of their identity environments but also assure stakeholders, partners, and customers of the safety of their data, building trust and reliability in the digital sphere. Our expansion of Purple Knight to encompass Okta is a pivotal step toward a safer, more secure digital future. If you have questions or you’re concerned about the vulnerability of your Active Directory, Entra ID, or Okta identity platforms, reach out to our team of security experts and we’ll be happy to help.

Related resources

Semperis Offers New Protection Against Okta Breaches – Semperis

Protecting Active Directory from Kerberoasting – Semperis

AD Security 101: AD Monitoring for Malicious Changes – Semperis

The post Using Purple Knight to Detect the Okta Super Admin Attack appeared first on Semperis.