Okta’s security chief on the company’s own cyberattack and how the ‘battleground’ has shifted
Okta is one of the largest security companies in the world, helping big-name clients in the public and private sector protect themselves. But the company has had several of its own security incidents, including the most recent last October.
That’s when unidentified nation-state attackers used stolen Okta credentials to access customers' files that had been uploaded to the company’s support case management system. The stolen files replicated browser activity and contained “sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
The incident affected several large Okta customers, like password manager 1Password and cybersecurity and networking giant Cloudflare, which did not hold back in its criticism, urging Okta to “take any report of compromise seriously and act immediately to limit damage.”
At the RSA Conference in San Francisco this week, Okta Chief Security Officer David Bradbury sat down with Recorded Future News to discuss that incident, how nation-state threats are evolving, and how AI is already influencing identity-based attacks.
This interview has been edited for length and clarity.
Recorded Future News: Since the October intrusions, what lessons were learned and what changes were made?
David Bradbury: Let me tackle them in two parts. If I look at the last 12 months, I see a real shift in the battleground where threat actors are coming after our customers. We have a front row seat into identity-based attacks.
What we've seen over the last year is that the traditional attack is always pre-authentication. They're going after your password. They're coming after you directly. What we're seeing now is a shift away from that and actually more into post-authentication. So the idea that they’re not going to try and target your login page anymore or your passwords or your credentials.
They’re actually just gonna go straight to your browser and steal that little session token cookie that's in your browser. And they’re just gonna copy it and paste it into their own browser and access all your applications. This is a post-authentication attack.
So I think about our incident that we had in October, where they came after our customer support system where customers had uploaded those exact little tokens. Or think about the Microsoft incident, where threat actors got access to the emails and went searching through their email for exactly the same things.
And so this is where threat actors are starting to shift to, so I think there's a positive and a negative. The positive I think is as an industry we’ve done a pretty good job with multifactor. Everyone knows what it is. My parents know what it is. My daughters know what it is. But that means that threat actors are going to focus on what works, and if that's hard now what's easy is going after your web browser.
So it could be malware on your [device], which just lifts the cookie straight off [your device], or phishing, which still works. And AI has a role to play here too. For example, it makes the wording that's on pages more grammatically perfect. There are tools that are out there, which [replicate] pixel perfect representations of an Okta login page.
So whether it's phishing, whether it's malware, going straight after these session cookies, that's where we're seeing the battleground shift over the last 12 months.
When it comes to session tokens, we're doing our part. We’ve implemented some features where if you're an admin, you're logging in to Okta and your IP address changes, so if someone's stolen your cookie and put it in a different browser we immediately log you out. So every button click that you make in the Okta platform, if we see your IP address change, you’re gone.
We implemented that straight after the incident in October and we analyzed all the different incidents that have targeted our customers over the past couple of years. And that one change impacts almost all of them. It's a really big, really impactful change.
Because the way I think about the Okta superadmin is the same as the Microsoft domain admin, which is the butt of so many security jokes. I do not want Okta’s superadmin to be the butt of jokes. So I've been working nonstop for the last six months trying to figure out how we secure that account. It’s all very much focused on ‘How have we seen threat actors try to use or abuse Okta? How do we make sure that we can break the chain at every part of that attack?’
RFN: What advice would you give to large companies going through an incident similar to what Okta experienced in the fall?
DB: There's been a shift in the perspective of the CISO community and the InfoSec community, which is that transparency creates trust. But it can't just be a small amount of transparency. We're expecting extreme rawness. And so every moment that we've had over the past couple of years to sort of reflect on how we can tell a deeper story, we've leaned more into that.
Culturally, at any company, that is hard because it's not built into anyone's DNA of every time you have a mistake, let's go and advertise that in big detail. And so it's been a really big influence campaign for me internally to approach the people who are largely not leaning into that sort of culture immediately. And I think we've got there as a company.
But there are shining beacons in the industry. Whether it was Cisco's response to their incident about a year ago. Hugely detailed. They addressed the CISO, executive side with big amounts of information and then Talos blogs gave the technical side.
And I use them as an example because whether it's those guys, whether it's Cloudflare and others, we're seeing that everyone's moving to that as the de facto standard.
But it's only becoming that standard because of peer pressure. And that's where I think we can influence [Cybersecurity and Infrastructure Security Agency head] Jen Easterly and the CISA team to sort of bring a bit more rigor to this and actually templatize and standardize. We're doing our bit and I see other people in the industry trying to drive this but I like the fact that there's now an expectation.
RFN: As we have seen from the incidents announced by your company, Microsoft and others, nation-state attacks are getting more sophisticated and highly targeted. From your vantage point, how are nation-state attacks evolving?
DB: It's a really, really interesting point in time right now where we have an election year. We also have the Olympics happening, we have multiple wars, we have universities that are having challenges at the moment. And Okta has customers all around this ecosystem or touching up on all of these elements in some way. So particularly in the last six- to 12 months, there's been a huge spike in nation-state interest. Other companies have attributed our incident in October back to nation-state activity. We see that Microsoft's recent incidents have been attributed in the same way.
Nation-state actors are spending far more energy than they have in previous years, analyzing burning zero-days. And it's very interesting that it's happening in a very compressed time period. It's just been in the last 12 months and so given everything that's happening domestically, internationally, I do see a linkage between these two that there is a spike here.
And as we think about the U.S. federal customers that we protect, it's particularly an area of concern for them and we're stepping up our game in ensuring that we're protecting them as things start to ramp up.
But the bit that I find most tricky from a federal and sort of a nation-state perspective is that we've applied a threat model to our platforms that I think covers all the bases, and then we come across an incident like the one we had in October where it was our customer support system. And a customer had uploaded a file containing a session token to that system. And we failed to protect that, and it was separate to our production [platform].
We have always focused on the Okta service as where we need to protect the most. That's not the right threat model. We need to protect the same threat model we put on production and apply it to everything. And that is a different way of thinking and if you talk to CISOs they'll tell you ‘I can't do everything. So I have to use a risk-based approach. I target the critical things more than the less critical things.’
If you're a critical infrastructure provider, we can't do that. I think that's what you're seeing with Microsoft right now in the same camp. We've all had to make trade-offs over the last decade as to where we put more energy or less energy. And for folks like us, we can't do that. We have got to put the same energy everywhere.
We've got a massive election year ahead of us here in the US. I'm worried about the media outlets that we protect, I'm worried about the political parties we protect. It's going to be a fascinating six months as we build up to the day when the U.S. election happens.
RFN: What are the ways that threat actors are actually using AI right now?
DB: Threat actors, just like the vendors here at RSA, are still figuring out how to use AI most effectively. We have seen that the quality has improved of phishing pages and phishing emails. It’s usually a tip-off if you see poor language — you're not seeing that anymore.
So whether that's AI or whether they’re just using better products, there's just an improvement in quality that we've seen. We're seeing our own CEO get targeted with a fake voicemail, where that was sent via WhatsApp to one of our sales executives. They forwarded it on and it was a pitch-perfect rendition of his voice, asking them to contact them. We're seeing that type of generative AI technology being used by threat actors.
I think that Microsoft and us are two examples of companies that are really focused on security because the threat landscape around us both, while it's always been bad, over the last 12 months it's gotten worse. The next six months I think are critical for both our companies to protect the world, because we're going through some really tough times. So it's going to be a fascinating era.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.