We now have more details on the Lapsus$ breach of a third-party Okta support provider than we did yesterday at this time. But some major unanswered questions still remain.
David Bradbury, CSO at the prominent identity and access management vendor, released two more updates and gave a webinar presentation during the past 24 hours. Microsoft also released its own findings on the Lapsus$ hacker group, offering some clues about the threat actor’s tactics and motives.
But a number of questions remain, including about the timing of the disclosure of the incident; the first few days of the hacker group’s access; the potential impact on customers; the “blast radius” of the attack; and the motives of the Lapsus$ hacker group.
I’ve compiled details on these five questions below, after connecting today with a Forrester analyst and a number of security vendor executives who’ve been following the situation closely.
Okta didn’t have a response to these questions, saying that its public statements on the Lapsus$ breach are contained in its blog posts.
On Tuesday, Okta acknowledged that Lapsus$ — a group that has also hacked Microsoft, Nvidia and Samsung — had accessed the account of a customer support engineer, who worked for a third-party provider, in January.
“The Okta service has not been breached and remains fully operational,” Bradbury said in one of the posts.
Okta has identified the breached third-party provider as Sitel, which provides Okta with contract workers for customer support. Sitel, in its own statement, said the breach was contained to “parts of the Sykes network” — referring to Sykes Enterprises, which was acquired by Sitel last year.
What follows are details on five of the biggest remaining questions about Okta and the Lapsus$ breach.
1. Why didn’t Okta disclose the incident sooner?
The actual answer, of course, is that Okta didn’t have to disclose anything (though that may not be the case for much longer, if the U.S. Securities and Exchange Commission adopts its proposed rules for cyber incident disclosure).
But that doesn’t mean that Okta couldn’t have disclosed that something had happened, says Andras Cser, vice president and principal analyst for security and risk management at Forrester.
Okta’s timeline of events shows that on January 20, the company investigated an alert related to the cyber incident. (The alert was prompted by a new factor being added to the Okta account of a Sitel employee from a new location.) Okta escalated it to a security incident that same day, and the next day, Sitel reported that it had retained “a leading forensic firm” to do a full investigation of the incident.
Okta, however, didn’t disclose anything about the incident until Tuesday, after Lapsus$ posted screenshots on Telegram as evidence of the breach.
“The moral of the story is that if you have a problem [of this magnitude], you might want to just disclose this when it’s fresh — and not wait two months,” Cser said.
For Okta, “that [delay in disclosure] is why this is bad, right?” he said. “It’s not because they got breached — that happens. The fact is that they didn’t make any sort of disclosure.”
And while companies in this position may not always be legally required to disclose anything, “a lot of companies actually choose to do so,” Cser said.
The bottom line is that “if you have a security incident, maybe it’s worth disclosing it to the public and getting it over with. Because otherwise, something like this can happen,” he said.
Bradbury has said he was “greatly disappointed” by how long it took for Okta to receive a report on the incident, but has not indicated he believes Okta should have disclosed the incident sooner. The closest he came was to say that after Okta received a summary report about the attack on March 17, “we should have moved more swiftly to understand its implications.”
Cser said that much of the backlash about Okta’s lack of disclosure stems from the fact that the company is a prominent vendor in the cybersecurity industry, and thus is being held to a higher standard than some other companies might be. Okta’s stock price plunged 10.8%, or $17.88 a share, today.
A disclosure doesn’t have to be substantial, Cser noted. It can be as simple as saying, “We saw this problem, we’re investigating — and once we know more, we’ll let everybody know what happened,” he said.
Security researcher Runa Sandvik said on Twitter that some may be “confused about Okta saying the ‘service has not been breached.’”
“The statement is simply a legal word soup,” Sandvik said. “Fact is that a third party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.”
2. What occurred from January 16-20?
In Bradbury’s original blog post Tuesday on the Lapsus$ breach, he said that the threat actor was able to access the third-party support engineer’s laptop for five days in January. This five-day window ran from January 16-21, he said.
This information was based on the report from the cyber forensic firm, according to Bradbury.
Subsequently, Bradbury shared the Okta post that includes a timeline of events surrounding the incident. The timeline begins at January 20 (at 23:18 UTC), which is when Okta received the alert about the new factor being added to the Sitel employee’s Okta account.
However, that leaves several days unaccounted for, noted Ronen Slavin, cofounder and CTO at software supply chain security firm Cycode. Perhaps the timeline doesn’t start until January 20 because that’s when Okta first got involved — but regardless, the forensic firm has presumably gathered information on what happened prior to January 20.
In terms of what happened before that point, “we do hope to learn more from Okta,” Slavin said. “We’re eager to learn what happened during the days prior.”
Okta specified that it “received the complete investigation report” on the breach from Sitel on Tuesday.
3. How were customers impacted?
On Tuesday, Bradbury said that as many as 366 customers may have been impacted by the Lapsus$ breach (roughly 2.5% of Okta’s 15,000 customers).
In the webinar on Wednesday, the Okta CSO clarified that the company has, in fact, “identified 366 customers … whose Okta tenant was accessed by Sitel during that period” of January 16-21.
These customers’ data “may have been viewed or acted upon,” Bradbury said in one of the blog posts, without offering further specifics.
The statements by Okta so far haven’t explained how customers have been affected by the breach, according to Emsisoft threat analyst Brett Callow. “The impact is not yet clear,” Callow said in a message to VentureBeat on Wednesday.
And while Sitel says it has not found evidence of a data breach of customer systems, “absence of evidence is not evidence of absence,” Callow said.
In the past, customers disclosed by Okta have included JetBlue, Nordstrom, Siemens, Slack and T-Mobile. In 2017, Okta said that the U.S. Department of Justice was a customer.
4. Why is Okta defining the “blast radius” in this way?
In cybersecurity parlance, the term “blast radius” refers to the impact that a given cyberattack has delivered. Okta has contended that the blast radius of the Lapsus$ breach was limited to a “small percentage of customers.”
“In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question,” Bradbury said in a blog post.
Thus, the 366 customers that may have been impacted by the Lapsus$ breach represent all of the Okta customers that Sitel had access to during the five-day period in January.
What isn’t clear, however, is why Okta has chosen to define the “blast radius” in this way.
“If the incident was isolated to one support engineer at Sitel, we’d like to understand why the blast radius is not limited to what that individual accessed,” Slavin said.
Okta has specifically stated that its “SuperUser” app for support engineers didn’t have “god-like” functionality — it couldn’t access all users — and was built with least privilege as a core principle, Slavin noted. Based on what’s now known, it makes sense that the blast radius should be isolated just to what Sitel could possibly have accessed, he said.
And yet, least privilege is a concept for individual users, not teams. “This begs the question of why Okta’s scope [included] everything the team could access, rather than everything the individual did access,” Slavin said.
Okta’s statements that it has done this out of “an abundance of caution” — and in the interest of conveying the worst-case scenario — are “perfectly valid answers,” Slavin said. However, “we’re simply hoping to see more clarification as the investigation unfolds.”
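The distinction Slavin draws above (everything the team could access versus everything the one compromised individual did access) is the kind of scoping an incident responder does against a support tool's access log. The following is an added example, not Okta's or Sitel's code or data: the log format, engineer account names, tenant ids and the January 16-21 window applied to them are all constructed here, and it only assumes that a SuperUser-style tool records who acted on which customer tenant and when.

```python
# Added example: scoping an incident's "blast radius" two ways from a
# support-tool access log. All log lines, account names and tenant ids
# below are constructed for illustration; nothing here is Okta or Sitel data.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime   # when the support tool was used (UTC)
    actor: str     # support-engineer account
    tenant: str    # customer tenant acted upon
    action: str    # what the engineer did in the tool

def parse_log(lines):
    """Parse constructed 'ISO-timestamp actor tenant action' lines."""
    events = []
    for line in lines:
        ts, actor, tenant, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), actor, tenant, action))
    return events

def scope_blast_radius(events, team, compromised, start, end):
    """Return (worst_case, observed) tenant sets for the incident window:
    worst_case = every tenant any team member touched (team-wide reading);
    observed   = only tenants the compromised account itself touched."""
    in_window = [e for e in events if start <= e.ts <= end and e.actor in team]
    worst_case = {e.tenant for e in in_window}
    observed = {e.tenant for e in in_window if e.actor == compromised}
    return worst_case, observed

# Constructed sample log: three outsourced engineers, one of them compromised.
SAMPLE_LOG = [
    "2022-01-15T09:00:00+00:00 eng-a tenant-01 view_user",       # before window
    "2022-01-16T10:00:00+00:00 eng-a tenant-02 view_user",
    "2022-01-17T11:30:00+00:00 eng-a tenant-03 reset_password",
    "2022-01-18T08:15:00+00:00 eng-b tenant-04 view_user",
    "2022-01-19T14:00:00+00:00 eng-c tenant-02 reset_mfa",
    "2022-01-20T16:00:00+00:00 eng-z tenant-06 view_user",       # not on the team
    "2022-01-22T09:00:00+00:00 eng-b tenant-05 view_user",       # after window
]
TEAM = {"eng-a", "eng-b", "eng-c"}
WINDOW = (datetime.fromisoformat("2022-01-16T00:00:00+00:00"),
          datetime.fromisoformat("2022-01-21T23:59:59+00:00"))

def run_example():
    """Scope the constructed incident with eng-a as the compromised account."""
    return scope_blast_radius(parse_log(SAMPLE_LOG), TEAM, "eng-a", *WINDOW)
```

On the sample log the team-wide reading yields three tenants while the individual reading yields two; the difference is exactly the gap between "could access" and "did access" that the question above turns on.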
5. What was Lapsus$ trying to accomplish?
Perhaps most perplexing of all is the question of the threat actor’s motive in the Okta attack. Unlike cybercriminals focused on breaching a system to eventually solicit a ransomware payment, for instance, the actions taken by Lapsus$ to breach Okta’s service provider didn’t have an obvious financial angle.
If the hacker group was trying to gain access to Okta customers, in order to monetize that down the road, publicly disclosing the attack wouldn’t make any sense, said Stel Valavanis, founder and CEO of managed security services firm OnShore Security.
In terms of the purpose of the attack, “I’d say it was a way to gain a foothold into other organizations. But then why be so vocal about it?” Valavanis said.
It’s also noteworthy that Lapsus$ didn’t make any demands at all — at least not on its Telegram channel — prior to posting the screenshots this week.
The closest thing to a clue on motive is the group’s statement, in the Telegram post about Okta, that “for a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor.”
Lapsus$ followed up with another post on Tuesday, criticizing Okta for a number of its security measures.
Cser said these statements suggest that, at least in the Okta incident, Lapsus$ has been aiming to deliver reputational damage to Okta for some reason.
“It could be that they want to try to weaken Okta’s position in the market, and try to tarnish their brand image,” he said.
That, of course, just leads to another question: Why? And at their own behest, or someone else’s?
The possible answers to those questions would require some wilder speculation, so I won’t go there. But the fact that some in the industry are even speculating about these sorts of possibilities is evidence that Lapsus$, so far, is proving very difficult to read.
Across the group’s series of recent attacks, there has been “a mixture of financial targeting and some hacking of IP,” said Oliver Pinson-Roxburgh, CEO at cybersecurity services firm Bulletproof. “There is no one clear route or motive for the group.”
Researchers at Microsoft — which confirmed this week that it has been among the Lapsus$ victims — believe that Lapsus$ is “motivated by theft and destruction.” The group has in some cases extorted victims to prevent the release of data, but in others has leaked data without making any demands, the researchers said.
Based on the evidence so far, there’s also another possibility, said Demi Ben-Ari, cofounder and CTO at third-party security management firm Panorays.
The group’s approach seems to indicate that, at least in part, “their tactics here are for fun,” Ben-Ari said.
Though any “fun” — linked to a series of incidents that has now impacted at least four global tech powerhouses, in the span of a month — has most definitely been one-sided.