OktaFest – From Your Identity to Your Repository

Thu, 27 Jun 2024 @ 15:20:00


You’ve just been notified that some of your company’s product code and proprietary information were leaked online. Aware that your code repository is stored on your SaaS GitLab instance, you focus on GitLab SaaS logs and triage to find the nefarious actions and succeed. You want to investigate the root cause of this attack; early investigation concludes the initial attack vector was Okta (of course). So, where do you begin?

Step into our session and immerse yourself in the art of decoding Okta and GitLab logs, hunting threats in real-world environments, and avoiding misconfigurations in your organization like never before.

Session Detail

Okta’s log is enormous, comprising 900 event types and 90 fields per log, all within a single system log file where all the magic happens. Besides that, GitLab, often seen as a straightforward SAAS, has a wide attack surface and abusable features across its platform.

In this talk, we are going to teach how to perform a threat hunt on Okta and GitLab services via a story about an attack, step by step. We’ll also discuss common misconfigurations and key features that you must use for a secure organization.

This lecture consists of 3 parts: an Okta and Gitlab log introduction for investigation purposes, an example of a full attack path, and a summary that includes security recommendations.

Starting with Effective Log Analysis, we’ll explore Okta log structure and content, including the relevant fields and events critical for threat detection, like DetailEntry, DebugData, IPChain, and more. We’ll understand the limitations of Okta logs and discover crucial insights into actions that are not logged by default log configuration, such as API token usage and Okta Admin console access.

Moving on to GitLab, we’ll delve into GitLab’s logging, understand the different logs and actions, and additionally explore what visibility gaps are in the logs (such as authentication logs in SaaS, GET operations, MFA configuration and more).

In the second part, we’ll walk through a real-world attack story. We’ll learn to detect and respond to sophisticated threats in Okta environments through real-world examples and advanced threat hunting methods. We’ll present relevant concrete TTPs to help security personnel level up SecOps security monitoring, such as Okta MFA fatigue, Okta impossible travel, an unusual spike in GitLab bot user activity, GitLab permissive access token creation and an unusual GitLab repo download. Furthermore, we’ll explain what measures defenders and investigators can take when writing detections, and what mitigations they can perform.

Finishing with the third part, we’ll elaborate on the most common misconfigurations or scenarios that can enable attackers to pivot from Okta to breach GitLab. Additionally, we’ll discuss which GitLab features can be abused to exfiltrate secrets. We’ll finish with dos and don’ts when creating a secure environment that consists of Okta and GitLab

Session Takeaways:

Participants will learn to analyze Okta and GitLab logs effectively for rapid threat detection, recognize the potential damage of an Okta breach and how to mitigate such risks through real-world cases, gain in-depth knowledge of GitLab threat hunting techniques, and enhance your organization’s security posture with recommendations for concrete hardening actions.

Submitter’s Comments

This session leverages insights gathered from analyzing many customer Okta instances and threats like 0ktapus.

An example of such knowledge is available in our relevant blog posts: