
Goal

Detect when an active Okta session exhibits unusual changes in device information or geo-location, potentially indicating session hijacking. An attacker may attempt to import a stolen Okta cookie into their own device in order to access the account.

Strategy

This rule alerts on significant behavioral changes within a single active session.

It monitors successful policy.evaluate_sign_on events for session and device information and evaluates several cases against them.

Events are grouped by user email and session ID (stored in @authenticationContext.externalSessionId). Within one session, the rule matches the cases below whenever the device hash differs between two events.

An alert is generated, with a severity that depends on which case matched, when two distinct devices are observed in the same session and:

  • Managed and unmanaged devices are used.
  • Okta has flagged a new device for the user.
  • Okta has flagged a new location for the user.
  • The user agent changed.
  • The ASN changed.
  • The IP address changed.
  • Either the OS or browser changed.

This detection, Okta user session hijacking behaviors, is an improved version of the previous detection, Okta session hijacking.

The detection expands on logic provided by Okta’s team within the [Customer Detections repository][1].
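The grouping and comparison described above, as an added example that is not the Datadog rule's own query or Okta's YAML: successful policy.evaluate_sign_on events are keyed by (user email, externalSessionId), the first event becomes the session baseline, and any later event with a different device hash is scored against the listed cases. Only the externalSessionId path comes from the page; the other field paths (dtHash, behaviors, device.managed, client.userAgent, securityContext.asNumber) are assumed from the Okta System Log layout, the severity mapping is illustrative, and the sample events are constructed.

```python
"""Session-scoped device-change detection over Okta System Log events (added example)."""

EVENT_TYPE = "policy.evaluate_sign_on"


def _get(event, path, default=None):
    """Walk a dotted path through nested dicts; a missing key returns default."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def fingerprint(event):
    """Extract the device/location attributes compared within a session.
    Paths other than authenticationContext.externalSessionId are assumed
    from the Okta System Log layout, not stated on the page."""
    return {
        "dt_hash": _get(event, "debugContext.debugData.dtHash"),
        "managed": _get(event, "device.managed"),
        "behaviors": _get(event, "debugContext.debugData.behaviors", "") or "",
        "user_agent": _get(event, "client.userAgent.rawUserAgent"),
        "os": _get(event, "client.userAgent.os"),
        "browser": _get(event, "client.userAgent.browser"),
        "asn": _get(event, "securityContext.asNumber"),
        "ip": _get(event, "client.ipAddress"),
    }


# Illustrative severity per case (assumed; the page only says severity varies).
SIGNAL_SEVERITY = {
    "managed_and_unmanaged_devices": "high",
    "okta_flagged_new_device": "high",
    "okta_flagged_new_location": "high",
    "user_agent_changed": "medium",
    "os_or_browser_changed": "medium",
    "asn_changed": "low",
    "ip_changed": "low",
}
_RANK = {"low": 0, "medium": 1, "high": 2}


def compare_devices(baseline, current):
    """Cases triggered when `current` carries a different device hash than the
    session baseline. An unchanged (or absent) hash yields no signals at all."""
    if baseline["dt_hash"] is None or baseline["dt_hash"] == current["dt_hash"]:
        return []
    signals = []
    both_known = None not in (baseline["managed"], current["managed"])
    if both_known and baseline["managed"] != current["managed"]:
        signals.append("managed_and_unmanaged_devices")
    if "New Device=POSITIVE" in current["behaviors"]:
        signals.append("okta_flagged_new_device")
    if "New Geo-Location=POSITIVE" in current["behaviors"]:
        signals.append("okta_flagged_new_location")
    if baseline["user_agent"] != current["user_agent"]:
        signals.append("user_agent_changed")
    if baseline["asn"] != current["asn"]:
        signals.append("asn_changed")
    if baseline["ip"] != current["ip"]:
        signals.append("ip_changed")
    if baseline["os"] != current["os"] or baseline["browser"] != current["browser"]:
        signals.append("os_or_browser_changed")
    return signals


def evaluate(events):
    """Group successful sign-on evaluations by (user email, session id); the
    first event is the baseline and later events are compared against it."""
    baselines, alerts = {}, []
    for ev in events:
        if ev.get("eventType") != EVENT_TYPE or _get(ev, "outcome.result") != "SUCCESS":
            continue
        key = (_get(ev, "actor.alternateId"),
               _get(ev, "authenticationContext.externalSessionId"))
        if None in key:
            continue
        fp = fingerprint(ev)
        if key not in baselines:
            baselines[key] = fp
            continue
        signals = compare_devices(baselines[key], fp)
        if signals:
            severity = max((SIGNAL_SEVERITY[s] for s in signals), key=_RANK.__getitem__)
            alerts.append({"user": key[0], "session": key[1], "severity": severity,
                           "signals": signals, "ip": fp["ip"]})
    return alerts


def _event(user, session, dt_hash, ip, asn, ua, os_, browser, managed,
           behaviors="", result="SUCCESS"):
    """Build a constructed System Log event in the assumed layout."""
    return {
        "eventType": EVENT_TYPE,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": session},
        "client": {"ipAddress": ip,
                   "userAgent": {"rawUserAgent": ua, "os": os_, "browser": browser}},
        "securityContext": {"asNumber": asn},
        "device": {"managed": managed},
        "debugContext": {"debugData": {"dtHash": dt_hash, "behaviors": behaviors}},
    }


# Constructed sample events (documentation IP ranges, made-up hashes).
SAMPLE_EVENTS = [
    # Session A: managed laptop, then the same session id reused from an unmanaged host elsewhere.
    _event("alice@example.com", "sessA", "dt-1111", "203.0.113.10", 64496,
           "Mozilla/5.0 (Macintosh) Chrome/124", "Mac OS X", "CHROME", True),
    _event("alice@example.com", "sessA", "dt-2222", "198.51.100.7", 64512,
           "Mozilla/5.0 (Windows NT 10.0) Firefox/125", "Windows", "FIREFOX", False,
           behaviors="{New Device=POSITIVE, New Geo-Location=POSITIVE}"),
    # Session B: same device hash, only the IP changed (network hop): no alert.
    _event("bob@example.com", "sessB", "dt-3333", "203.0.113.20", 64496, "UA-b", "iOS", "SAFARI", True),
    _event("bob@example.com", "sessB", "dt-3333", "203.0.113.21", 64496, "UA-b", "iOS", "SAFARI", True),
    # Session C: the new-device event failed policy evaluation, so it is not considered.
    _event("carol@example.com", "sessC", "dt-4444", "203.0.113.30", 64496, "UA-c", "Linux", "CHROME", True),
    _event("carol@example.com", "sessC", "dt-5555", "203.0.113.31", 64496, "UA-c2", "Linux", "CHROME", True,
           result="FAILURE"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Comparing every later event against the session's first event, rather than only against the immediately preceding one, means an attacker who replays the stolen cookie once and then goes quiet still produces an alert, and a legitimate user whose device hash is unchanged never does regardless of how often their IP moves.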

Triage and response

  1. Check the specific Okta session events to confirm behavioral changes for the affected session. Verify if the changes align with known travel or user activity patterns.
  2. Inspect the geo-location information in the logs to identify unusual locations or ASNs associated with the user. Determine if these IP addresses are from suspicious or untrusted regions, proxies, or VPNs.
  3. If the user did not make the observed authentication attempts:
    • Rotate user credentials and clear the user's active Okta sessions; a password change alone does not invalidate a session cookie that has already been stolen.
    • Confirm that no additional authentication attempts have succeeded.
    • Initiate your security incident response plan.

1: https://github.com/okta/customer-detections/blob/master/detections/suspicious_use_of_an_Okta_Session_Cookie.yml