Full Report
Wiz extends support to Okta with identity modeling on the Wiz Security Graph, visibility, risk assessment, and real-time threat detection for your Okta environment
Analysis Summary
# Tool/Technique: Okta Identity Management Security and Risk Analysis (via Wiz integration)
## Overview
This summary focuses on the capabilities added to the Wiz platform to secure organizations that use Okta for cloud federation and identity management. The primary purpose is to gain deep visibility into Okta identities, API tokens, cloud permissions and misconfigurations, and to detect, in near real time, threats and attack paths that originate from Okta.
## Technical Details
- Type: Tool/Framework Enhancement (Focus on Identity Governance and Threat Detection)
- Platform: Okta and the cloud environments it federates (the announcement does not name providers; AWS, Azure and GCP are implied by the cloud-entitlement context)
- Capabilities:
  - Comprehensive visibility into Okta identities and permissions
  - Effective permission analysis (identifying high-privilege, admin, or excessive permissions)
  - Attack path analysis correlating Okta risks with cloud risks
  - Enforcement of secure configuration via built-in checks
  - Near real-time threat detection within Okta
- First Seen: Not explicitly stated (this is a product launch/feature announcement).
## MITRE ATT&CK Mapping
Since this is a security posture management and detection capability rather than a specific adversarial tool, the mapping reflects the *risks* being addressed:
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (related to potential account takeover if credentials are compromised)
  - T1552 - Unsecured Credentials
- **TA0004 - Privilege Escalation**
  - T1078 - Valid Accounts
    - T1078.004 - Cloud Accounts (focus on analyzing misuse of Okta-linked cloud accounts)
- **TA0005 - Defense Evasion**
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (related to detecting the disabling of MFA)
- **TA0011 - Command and Control** (indirectly, by analyzing the blast radius of threats originating from Okta)
## Functionality
### Core Capabilities
- **Visibility & Modeling:** Centralized view of all Okta identities, group memberships, and their resulting cloud effective permissions, modeled on the Wiz Security Graph.
- **Least Privilege Enforcement:** Automatic identification of Okta identities holding cloud high privileges, admin roles, or excessive permissions, providing granular remediation steps.
- **Configuration Security:** Built-in checks to assess Okta security posture against best practices (e.g., hardware authenticator requirements for MFA, adherence to password policies).
### Advanced Features
- **Attack Path Analysis:** Correlation of Okta identity risks (misconfigurations, excessive permissions) with downstream cloud risks (sensitive data, vulnerabilities, exposed secrets) to map Okta-to-cloud attack paths leading to critical breaches.
- **Real-time Threat Detection:** Introduction of built-in threat detection rules for Okta, specifically noting detection for:
  - Okta user MFA deactivation.
  - MFA enumeration brute force attempts.
- **Contextual Response:** Graph-based context provided to understand the "blast radius" of detected Okta threats within the broader cloud environment.
## Indicators of Compromise
This section describes the indicators the *Wiz tool detects* about potential risks or threats, not the indicators left by a specific adversary tool.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on the platform configuration/behavior, not external C2 traffic analysis for this feature set)
- Behavioral Indicators:
  - MFA deactivated for an Okta user.
  - MFA enumeration brute force activity targeting Okta.
  - Accounts with excessive or admin cloud permissions linked via Okta.
  - Deviations from recommended Okta password or MFA policies.
## Associated Threat Actors
The article does not name specific threat actors, but the context implies actors who use compromised credentials (77% of attacks, according to Verizon) or exploit identity misconfigurations to gain initial access to, or move laterally within, cloud environments federated via Okta.
## Detection Methods
This describes how the security platform *Wiz* detects the risks:
- Signature-based detection: Use of built-in threat detection rules for specific behavioral anomalies (e.g., MFA deactivation).
- Behavioral detection: Analysis of identity behavior patterns, permission usage, and correlation across the security graph.
- YARA rules if available: N/A (Not applicable for platform configuration monitoring).
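The two Okta MFA rules named under Advanced Features and Detection Methods (MFA deactivation, MFA enumeration brute force) as a small detection script. This is an added example, not Wiz's or Okta's code: the event type names, the `actor`/`target`/`outcome`/`client` field layout and the threshold are assumptions modelled on Okta System Log events, and the sample events are constructed.

```python
# Added example, not Wiz or Okta code: the two Okta MFA detection rules the
# summary names, run over constructed events in Okta System Log shape.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Okta System Log event types; verify against your own tenant's logs.
MFA_DEACTIVATE = "user.mfa.factor.deactivate"
MFA_VERIFY = "user.authentication.auth_via_mfa"

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def _event(event_type, actor, when, result="SUCCESS", target=None, ip="198.51.100.7"):
    """Constructed sample event (not real log data) with the fields the rules read."""
    return {"eventType": event_type, "published": when, "outcome": {"result": result},
            "actor": {"alternateId": actor}, "target": [{"alternateId": target or actor}],
            "client": {"ipAddress": ip}}

# alice: 5 failed MFA verifications in 40 s; bob: a single benign failure;
# an admin deactivates carol's factor from a different address.
SAMPLE_EVENTS = [_event(MFA_VERIFY, "alice@example.com", f"2024-05-01T09:00:{s:02d}.000Z", "FAILURE")
                 for s in range(0, 50, 10)]
SAMPLE_EVENTS += [_event(MFA_VERIFY, "bob@example.com", "2024-05-01T09:01:00.000Z", "FAILURE"),
                  _event(MFA_DEACTIVATE, "admin@example.com", "2024-05-01T09:05:00.000Z",
                         target="carol@example.com", ip="203.0.113.9")]

def detect_mfa_deactivation(events):
    """One alert per factor deactivation: who did it, to whom, from where."""
    return [{"rule": "okta_mfa_deactivated", "actor": e["actor"]["alternateId"],
             "target": e["target"][0]["alternateId"], "ip": e["client"]["ipAddress"]}
            for e in events if e["eventType"] == MFA_DEACTIVATE]

def detect_mfa_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per user whose failed MFA verifications reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["eventType"] == MFA_VERIFY and e["outcome"]["result"] == "FAILURE":
            failures[e["actor"]["alternateId"]].append(_ts(e))
    alerts = []
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "okta_mfa_brute_force", "actor": user,
                               "failures": end - start + 1, "first_seen": times[start]})
                break
    return alerts
```

Running both detectors over `SAMPLE_EVENTS` yields one deactivation alert (carol, actor admin, 203.0.113.9) and one brute-force alert (alice, 5 failures); bob's single failure stays below the threshold.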
## Mitigation Strategies
- **Prevention (Configuration/Access):** Implementing strong password policies and mandatory hardware authenticator MFA policies within Okta.
- **Hardening Recommendations:** Following guided remediation steps provided by Wiz to scope down excessive cloud permissions granted to Okta identities.
- **Proactive Risk Removal:** Utilizing attack path analysis to proactively remove Okta-to-cloud attack paths before exploitation.
- **Identity Governance:** Ensuring the principle of least privilege by regularly reviewing and adjusting effective permissions for all Okta users.
## Related Tools/Techniques
- **Identity/Access Management Solutions:** Okta, Azure AD, Ping Identity (as competitors or systems managed alongside).
- **CIEM Tools:** Cloud Infrastructure Entitlement Management tools (used for analyzing cloud permissions).
- **Security Posture Management Tools:** Cloud Security Posture Management (CSPM) solutions that integrate identity context.