Okta has completed its analysis of the March 2022 incident that saw the Lapsus$ extortion crew get a glimpse at some customer information, and concluded that its implementation of zero trust techniques foiled the attack.
So said Brett Winterford, Asia-Pacific and Japan chief security officer of the identity-management-as-a-service vendor, at the Gartner Risk and Security Summit in Sydney today.
Winterford explained that the incident started in January when an Okta analyst observed a support engineer at Sitel – Okta's (former) outsourced customer service provider – attempting to reset a password to Okta's systems, but doing so from outside the expected network range and without attempting to fulfil a multifactor authentication challenge. That request sent the reset email to a Sitel email address managed under Microsoft 365 and was made with the attacker's own kit. That last item was highly unusual. Okta can see authentication requests made using the VMs Sitel used to provide support services, but Okta cannot see inside Sitel's MS365.
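The two signals Okta's analyst combined here, a password reset from outside the expected network range and no completed MFA challenge, are easy to express as a detection rule. The following Python is an added illustration, not Okta's or Sitel's code; the network ranges, usernames and log events are all constructed placeholders, and the event schema is an assumption rather than any vendor's real log format.

```python
import ipaddress
from dataclasses import dataclass

# Network ranges from which the support provider's VMs are expected to
# authenticate. Constructed placeholder CIDRs, not any real provider's ranges.
EXPECTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class AuthEvent:
    """Minimal, assumed shape of an authentication log record."""
    user: str
    action: str        # e.g. "password.reset" or "session.start"
    src_ip: str
    mfa_verified: bool  # True when an MFA challenge was completed


def outside_expected_range(ip: str, ranges=EXPECTED_RANGES) -> bool:
    """True when the source address is in none of the expected networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ranges)


def reset_anomalies(events, ranges=EXPECTED_RANGES):
    """Return password-reset events that show both signals from the write-up:
    a source outside the expected range and no MFA challenge fulfilled.
    Either signal alone is noise; together they warrant suspending the user
    and asking the provider what happened."""
    return [
        e for e in events
        if e.action == "password.reset"
        and outside_expected_range(e.src_ip, ranges)
        and not e.mfa_verified
    ]


# Constructed sample log: three resets, of which only one matches both signals.
SAMPLE_EVENTS = [
    AuthEvent("support-eng-01", "password.reset", "203.0.113.17", True),   # in range, MFA ok
    AuthEvent("support-eng-02", "password.reset", "192.0.2.44", True),     # out of range, MFA ok
    AuthEvent("support-eng-03", "password.reset", "192.0.2.99", False),    # out of range, no MFA
    AuthEvent("support-eng-03", "session.start", "192.0.2.99", False),     # not a reset
]

if __name__ == "__main__":
    for e in reset_anomalies(SAMPLE_EVENTS):
        print(f"suspend and investigate: {e.user} reset from {e.src_ip} without MFA")
```

The rule deliberately requires both conditions: legitimate engineers occasionally work from unexpected networks, and MFA failures happen on their own, but a reset request that is both off-network and skips the second factor is the combination the analyst acted on.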
Okta therefore suspended the user and inquired about any issues at Sitel, which admitted to compromise of an Active Directory account.