
Identity security is bigger than just ITDR


Identity Threat Detection and Response (ITDR) is a hot topic in 2022, with Gartner having published multiple pieces of research on the subject (see Top Trends in Cybersecurity 2022 and Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response).

Given how many breaches take advantage of identity weaknesses, it’s great to see that such serious research is taking place. However, for every security team weighing whether they should invest in these capabilities for 2023, it’s also important to remember that ITDR is just one part of an overall Identity Security strategy.

Seven Identity Attacks to Bypass MFA

It’s no surprise that identity is at the forefront of the conversation given the number of major security breaches in 2022 that have featured identity at their core.

Identity-based attacks range in their sophistication, but it doesn’t take much to get started. Using a combination of social engineering and phishing has enabled attackers to steal username/password credentials and then try one of many techniques to get past MFA:

1. MFA Fatigue. The attacker simply relies on victims being conditioned to always press the “allow” button on their phone when a push notification comes up.

2. MFA Flooding. The attacker keeps triggering the push notification until sometime around 3:23 AM the victim finally gets tired of it and hits the allow button so they can sleep.

3. MFA Reset. The attacker calls the victim’s IT Helpdesk and says “I lost my phone, can you please reset my account so I can sign in and get my work done?” This then allows the attacker either to enroll a new factor upon sign-in or to persist during the generous “grace” periods allowed by MFA policy.

4. Asking nicely. The attacker impersonates someone from the victim’s IT department (potentially after spamming them with MFA push notifications) and suggests that the victim either press the “allow” button or share the one-time passcode so the MFA flooding issue with their account can be resolved (or some other excuse). Phishing, smishing, vishing - the idea is the same.

5. MITM Proxy. The attacker sets up a login page that looks and feels like the real single sign-on (SSO) page, and the victim unwittingly enters not only their username/password (common for phishing attacks) but also their one-time passcode. Or perhaps a push notification comes through at around the same time as they enter their credentials into the phishing site, and they hit “allow” on their phone thinking that the request originated from their own device, when in fact the attacker simply entered the stolen credentials into the real login page, either by swivel chair or by automation.

6. SIM Swapping. The attacker calls the victim’s mobile carrier to switch the victim’s phone number to a new SIM card in the attacker’s possession. Now any 6-digit SMS codes will arrive on the attacker’s device.

7. 0ktapus style. Finally, if you’re really committed, go compromise the Twilio account of your victim’s messaging app (e.g. Signal) to sniff SMS messages on their way to the victim’s device.

Detection versus Prevention

Can ITDR detect some of these techniques? Yes.

A good ITDR solution will detect and sometimes even block these types of attacks before they get very far.
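The MFA flooding and fatigue pattern described above is exactly the kind of behaviour a detection rule can catch. As an added example (not part of the original post and not Oort’s own detection logic), the following Python runs a sliding-window rule over constructed push events: a burst of push challenges to one user raises an alert, and an approval that lands while that burst is still inside the window is escalated as a likely fatigue approval. The event format, the 5-push threshold and the 10-minute window are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (one JSON object per line); this is not
# any vendor's real log format. alice is flooded with pushes at 3 AM and
# finally approves one; bob and carol show ordinary, low-volume activity.
SAMPLE_LOG = """
{"ts": "2022-11-14T03:15:05Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:16:10Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:17:02Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:18:30Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:19:45Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:22:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2022-11-14T03:23:30Z", "user": "alice", "event": "push_approved", "ip": "203.0.113.7"}
{"ts": "2022-11-14T08:00:00Z", "user": "bob", "event": "push_sent", "ip": "198.51.100.2"}
{"ts": "2022-11-14T08:00:20Z", "user": "bob", "event": "push_approved", "ip": "198.51.100.2"}
{"ts": "2022-11-14T09:00:00Z", "user": "carol", "event": "push_sent", "ip": "198.51.100.9"}
{"ts": "2022-11-14T10:30:00Z", "user": "carol", "event": "push_sent", "ip": "198.51.100.9"}
"""


def parse_events(raw: str) -> list:
    """Parse JSON-lines events into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def _prune(window_q: deque, now: datetime, window: timedelta) -> None:
    """Drop push timestamps that have fallen out of the sliding window."""
    while window_q and now - window_q[0] > window:
        window_q.popleft()


def detect_mfa_flood(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Raise one 'mfa_flood' alert per user when >= threshold push challenges land
    inside the window, and a 'fatigue_approval' alert if the user approves a push
    while that burst is still inside the window."""
    pushes = defaultdict(deque)   # user -> timestamps of recent push challenges
    flooded = set()               # users with an open flood alert (deduplication)
    alerts = []
    for ev in events:
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        q = pushes[user]
        _prune(q, ts, window)
        if len(q) < threshold:
            flooded.discard(user)   # burst has aged out; a new burst may alert again
        if kind == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flooded:
                flooded.add(user)
                alerts.append({"type": "mfa_flood", "user": user, "pushes": len(q),
                               "first_push": q[0], "last_push": ts, "ip": ev["ip"]})
        elif kind == "push_approved" and len(q) >= threshold:
            alerts.append({"type": "fatigue_approval", "user": user,
                           "approved_at": ts, "pushes": len(q), "ip": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_flood(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields an mfa_flood alert for alice at her fifth push and a fatigue_approval at 03:23, while bob and carol produce nothing.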

Can ITDR prevent them? No.

That’s where proactive identity security comes in. A complete and comprehensive identity security platform must include the following three capabilities:

Identity Attack Surface Mapping - ingests identity data from across your entire architecture to discover the swirling mass of identities that orbit your enterprise. Identity attack surface mapping gives your team an understanding of what’s out there - how many identities you have in your population, the demographics of the population, and how it might be changing over time. The attack surface changes day-to-day as identities join and leave your organization, so this must be a continuous process.

Identity Security Posture Management - examines the identity attack surface to find vulnerabilities, specifically accounts that are vulnerable to account takeover. An inactive account that no one has used in months is no different from an unused, unpatched server sitting in a forgotten closet somewhere. It’s an easy entry point, made even easier for the attacker if that account has not had its password rotated in years and has no second factor configured. Posture management not only finds these vulnerabilities, but recommends and even implements campaigns to clean them up - effectively “patching” your identities.
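As an added example (not Oort’s code and not part of the original post), here is what the posture check described above looks like when written down: it evaluates a constructed account inventory against inactivity, password-age and MFA-strength thresholds and attaches the remediation a cleanup campaign would drive to each finding. The 90-day and 365-day thresholds, the list of weak factors and the account data are all assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Second factors that can be phished or SIM-swapped; treated as weak here.
WEAK_FACTORS = {"sms", "voice"}

# Thresholds are assumptions for this example, not values from the post.
INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 365


@dataclass
class Account:
    user: str
    last_login: Optional[date]       # None means the account never signed in
    password_last_set: date
    factors: List[str] = field(default_factory=list)


# Constructed inventory; names and dates are made up for the example.
TODAY = date(2022, 12, 5)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", date(2022, 1, 10), date(2019, 3, 1), []),
    Account("dave", date(2022, 11, 30), date(2022, 6, 1), ["sms"]),
    Account("erin", date(2022, 12, 1), date(2022, 9, 15), ["push", "webauthn"]),
    Account("contractor-x", None, date(2022, 5, 1), []),
]


def assess(acct: Account, today: date = TODAY) -> List[str]:
    """Return the posture findings that make this account an easy takeover target."""
    findings = []
    if acct.last_login is None:
        findings.append("never_logged_in")
    elif (today - acct.last_login).days >= INACTIVE_DAYS:
        findings.append("inactive")
    if (today - acct.password_last_set).days >= PASSWORD_MAX_AGE_DAYS:
        findings.append("stale_password")
    if not acct.factors:
        findings.append("no_mfa")
    elif set(acct.factors) <= WEAK_FACTORS:
        findings.append("weak_mfa_only")
    return findings


def recommend(findings: List[str]) -> str:
    """Map findings to the remediation a posture campaign would drive."""
    if "inactive" in findings or "never_logged_in" in findings:
        return "suspend account and confirm with owner before deleting"
    if "no_mfa" in findings or "weak_mfa_only" in findings:
        return "require enrollment of a phishing-resistant factor"
    if "stale_password" in findings:
        return "force password rotation"
    return "none"


def posture_report(accounts, today: date = TODAY):
    """Findings per account, highest risk first (risk = number of findings)."""
    report = []
    for acct in accounts:
        findings = assess(acct, today)
        if findings:
            report.append({"user": acct.user, "findings": findings,
                           "risk": len(findings), "action": recommend(findings)})
    return sorted(report, key=lambda r: (-r["risk"], r["user"]))


if __name__ == "__main__":
    for row in posture_report(SAMPLE_ACCOUNTS):
        print(row)
```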

Identity Threat Detection & Response - ITDR picks up where the other two leave off. No matter how perfect your IAM architecture might be and how many proactive and preventative measures you might take, something will always get through. ITDR is the last line of defense: it detects the techniques and behaviors that might indicate a successful account takeover has taken place (or is in progress).

Identity is the new perimeter and only this combination of capabilities can offer an end-to-end approach to securing that perimeter. A mature identity security program includes all three and, for organizations large enough, an identity security expert who ensures that they’re implemented properly.

Infrastructure Needs Security

Can’t I do this with my existing IAM stack? Not really.

Can you configure your router to act like a firewall? Maybe. Should you? Probably not.

Can you rely on OS-packaged endpoint protection? Sure. Should you? It depends.

Oftentimes IT infrastructure vendors will package basic security capabilities in their products to serve the majority of small and mid-size businesses that don’t require a full-blown Palo Alto or Cisco firewall or a CrowdStrike EDR. IAM infrastructure includes some security features too.

IAM infrastructure typically consists of some combination of the following technologies:

  • Directory - the database of identities and their profiles, group membership, etc. It is typically a reflection of your HR system and your vendor management system. Microsoft Active Directory is the most common directory solution for large organizations.

  • SSO - single sign-on enables users who are defined in your directory to sign in to multiple applications with a single account. It implements protocols like SAML and OIDC. Okta and Microsoft Azure AD dominate this market today.

  • MFA - augments your SSO infrastructure with additional authentication factors (including but not limited to passwordless, push notifications, and device trust). Cisco Duo is a prime example of an MFA provider.

  • IGA - identity governance and administration comes into play when companies need to audit and automate how roles and permissions are assigned within the organization and to solve the joiner-mover-leaver lifecycle for identities. IGA traditionally also provisioned accounts in applications that did not support SCIM-based provisioning, but that is less of a need today other than for legacy applications. Well-known players include SailPoint and Saviynt.

  • PAM - privileged access management helps to protect accounts that don’t fit neatly into the SSO system such as root and admin accounts for applications and devices. These are highly privileged accounts that require an extra layer of protection, usually in the form of a password vault, to prevent them from falling into the wrong hands. CyberArk and Delinea (merger of Thycotic and Centrify) are common examples.

Every one of these technologies is infrastructure - just as much as your company devices and your company network are infrastructure, so too are your Directory, SSO, MFA, IGA, and PAM solutions part of your IAM infrastructure. They’re the plumbing of the identity world.

Infrastructure needs security. You can’t rely on your devices, your networks, your applications, or your data to secure themselves. Identity is no different. Relying on IAM infrastructure to secure itself invariably leads to your SSO vendor as a single point of failure in your enterprise security architecture. This mistake has led to the rise of identity-based attacks. Attackers are effectively taking the path of least resistance by going after unprotected accounts.

The Need for Identity Security

An identity security platform, which unifies proactive identity attack surface mapping and posture management with continuous identity threat detection and response, must sit as a layer on top of your IAM infrastructure.

Oort’s Approach to Identity Security

Oort is that platform: a comprehensive solution for identity security that spans identity attack surface mapping, identity security posture management, and, of course, Identity Threat Detection and Response.

As we reflect back on the major breaches of 2022 and look toward the year ahead, the most mature security teams we encounter realize that comprehensive identity security is table stakes and a fundamental component of a modern security architecture.

I’ve always loved the cyber defense matrix that Sounil Yu created as a mental model. For every cell of the matrix, you need coverage. The user / identity row is no different. Slotting in a few examples, application security (like AppOmni) has only recently reached a level of maturity that comes anywhere close to device security (like CrowdStrike) and network security (like Palo Alto Networks, Cisco or Zscaler). Identity security and data security are just getting started.
