Oort Knowledge Base

Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It


Yesterday Okta announced a security breach that involved an attacker gaining access to their source code hosted in GitHub. This isn’t the first time, and it certainly won’t be the last time, that we see attackers targeting GitHub repositories. In this blog, I wanted to address why it’s such a popular target, and offer advice for protecting your own repositories.

Why Attackers Target GitHub Repositories

GitHub is awesome - community-driven and open-source focused. It truly made open source collaboration accessible to a wider audience from the moment it was launched in 2008.

Now, with 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It’s a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world. Let that sink in.

It’s no wonder that an attacker went after Okta’s source code. They’re just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before. The attacker behind the Microsoft attack, Shiny Hunters, was known to specifically target private GitHub repositories. Shiny Hunters would go on to breach tens of companies using this technique, selling their data across various dark web marketplaces.

What Are Attackers Looking For?

It’s not hard to understand why attackers target organizations’ GitHub accounts. In some cases, such as Okta, they might be able to gain access to source code. However, more often, there is sensitive information that can be used in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.
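The hardcoded keys and passwords described above are also what a defender should be hunting for before an attacker does. The scanner below is an added example written for this post, not Oort's or GitHub's code: it runs a few credential-shaped patterns over file contents (an AWS access key ID shape, a PEM private-key header, and generic `password = "..."` style assignments), filters out low-entropy placeholders such as `changeme` and templated values like `${VAR}`, and reports redacted findings. The sample configuration text is constructed for the example and the AWS key in it is the well-known documentation example value, not a real credential.

```python
"""Scan text or a directory tree for hardcoded credentials.

Added example for this post. The patterns are deliberately simple; a
production scanner (GitHub secret scanning, gitleaks, trufflehog) covers
far more shapes, but the mechanics are the same: pattern match, then
filter out placeholders so the findings are worth a human's time.
"""
import math
import re
from collections import Counter
from pathlib import Path

# Credential shapes. The generic rule has no leading \b so that
# "db_password = ..." still matches (underscore is a word character).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed sample config, not taken from any real repository.
SAMPLE = """\
# constructed sample config, not from any real repository
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "Xk9#pL2!qR7vT4mz"
default_password = "changeme"
smtp_password = "${SMTP_PASSWORD}"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits of entropy per character; placeholders score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep just enough of the match to locate it, never the whole secret."""
    return value[:4] + "…" + value[-2:] if len(value) > 8 else "…"


def scan_text(text, path="<memory>", min_entropy=3.0):
    """Return a list of findings (path, line, rule, redacted match)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if rule == "generic_secret_assignment":
                    value = m.group(2)
                    # Skip obvious placeholders and templated values.
                    if "${" in value or shannon_entropy(value) < min_entropy:
                        continue
                else:
                    value = m.group(0)
                findings.append(
                    {"path": path, "line": lineno, "rule": rule, "match": redact(value)}
                )
    return findings


def scan_tree(root):
    """Scan every regular file under root, skipping the .git directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            try:
                findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.cfg"):
        print(finding)
```

Run against a checkout with `scan_tree(".")`; the constructed sample yields three findings (the AWS key ID, the high-entropy `db_password`, and the private-key header) while `changeme` and the `${SMTP_PASSWORD}` template are suppressed.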

Securing your Organization in GitHub

So if GitHub is so important, why haven’t these enterprise companies, who host their most sensitive code in GitHub, done a better job of locking it down?

It’s a more complex and challenging problem than you might think. It’s a story about identity security. The beauty of the GitHub model is that it allows for unfettered collaboration, but that same openness also creates one of the biggest headaches in modern IT security.

Just think about it… Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and for our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the “Sign in with GitHub” feature to use your GitHub identity in other websites and services outside of GitHub itself. And there’s more: GitHub is unique in that you don’t just sign in to their website; you also pull, push, and clone code from GitHub’s servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when they announced the deprecation of usernames and passwords for git operations last year. A step in the right direction.

Seven Tips For Securing Your GitHub

GitHub provides the tools we need to lock down the environment; you just need to know how to use them (and, in some cases, you need to be able to afford to pay for them). Unfortunately, some of the most important security capabilities require GitHub Enterprise.

Let’s unpack some of this to lay out the common issues with securing your organization in GitHub:

  • 1. Don’t allow personal accounts for work - we get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: they do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There’s just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.

  • 2. Require authentication via company SSO - unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That’s right: you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta, Azure AD, or Google Workspace, and you can lock down your organization to only allow authentication via SSO.

  • 3. Require 2FA on all accounts - even if you enforce second factor authentication (2FA, aka MFA) via your SSO, and even if you are enforcing SSO authentication, the safest option is still to enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.

  • 4. Use SSH keys for git operations - while GitHub has introduced fine-grained permission control with Personal Access Tokens (PATs), they remain susceptible to phishing, as these tokens are often copied around in plaintext. By using SSH keys for authentication of git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and also tie this to your company’s device management and your own certificate authority (CA).

  • 5. Restrict repository member privileges using roles - GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don’t make everyone an admin.

  • 6. Don’t allow outside collaborators - working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization’s repositories.

  • 7. Audit, analyze, and audit again - no organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations (such as a user who is somehow still authenticating outside of your SSO or not using 2FA).

Proper identity and access management is just one part of securing GitHub. How you maintain a secure software development lifecycle (SDLC) is an entirely different, yet equally important, topic that must build upon this solid IAM foundation.

Identity Security in 2023 and Beyond

The breach of Okta’s GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn’t a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches heading into 2023. Expect more to come.

[Figure: Marketplace listings from Shiny Hunters. Source: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/]