Lapsus$ Breach of Okta: Third-Party Incident Response

This week’s announcement by Okta that an attacker gained access to its internal systems serves as the latest reminder that organizations must maintain an up-to-date view of the technologies utilized by their third parties and supply chain partners. Lacking such a view would leave companies exposed to exploitation if one of their vendors is part of the 2.5% of Okta customers impacted by the Lapsus$ breach. What’s worse, if this breach is wider than Okta has acknowledged it could impact more than 15,000 customers and put millions of end-users at risk of compromise.

Four Questions to Answer

Determining your organization’s exposure starts with an understanding of which third-party vendors and suppliers are using the Okta solution, requires an impact assessment and remediation steps, and leverages continuous monitoring of third parties for validation. Start with answering these four questions.

1. Do you have a centralized inventory of all suppliers?

All third parties represent some level of risk to your enterprise, but unmanaged, rogue vendor usage can be even riskier if a proper security evaluation hasn’t been performed. After all, you can’t manage what you can’t see. Inventorying your vendors should be done in a centralized platform – not spreadsheets – so that multiple internal teams can participate in vendor management, and the process can be automated for everyone’s benefit. Then, conduct inherent risk scoring to help you determine how to assess your suppliers on an ongoing basis according to the risks they pose to your business.

2. Can you identify technology concentration risk among your suppliers?

As part of the inventorying process, build a comprehensive profile for every vendor that includes industry and business insights, demographics, 4th-party technology relationships, and other important information. Collecting 4th-party technologies deployed in your supplier ecosystem helps to identify relationships between your organization and third parties based on Okta usage and will help you visualize attack paths into your enterprise and take proactive mitigation steps.

3. Are you assessing impacted third parties for their business resilience and continuity plans?

Proactively engage impacted vendors with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide built-in recommendations to speed the remediation process and close those gaps quicker.

4. Are you continuously monitoring impacted vendors and suppliers for cyber-attacks?

Centrally managing vendors, understanding concentration risk, and being more proactive about assessing vendor business resilience plans is a great start. However, you have to be continuously vigilant for the next attack. That’s why you should look for signals of an impending security incident by monitoring the Internet and dark web for your vendor’s cyber threats and vulnerabilities.

Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise.