kbailey: rule for phished okta session #500
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…om/panther-labs/panther-analysis into kbailey-okta-stolen-session-cookie
edyesed
suggested changes
Sep 19, 2022
…om/panther-labs/panther-analysis into kbailey-okta-stolen-session-cookie
edyesed
reviewed
Sep 21, 2022
edyesed
reviewed
Sep 21, 2022
jacknagz
reviewed
Sep 22, 2022
| [prev_ua] = [x for x in PREVIOUS_SESSION if "user_agent:" in x] or ["prev_ua_not_found"] | ||
| prev_ua = prev_ua.split("_agent:")[1] | ||
|
|
||
| diff_ratio = SequenceMatcher( |
There was a problem hiding this comment.
Is there a way to send this as alert context? It'd be super interesting and helpful for tuning.
There was a problem hiding this comment.
It may also be great to just include this as a helper function.
There was a problem hiding this comment.
Will investigate the helper function. That is a good point.
re: alert context -- It is returned. On line 78 I add the diff ratio to the PREVIOUS_SESSION set (I figured this would be relevant for adjusting the ratio when tuning false positives) and then line 93 appends the previous session info to the default Okta alert context.
egibs
approved these changes
Oct 31, 2023
There was a problem hiding this comment.
Chatted with @arielkr256 about this a bit today -- everything looks good.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
This rule detects two different devices using the same Okta session. Using tools like Evilginx2, attackers can phish session cookies, effectively bypassing non-FIDO2 MFA devices. When this occurs, the user and attacker use the same session token. This detection takes advantage of that abnormality. This attack vector has recently become one of the most popular initial access vectors for attackers.
To determine if multiple devices are using the same session, this rule uses two data points, the ASN of the request and a fuzzy string match of the user agents. We implement a fuzzing string match in this situation because it is possible in some instances for a session to persist across a browser upgrade, causing false positives. The sensitivity of the match can be adjusted in the rule.
Changes
Testing