Okta Alert Details
Alert ID: OKTA-EXTERNAL-REMOTE-7842
Alert Time: 2024-02-11 07:30:45 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Suspicious VPN Login – New Location + Impossible Travel”
MITRE ATT&CK: T1133 – External Remote Services
Alert Details:
User: awilson@company.com (Alex Wilson, IT Administrator)
Application: Palo Alto GlobalProtect VPN
Time: 07:28 EST
Risk Signals:
1. New Location:
– City: Moscow, Russia
– IP: 89.248.165[.]23
– ISP: Digital Energy LLC
– First time this user has logged in from Russia
2. Impossible Travel:
– Previous login: 07:00 EST from New York, USA
– Current login: 07:28 EST from Moscow, Russia
– Travel time required: 10+ hours
– Actual time elapsed: 28 minutes
– Score: 99/100 (impossible)
3. Device Profile:
– Device: Windows 10 (unrecognized)
– Browser: Chrome 121
– User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
– No previous authentication from this device
4. Authentication Method:
– Username/Password + Okta Verify (MFA)
– MFA push accepted from Moscow location
– User’s registered device is in New York
Additional Context:
– User has privileged access (IT Administrator)
– Can access critical systems via VPN
– No travel plans to Russia
– The MFA push was approved while the user's registered phone is in New York: either the attacker controls that phone (device compromise or SIM swap) or the user approved a push they did not start. Confirm directly with the user.
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Okta risk signals | Okta Admin Console | Confirmed impossible travel + new location |
| 2. User Contact | Reach user immediately | Phone, Teams, In-person | User confirmed in New York; did not approve MFA |
| 3. Immediate Containment | Disable user account | Okta, Active Directory | Account disabled within 5 minutes |
| 4. Session Termination | Revoke all active sessions | Okta, VPN | All sessions terminated |
| 5. Investigation | Determine MFA bypass method | Okta Logs, Mobile Device | User’s Okta Verify push was accepted; likely MFA fatigue attack |
| 6. Credential Reset | Force password reset | Okta, AD | Password reset; MFA re-enrolled |
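The containment and remediation rows of the table (suspend, revoke sessions, reset credentials and MFA) as an Okta Users API script. This is an added example, not the tooling used in the original report. It uses the public Okta Users API lifecycle and sessions endpoints; the org URL and API-token sourcing, the exact step ordering, and the `send` injection point for testing are my assumptions.

```python
"""Okta containment and remediation for a compromised account (added example,
not the original report's tooling).  Public Okta Users API endpoints; ORG_URL /
API_TOKEN sourcing and the step order are assumptions."""
import json
import os
import urllib.request
from urllib.parse import quote

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # assumed org
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")                       # SSWS API token


def okta_send(method, path, org=ORG_URL, token=API_TOKEN):
    """Live transport: one authenticated call, returns (http_status, parsed_json)."""
    req = urllib.request.Request(org + path, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # 4xx/5xx raise HTTPError
        body = resp.read()
        return resp.status, (json.loads(body) if body else {})


def _run(steps, send):
    """Execute (label, method, path) triples in order; stop at the first failure."""
    done = []
    for label, method, path in steps:
        status, _ = send(method, path)
        done.append({"step": label, "method": method, "path": path, "status": status})
        if status >= 400:
            raise RuntimeError(f"{label} failed with HTTP {status}; completed so far: {done}")
    return done


def _user_id(login, send):
    """Resolve a login (e-mail) to the Okta user id used by the lifecycle endpoints."""
    status, user = send("GET", f"/api/v1/users/{quote(login, safe='')}")
    if status != 200 or "id" not in user:
        raise RuntimeError(f"user lookup failed for {login}: HTTP {status}")
    return user["id"]


def contain(login, send=okta_send):
    """Table steps 3-4: block new logins and kill every Okta session and token.
    Suspend (reversible, keeps app assignments) rather than deactivate, which
    deprovisions the user from assigned apps.  An already-established GlobalProtect
    tunnel is NOT torn down by Okta; disconnect it on the firewall separately."""
    uid = _user_id(login, send)
    return _run([
        ("suspend account", "POST", f"/api/v1/users/{uid}/lifecycle/suspend"),
        ("clear sessions + OAuth tokens", "DELETE", f"/api/v1/users/{uid}/sessions?oauthTokens=true"),
    ], send)


def remediate(login, send=okta_send):
    """Table step 6, run only after the user is verified: reactivate, wipe all MFA
    enrolments so Okta Verify is re-enrolled from the user's own phone, and expire
    the password so a new one is set at next login (assumed order)."""
    uid = _user_id(login, send)
    return _run([
        ("unsuspend account", "POST", f"/api/v1/users/{uid}/lifecycle/unsuspend"),
        ("reset all MFA factors", "POST", f"/api/v1/users/{uid}/lifecycle/reset_factors"),
        ("expire password", "POST", f"/api/v1/users/{uid}/lifecycle/expire_password"),
    ], send)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "awilson@company.com"
    for step in contain(target):
        print(step)
```

Each step is returned as a dict so the calls can be written to the incident ticket as an audit trail; the first failing step raises and stops the run rather than continuing with a half-contained account.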
Jira Incident Report
Ticket: SOC-2024-059
Summary: T1133 – External Remote Services – Compromised VPN Access via MFA Fatigue
Status: RESOLVED
Resolution: MALICIOUS – Account Takeover Attempt
Priority: P1 – CRITICAL
Labels: T1133, external-remote-services, vpn, okta, mfa-fatigue, privileged-account
Components: Identity-Management, Remote-Access
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Okta Identity Cloud.
- Alert: “Suspicious VPN Login – New Location + Impossible Travel”.
- User: awilson@company.com (IT Administrator).
- Time: 2024-02-11 07:30 EST.
- Technique: MITRE ATT&CK T1133 – External Remote Services.
2. Technical Analysis:
- Attack Details:
- Initial Access: Attacker obtained user credentials (likely via phishing).
- MFA Bypass: MFA fatigue attack – user received repeated push notifications until they accidentally accepted.
- Source IP: 89.248.165[.]23 (Moscow, Russia)
- Target: Palo Alto GlobalProtect VPN
- Timeline:
07:00 – Legitimate login from New York (user starts work)
07:25 – Attacker attempts login from Moscow
07:25-07:27 – 12 MFA push notifications sent to user’s phone
07:28 – User finally accepts push (MFA fatigue)
07:28 – Attacker gains VPN access
07:30 – Okta impossible travel alert triggers
07:31 – SOC begins investigation
07:32 – User contacted; confirms no travel
07:33 – Account disabled; sessions terminated
- Attacker Activity During Access (07:28-07:33 EST, about 5 minutes):
- Connected to VPN
- Attempted RDP to IT jump box (blocked by firewall)
- No other actions logged (account disabled quickly)
- Privileges:
- IT Administrator access to servers, network devices
- No access to financial systems
3. Investigation Findings:
- User Interview:
- User reported receiving multiple Okta Verify push notifications.
- Thought it was a glitch; accidentally approved one.
- Confirmed no travel; phone still in possession.
- MFA Fatigue Attack:
- Attacker bombarded user with pushes until approval.
- No SIM swap; user’s device secure.
- Indicators of Compromise (IoCs):
Network:
– Attacker IP: 89.248.165[.]23 (Russia)
– VPN session logs (terminated)
Account:
– User: awilson@company.com
4. Containment Actions:
- Immediate Actions (07:31-07:35 EST):
- Disabled user account in Okta and Active Directory.
- Revoked all active VPN sessions.
- Blocked attacker IP at firewall.
- Remediation (07:35-08:30 EST):
- Forced password reset for user.
- Re-enrolled MFA (Okta Verify only, no SMS).
- Reviewed account activity logs for any changes (none).
- User Communication:
- User briefed on MFA fatigue attacks.
- Reinforced never to approve unexpected pushes.
5. Root Cause Analysis:
- Primary Cause: MFA fatigue attack – user overwhelmed and approved malicious push.
- Contributing Factors:
- Credentials compromised via prior phishing.
- No number matching in Okta Verify (simple push approval only).
- User not trained on MFA fatigue attacks.
6. Business Impact:
- Operational Impact: IT admin offline for 1 hour.
- Data Exposure: None (account disabled quickly).
- Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
- Account secured.
- MFA re-enrolled.
- User educated.
Technical Controls Enhanced:
- Enabled number matching in Okta Verify (user must enter the number shown on the login screen).
- Implemented conditional access policy blocking impossible travel logins.
- Reduced MFA push timeout and maximum attempts.
- Added alerting for excessive MFA push rejections.
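The two signals this incident turned on, impossible travel between successive logins (Risk Signals above) and a burst of Okta Verify pushes ending in an accept (the new push-rejection alerting), as detection logic run over Okta System Log events. This is an added example, not the original report's detection or anything shipped by Okta. The event type names and field paths follow the Okta System Log schema as I know it and the sample events are constructed from the alert's timeline; the speed threshold, push window and burst size are assumptions to tune per tenant.

```python
"""Impossible-travel and MFA push-fatigue detections over constructed Okta System
Log events.  Added example, not code from the report or from Okta.  Event-type
names and field paths are assumed to match the Okta System Log; verify against
your own tenant before relying on them."""
import math
from datetime import datetime, timedelta

MAX_PLAUSIBLE_KMH = 1000.0         # assumption: faster than any airliner => impossible
PUSH_WINDOW = timedelta(minutes=5)
PUSH_BURST = 5                     # assumption: >=5 pushes to one user in the window is abnormal

LOGIN_OK = "user.session.start"
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_OK = "user.authentication.auth_via_mfa"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _geo(ev):
    g = ev["client"]["geographicalContext"]["geolocation"]
    return g["lat"], g["lon"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One alert per pair of consecutive successful logins whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev["eventType"] != LOGIN_OK or ev["outcome"]["result"] != "SUCCESS":
            continue
        who = ev["actor"]["alternateId"]
        prev = last.get(who)
        if prev is not None:
            km = haversine_km(*_geo(prev), *_geo(ev))
            hours = (_ts(ev["published"]) - _ts(prev["published"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if kmh > max_kmh:
                alerts.append({"user": who, "from_ip": prev["client"]["ipAddress"],
                               "to_ip": ev["client"]["ipAddress"], "km": round(km),
                               "minutes": round(hours * 60), "kmh": round(kmh)})
        last[who] = ev
    return alerts


def push_fatigue(events, window=PUSH_WINDOW, burst=PUSH_BURST):
    """Medium alert once >= burst pushes hit one user inside window; raised to high
    if an MFA success follows while that burst is still inside the window."""
    alerts, state = [], {}
    for ev in sorted(events, key=lambda e: e["published"]):
        who, t = ev["actor"]["alternateId"], _ts(ev["published"])
        st = state.setdefault(who, {"sent": [], "denied": 0, "alert": None})
        st["sent"] = [x for x in st["sent"] if t - x <= window]   # drop pushes outside the window
        if ev["eventType"] == PUSH_SENT:
            st["sent"].append(t)
            if st["alert"] is None and len(st["sent"]) >= burst:
                st["alert"] = {"user": who, "severity": "medium", "accepted": False,
                               "source_ip": ev["client"]["ipAddress"],
                               "pushes": 0, "denied": st["denied"]}
                alerts.append(st["alert"])
            if st["alert"]:
                st["alert"]["pushes"] = len(st["sent"])
        elif ev["eventType"] == PUSH_DENIED:
            st["denied"] += 1
            if st["alert"]:
                st["alert"]["denied"] = st["denied"]
        elif ev["eventType"] == MFA_OK and ev["outcome"]["result"] == "SUCCESS":
            if st["alert"] and st["sent"]:
                st["alert"].update(severity="high", accepted=True, accepted_at=ev["published"])
            state[who] = {"sent": [], "denied": 0, "alert": None}   # burst is over either way
    return alerts


# --- constructed sample log (not real data); lat/lon are approximate city centres ---
def _ev(published, event_type, ip, city, country, lat, lon, result="SUCCESS"):
    return {"published": published, "eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": "awilson@company.com"},
            "client": {"ipAddress": ip, "geographicalContext": {
                "city": city, "country": country, "geolocation": {"lat": lat, "lon": lon}}}}

NY = ("203.0.113.10", "New York", "US", 40.71, -74.01)   # TEST-NET-3 address, constructed
MSK = ("89.248.165.23", "Moscow", "RU", 55.76, 37.62)     # the IP from the alert

SAMPLE_EVENTS = [_ev("2024-02-11T12:00:00Z", LOGIN_OK, *NY)]                       # 07:00 EST login
SAMPLE_EVENTS += [_ev(f"2024-02-11T12:25:{i * 10:02d}Z", PUSH_SENT, *MSK) for i in range(6)]
SAMPLE_EVENTS += [_ev(f"2024-02-11T12:26:{i * 10:02d}Z", PUSH_SENT, *MSK) for i in range(6)]
SAMPLE_EVENTS += [_ev("2024-02-11T12:25:35Z", PUSH_DENIED, *NY),                   # user taps Deny twice
                  _ev("2024-02-11T12:26:15Z", PUSH_DENIED, *NY)]
SAMPLE_EVENTS += [_ev("2024-02-11T12:28:00Z", MFA_OK, *MSK),                        # fatigue accept
                  _ev("2024-02-11T12:28:02Z", LOGIN_OK, *MSK)]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS) + push_fatigue(SAMPLE_EVENTS):
        print(a)
```

On the constructed log the travel check reports roughly 7,500 km in 28 minutes (well over 10,000 km/h), and the push check raises a single alert that starts at medium on the fifth push and becomes high at the 07:28 accept, with the two denials recorded. The medium-severity state is the one the new "excessive push rejections" control alerts on before the user gives in.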
8. Conclusion:
This incident involved an MFA fatigue attack that gave an attacker VPN access as a privileged IT administrator. Rapid detection via Okta's impossible travel rule and containment within five minutes limited the attacker to a single RDP attempt against the IT jump box, which the firewall blocked. Number matching and the tightened push limits make a repeat of this technique much harder, but the phished credentials show that the password itself was already in the attacker's hands.
Closure Rationale: Account secured; attacker blocked; enhanced MFA controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 09:00 EST