By Lior Tenne – Senior Security Researcher
At Nagomi, we’ve seen that 80% of breaches could have been prevented with the tools customers already have. And the recent Okta warning of unprecedented credential stuffing attacks is a great example: with the right configurations in place, our existing tools can minimize the threat, making us more proactive.
Why is This in the News?
Okta’s Identity Threat Research team identified a worrying trend: a sharp rise in credential stuffing attacks between April 19th and 26th. This coincided with the release of Cisco’s Talos security team’s report.
What is Credential Stuffing and How Do Threat Actors Compromise User Accounts?
Imagine a thief attempting to open your door with a million different keys that they stole in advance, hoping that one of them will fit. That’s essentially what credential stuffing attacks do. Cybercriminals exploit this method by automating the process of testing vast lists of usernames and passwords, usually acquired from previous data breaches or underground markets, in an attempt to gain unauthorized access to user accounts. What makes credential stuffing particularly tricky is its simplicity; with the aid of tools like the TOR anonymization network and residential proxies, attackers can hide their origin and automate large-scale login attempts on unsuspecting users.
How to Protect Your Organization from Credential Stuffing
Credential stuffing attacks exploit weaknesses in common practices: many organizations don’t enforce Multi-Factor Authentication (MFA), users choose weak passwords, and they reuse the same login credentials across multiple services. This creates a prime target for attackers.
Here are two key steps you can take to significantly improve your defense against this threat.
Credential Stuffing Prevention Step One: Enforce Multi-Factor Authentication (MFA) on Sign-On
MFA requires an additional verification step beyond your password, such as a code sent to your phone or a fingerprint scan. Even if an attacker steals your password, they wouldn’t have this additional factor needed for access. This significantly strengthens your account security.
Credential Stuffing Prevention Step Two: Set a Strong Password Policy
Preventing users from making poor password choices is a win in itself. But let’s face it, sometimes convenience wins, and users end up setting weak passwords that are easy to guess or crack. Requiring a strong password is the key. By setting clear password requirements that include minimum length, character variety, and disallowing common phrases, you significantly bolster your defenses against credential stuffing attempts.
How to Strengthen Your Okta Configuration to Mitigate Credential Stuffing Attacks
While enforcing MFA and setting a strong password policy apply to any organization, the following is specific to Okta customers.
Disable Weaker MFA Factors
To truly strengthen your organization’s security posture, consider disabling weaker MFA factors within your Okta factor enrollment policies. A severe, high-profile cybersecurity incident was recently reported to have been facilitated by a social engineering attack that used SMS and voice calls to harvest credentials.
| Strong Factors | Weak Factors |
|---|---|
| Okta Verify OTP (one-time password) | Security Questions |
| Okta Verify Push | SMS |
| Google Authenticator | |
| WebAuthn – FIDO2 | Voice |
| Physical USB key – U2F, YubiKey and Google’s Titan | Password |
| Biometric Factors | |
To implement this security measure in the Okta platform, navigate to Security → Multifactor → Factor Enrollment → Choose your policy → Edit → Set the factors of your choice as Required, Optional or Disabled.
Blocking Malicious Connection Attempts
Recent credential stuffing attacks hide their origin behind anonymizing services like TOR, which makes them harder to track. Blocking access from these services can help prevent these hidden attacks.
To implement this security measure in the Okta platform, navigate to Settings → Features → turn on Block all requests from anonymizers.
Enable Okta ThreatInsight Feature
Okta ThreatInsight aggregates sign-in activity data across its customer base to detect IP addresses that are potentially malicious or have a poor reputation. Okta then denies requests to your organization that come from such IPs.
Requests blocked by ThreatInsight are handled differently from failed user sign-in attempts: Okta does not treat them as authentication failures.
To implement this security measure in the Okta platform, navigate to Security → General → Okta ThreatInsight settings → Edit → choose Log and enforce security based on threat level.
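As an added example (not part of the original post or of Okta’s own tooling), the following script shows how a defender can spot a credential stuffing source in exported sign-in events: many distinct usernames failing from one IP in a short window, with ThreatInsight denials counted separately since Okta does not log them as authentication failures. The events are constructed samples in the shape of Okta System Log records; the window and threshold values are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime


def _ev(ts, etype, user, ip, result):
    """Build a minimal event in the shape of an Okta System Log record."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}


# Constructed sample: all users, IPs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    _ev("2024-04-20T10:00:00Z", "user.session.start", "alice@example.com", "203.0.113.7", "FAILURE"),
    _ev("2024-04-20T10:00:05Z", "user.session.start", "bob@example.com", "203.0.113.7", "FAILURE"),
    _ev("2024-04-20T10:00:09Z", "user.session.start", "carol@example.com", "203.0.113.7", "FAILURE"),
    # ThreatInsight denial from the same source: logged as a threat event, not a sign-in failure.
    _ev("2024-04-20T10:00:12Z", "security.threat.detected", "dave@example.com", "203.0.113.7", "DENY"),
    # One user mistyping their own password twice is not credential stuffing.
    _ev("2024-04-20T10:01:00Z", "user.session.start", "erin@example.com", "198.51.100.4", "FAILURE"),
    _ev("2024-04-20T10:01:30Z", "user.session.start", "erin@example.com", "198.51.100.4", "FAILURE"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def find_stuffing_sources(events, window_minutes=10, min_distinct_users=3):
    """Return {ip: stats} for each IP whose failed sign-ins cover at least
    min_distinct_users distinct accounts within any window_minutes span.
    Thresholds are assumed starting points, not Okta defaults."""
    failures = defaultdict(list)   # ip -> [(timestamp, username), ...]
    blocks = defaultdict(int)      # ip -> ThreatInsight denials
    for e in sorted(events, key=_ts):
        ip = e["client"]["ipAddress"]
        if e["eventType"] == "security.threat.detected":
            blocks[ip] += 1
        elif e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            failures[ip].append((_ts(e), e["actor"]["alternateId"]))
    flagged = {}
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            in_window = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(in_window) >= min_distinct_users:
                flagged[ip] = {"failures": len(attempts),
                               "distinct_users": len({u for _, u in attempts}),
                               "threatinsight_blocks": blocks[ip]}
                break
    return flagged
```

Run it against a real System Log export (same field names) to get a per-IP summary you can compare against the anonymizer and ThreatInsight blocks described above.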
Setting a Strong Password Policy
While Okta’s built-in password policies offer a solid foundation by enforcing strong password creation (including length, complexity, and the exclusion of common phrases), customizing these policies is crucial for maximum protection.
Before proceeding with implementation, it’s important to note that our recommendations are designed to adhere to the strictest standards of security. By following our best practices and cyber knowledge, you’re taking proactive steps to fortify your defenses.
Our recommendations also emphasize the importance of tailoring complexity requirements for different user groups, such as administrators and standard users, to further enhance your organization’s security posture.
To implement this security measure in the Okta platform, navigate to Security → Authentication → choose your policy → Edit → fill according to the screenshot below:
Implementing Effective Self-Recovery Procedures
Traditional account recovery methods often rely on factors like SMS or phone calls, which can be vulnerable to SIM-swapping attacks or social engineering tactics. In contrast, email offers a more secure alternative. While email accounts can also be compromised, implementing email-based self-recovery provides a stronger layer of security compared to SMS or phone calls.
To implement this security measure in the Okta platform, navigate to Security → Authentication → choose your policy → Edit → Account Recovery → choose Email and set ‘Reset/Unlock recovery emails are valid for’ to 1 hour.
The recent storm in credential stuffing attacks highlights the critical role proactive security measures play in today’s digital landscape. By implementing the strategies discussed and leveraging best practices like Okta’s advanced security features, you can significantly fortify your defenses. But remember, security is an ongoing journey, not a destination.
Compensating Controls
But what if I can’t deploy everything? Sometimes the world is not ideal, and business constraints such as business continuity or technical limitations prevent us from deploying the most aggressive preventive capabilities. Nagomi helps organizations by analyzing threat actors and the techniques they are using, and by identifying relevant compensating controls that could reduce the residual risk caused by the limitations of our deployment.
About Nagomi Security
At Nagomi Security, we’re passionate about empowering security teams to navigate this ever-evolving threat landscape. We equip them with the insights and plans needed to make informed decisions, optimize defenses, maximize existing tools’ features and strengthen their cybersecurity posture. Nagomi automatically assesses your defenses and provides you with prescriptive remediation on how to fix them.