Articles

LastPass and Okta Follow Up

Written by Critical Insight | Sep 27, 2023 8:33:24 PM

The multiple security breaches at LastPass have been discussed at length, including our own take on this as a webinar for interested parties. What I want to share now is what you should be considering and monitoring if you believe that your account and the vault may be at risk.

 

On the surface of it, this is a lot like any account compromise. The breach and exposure would be mainly about passwords and in general credentials for systems that you would like to be safe and secure. The nature of this breach, whereby a compromised account exposes the username and password directly makes the monitoring and detection a bit more interesting though.

First, since they have no need to do any kind of password guessing or reconnaissance, the first thing you might see would be the successful use of the exposed account password. If that password has been changed since the breach, no harm done. If it has not, but there is two factor authentication for that account, the detailed log for the authentication attempt will show success for the password, and failure for the second factor (something that should always set off red flags.)

That detail is available for most systems, but generally requires either the raw logs or a bit of a dive in the admin console to see. If the password was not changed and there is no two factor authentication requirement, you would see a successful login (which may not trigger any alarm bells for you), but likely with some unusual characteristics, e.g. not a typical location for the user, outside of typical login time windows, while already logged in from a different place / computer. Again, these details are generally available from detailed log sources or a console if you know what to look for and where to look.

If someone manages to login to a compromised account, their first acts are usually focused on two areas:

Maintaining their control of the account. 

This usually means changing the password recovery details, changing the password and other account details used to get the account back if lost.

Exfiltrating data. 

This is usually characterized by sudden, broad access to EVERYTHING the account has access to, and downloads which exceed any normal usage.

All of the recommended observations are generally available in detailed logs, consoles for affected systems or (worst case) network monitoring, but these items are often not on the IT departments list of things to watch closely.