OKTA Short & Cybersecurity Risk Frameworks
Co-Authored with Matt Suiche, L/S Trade
On October 20, 2023, a significant breach transpired within the infrastructure of Okta, a pivotal entity in the domain of identity and access management (IAM). This intrusion was orchestrated through a compromise of Okta's customer support unit, utilizing a stolen credential to gain unauthorized access to the support case management system. The accessed data encompassed files containing customer cookies and session tokens, which are integral components for user authentication and session management, and allowed the attacker to steal session cookies belonging to Okta’s customers who requested assistance through the support platform.
Upon gaining unauthorized access to the customer’s Okta platform, the attacker was permitted the creation of backdoor accounts. This process was described by an affected Okta customer, BeyondTrust, a cybersecurity company who was able to investigate the incident as it was happening.
This breach underscores a potential vector for escalated unauthorized access, leveraging the compromised session tokens to impersonate valid users across the myriad services tethered to Okta's IAM infrastructure, and a significant concern for Okta customers going forward.
This is not the first time that Okta has been in the news in a negative light this year. In fact, the last time they were I was relatively adamant on Twitter that shorting OKTA was the right move.
The stock is down a little more than 10% since then, with the bulk coming from the selloff today surrounding the revelation that in addition to Okta’s environment being compromised for the ALPHV-related hacks, Okta itself was hacked.
The cybersecurity landscape has been witnessing orchestrated attacks by the Ransomware as a Service (RaaS) operator ALPHV and the financially motivated criminal group Scattered Spider. These actors have showcased adeptness in exploiting vulnerabilities within Okta’s IAM and Multi-Factor Authentication (MFA) using social engineering & other additional vectors which may very likely be related to the announcement made on on October 20 by Okta’s CISO, as evidenced in the notable breaches of MGM Resorts (MGM) and Caesars Entertainment Corp. (CZR) more than a month ago.
The MGM and Caesars incidents, in particular, unveil a critical examination of the existing IAM and MFA architectures, highlighting potential weaknesses in device-centric authentication paradigms. The attacks orchestrated by ALPHV and Scattered Spider serve as real-world demonstrations of how MFA mechanisms can be bypassed through various strategies, thereby gaining unauthorized access to protected resources.
The juxtaposition of these incidents tells a compelling narrative regarding the evolving challenges within the cybersecurity domain. The inherent design issues within IAM and MFA implementations, as demonstrated by these incidents, seem to prompt a thorough examination of current security protocols in the face of evolving adversarial tactics.
In light of these events, I have pulled forward the publication date of this article, which I (someone definitively not an expert in cybersecurity) have been writing since the MGM hacks with Matt Suiche, an entrepreneur & hacker who is considered an expert in incident response. Matt founded CloudVolumes, which was acquired by VMWare in 2014, and Comae, which was acquired by Magnet Forensics in 2022. He is, definitively, an expert in cybersecurity. You can follow him on twitter here.
We’ve gone into the inherent weaknesses of MFA/IAM and what investors should look for when a company they are exposed to experiences a breach or compromised data, and worked together on a framework for evaluating such. Additionally, I highlight a long/short equity play that I believe takes advantage of recent developments in the sector.