Learn how Swimlane’s own SOC utilized low-code security automation to react to a potential supply chain attack.
What was 0ktapus?
0ktapus was a massive phishing campaign that was discovered by the Group-IB research team, which targeted customers of Okta to receive text messages containing links to phishing sites that mimicked the Okta authentication page of their organization, which harvested Okta credentials and two-factor authentication (2-FA) codes.
This attack which was used by the malicious actors is not a new technique but more recently has been used at scale. Once the malicious actors obtain credentials and two-factor codes they are able to pivot to the targeted business. A majority of affected organizations that these malicious actors targeted were software companies followed by those belonging to telecom, business services, finances, education, retail and logistics sectors.
According to Dark Reading, about 10,000 Okta credentials and 2-FA were compromised in this phishing campaign. The Group-IB research team found a total of 169 unique domains which were used as part of this phishing attack and all associated Indicators of Compromise (IOCs), can be found here.
Timeline of Events
On August 26, 2022, with the help of low-code security automation, our security operations center (SOC) team was able to quickly react to a notification from our managed detection and response (MDR) partner about this supply chain phishing attack being used.
Below is a timeline of how quickly our teams – security, IT, and HR – were able to react to this phishing campaign with the use of the Swimlane platform.
At 13:08 MDT – The Swimlane SOC received a Slack notification from our MDR partner about the supply chain attack.
At 13:13 – The Swimlane SOC reviewed all closed cases and used open source intelligence to assess any risk.
At 13:49 – The Swimlane SOC created a new Incident Response (IR) case to track all ongoing efforts to include any pending and completed actions. We blocked all attributed IOCs on our infrastructure which included Web Application Firewalls (WAF), Network Firewalls (NFW), and also all of our endpoints.
At 14:07 – With the help of automation, the security team initiated an IOC hunt utilizing all Swimlane SOC, SIEM, cloud resources, and endpoint entities. This effort led to no positive hits or compromises.
At 14:19 – Utilizing Swimlane automation, we updated rules and policies for all Enterprise IT & Cloud environments to isolate & contain any activity linked to known IOCs confirmed to be associated with this attack.
At 14:48 – The SOC concluded its investigation and no impact was observed on our organization.
Ongoing Steps to Mitigate Risk
As part of our response to this phishing campaign, our security and HR teams conducted smishing training for employees to keep everyone informed about threats being used.
Organizations should also consider disabling one-time passwords such as SMS and push notifications as they are less secure, and as we learned, can be used in a malicious way to target an organization. Enterprises can also utilize FIDO-2 compliant security keys for multi-factor authentication, as this would reduce the attack surface of the targeted companies.
How Low-Code Security Automation Helped
Low-code security automation and proper case management are important tools that help to quickly respond to any threat. If it wasn’t for Swimlane’s threat detection and incident response use cases, our SOC team would need to individually log into every security tool to be able to search for and block IOCs that were used as part of this phishing campaign.
With the use of Swimlane’s platform, we were able to quickly leverage automation and bring down our mean time to resolution (MTTR). We turn to our security automation, orchestration and response platform to help us:
- Automate the manual steps of the IOC process
- Automatically flag and dismiss false positives
- Gather context to enrich IOCs at machine-speeds
The Swimlane security operations team relies on low-code security automation to reduce errors and false positives during the investigation process. It handles mundane and time-consuming tasks so that our analysts can allocate their time to make more strategic decisions. This positioned us to instantly react to the 0ktapus phishing campaign and reinforce the value of security.
Featured Reading: Gartner 2022 Market Guide for SOAR
Low-code security automation is the future of SOAR. Unlock free access to the Gartner: 2022 Market Guide for Security Orchestration, Automation and Response Solutions, compliments of Swimlane.