Okta - MFA fatigue remediation
Playbook Description
This playbook checks the reputation of the source IP addresses, detects unknown devices, and counts MFA push denials. If the activity is confirmed malicious, it revokes the compromised sessions, enforces password resets, suspends or notifies the user based on their role, and blocks the ASN or the malicious IP addresses.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access (TA0006) | Multi-Factor Authentication Request Generation (T1621) | |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Isolate (D3-Isolate) | Network Isolation (D3-NI) | Inbound Traffic Filtering (D3-ITF) |
Playbook input type
Alert
Prerequisites
- VirusTotal API - Connect to the VirusTotal API and obtain an API key so the playbook can look up the reputation of IP addresses.
- Okta configuration - Connect to Okta using an API key.
Playbook creation input
- connectionName - Provide the VirusTotal connection name used to execute the VirusTotal API calls.
Dependencies
Extensions - Okta
- okta_suspendAUser
- okta_resetPassword
- okta_endUserSession
- okta_getUserRole
- okta_detectDeviceType
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Utility functions
- utility_extractFieldFromList
- utility_getRequiredTime
- utility_convertToString
- utility_convertTimeToUTC
- utility_extractMaliciousEntitiesByRiskScore
- utility_classifyListUniformity
- utility_constructQuery
- utility_sendMail
- utility_parseAggregateLog
Connections
- Okta connection - Need to connect to Okta using an API key.
- VirusTotal connection - Need to connect to the VirusTotal API and fetch an access key to check IP/URL/file reputation details.
Sub playbooks
- Okta - Block IP or ASN
Execution workflow
Investigation:
- Parses the aggregate log.
- Checks the IP reputation in batch.
- Calculates the risk score in batch.
- Identifies malicious entities based on their risk scores.
- Checks whether a known device exists for the user.
- Fetches the push denial logs.
Decision logic:
- Proceeds to remediation when the following conditions are met:
  - Anomalous MFA push activity or push denials are detected.
  - Malicious IP addresses are identified.
- If the activity is suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Detects ASN similarity across the malicious IP addresses.
- Checks whether the same ASN already exists.
- Builds the Block ASN input.
- Executes the "Okta - Block IP or ASN" sub-playbook.
- Constructs the query.
- Fetches the compromised user sessions.
- Checks the sessions for the affected user and IP address.
- Fetches the user IDs.
- Revokes the sessions in batch.
- Enforces password resets in batch.
- Validates that all remediation actions completed successfully.
- Builds the notification email with the remediation details and findings.
- Sends a notification email describing the actions taken and the required next steps.
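The investigation and decision logic above, as an added example that is not part of the playbook or its extensions: it counts push denials per (user, IP) pair from constructed sample events, combines them with constructed risk scores and roles (standing in for the virustotal_calculateRiskScore and okta_getUserRole outputs), and returns the verdict and remediation actions the playbook would take. The thresholds, the event shape and the "suspend users, notify for admins" role policy are assumptions.

```python
from collections import Counter

# Assumed thresholds (not from the playbook page); tune them to your environment.
PUSH_DENIAL_THRESHOLD = 3   # denied pushes per (user, IP) that count as MFA fatigue
MALICIOUS_RISK = 70         # risk score at or above which an IP is treated as malicious
SUSPICIOUS_RISK = 40        # risk score that is suspicious and needs manual review
DENY_EVENT = "user.mfa.okta_verify.deny_push"  # Okta System Log eventType for a denied push

# Constructed sample events, flattened from the aggregate log (not the real Okta schema).
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "203.0.113.7", "eventType": DENY_EVENT, "known_device": False},
    {"user": "alice", "ip": "203.0.113.7", "eventType": DENY_EVENT, "known_device": False},
    {"user": "alice", "ip": "203.0.113.7", "eventType": DENY_EVENT, "known_device": False},
    {"user": "alice", "ip": "203.0.113.7", "eventType": DENY_EVENT, "known_device": False},
    {"user": "bob", "ip": "198.51.100.3", "eventType": DENY_EVENT, "known_device": True},
    {"user": "carol", "ip": "192.0.2.9", "eventType": "user.session.start", "known_device": False},
]
# Constructed risk scores standing in for virustotal_calculateRiskScore output (0-100).
IP_RISK = {"203.0.113.7": 88, "198.51.100.3": 12, "192.0.2.9": 55}
# Constructed role lookup standing in for okta_getUserRole output.
USER_ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

def classify(events, ip_risk, roles):
    """Return {(user, ip): (verdict, actions)} following the playbook's decision logic."""
    denials = Counter((e["user"], e["ip"]) for e in events if e["eventType"] == DENY_EVENT)
    pairs = {(e["user"], e["ip"]) for e in events}
    unknown_device = {(e["user"], e["ip"]) for e in events if not e["known_device"]}
    results = {}
    for pair in sorted(pairs):
        user, ip = pair
        risk = ip_risk.get(ip, 0)
        fatigue = denials[pair] >= PUSH_DENIAL_THRESHOLD
        if fatigue and risk >= MALICIOUS_RISK:
            # Confirmed malicious: block the source, revoke sessions, force a reset, then act by role.
            actions = ["block_ip_or_asn", "revoke_sessions", "reset_password"]
            # Assumed role policy: suspend ordinary users; only notify for admins to avoid a lockout.
            actions.append("notify_admin_owner" if roles.get(user) == "admin" else "suspend_user")
            results[pair] = ("malicious", actions)
        elif fatigue or risk >= SUSPICIOUS_RISK or (pair in unknown_device and denials[pair]):
            # Suspicious but not confirmed: notify for manual review and stop further actions.
            results[pair] = ("suspicious", ["notify_for_review"])
        else:
            results[pair] = ("benign", [])
    return results

if __name__ == "__main__":
    for (user, ip), (verdict, actions) in classify(SAMPLE_EVENTS, IP_RISK, USER_ROLES).items():
        print(f"{user}@{ip}: {verdict} -> {actions or 'no action'}")
```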
Post execution procedure
- Review the blocked IP addresses and ASNs to ensure no legitimate traffic was affected.
- Investigate whether the compromised account was used to access any sensitive resources or data.
- Review Okta system logs for any signs of lateral movement or additional MFA fatigue attempts.
- Consider switching to phishing-resistant MFA methods for the affected user.
- Confirm that the affected user is notified about the account actions taken before re-enabling access.
- Audit other accounts in the organization for similar MFA fatigue attack patterns.