This machine kills passwords.
Twitter: https://mobile.twitter.com/breditor
Okta Security team: https://sec.okta.com/articles

Enjoyed talking about phishing resistance at Gartner’s APAC InfoSec shindig. This quote from @boblord started some great conversations.

CISA’s fact sheet here:
https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

I’ve seen a lot written about Reddit’s incident disclosure, especially the crucial role a user report played in identifying and remediating a phishing incident.

It’s a timely reminder that #okta customers can maximise the opportunities for users to identify and report suspicious activity by:

- Enabling “End User Notifications” for sign-ins from new devices and locations or factor resets/adds, and also
- Enabling “Suspicious Activity Reports” to turn those notifications into actionable, one-click reporting mechanisms for users.

The Recent Activity section of the end user dashboard also gives users insight into use of their account.

Okta Workflows provides numerous orchestration opportunities for when users report suspicious activity: from turning the report into a ticket for SOC analysts through to revoking a session or a factor.
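Added example, not code from the post above or from Okta: a small Python script that does in code what the post suggests orchestrating with Workflows, picking the end-user suspicious-activity reports out of System Log events and turning each one into a session revoke plus a factor reset for the reporting user. The sample events are constructed. The event type name `user.account.report_suspicious_activity_by_enduser`, the use of the event's actor as the reporting user, and the two endpoints `DELETE /api/v1/users/{id}/sessions` and `POST /api/v1/users/{id}/lifecycle/reset_factors` are assumptions; check them against current Okta documentation before relying on them.

```python
import urllib.request

# Assumed System Log event type emitted when a user clicks "report" on a notification.
SUSPICIOUS_REPORT = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample System Log events; not real data.
SAMPLE_EVENTS = [
    {
        "eventType": SUSPICIOUS_REPORT,
        "published": "2023-02-10T09:14:22.000Z",
        "actor": {"id": "00uEXAMPLE1", "type": "User", "alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.10"},
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": "user.session.start",
        "published": "2023-02-10T09:15:00.000Z",
        "actor": {"id": "00uEXAMPLE2", "type": "User", "alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
        "outcome": {"result": "SUCCESS"},
    },
]


def reported_users(events):
    """Unique ids of users who filed a suspicious-activity report, in the order seen."""
    seen = []
    for ev in events:
        if ev.get("eventType") != SUSPICIOUS_REPORT:
            continue
        uid = ev.get("actor", {}).get("id")  # assumed: the reporter is the event actor
        if uid and uid not in seen:
            seen.append(uid)
    return seen


def remediation_requests(org_url, user_id):
    """(method, url) pairs for the session revoke and factor reset, in that order."""
    base = f"{org_url.rstrip('/')}/api/v1/users/{user_id}"
    return [
        ("DELETE", f"{base}/sessions"),              # assumed endpoint: clear all sessions
        ("POST", f"{base}/lifecycle/reset_factors"),  # assumed endpoint: reset enrolled factors
    ]


def remediate(org_url, api_token, user_id, opener=urllib.request.urlopen):
    """Issue the remediation calls; `opener` is injectable so the flow can be dry-run."""
    results = []
    for method, url in remediation_requests(org_url, user_id):
        req = urllib.request.Request(
            url,
            method=method,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        with opener(req) as resp:
            results.append((method, url, resp.status))
    return results


if __name__ == "__main__":
    # Dry run: show what would be sent for the constructed events (no network calls).
    for uid in reported_users(SAMPLE_EVENTS):
        for method, url in remediation_requests("https://example.okta.com", uid):
            print(method, url)
```

The two remediations are kept in a fixed order on purpose: revoking sessions first ends any live adversary session, and resetting factors afterwards forces re-enrolment under the user's next verified sign-in.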

Quick and dirty @okta win: deny authentication to workforce apps from anonymising proxies. If you don’t have network-based controls for this, the blunt way is to add a dynamic network zone in Okta (pictured) that blocks these requests pre-authentication.

The cons: some loss of visibility into adversary behaviors, and it’s tricky to make exceptions.
The pros: adding friction and risk to the sort of adversary whose MO is buying access to stolen session tokens.

In my experience there are relatively few orgs with staff that have a genuine need to authenticate using anonymizing services. More often the admin didn’t know it was this easy to do.
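Added example, not code from the post above or from Okta: the dynamic blocklist zone the post describes, built as an API payload, together with a pre-flight check over System Log events that lists which users have recently succeeded in signing in through a proxy, so an admin can see who the zone would start denying before switching it on (the "tricky to make exceptions" con). The sample events are constructed. The Zones API shape (`POST /api/v1/zones` with `type: DYNAMIC`, `usage: BLOCKLIST`, `proxyType: Any`) and the `securityContext.isProxy` field on System Log events are assumptions to verify against current Okta documentation.

```python
import json
import urllib.request

# Constructed sample System Log events; not real data.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "securityContext": {"isProxy": True, "asOrg": "example-vpn"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "securityContext": {"isProxy": True, "asOrg": "example-vpn"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "securityContext": {"isProxy": False, "asOrg": "example-isp"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "carol@example.com"},
     "securityContext": {"isProxy": True, "asOrg": "example-proxy"}},
]


def proxy_blocklist_zone(name="Anonymizing proxies (blocklist)"):
    """Payload for a dynamic zone matching any anonymizing proxy, used as a blocklist."""
    return {
        "type": "DYNAMIC",
        "name": name,
        "status": "ACTIVE",
        "usage": "BLOCKLIST",   # assumed: blocklist zones deny requests before authentication
        "proxyType": "Any",     # assumed value: every proxy type, not only Tor
        "locations": [],
        "asns": [],
    }


def affected_logins(events):
    """Map user -> count of successful sign-ins via a proxy: what the zone would start denying."""
    hits = {}
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        if not ev.get("securityContext", {}).get("isProxy"):  # assumed field
            continue
        user = ev.get("actor", {}).get("alternateId", "?")
        hits[user] = hits.get(user, 0) + 1
    return hits


def create_zone(org_url, api_token, payload, opener=urllib.request.urlopen):
    """POST the zone; `opener` is injectable so this can be dry-run without network access."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/zones",
        method="POST",
        data=json.dumps(payload).encode(),
        headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    impact = affected_logins(SAMPLE_EVENTS)
    print("users with recent successful proxy sign-ins:", impact)
    print(json.dumps(proxy_blocklist_zone(), indent=2))
```

Running the impact check first turns the post's "relatively few orgs" observation into a number for your own org: an empty result means the zone can go straight to active, while a short list tells you exactly who to talk to before the block lands.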