[Meta] Expand Okta Rule Coverage - SAMLjacking

terrancedejesus commented 9 months ago

Parent Epic (If Applicable)

Meta Summary

This meta will be used to track expanded Okta detection rule coverage specifically for SAML-related events. SAML is an authentication standard/protocol commonly used in SaaS platforms. SAML is web-based and implemented on both the service provider (SP) and identity provider (IdP) for authentication. SAML data visibility is reliant on URI patterns, HTTP(s) request and response bodies and more, however, Okta system logs include all most of this information. This research is likely to carry-over to other SaaS integrations (Google Workspace, GitHub, Slack) where similar detections can be created.

Plan:

Setup Okta lab and 3rd-party applications.
Establish SAML for authentication between IdP and SP.
Use the Okta integration for IdP log collection
Use Network Packet Capture (NPC) for network traffic log collection (This is only necessary if we need visibility into the web browser for redirections)
Emulate malicious behavior, capture telemetry and write detection logic

Estimated Time to Complete

4-Weeks

Potential Blockers

Full SAML request/response visibility relies heavily on insight into the end-user browser, IdP and SP. Okta, being the IdP may only provide partial insight into these request/response communications.
Depending on logic requirements, ES|Ql may be important for comparative analysis of the SAML requests and responses. At the time of this issue, ES|QL is in technical preview

Tasklist

### Meta Tasks
- [x] Provide Week 1 Update Comment
- [ ] Provide Week 2 Update or Closeout Comment
- [ ] SAML Enumeration (ACS endpoint identification)
- [ ] SAMLjacking
- [ ] SAMLbackdoor
- [ ] XML Signature Wrapping (SAML Raider)
- [ ] Certificate Faking (Self-Signed Certificate - Relies on trust between SP and IdP)

#### Detection Rules

Resources / References

terrancedejesus commented 8 months ago

Update 01-16-2023

This meta will be started today, starting with setting up SAML authentication with 1-2 third party integrations in Okta and ensure monitoring is still established. The following is tasked for this week. There may need to be separate meta's to tackle the other SAML abuse techniques originally listed. Therefore, I have renamed this to SAMLjacking and put the others as a stretch.

Setup SAML authentication in Okta lab
Ensure monitoring still exists for Okta
Establish 1-2 third party integrations in Okta with SAML access only
Follow authentication workflow with MFA and review telemetry to understand visibility
Review SAMLjacking techniques and how to execute in our environment
Attempt to emulate SAMLjacking and capture telemetry
Review potential rules and begin rule development.

botelastic[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 6 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 4 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 1 month ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

elastic / detection-rules