Applies to BloodHound Enterprise and CE

OktaHound is an OpenGraph extension and data collector for Okta Platform (also known as Okta Workforce Identity Cloud) environments that helps security professionals visualize and analyze their Okta configurations in BloodHound. It collects data about users, groups, applications, roles, and other entities within an Okta organization and represents them as nodes and edges in BloodHound’s graph database.
The other main product in Okta’s portfolio is Auth0 (previously known as Customer Identity Cloud). OktaHound does not currently support Auth0.

Okta Attack Paths

Okta is an interesting target for attackers because it is widely used by organizations to manage access to their cloud and on-premises applications. Compromising an Okta organization can provide attackers with access to a wide range of resources and data.

Okta organizations seem to be secure by default. Multi-factor authentication (MFA) is enforced for all users and re-authentication is required for sensitive administrative tasks.

Figure: Default Catch-All rule

Okta also uses role-based access control (RBAC) to mitigate privilege escalation paths. For example, only Super Administrators can manage groups that have administrative roles. As a result, most attack paths stem from misconfigurations, including excessive role assignments, weak authentication policies, insecure application integrations, and exposure of sensitive credentials.

You should also account for users who are non-privileged in Okta but hold administrative access in connected applications, such as GitHub Enterprise Cloud or Amazon Web Services (AWS). Hybrid attack paths between on-premises Active Directory and Okta are also possible.

Figure: Okta role assignments displayed in BloodHound
Our research on Okta attack paths is still ongoing. Interesting mappings to MITRE ATT&CK are available from Elastic.

Okta Free Trial

Okta provides a free trial plan that you can use to test the majority of OktaHound features.

References

The following blog posts provide insights into Okta attack vectors and techniques:

Research Tools

Here are some interesting GitHub repositories related to Okta security research:

Community

Please join us in the #okta channel of the BloodHound Community Slack workspace if you want to chat about attack paths in Okta or the usage of OktaHound. You are also welcome to open an issue or pull request on GitHub.