DtHash (Okta)

Okta’s dtHash is a hashed form of the device token, the `dt` cookie Okta sets in a browser, and it is recorded in Okta System Log events under `debugContext.debugData.dtHash`.
Logging the hash rather than the raw cookie lets analysts correlate all activity coming from one browser without writing a replayable value into the log, so a log export or a compromised log pipeline does not hand an attacker usable session material.
The dtHash is particularly useful for identifying stolen Okta sessions: a single session whose events carry more than one dtHash, or one dtHash whose activity arrives from several geographic locations, suggests that a session cookie was replayed from a browser other than the one that authenticated.

In threat hunting, dtHash serves as a stable pivot across sign-in and application-access events. Analysts can group events by user, session ID, and dtHash to spot activity such as credential-stuffing or brute-force attempts (many failed sign-ins against different accounts from one device token) or session hijacking (one session ID used from two device tokens).
Examining how a dtHash is used across sessions, IP addresses, and locations also surfaces unusual activity that may indicate a compromised account or an insider using someone else's session.

Beyond session hijacking, the same correlation supports other detections described in Okta's hunting guidance: MFA push notification fatigue, privilege escalation via impersonation, phishing attempts blocked by FastPass, and the “impossible traveler” scenario where a user signs in from two distant locations in an implausibly short time. Each is built from Okta System Log events by looking for patterns or anomalies that suggest malicious activity.
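The three correlations described above (a session used from more than one device token, one device token signing in as several users, and impossible travel) can be expressed as a few passes over exported System Log events. The following is an added example written for this page, not Okta's own code or tooling; the event records are constructed to match the System Log field paths (`actor.alternateId`, `client.geographicalContext.geolocation`, `authenticationContext.externalSessionId`, `debugContext.debugData.dtHash`), and every user, IP, session ID and hash value in them is invented. The 900 km/h threshold is an assumed airliner-speed cut-off, and the 50 km floor ignores geo-IP jitter inside one metro area.

```python
"""Hunt over Okta System Log events using dtHash (added example, not Okta's code)."""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, trimmed to the fields the detections read. Field paths
# follow Okta's System Log schema; users, IPs, session IDs and dtHash values are invented.
SAMPLE_EVENTS = [
    {"published": "2024-03-04T09:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.10", "geographicalContext": {
         "city": "Chicago", "country": "United States",
         "geolocation": {"lat": 41.88, "lon": -87.63}}},
     "authenticationContext": {"externalSessionId": "102Ab3"},
     "debugContext": {"debugData": {"dtHash": "dt-hash-A"}}},
    {"published": "2024-03-04T09:30:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.10", "geographicalContext": {
         "city": "Chicago", "country": "United States",
         "geolocation": {"lat": 41.88, "lon": -87.63}}},
     "authenticationContext": {"externalSessionId": "102Ab3"},
     "debugContext": {"debugData": {"dtHash": "dt-hash-A"}}},
    # Same session ID, but a different browser token and a different continent:
    # the session cookie was replayed from the attacker's browser.
    {"published": "2024-03-04T10:00:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.7", "geographicalContext": {
         "city": "Singapore", "country": "Singapore",
         "geolocation": {"lat": 1.35, "lon": 103.82}}},
     "authenticationContext": {"externalSessionId": "102Ab3"},
     "debugContext": {"debugData": {"dtHash": "dt-hash-B"}}},
    {"published": "2024-03-04T11:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.44", "geographicalContext": {
         "city": "London", "country": "United Kingdom",
         "geolocation": {"lat": 51.51, "lon": -0.13}}},
     "authenticationContext": {"externalSessionId": "77Xyz9"},
     "debugContext": {"debugData": {"dtHash": "dt-hash-C"}}},
    # The attacker's browser (dt-hash-B) also signs in as a second account.
    {"published": "2024-03-04T11:05:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "mallory@example.com"},
     "client": {"ipAddress": "203.0.113.7", "geographicalContext": {
         "city": "Singapore", "country": "Singapore",
         "geolocation": {"lat": 1.35, "lon": 103.82}}},
     "authenticationContext": {"externalSessionId": "55Qrs2"},
     "debugContext": {"debugData": {"dtHash": "dt-hash-B"}}},
]


def _dig(event, *path):
    """Walk a nested dict along `path`; return None if any key is absent."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _when(event):
    """Parse the System Log 'published' timestamp into an aware UTC datetime."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def sessions_with_multiple_dthash(events):
    """Session IDs seen with more than one dtHash. A session's device token should not
    change, so a second value means the session cookie was used from another browser."""
    seen = defaultdict(set)
    for e in events:
        sid = _dig(e, "authenticationContext", "externalSessionId")
        dth = _dig(e, "debugContext", "debugData", "dtHash")
        if sid and dth:
            seen[sid].add(dth)
    return {sid: hashes for sid, hashes in seen.items() if len(hashes) > 1}


def dthash_shared_by_multiple_users(events):
    """dtHash values that appear with more than one actor: one browser authenticating
    as several users (a shared workstation, or an attacker pivoting between accounts)."""
    users = defaultdict(set)
    for e in events:
        dth = _dig(e, "debugContext", "debugData", "dtHash")
        actor = _dig(e, "actor", "alternateId")
        if dth and actor:
            users[dth].add(actor)
    return {dth: u for dth, u in users.items() if len(u) > 1}


def _haversine_km(a, b):
    """Great-circle distance in km between two {'lat','lon'} points (mean Earth radius)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Per user, compare consecutive geolocated events and flag pairs whose implied
    ground speed exceeds max_speed_kmh (assumed airliner-speed threshold)."""
    by_user = defaultdict(list)
    for e in events:
        if _dig(e, "actor", "alternateId") and _dig(e, "client", "geographicalContext", "geolocation"):
            by_user[e["actor"]["alternateId"]].append(e)
    findings = []
    for actor, evs in by_user.items():
        evs.sort(key=_when)
        for prev, cur in zip(evs, evs[1:]):
            dist = _haversine_km(prev["client"]["geographicalContext"]["geolocation"],
                                 cur["client"]["geographicalContext"]["geolocation"])
            if dist < min_distance_km:
                continue  # same metro area or geo-IP jitter; not travel
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf  # simultaneous = impossible
            if speed > max_speed_kmh:
                findings.append({"actor": actor, "from": prev["client"]["geographicalContext"]["city"],
                                 "to": cur["client"]["geographicalContext"]["city"],
                                 "km": round(dist), "hours": hours, "speed_kmh": speed,
                                 "dtHash_changed": _dig(prev, "debugContext", "debugData", "dtHash")
                                 != _dig(cur, "debugContext", "debugData", "dtHash")})
    return findings


if __name__ == "__main__":
    print("sessions with >1 dtHash:", sessions_with_multiple_dthash(SAMPLE_EVENTS))
    print("dtHash shared by users:", dthash_shared_by_multiple_users(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
```

On the constructed input, the session `102Ab3` is reported with two dtHash values, `dt-hash-B` is reported for both alice and mallory, and alice's Chicago-to-Singapore hop in 30 minutes is flagged with `dtHash_changed` true. In practice the three findings are stronger together than alone: a dtHash change inside one session is the direct replay signal, and the shared-token and travel findings tell you which other accounts and locations the same browser touched.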

Okta ThreatInsight complements dtHash-based hunting. It aggregates sign-in activity metadata across the Okta customer base to detect potentially malicious IP addresses and can block or log credential-based attacks coming from them before they reach a session.
Events it raises are a useful starting point for identifying targeted attacks against specific identities in an organization’s directory, which can then be pivoted on by dtHash to see what those sources touched.

For more detail on how dtHash and the Okta features above can be used in threat hunting, see our Recent Okta Threat Hunting Guide.