Cyber Security.
24.07.20
Watching the news about the Twitter hack unfold with more and more information and background becoming available over time, it triggered some memories about previous cyber security news stories involving the massive social media giant.
Initially, I posted this comment on LinkedIn when I saw this article from the BBC which primarily focused on the targeted Twitter accounts (being so high profile), the outcome and the response – but the article was quite light on the ‘how’ or methods of attack employed, although it did suggest social engineering played a large role.
At the time, I suggested from that early high-level understanding that the following controls may need some improvement or implementation within Twitter:
It was also rightly pointed out to me that the following additional controls could also play an important part:
Then I came across this article from DataBreachToday which uncovered more details about the methodologies employed and also revealed (at least as declared by Twitter) that they did have ‘two-factor protections’ and the attackers were able to get past these. While circumventing MFA is technically possible, and our own Red Team has achieved this goal during Red Team Attack Simulations for our clients, it is non-trivial. This led me to wonder if perhaps the ‘social engineering’ involved here was of a different and more sinister nature. Namely, that Twitter staff had been bribed or blackmailed into helping the attackers gain the foothold required.
The DataBreachToday article summarises this well: “So how do attackers successfully pierce a well-resourced, billion-dollar company such as Twitter? Absent exploiting a software vulnerability, the answer is that they either need to trick an insider or recruit one.”
This led me to the thought that perhaps the most important control to consider in this situation is actually an Insider Threat Management solution (sometimes referred to as UEBA, User and Entity Behaviour Analytics). There are three types of important scenarios that Insider Threat technology is designed to detect extremely well:
Interestingly, this is not the first time that Twitter has allegedly had issues with their staff being ‘coerced’. Back in Nov 2019, we heard that Saudi Arabia reportedly paid Twitter employees to spy on users. This incident led to the prosecution by the US Federal Government of two former Twitter staff.
According to Shlomi Shaki, the Director of Insider Threat Management at Proofpoint for Australia and New Zealand:
“Between July and Dec 2019, the Office of the Australian Information Commissioner reported that 69% of breaches in Australia were attributed to the human element, i.e. our people, and in particular for insider risk they saw around 32% of breaches were attributed to accidental or negligent behaviour (from employees and third parties), around 29% due to compromised and stolen credentials (phishing or other) and around 8% due to rogue employees. The remaining 31% are due to hacking, malware, ransomware, equipment or paperwork theft and system faults.
These stats we are seeing in Australia right now are also in line with the latest benchmark study from the Ponemon Institute that reported the number of insider-caused cybersecurity incidents jumped 47% since 2018 worldwide, with the average annual cost up 31% to $11.45 million and the average time to contain insider breaches taking 77 days.
The reason these threats are so prolific and take so long to deal with is that anyone with legitimate trusted access to an organisation’s systems and data – whether full-time employee, part-time contractor or strategic business partner – can be an Insider Threat.
Understanding what is driving this increase in frequency and cost of insider threats is important when organisations plan an appropriate risk management approach.”
The Missing Link has partnered with Proofpoint, which acquired ObserveIT, the leading insider threat management platform, in November 2019, to help organisations in Australia identify and mitigate insider risk.
https://www.proofpoint.com/au/products/information-protection/insider-threat-management
Our Red Team can conduct a variety of assessments that can help you understand the possible attack paths from an insider (a typical staff member starting with low privileges).
We can conduct an Insider Threat Assessment, and we can help you with a roadmap or plan to address the gaps, and if you are light on your own security staff, then our Security Operations Centre can manage the solution(s) for you.
Reach out if you would like our help or to simply have a chat about this or any other cyber security topic!
Author
Aaron Bailey
Chief Information Security Officer