Today it is rare for an attack on public figures to play out in public before the company’s defenders can respond. Typically an announcement is made that company X experienced an incident, Y identities were compromised, clean-up is complete, and you should consult Z if you want to join the class-action suit. In other words, the news usually breaks once the dust has settled. In the case of the recent Twitter hack, the results were visible immediately, so the public had a front-row seat to the incident and eagerly followed how and why it happened.
From the limited confirmed information, there appear to have been several defense-in-depth gaps. First, certain internal users fell victim to a social engineering attack, which gave the attackers an initial foothold in the environment. Second, the attackers were able to circumvent the MFA protections that should have limited unauthorized access. Finally, the internal admin tool, normally accessible only to Twitter admins, was reached by an attacker holding compromised credentials, which let them change account email addresses and reset passwords without notifying the affected users.
Based on what I read about the hack, I have three takeaways:
- Know your attack surface - An attack surface is specific to each organization and usually tracks closely with the company’s “crown jewels,” the mission-critical information assets. Twitter exists to enable communication and the sharing of ideas, opinions, and thoughts, so its crown jewels arguably include high-follower accounts like those impacted by this hack. Those accounts warranted additional protection, which is exactly what a risk-based approach to security would have called for.
- Know your enemy - In this case the initial attack appears to have succeeded. On reflection, though, and given the limited amount of cryptocurrency transferred, the attackers may have had other motives, or the public display may have been misdirection. Extrapolating from what this access allowed, the same approach could have produced tweets that move the stock market, spread election misinformation, or do other, more damaging things. I eagerly await whatever additional information Twitter makes available as it completes its IR post-mortem.
- Privileged access is always in play - Privileged credentials are at the heart of most breaches, and this instance was no exception. No matter how many breach reports are released, many organizations still struggle with the concept of privileged access and with understanding how to better safeguard it against misuse. Our research indicates the biggest barrier is the perceived complexity of addressing privileged access. The good news is that help is on the way.
After a career spent attacking networks and finding weaknesses, I find Remediant’s novel and simple approach to privileged access management a refreshing change of pace, created by people who obviously “get it.” Vaults have their place, but Remediant’s Just-in-Time (JIT) and “Just Enough” access model makes it hard for an attacker to compromise the admins on a system when there are simply none standing to compromise.
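To make the “no standing admins” idea concrete, here is an added, hypothetical model of a JIT access broker. It is illustration only, not Remediant’s product or code; the host names, ticket reference and one-hour TTL cap are assumptions. Admin rights exist only as time-boxed grants, the effective admin set for a host is computed from unexpired grants, and a sweep removes what an enforcement agent would strip from the local admin group. A legacy host with a standing admin is kept alongside to show what an attacker with a foothold can target at any hour.

```python
"""Model of Just-in-Time (JIT), just-enough privileged access.

Added illustration; hypothetical and not Remediant's product or code.
Admin rights on a host are never standing: each grant has a TTL, the
effective admin set is computed from unexpired grants only, and a sweep
removes what an enforcement agent would strip from the local admin group.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    granted_at: datetime
    expires_at: datetime
    reason: str

    def active(self, now: datetime) -> bool:
        # Half-open window: a grant is gone the instant it expires.
        return self.granted_at <= now < self.expires_at


@dataclass
class JitBroker:
    # Hard ceiling on any grant; an assumed policy value, not a vendor default.
    max_ttl: timedelta = timedelta(hours=1)
    # Legacy standing admins, kept only to show the contrast (host -> users).
    standing_admins: Dict[str, Set[str]] = field(default_factory=dict)
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, user: str, host: str, reason: str,
                ttl: timedelta, now: datetime) -> Grant:
        """Issue a time-boxed admin grant; refuse zero, negative or over-cap TTLs."""
        if not (timedelta(0) < ttl <= self.max_ttl):
            raise ValueError(f"ttl {ttl} outside (0, {self.max_ttl}]")
        if not reason.strip():
            raise ValueError("a grant needs a recorded justification")
        grant = Grant(user, host, now, now + ttl, reason)
        self.grants.append(grant)
        self._log(now, f"GRANT {user}@{host} until {grant.expires_at.isoformat()} "
                       f"reason={reason!r}")
        return grant

    def revoke(self, user: str, host: str, now: datetime) -> int:
        """Cut every active grant for user@host short at `now`; returns how many."""
        cut = 0
        for i, g in enumerate(self.grants):
            if g.user == user and g.host == host and g.active(now):
                self.grants[i] = replace(g, expires_at=now)
                cut += 1
        if cut:
            self._log(now, f"REVOKE {user}@{host} ({cut} grant(s))")
        return cut

    def effective_admins(self, host: str, now: datetime) -> Set[str]:
        """Who holds JIT admin on `host` at `now`."""
        return {g.user for g in self.grants if g.host == host and g.active(now)}

    def exposure(self, host: str, now: datetime) -> Set[str]:
        """Every admin identity an attacker with a foothold on `host` at `now`
        could try to steal or phish: standing admins plus active JIT grants."""
        return self.standing_admins.get(host, set()) | self.effective_admins(host, now)

    def sweep(self, now: datetime) -> int:
        """Drop expired grants (what an agent would remove from the admin group)."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        removed = before - len(self.grants)
        if removed:
            self._log(now, f"SWEEP removed {removed} expired grant(s)")
        return removed

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")


if __name__ == "__main__":
    # Constructed scenario: one support host, one 30-minute change window.
    t0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
    broker = JitBroker(standing_admins={"legacy-host": {"bob"}})
    broker.request("alice", "admin-tool-01", "ticket-1234", timedelta(minutes=30), t0)
    for offset in (0, 10, 30):
        now = t0 + timedelta(minutes=offset)
        print(f"+{offset:>2}m admin-tool-01: {broker.exposure('admin-tool-01', now)}"
              f"  legacy-host: {broker.exposure('legacy-host', now)}")
    broker.sweep(t0 + timedelta(minutes=31))
    print("\n".join(broker.audit))
```

The point of `exposure` is the contrast: on `legacy-host` the standing admin `bob` is a target at any hour, while on `admin-tool-01` the attacker has to land inside a 30-minute window to find anyone at all, and the audit trail records exactly who held rights and why.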
While we are still learning how Twitter was hacked, it is clear that privileged access was involved. The most sensitive assets in your environment may carry a privileged access weakness that Remediant’s approach to detecting and protecting privileged access can address. The practical effect is that an initial incident stays contained to a much smaller portion of the environment; we like to say we turn a boom into a blip. We do not claim to remediate every security challenge, but in this case we may well have helped limit the impact following the initial foothold.