More than 100 high-profile Twitter accounts were compromised last month—throwing the social media company into chaos as they tried to explain how the personal accounts of some of the most powerful and famous people in the world were hacked. Twitter has put out some details about the events leading up to the incident. Specifically, Twitter has said that a phone-based spear phishing attack targeted insiders who had access to support tools. After this attack was successful, the attackers leveraged this access to post tweets, access Direct Messages and download complete data for some Twitter users.
This incident is a reminder that insider threat continues to be a serious issue with potentially high-profile consequences. We gathered members of the Code42 security team to share their thoughts about how the Twitter incident has informed their security practices and what lessons it may have for other organizations.
Frequent awareness training
Chrysa Freeman, Security Awareness and Training Program Manager
We are lucky in this day and age to have access to ever-evolving security tools to protect our companies and reputations. Yet, none of them are worth a grain of salt if the people using them don’t have proper training and processes to protect the systems and data they can access. Security training, particularly phishing training, is not a one and done. Nor is it even sufficient to train users only once a year. At Code42, we know that our employees and anyone with access to our systems are critical to our success and need to be reminded of that often. The youngest workers are especially susceptible to social engineering, as they are learning their roles and are eager to help. We need to come to terms with the fact that security is not going to be top of mind for them on a daily basis. We should be sending them monthly updates on phishing campaigns as well as quarterly education content about social engineering. It doesn’t need to be a formal training— just short and simple reminders about what to do and not do. Keep it simple, train often and start on day one of their new employee orientation.
Understand business processes
Michelle Killian, Director Information Security
This incident can serve as a reminder to continue to engage with front-line workers to see what concerns them about people, processes, and technology. Security teams are great at thinking about risk (some would say that it’s in our DNA). We’re always considering what potential bad things can happen and what controls we can put in place to mitigate them. However, security teams are also seeing most organizational processes from a broad view and often don’t have intimate knowledge of every single workflow for every team. If you’ve been training your entire organization on security best practices, then they should be seeing their work through that security-minded lens and probably have growing concerns about gaps in their work that security teams aren’t even aware of. We should continue to conduct interviews with other teams to learn more about the people, processes and technology that may need additional love.
Secure internal tools
Nathan Hunstad, Principal Security Researcher and Engineer
This incident really highlights the risks of privileged access to sensitive internal tools. Many organizations that collect data from customers as part of their business operations have similar types of tools that allow internal users, like support teams, to access that data. It’s important to ensure that the proper detection, prevention and response controls are in place to secure access to these kinds of tools, and that users of these tools are reminded about how they are high-value targets for attacks like phishing.
Get back to basics
Todd Thorsen, Director Governance, Risk Management and Compliance
The Twitter attack highlights the importance of basic security controls around logging and monitoring for suspicious access activity. It also reinforces the importance of having a strong security training and awareness program in place that includes key scenarios relating to insider threats and regular phishing campaigns that simulate an actual attack. It also serves as a reminder to identify who in your organization may be targeted or at higher risk for phishing or spear phishing attacks and to spend time on education and awareness with those individuals.
Identify the crown jewels and run test scenarios
Chris Hernandez, Red Team Manager
The recent Twitter breach can inform both internal and external red teams about appropriate objectives to focus on when developing a scenario for a customer engagement. During short interval network penetration tests or initial red team engagements the goal may be to get Domain Admin (DA) rights and write up the results of the findings as a report for our clients. While that may provide some security value, the goal of a red team engagement should be to prove significant business impact or test a scenario that could result in reputational damage if the event were to occur as a result of a malicious threat actor’s actions. Twitter’s scenario objectives would be something to the effect of “Gain access to administrative account privileges and perform account takeovers.” I’m curious if Twitter ever tested such a scenario before recent events.
After the threat actors had gained access to administrative tools, the next technique they used was social engineering. Specifically, FOMO or “fear of missing out” in the Twitter example— it was an opportunity to double your bitcoins for the next 30 minutes. Somehow, astonishingly, this scam worked. In my own experience, the phishing campaigns that have been the most successful with the highest click rates generally involve the recipient getting some sort of economic benefit if they take an action such as signing up with their username and password. While I’ve never offered anyone bitcoin, iPads and PS4s seem to be quite popular.
The key here is to understand where the crown jewels are, and how they can be accessed either legitimately or by an adversary. After having that understanding, it’s important to identify the mechanisms that need to be put in place to better defend and monitor those crown jewels. Finally having visibility into the employees that may be at risk of social engineering, blackmail or coercion will help an organization gain an understanding of how easily they may be compromised. In summary, perform red team engagements against your critical systems or backend administrative tools and educate your employees on phishing while you’re at it.
Remember how vast security can be
Cory Ranschau, Security Engineering and Operations Manager
The Twitter incident makes me think about the vast scope that security needs to be applied to and the importance of securing your own tools and systems as well as those of your end users. It’s important to apply relevant security steps throughout an organization to greatly reduce the impact an attack like this can have. These basic tools and system security measures accompanied by a solid strategy of logging and proper alerting also would work to greatly minimize the exposure of an attack like we saw with Twitter.