What We Can Learn From Twitter’s Hack
The afternoon of Wednesday July 15th, 2020 was a strange time to be on Twitter. Twitter has become a trusted platform for political speech, breaking news, weather alerts, and even the occasional dog picture. The magnitude of hundreds of “verified accounts” – many (if not all) protected by multi-factor authentication – being compromised to send messages from a nefarious third party should be considered a seismic event for Twitter. This absolutely shakes the ground upon which trust in the platform was constructed. But we aren’t here to analyze the impact of this on their bottom line; we’re focused on the information security impact.
We know from Twitter themselves that this was a successful social engineering attack against their employees, and that the compromise of one or more employee accounts is what was used to take over the verified accounts and post scam attempts to trick people out of cryptocurrency. What we know at the time of writing this is that approximately $100,000 in cryptocurrency was transferred to these scammers as of that evening.
For all that, we should probably be grateful that this was all that these scammers did – or at least all we’re currently aware of them doing.
Just think about that for the moment. If you can control that many Twitter accounts at once you could easily start a significant disinformation campaign that would be very difficult to counter quickly.
Perhaps you could convince people that a particular stock was about to be worthless and manipulate the markets. Perhaps you could cause confusion amid a general election. Or perhaps you could just get people to believe Tony the Tiger will now be representing Quaker Oatmeal.
As security professionals this brings us to a few questions. Stepping outside of Twitter, have we thought about the ways our own organization or application, if compromised, could be used? Have we done the risk assessment of those possibilities? In light of this compromise, should we re-evaluate those? Should you?
Ignoring company size or resources, let’s call out a few critical steps that any organization can take to prepare for these sorts of issues:
- Determine how to monitor your administrators effectively: your IT administrators are among the most trusted resources in your organization, and with good reason: they’re literally in the position to do the most damage. Deploying a well-configured privileged access management system can help ensure that you have granular control over what your administrators can and cannot do by themselves. And then monitor the heck out of it!
- Practice the principle of least privilege: the TL;DR version of this is don’t give users access to systems, or rights on those systems, that they do not need to do their jobs. A member of the marketing team doesn’t need access to install patches on a server and reboot it. A member of HR doesn’t need access to customer databases.
- Require multi-factor authentication for all high-risk tasks. Make the reauthentication period as short as you can without disrupting your ability to do business. Yes, this will be a compromise between security people and the rest of the company, and it needs to be made with the needs of the business in mind.
- Perform continuous social engineering testing: run spear-phishing campaigns against your own company routinely, and run other social engineering attacks as often as you can afford to as well, including phone-based attacks, attacks via instant messaging tools, and physical attempts to enter sensitive areas (if those exist) within your company.
- Log all the things! If you haven’t already, invest in a logging solution. Hopefully that involves a SIEM, but no need to get ahead of ourselves. Should something happen you stand a much better chance of noticing it if you’re reviewing logs in real time, but at the least having logging will help you piece together what happened to help you improve your security posture before it happens again.
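The first, third and last items above (monitor your administrators, require step-up MFA for high-risk tasks, and log everything) only pay off if someone, or something, actually reads the logs. The following is an added example, not code from the original post or from Twitter, of the kind of detection logic a security team could run over an admin tool’s audit log. The log format, the action names, the admin names and the thresholds are all constructed for illustration; a real deployment would map them onto whatever your privileged access management system or SIEM emits. It flags two things: a burst of sensitive account-modification actions by a single administrator inside a short window, and a sensitive action performed by an administrator whose last step-up MFA event is older than the allowed reauthentication period.

```python
"""Two simple detections over constructed admin-tool audit log lines.

Rule 1 (burst): more than MAX_SENSITIVE sensitive actions by one admin
                within WINDOW.
Rule 2 (stale MFA): a sensitive action by an admin whose most recent
                step-up MFA event is older than REAUTH_MAX, or who has none.

Thresholds, action names and the log format are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE = {"email_change", "mfa_disable", "password_reset"}
WINDOW = timedelta(minutes=10)       # sliding window for the burst rule
MAX_SENSITIVE = 3                    # actions allowed inside WINDOW
REAUTH_MAX = timedelta(minutes=15)   # max age of a step-up MFA event

# Constructed sample log lines (not real Twitter logs).
SAMPLE_LOG = """\
2020-07-15T20:01:10Z admin=alice action=mfa_stepup target=-
2020-07-15T20:02:00Z admin=alice action=email_change target=@acct1
2020-07-15T20:03:30Z admin=alice action=view_profile target=@acct2
2020-07-15T20:40:00Z admin=alice action=email_change target=@acct3
2020-07-15T20:50:00Z admin=bob action=mfa_stepup target=-
2020-07-15T20:51:00Z admin=bob action=email_change target=@verified1
2020-07-15T20:51:20Z admin=bob action=mfa_disable target=@verified1
2020-07-15T20:52:05Z admin=bob action=email_change target=@verified2
2020-07-15T20:52:40Z admin=bob action=password_reset target=@verified3
"""


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return a list of (ts, admin, rule, action, target) alerts, in log order."""
    alerts = []
    recent = defaultdict(deque)   # admin -> timestamps of recent sensitive actions
    last_mfa = {}                 # admin -> timestamp of last step-up MFA event
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        admin, action, ts = rec["admin"], rec["action"], rec["ts"]
        if action == "mfa_stepup":
            last_mfa[admin] = ts
            continue
        if action not in SENSITIVE:
            continue                      # routine read-only actions are ignored

        # Rule 2: sensitive action without a fresh step-up MFA event.
        mfa_ts = last_mfa.get(admin)
        if mfa_ts is None or ts - mfa_ts > REAUTH_MAX:
            alerts.append((ts, admin, "stale_mfa", action, rec["target"]))

        # Rule 1: too many sensitive actions inside the sliding window.
        window = recent[admin]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_SENSITIVE:
            alerts.append((ts, admin, "burst", action, rec["target"]))
    return alerts


if __name__ == "__main__":
    for ts, admin, rule, action, target in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {rule:<9} admin={admin} action={action} target={target}")
```

On the constructed sample, alice trips the stale-MFA rule when she changes an email address almost forty minutes after her last step-up, and bob trips the burst rule on his fourth sensitive action in under two minutes. Neither rule is sophisticated; the point is that both the reauthentication period from the MFA item and the “who did what, to which account, when” from the logging item become enforceable only once the events are recorded in one place and evaluated continuously.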
Just as the Saturday morning commercials for our favorite childhood breakfast cereals would describe the cereal as “part of this nutritious breakfast,” usually alongside a quick picture of fruits, juices, and milk, so too are these suggestions only part of a mature security program. Just eating the sugary cereal won’t get you all the nutrition you should have as part of breakfast; don’t forget the fruit and milk.
We know Twitter will be relatively transparent about their investigation up until it impedes any criminal investigation. We suggest following their own reporting, and analysis by reputable third parties, to see what other revelations come out, and to learn for the sake of our own security programs.
But the lessons learned here don’t end at corporate lessons, there is a personal one here too.
This is yet another call for us as individuals to take stock of how we choose to trust our information sources.
As my colleague Neal Humphrey reminds us: April Fools’ should probably be renamed the Social Engineering Holiday because it is the one day a year we all question every email, and every news article. We take steps to make sure that it is corroborated elsewhere, and to be sure that if we click on the link we’re not going to get Rickrolled. If we could train ourselves to bring that skepticism to our daily online lives we’d be much more difficult targets as individuals, and so would the companies we work for.