A recent Twitter hack reveals the need to do more to protect employees from social-engineering attacks. The compromise of high-profile accounts clearly shows the need for good controls on verifying access.
Twitter was the target of a spear-phishing attack last week that resulted in hundreds of celebrity accounts being hijacked to request Bitcoin donations. This has shown the need for CISOs to take action to protect employees from these attacks & to ensure internal processes cannot be abused by hackers.
The attack produced tweets from accounts purporting to be Bill Gates and others, with variations of this: “Everyone is asking me to give back. You send $1,000, I send you back $2,000.” Each tweet gave the address of a Bitcoin wallet to send money to. Soon, at least 375 transactions had been made, totalling over $120,000.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems & tools,” revealed Twitter in a tweet. It added that “significant steps” had been taken to “limit access to internal systems & tools while our investigation is ongoing. More updates to come as our investigation continues”.
Twitter also stopped many verified accounts from tweeting while the incident was unfolding.
In a statement, the UK’s National Cyber Security Centre commented that while “it appears to be an attack on the company rather than individual users, we would urge people to treat requests for money or sensitive information on social media with extreme caution”.
Tony Cole, CTO at Attivo Networks, explained that it is impossible to state exactly how the systems were taken over, because the internal details from Twitter are not available.
“Due to the number of accounts compromised it’s quite possible that an internal administrator’s account was compromised via some method of phishing which bypassed any controls the individual Twitter users had in place, allowing the attackers to tweet anything from accounts under the control of that administrative account,” he commented.
We also know that some very significant Twitter accounts, e.g. Donald Trump’s, were not affected. Despite being an old-fashioned type of attack, there was nuance to the wording, as the hackers appear to have personalised or changed the copy for each account.
Cole added that CISOs could have combated the attack by focusing on two different but equally important security efforts: first, user awareness training to counter phishing susceptibility; second, instrumentation inside the perimeter & on endpoints to detect adversary lateral movement & credential use.
“Both of those could have stopped the attack independently if the suspected methods are correct,” he further observed.
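The second of Cole’s two efforts, instrumentation that detects misuse of credentials and internal tools, can be illustrated with a small detection routine. The following is an added example written for this article; it is not code from Twitter or Attivo Networks, and the audit-log format, field names, action names and thresholds are assumptions constructed for the illustration. It scans constructed audit lines from a hypothetical internal account-management tool and flags any operator account that performs sensitive actions against an unusual number of distinct user accounts inside a short window, which is the pattern a compromised administrator account would produce if used to take over many accounts in quick succession.

```python
"""Flag operator accounts that touch many distinct user accounts in a short window.

Added illustration only: the log format, field names, action names and the
thresholds below are assumptions, not Twitter's real tooling or data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines from a hypothetical admin tool (not real data).
# One operator (ops.support) performs sensitive actions on six different users in
# three minutes; the others show ordinary, low-volume helpdesk activity.
SAMPLE_AUDIT_LOG = """\
2020-07-15T19:40:12Z actor=alice.admin action=view_profile target=user_1001
2020-07-15T19:55:03Z actor=alice.admin action=reset_email target=user_1001
2020-07-15T20:01:05Z actor=ops.support action=reset_email target=user_2001
2020-07-15T20:01:40Z actor=ops.support action=reset_email target=user_2002
2020-07-15T20:02:11Z actor=ops.support action=reset_email target=user_2003
2020-07-15T20:02:50Z actor=ops.support action=disable_2fa target=user_2004
2020-07-15T20:03:31Z actor=ops.support action=reset_email target=user_2005
2020-07-15T20:04:02Z actor=ops.support action=reset_email target=user_2006
2020-07-15T20:04:45Z actor=bob.helpdesk action=view_profile target=user_3001
2020-07-15T20:05:10Z actor=bob.helpdesk action=view_profile target=user_3001
2020-07-15T20:05:12Z actor=bob.helpdesk action=view_profile target=user_3001
2020-07-15T20:30:00Z actor=alice.admin action=view_profile target=user_1002
"""

# Actions that change who controls an account; only these count towards an alert.
# (Assumed names for the illustration.)
SENSITIVE_ACTIONS = frozenset({"reset_email", "disable_2fa"})


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts_str, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return record


def find_bulk_account_actions(log_text, window=timedelta(minutes=10), max_targets=5):
    """Return one alert per actor whose sensitive actions hit more than
    `max_targets` distinct user accounts within any sliding `window`.

    Repeated actions against the same target are not counted as bulk activity,
    so a helpdesk operator working one ticket does not trip the rule.
    """
    recent = defaultdict(deque)  # actor -> deque of (timestamp, target)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] not in SENSITIVE_ACTIONS:
            continue
        actor = rec["actor"]
        events = recent[actor]
        events.append((rec["ts"], rec["target"]))
        # Drop events that have fallen out of the sliding window.
        while events and rec["ts"] - events[0][0] > window:
            events.popleft()
        distinct_targets = {target for _, target in events}
        if len(distinct_targets) > max_targets and actor not in flagged:
            flagged.add(actor)
            alerts.append(
                {
                    "actor": actor,
                    "window_start": events[0][0],
                    "window_end": rec["ts"],
                    "distinct_targets": len(distinct_targets),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_account_actions(SAMPLE_AUDIT_LOG):
        print(
            f"ALERT {alert['actor']}: {alert['distinct_targets']} distinct accounts "
            f"changed between {alert['window_start']:%H:%M:%S} and "
            f"{alert['window_end']:%H:%M:%S} UTC"
        )
```

Run on the constructed log, the routine raises a single alert for `ops.support` (six distinct accounts changed in under three minutes) and stays silent for the two operators whose activity is low-volume or read-only. The thresholds would be tuned against a real tool’s baseline, and the alert is a prompt to verify the operator’s session, not proof of compromise on its own.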
What the board needs to know
Dr Shorful Islam, Chief Product & Data Officer at OutThink, explained that in cases like this there will have been a lot of discussion about how best to communicate the attack to the board & to Twitter’s users. It looks like the CISO & their team have chosen the honest option, which is good.
“Of course, as a CISO, you want to give assurances that this won’t happen again, but at present, I am not sure the security team at Twitter can make that promise. They will be saying the company will double down on security training, especially anti-phishing modules & that they will conduct more & more phishing simulations to find gaps in security.
The problem is, they will have already been doing a lot of this, but it clearly hasn’t worked,” he observed.
With these types of breaches, being honest is always the best policy. “The CISO should be telling the board that they are doing everything they can to understand exactly how this happened, which means doing more to understand human risk & how to reduce it.”
Islam explained that this is a reminder of a lesson all senior cyber security professionals know – concentrate on the people, not just the technology.
“Get to know employees – their sentiment towards security, any risky behaviours they exhibit & their willingness to comply with policies, before making highly targeted interventions.
“In Twitter’s case, it could be reviewing the privileged access of some users that are deemed to be high risk or asking them to attend a webinar on a particular security issue that they aren’t engaged with.”