On 15th July, Twitter fell victim to a highly visible, sophisticated cyberattack. The hacking of high-profile accounts on a social media platform that carries the opinions of world leaders and technology moguls could have a far-reaching impact on world affairs. But should it influence whether an organization deploys some or all of its IT services in the cloud?
> The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.
>
> This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter data of 7.
>
> – Reported via Twitter
With the hacked accounts now under their control, the hackers could get to work. They started tweeting and harvesting the data from the compromised accounts using the ‘Your Twitter Data’ tool. This enables all account owners to download a summary of their Twitter account details and activity.
Twitter immediately acted to protect the service from further compromise by locking the affected accounts and disabling the password reset functionality until the matter was resolved.
What’s the significance of the attack method?
In this instance, it appears to be a combination of the system architecture and the system administrators that facilitated the attack. The financial prize from the attack was small – the hackers netted a few thousand dollars in bitcoin. This has led Twitter to investigate the impact on the wider service, since it is a commonly quoted statistic that a hacker can be inside a system for up to 3 months before being discovered.
With the US Presidential Elections fast approaching, and with the US President being such an avid user of the platform, it is not impossible to imagine the scenario where this attack was used as a test to provide the hackers with credibility. Once inside Twitter, the hackers could then lay dormant and launch a much more devastating attack, timed to wreak maximum impact at a time of their choosing.
Can anything be done to stop such attacks?
An organization can deploy all the technology in the world to try to repel such an attack. But where human intervention is involved, the risk from spear phishing or similar attacks can never be completely eradicated.
So, I’m afraid there are no silver bullets here, but there are a couple of steps that could be taken to help improve the security posture.
Firstly, more targeted monitoring, such as a User and Entity Behaviour Analytics (UEBA) type solution, may have helped. A user account accessing powerful support tools for the first time is something a UEBA solution could detect, prompting an investigation and potentially halting the attack.
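As an added illustration of the kind of rule a UEBA tool would run (this is example code, not Twitter's tooling or any vendor's product), the script below parses a small, constructed audit log of support-tool usage, learns from a baseline period which users have used which tools, and then raises an alert the first time an account touches a privileged tool it has no history with. The log format, user names and tool names are all assumptions made for the example.

```python
"""First-use detection for privileged support tools, in the style of a UEBA rule.

Added example, not Twitter's tooling. The log format, tool names and user
names are constructed for this illustration.
"""
from datetime import datetime

# Constructed audit-log lines:
# "<ISO timestamp> user=<name> tool=<name> action=<verb> target=<id>"
SAMPLE_LOG = """\
2020-07-01T09:12:00 user=alice tool=account_support action=view target=acct-101
2020-07-02T10:05:00 user=alice tool=account_support action=reset_email target=acct-102
2020-07-03T11:30:00 user=bob tool=helpdesk_chat action=reply target=ticket-55
2020-07-14T15:00:00 user=bob tool=helpdesk_chat action=reply target=ticket-61
2020-07-15T20:01:00 user=bob tool=account_support action=view target=acct-900
2020-07-15T20:03:00 user=bob tool=account_support action=reset_email target=acct-900
2020-07-15T20:04:00 user=alice tool=account_support action=reset_email target=acct-901
"""

# Tools whose first use by an account warrants an analyst's look (assumed policy).
PRIVILEGED_TOOLS = {"account_support"}


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts' and the key=value fields."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse the whole log; events are assumed to be in chronological order."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def first_use_alerts(events, baseline_end):
    """Build a (user, tool) baseline from events before `baseline_end` (ISO string),
    then alert on any later event where a user touches a privileged tool that is
    not in their baseline. Each (user, tool) pair alerts once; later events for
    the same pair are treated as known.
    """
    cutoff = datetime.fromisoformat(baseline_end)
    seen = set()
    alerts = []
    for ev in events:
        key = (ev["user"], ev["tool"])
        if ev["ts"] < cutoff:
            seen.add(key)          # baseline period: learn, never alert
            continue
        if ev["tool"] in PRIVILEGED_TOOLS and key not in seen:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "user": ev["user"],
                "tool": ev["tool"],
                "action": ev["action"],
                "target": ev["target"],
                "reason": "first use of privileged tool by this account",
            })
        seen.add(key)
    return alerts


if __name__ == "__main__":
    for alert in first_use_alerts(parse_log(SAMPLE_LOG), "2020-07-14T00:00:00"):
        print(alert)
```

Run against the sample log, the rule stays quiet for alice, whose account-support use is established in the baseline, and fires once for bob at 20:01 on 15 July, the moment his account first opens the account-support tool. The explicit baseline cut-off matters: without it, every account's very first event would alert and the rule would be drowned in noise on day one.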
Another option would be a Privileged Access Management (PAM) solution. With PAM solutions, access to accounts with significant admin privileges is more tightly controlled and, in some cases, keystrokes are logged and console sessions are video recorded, too. These solutions can also be linked to change management systems, meaning that unless there is a pre-approved change in the system for the required activity, the PAM solution will block and report it.
As an example, resetting a user’s password would only be permitted if there is a valid, authorized request from the user to do so. So, unless President Trump clicked on the ‘I’ve forgotten my password’ link, triggering a ticket in the incident/change management system, no Twitter employee should be able to change the President’s password.
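The ticket-gated password reset described above, written out as an added example (this is illustrative code, not the API of any real PAM product and not Twitter's own tooling). A privileged action is only authorised when an approved ticket exists for that exact account and action, the ticket was raised by the account owner's own request, and the current time falls inside the ticket's approval window; everything else is blocked and the reason is returned so it can be reported. The ticket fields, account ids and the set of gated actions are assumptions made for the example.

```python
"""Ticket-gated privileged actions, in the style of a PAM / change-management link.

Added example, not a real PAM product's API. Ticket data, account ids and the
policy table are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    target: str            # account the change applies to
    action: str            # privileged action the ticket authorises
    raised_by_owner: bool  # True if the account owner triggered the request themselves
    approved: bool         # change/incident manager has approved it
    valid_from: datetime   # start of the approval window
    valid_until: datetime  # end of the approval window


def make_ticket(ticket_id, target, action, raised_by_owner, approved, valid_from, valid_until):
    """Convenience constructor taking ISO-8601 strings for the window."""
    return Ticket(ticket_id, target, action, raised_by_owner, approved,
                  datetime.fromisoformat(valid_from), datetime.fromisoformat(valid_until))


# Privileged actions that must be backed by a ticket (assumed policy).
GATED_ACTIONS = {"reset_password", "change_email", "export_data"}

# Constructed tickets: one valid self-service request, one raised by an operator
# rather than the owner, and one that has not been approved.
SAMPLE_TICKETS = [
    make_ticket("CHG-1001", "acct-101", "reset_password", True, True,
                "2020-07-15T09:00:00", "2020-07-15T10:00:00"),
    make_ticket("CHG-1002", "acct-102", "reset_password", False, True,
                "2020-07-15T09:00:00", "2020-07-15T10:00:00"),
    make_ticket("CHG-1003", "acct-103", "change_email", True, False,
                "2020-07-15T09:00:00", "2020-07-15T10:00:00"),
]


def find_authorising_ticket(tickets, target, action, now):
    """Return the first ticket that fully authorises `action` on `target` at `now`."""
    for t in tickets:
        if (t.approved and t.raised_by_owner
                and t.target == target and t.action == action
                and t.valid_from <= now <= t.valid_until):
            return t
    return None


def authorise(operator, action, target, tickets, now_iso):
    """Decide whether `operator` may perform `action` on `target` right now.

    Returns (allowed, reason). A False result is what the PAM tool would block
    and report; the reason is written for the audit trail.
    """
    now = datetime.fromisoformat(now_iso)
    if action not in GATED_ACTIONS:
        return True, f"{action} is not a gated action"
    ticket = find_authorising_ticket(tickets, target, action, now)
    if ticket is None:
        return False, (f"{operator} attempted {action} on {target} at {now_iso}: "
                       "no approved, owner-raised ticket covers this time")
    return True, f"{operator} authorised for {action} on {target} by {ticket.ticket_id}"


if __name__ == "__main__":
    checks = [
        ("bob", "reset_password", "acct-101", "2020-07-15T09:30:00"),  # inside window
        ("bob", "reset_password", "acct-101", "2020-07-15T11:00:00"),  # window expired
        ("bob", "reset_password", "acct-102", "2020-07-15T09:30:00"),  # not owner-raised
        ("bob", "change_email", "acct-103", "2020-07-15T09:30:00"),    # not approved
        ("bob", "reset_password", "acct-900", "2020-07-15T20:00:00"),  # no ticket at all
        ("bob", "view", "acct-900", "2020-07-15T20:00:00"),            # not gated
    ]
    for operator, action, target, when in checks:
        print(authorise(operator, action, target, SAMPLE_TICKETS, when))
```

The time window on the ticket is what gives the control its "escalation of privilege for a specific period" character: even a legitimate, approved request stops authorising the action once the window closes, so a stolen operator credential cannot reuse an old ticket later.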
Other additional security measures could include:
- Restricting admin functions to specific machines
- 2 Factor Authentication (2FA) for admin functions
- Separation of ‘admin’ accounts from accounts with access to email (since most phishing scams originate via email)
- Escalation of privilege for specific time periods for administrative functions.
However, it is possible that most or all of these were in place with Twitter.
Regular training to ensure staff are aware of the latest techniques used by hackers, and in particular the dangers of spear phishing, is essential. Staff need to know how to spot a potential spear phishing attack and have the confidence and support to refuse to fall victim to it.
Hackers often rely on the innate desire to be helpful, but circumventing process and exposing the business to intrusion simply cannot be allowed, whatever the pressure to help.
What should we take away from this?
We need to adopt a change of mindset. It is no longer sufficient to just design, build and operate systems or applications in a secure manner. We must carry on doing these things and seek every opportunity to improve them.
But we must also proactively consider the ‘what if’, or even the ‘when’, of a malicious user being active within my system or app: how do I spot them quickly and minimise their opportunity to do harm?
Should this incident influence whether to put my workload in the cloud?
No – absolutely not.
Twitter is a social media platform. Or to put it more simply – an online application built upon a plethora of open source products, mainly hosted in data centres that are owned or leased by Twitter. The cyberattack on Twitter was an attack on an online application and not a cloud hosting service.
As an online application hosted in Twitter data centres, it is the responsibility of Twitter to design the application and its support tools in such a way as to make them appropriately secure. Part of this is ensuring the physical security of the data centres that those application components reside in.
Shared responsibility security model
Hosting a workload in a public cloud means that there is a shared responsibility security model that needs to be understood. The public cloud provider is responsible for some elements, and the consumer of the service is responsible for others.
Relating this model to Twitter, when you create your Twitter account you sign up to their ‘Terms and Conditions’, under which Twitter will keep your information safe and maintain controls to prevent unauthorised access. Other than using the recommended type of password and having security features on the device(s) you access Twitter from, the onus is on Twitter for your account and your data’s security.
It is possible to enable 2 Factor Authentication (2FA) on your individual Twitter account, although it is not clear if this was enabled on any of the compromised accounts.
The table below compares the shared security models for a public cloud IaaS workload and for a Twitter account:

| Responsibility | Public Cloud IaaS | Twitter |
|---|---|---|
| Data classification and accountability | Customer | Customer / Twitter |
| Client and end-point protection | Customer | Customer |
| Identity and access management | Customer | Customer / Twitter |
| Application level controls | Customer | Twitter |
| Network controls | Cloud Provider / Customer | Twitter |
| Host infrastructure | Cloud Provider | Twitter |
What does this shared responsibility model really mean?
This is the cloud service provider’s way of saying that they cannot take responsibility for how their platform is used. Although it is possible to configure cloud services in a secure way, it is equally possible to leave the doors wide open to any attacker.
So, it is our responsibility as consumers of cloud services to secure our (or our customer’s) data and services in a way that is appropriate to the data and the risk.
Call to action…
M-Trends 2020, FireEye Mandiant Services | Special Report. (n.d.). Retrieved from https://content.fireeye.com/m-trends