I just had an article published in Solutions Review covering the Twitter breach in which I addressed some of the vulnerabilities that may have been exploited in this attack, and what we can do to not fall victim to similar attacks. Twitter shared that: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
According to The Verge, the account takeovers of a number of high profile Twitter users — including those of presidential candidates and those with two-factor authentication enabled — point to the fact that the attackers had at least indirect access to employee tools.
So insider access was definitely part of the story. But how did the attackers achieve it? Attackers use different channels, such as email, SMS messages and social media, to lure users. Spearphishing, sending an email to specific, well-researched targets while posing as a trusted sender, likely allowed the attackers to gain initial access to Twitter's systems. Such an email may include either an attachment carrying exploit code or a link to a malicious website. Once the target opens it, the attacker gains control of the end user's system and can use an Exfiltration Over Alternative Protocol technique (MITRE ATT&CK T1048) to move stolen data to servers the attacker controls, over a protocol different from the one used by the existing command-and-control channel, which makes the theft harder to spot by watching the C2 channel alone.
But here's the head-scratcher: high-profile organizations like Twitter run some of the best-secured networks on the planet. How did they leave themselves vulnerable to a well-known attack like spearphishing? In this case, an organization's strength may also be its weakness. Like a huge 18-wheeler truck, large organizations usually have "blind spots" in their security operations. Such organizations necessarily have many departments and, likely, several security teams. Information about potential attacks, and about vulnerable entities within the organization, may fall through the cracks in internal communications.
Without knowing exactly what occurred at Twitter, it's likely they fell victim to the "silos syndrome": different security groups and technologies within Twitter probably each "saw" one aspect of the attack, but the big picture was missed because the information was never fed into one "brain".
SIEM platforms were supposed to be the "brain" where all the information is consolidated and acted on. The problem is that SIEMs flood SOC teams with hundreds, even thousands, of alerts per day, the vast majority of them false positives. How can analysts know which alerts to focus on? They don't. This becomes even harder when you have blind spots, that is, when security teams are dispersed and don't know the ever-changing people and assets of the organization well (impossible to achieve in an organization with many thousands of employees and dozens of departments).
There's only one route out of this mess: effective automation. If the system can learn and constantly adapt to the changing organizational landscape, and take on much of the work that is today, unreasonably, demanded of the SOC team, the security system can be managed effectively.
The 16 patents (including nine granted) held by empow are focused on creating this automation. Algorithms based on kill chain patterns, AI and Natural Language Processing (NLP), expressed in the MITRE ATT&CK™ language, remove the need to write and maintain correlation rules. In this way we are able to gather information through our UEBA and NTA engines and weed out the mountains of false positives.
The result is a SOC team that is fed only truly high-risk alerts. Analysts can then do what they are trained to do: dig deeper into those few alerts and take action to protect the network. Through this kind of automation, a SIEM can fill in the many blind spots SOC teams have in large, distributed organizations.
Even if you're not a Silicon Valley giant, there are still steps you can take to protect your network from spearphishing attacks:
- Raise awareness among employees of attacks such as social engineering, drive-by browsing, ransomware and advanced persistent threats.
- Equip yourself with effective tools that lower the volume of false positives so that your SOC team can manage the security platform effectively.
- Use a technology, whether a SIEM or an analytics tool, that can automatically identify abnormal behavior, including an insider using internal organizational tools with potentially malicious intent, and correlate it with alerts and indications coming from other security technologies.
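The following script is an added example, not empow's product or code from the original post. It shows, on constructed events, the three ideas discussed above: the spearphish-to-exfiltration chain, where data leaves over DNS while the command-and-control channel is HTTPS (Exfiltration Over Alternative Protocol); reducing a flood of per-detection alerts to one kill-chain alert by correlating events per user in ATT&CK tactic order; and treating use of an internal support tool as suspicious only when it follows a compromise chain, so that a colleague doing legitimate support work on the same tool raises nothing. Event type names, tactic mappings, the six-hour window and the three-stage threshold are all assumptions chosen for illustration.

```python
"""Kill-chain correlation over constructed SIEM events (illustrative only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Raw detection types (names assumed for this example) mapped to the ATT&CK
# tactic they evidence.  Events not listed here never contribute to a chain.
TACTIC_OF = {
    "email.link_delivered": "initial-access",      # spearphishing link reached the inbox
    "proxy.link_clicked": "initial-access",        # user followed the link
    "edr.office_spawned_shell": "execution",       # Office document launched a shell
    "proxy.beacon_https": "command-and-control",   # periodic HTTPS to a new domain
    "dns.bulk_txt_queries": "exfiltration",        # data leaving over DNS, not the C2 channel
    "admin.account_override": "impact",            # internal support tool used on an account
}
ORDER = ["initial-access", "execution", "command-and-control", "exfiltration", "impact"]
WINDOW = timedelta(hours=6)   # assumed: events further apart are not one chain
MIN_STAGES = 3                # assumed: fewer distinct tactics stays suppressed


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def naive_alert_count(events):
    """A rule-per-detection SIEM raises one alert per event."""
    return len(events)


def exfil_over_alt_protocol(chain):
    """True when data leaves over a protocol different from the C2 channel (ATT&CK T1048)."""
    c2 = {e["proto"] for e in chain if TACTIC_OF[e["type"]] == "command-and-control"}
    ex = {e["proto"] for e in chain if TACTIC_OF[e["type"]] == "exfiltration"}
    return bool(c2) and bool(ex) and not (c2 & ex)


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group tactic-bearing events per user, keep those within `window` of the
    first one, and raise a single alert when the distinct tactics appear in
    kill-chain order and there are at least `min_stages` of them."""
    by_user = defaultdict(list)
    for ev in events:
        tactic = TACTIC_OF.get(ev["type"])
        if tactic:
            by_user[ev["user"]].append((parse_ts(ev["ts"]), tactic, ev))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda t: t[0])
        start = evs[0][0]
        chain = [ev for ts, _, ev in evs if ts - start <= window]
        stages = []
        for ev in chain:                      # distinct tactics in order of first sighting
            if TACTIC_OF[ev["type"]] not in stages:
                stages.append(TACTIC_OF[ev["type"]])
        idx = [ORDER.index(s) for s in stages]
        if idx == sorted(idx) and len(stages) >= min_stages:
            alerts.append({"user": user, "stages": stages,
                           "exfil_over_alt_protocol": exfil_over_alt_protocol(chain),
                           "evidence": chain})
    return alerts


# Constructed events (not real telemetry).  "alice" is a compromised support
# engineer, "bob" was phished but nothing executed, "carol" does legitimate
# support work with the same internal tool, and the rest is ordinary noise.
SAMPLE_EVENTS = [
    {"ts": "2020-07-15 08:02:11", "user": "alice", "type": "email.link_delivered", "proto": "smtp"},
    {"ts": "2020-07-15 08:09:40", "user": "alice", "type": "proxy.link_clicked", "proto": "https"},
    {"ts": "2020-07-15 08:10:05", "user": "alice", "type": "edr.office_spawned_shell", "proto": None},
    {"ts": "2020-07-15 08:25:30", "user": "alice", "type": "proxy.beacon_https", "proto": "https"},
    {"ts": "2020-07-15 09:40:12", "user": "alice", "type": "dns.bulk_txt_queries", "proto": "dns"},
    {"ts": "2020-07-15 11:15:00", "user": "alice", "type": "admin.account_override", "proto": None},
    {"ts": "2020-07-15 08:03:50", "user": "bob", "type": "email.link_delivered", "proto": "smtp"},
    {"ts": "2020-07-15 08:31:02", "user": "bob", "type": "proxy.link_clicked", "proto": "https"},
    {"ts": "2020-07-15 10:05:00", "user": "carol", "type": "admin.account_override", "proto": None},
]
NOISE_TYPES = ["av.quarantined_adware", "auth.failed_login", "ids.port_scan_signature"]
for i in range(150):
    SAMPLE_EVENTS.append({"ts": f"2020-07-15 {i % 24:02d}:{i % 60:02d}:00",
                          "user": f"user{i % 40}", "type": NOISE_TYPES[i % 3], "proto": None})

if __name__ == "__main__":
    print("naive alerts:", naive_alert_count(SAMPLE_EVENTS))
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["user"], alert["stages"], "alt-protocol exfil:", alert["exfil_over_alt_protocol"])
```

Run stand-alone, it reports 159 naive alerts and one correlated alert, for alice, spanning all five tactics with the alternative-protocol flag set; bob's half-chain and carol's routine tool use are suppressed. The point is not the specific thresholds but the shape: the internal tool event is ambiguous on its own and only becomes high-risk because of what preceded it on the same identity.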