I stumbled on the news about the massive data breach suffered by Uber last week Thursday. The attack was attributed to the notorious Lapsus$ hacking group, which has been increasingly active in recent months. Researchers say the incident has highlighted the risks that can come from trusting too much in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.
One well-known tactic of the Lapsus$ hacking group is to co-opt MFA-circumventing tools into its attack chain. In a statement released yesterday, Uber said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.
Sadly, this can happen to any organization, so instead of playing the blame game it is important to focus on learning how to protect our organizations against such attack scenarios. Here is what experts think should be done.
- Reet Kaur, a Board Member and Advisor to Cisco, highlights the following as controls to be taken:
a. Implement #zerotrust (ZT) - ZT can address these types of attacks by authenticating every transaction.
b. Enable #redteam / #pentesters to test like a real hacker - Uber has a great pentest team, but most security #teams are asked to play offense in a restricted way so that operations don’t get impacted. A hacker would have no such limitation. Would you like a hacker to test it for you, or your team?
c. Security controls do fail, so implement multiple - Security is a #people, #processes and #technology play. Implement security controls at multiple layers so that if one control plane fails, another one protects. Continue providing #training to employees, but don’t expect flawless execution from them all the time, as security is only 1% of their job responsibilities and mistakes may happen.
d. Implement #changemanagement | Separation of Duties | Dual Control - This is to make sure that NO ONE privileged account can disable critical implementations like MFA without going through proper verifications and approvals.
e. Set exhaustion limits on MFA - Failed attempts more than 5-6 times should disable the account and require a call back to enable the account, which may reduce the risk of MFA getting compromised.
f. Implement CASB and #cloudsecurity posture management solutions - It is easy to drift out of compliance if you don’t have full visibility into the cloud. Implementing automated monitoring, detection and response can help get an alert or automatically deny unapproved policy changes.
g. Plan for out-of-band #communication - In case your internal communication channels (Slack) get breached.
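Item (e) above, as an added example that is not part of the post or of Reet Kaur's advice: a small prompt-exhaustion guard that counts MFA push prompts per account in a sliding window, disables the account once the prompts exceed the 5-6 threshold, and only re-enables it after an out-of-band callback. The event names, the 10-minute window and the whitespace-separated sample log are assumptions constructed here, not the format of any real identity product.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class MfaGuard:
    max_prompts: int = 5     # item (e): more than 5-6 prompts without approval => disable
    window: int = 600        # assumption: 10-minute sliding window, in seconds
    prompts: dict = field(default_factory=dict)  # user -> deque of prompt timestamps
    locked: set = field(default_factory=set)

    def handle(self, ts: int, user: str, event: str) -> str:
        """Decision for one auth event: allow, lock, blocked, unlocked or ignored."""
        if event == "callback_verified":      # out-of-band callback clears the lock
            self.locked.discard(user)
            self.prompts.pop(user, None)
            return "unlocked"
        if user in self.locked:               # disabled account: no further prompts
            return "blocked"
        if event == "mfa_push_approved":      # genuine completion resets the counter
            self.prompts.pop(user, None)
            return "allow"
        if event != "mfa_push_sent":          # denials etc. need no extra handling here
            return "ignored"
        q = self.prompts.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop prompts older than the window
            q.popleft()
        if len(q) > self.max_prompts:
            self.locked.add(user)
            return "lock"
        return "allow"

# Constructed sample log, format "<unix_ts> <user> <event>" (assumed, not a real product's)
SAMPLE_LOG = """\
1663200000 contractor01 mfa_push_sent
1663200060 contractor01 mfa_push_sent
1663200090 contractor01 mfa_push_sent
1663200120 contractor01 mfa_push_sent
1663200150 contractor01 mfa_push_sent
1663200180 contractor01 mfa_push_sent
1663200200 contractor01 mfa_push_sent
1663200300 alice mfa_push_sent
1663200310 alice mfa_push_approved
"""

def replay(log: str) -> list:
    """Feed each log line to a fresh guard and return (user, decision) pairs."""
    guard = MfaGuard()
    rows = (line.split() for line in log.splitlines())
    return [(u, guard.handle(int(t), u, e)) for t, u, e in rows]
```

In the sample, contractor01's sixth prompt inside the window trips the lock and the seventh is refused outright, while alice's single approved prompt clears her counter.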
In addition to the above, Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access. "Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts."
Although some organizations may already have implemented these controls, it is pivotal to keep these multiple strategies ahead of the sprawling complexity of modern threats and threat actors, so that we are not outpaced by them.