Twitter Hack Root Cause Applies Equally to Enterprise Systems
by Sash, on 16/07/2020 4:54:49 PM
Background
The public figure Twitter account hijacking extends well past social media and has many parallels to business and enterprise systems. Whenever there is a breach, it should be review not merely for the specific circumstances, but also to identify systemic failures, weaknesses or observations that can improve the effectiveness of environments that are dependent on the same security principles.
To summarise the relevant events:
- The Twitter accounts of public figures had posted authorised content in the form of a tweet.
- The tweet stated that any donations using Bitcoin would be matched.
The Twitter accounts in question displayed the verified blue tick, indicating that Twitter has validated that the holder of that particular account is in fact the public figure named and shown. This was in response to numerous ‘fake’ accounts being setup with the name and readily available profile photo of a public figure, however it was usually impossible to validate if it was actually that person.
A Strong Front Door
Attackers rarely go in the front, even if that is where you focus your attention
If the intent here was to be able to send tweets from the accounts of public figures, which have been targeted heavily throughout the history of social media, then logging into their Twitter account would be the equivalent of the front door. Multifactor authentication, application-based security notifications and risk-based locking systems would put this as heavily fortified, to use our door analogy.
Best to try to understand the environment and identify where the weakest links are – the analogical side window and back door, often left ajar or unlocked. Think suppliers, integrations, extranets, or that dusty old Windows 2008 Server nobody knows about. Nobody is going to successfully penetrate even a moderately well configured firewall by blasting it from the internet.
Chain of Trust
Trust can be used as a threat vector as much as technology
The Twitter verified blue tick was used in this case to elicit a response that would otherwise be dismissed. That is, content on the internet requesting payment via an irreversible cryptocurrency, with the promise of a doubled return!
Whilst promises of double your money are unlikely to impact enterprise environments, the systemic weakness is relevant. This is not dissimilar to the CEO/CFO requesting urgent payment of an invoice, bypassing regular controls and human behaviour, because of their position of trust.
The Insider
The insider can be malicious – sometimes without knowing it
A real concern with this incident is that, if indications of a socially engineered employee are accurate, the employee has the ability to interact as customer accounts including posting tweets. This behaviour must not be possible by a single employee and must follow a strict authorisation process where there may exist a business requirement for customer account access (see more below).
The requirement for multi-person access is to mitigate the risk of malicious insider, as well as a compromised insider. Sensitive operations such as financial transactions have often required multi-party approvals. The same should apply to sensitive data access operations.
Business Requirement
Most security frameworks talk about a business need for privileges
Need to know is well understood and has developed from military circles where keeping secrets meant the different between life and death. Nowadays, the principle is equally relevant in that it is fundamentally designed from protecting you from yourself. Just as you cannot spill a secret that you do not know, you cannot breach a system you are not able to access.
By limiting all access to that defined by business requirement significantly reduces the consequences of a cyber event. The details are not yet know at this stage, however it is likely that a multi-party sensitive system access approval process coupled with a disciplined least privilege approach could have prevented this breach.
The Weakest (Convenient) Link
External management tools bypassing multifactor authentication
Whilst all indications are that an insider was socially engineered in this specific event, it is important to understand how external tools can be used to undermine an otherwise well considered security approach.
Twitter is used by individuals and organisations as part of a broader communications strategy, which has resulted in the formation of an entire ecosystem of tools developed to support this by adjusting images, shortening links and scheduling posts.
Some of these tools request and are provided access to post content as a particular account, at a scheduled or optimal time. Being a modern app, authorisation is provided using modern protocols such as OAuth 2.0. Tools such as these will use their stored OAuth token rather than the username, password and multifactor authentication to gain access to post your scheduled accounts. Compromise the convenient tool and you compromise the primary target.
Microsoft, previously Office, 365 and Azure more broadly is an example. Hardened and with multifactor authentication, here is where add-in and integrations can be granted significant privileges, which may not come under the same level of protection. IT administrators are particularly vulnerable, with numerous operational responsibilities and a multitude of third-party tools ready to help them cut down on administration overhead. Their elevated privileges and the persistent access granted to these tools, often bypassing Microsoft’s MFA, is ripe for exploitation as the weakest link.