What happened at Twitter was a cyber attack almost unprecedented in scope and publicity. One of the largest social media platforms in the world suffered at the hands of as-yet-unknown hackers.
Phishing Has Been Around for a Long Time. Why Did Twitter Fall for It?
By Sivan Omer, Product Manager of empow.
COVID-19 is causing immeasurable hardship around the world, and many people are facing sudden personal or financial ruin. Good people are trying to help, and we’re seeing an increase in donations—the LA Times called the increase in charity “off the charts.” Most of the donations are done through crowdfunding sites and social media initiatives that target people with a history of donating.
The dark side of this targeting is that it resembles the social engineering conducted by bad actors, who try to get people to divulge information or take action.
It’s hard to fathom that hackers are taking advantage of people’s kindness in this global catastrophe but, unfortunately, they’re hard at work. Cybercriminals will do anything to accomplish their goals, unhindered by things like morals. One of the ways for them to achieve their goals is to communicate around topics that are relevant to the target audience.
Take, for example, the brazen Twitter attack last week, in which the profiles of Joe Biden, Barack Obama and other very high-profile users were taken over, earning the attackers $120,000 in Bitcoin and causing immeasurable damage to Twitter’s reputation, not to mention posing a threat to democracy in an era when the President of the United States tweets out policy regularly. In picking such high-profile targets, it’s clear the attackers wanted to create an immediate impact and reach a large audience within seconds, even at the cost of the attack being quickly mitigated.
Twitter shared: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” According to The Verge, the near-simultaneous account takeovers of a number of highly sensitive Twitter accounts—including those of presidential candidates and those with two-factor authentication enabled—suggest the attackers did not simply exploit individual account owners and had at the very least indirect access to employee tools.
To get insider access like this, hackers use different channels, such as email, social media, and SMS, to fool users. One of the known techniques is spearphishing: sending an email to specific and well-researched targets while purporting to be a trusted sender to gain initial access into the victim’s systems. Such an email may include either an attachment carrying exploit code or a link to a malicious website.
If the victim believes this email is legitimate and opens the attachment or clicks on the link, the exploit code executes and compromises the system. It can also download additional tools such as a RAT (Remote Access Tool) to take complete control of the user’s system.
Once the attacker gains control of the end user’s system, they can now attack other systems on the internal network and steal data. The data can then be exfiltrated to offshore servers managed by the attacker over a different protocol than that of the existing command and control channel. This kind of attack technique is called Exfiltration Over Alternative Protocol.
To secure your organization against this type of attack, a number of different actions need to be taken. First, it’s important to raise awareness among company employees of attacks such as social engineering, browsing, ransomware, and advanced persistent threats. Second, the organization needs to equip itself with effective technological solutions.
From the technology side, the key lies in a security analytics layer that can identify abnormal behavior, including insider behavior that uses internal organizational tools with potentially malicious intent, and correlate it with alerts and indications coming from other security technologies. This approach would protect organizations in the best possible way, quickly identifying attacks and prioritizing the entities at risk (in the Twitter case, “accounts”) that require immediate attention.
One of the best platforms that would enable this level of protection is a Next-Generation SIEM (NG-SIEM), one that includes built-in behavioral analysis capabilities and the ability to automatically connect the dots between all the steps described above and raise a red flag to the team about a potentially high-risk attack, while it’s still possible to stop it.
An effective NG-SIEM can neutralize the problem of “siloed” security tools that don’t know how to “talk” to one another, a major pain point for security teams.
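The cross-tool correlation described above, as an added example (not code from empow or any SIEM product): alerts from separate tools are grouped per entity, and an entity is flagged only when several distinct tools report on it inside one time window. The alert records, tool names, entity ids, stage labels and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (time, reporting tool, entity, attack stage).
# Tool names, entity ids and stage labels are assumptions for illustration.
ALERTS = [
    ("2020-07-15T09:02:00", "email_gateway", "emp-ops-17", "spearphishing_link"),
    ("2020-07-15T09:10:00", "edr", "emp-ops-17", "remote_access_tool"),
    ("2020-07-15T11:40:00", "admin_tool_audit", "emp-ops-17", "abnormal_internal_tool_use"),
    ("2020-07-15T12:05:00", "netflow", "emp-ops-17", "exfil_alternative_protocol"),
    # Repeated alerts from a single tool: noisy, but only one silo sees anything.
    ("2020-07-15T10:00:00", "email_gateway", "emp-hr-03", "spearphishing_link"),
    ("2020-07-15T10:30:00", "email_gateway", "emp-hr-03", "spearphishing_link"),
    # Three tools, but spread over days: not correlated with a short window.
    ("2020-07-10T08:00:00", "email_gateway", "emp-dev-22", "spearphishing_link"),
    ("2020-07-13T16:00:00", "edr", "emp-dev-22", "remote_access_tool"),
    ("2020-07-16T19:00:00", "netflow", "emp-dev-22", "exfil_alternative_protocol"),
]

def correlate(alerts, window=timedelta(hours=6), min_sources=3):
    """Return entities reported by >= min_sources distinct tools inside
    one time window, sorted so the highest-risk entity comes first."""
    by_entity = defaultdict(list)
    for ts, source, entity, stage in alerts:
        by_entity[entity].append((datetime.fromisoformat(ts), source, stage))

    flagged = []
    for entity, events in by_entity.items():
        events.sort()
        best = None
        # Slide a window that starts at each alert and keep the richest one.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            sources = {e[1] for e in in_window}
            stages = {e[2] for e in in_window}
            if len(sources) >= min_sources and (best is None or len(stages) > len(best[1])):
                best = (sources, stages)
        if best:
            flagged.append({"entity": entity, "sources": sorted(best[0]),
                            "stages": sorted(best[1]), "score": len(best[1])})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for hit in correlate(ALERTS):
        print(hit)
```

Widening the window trades fewer missed slow-moving attacks for more coincidental matches, which is why the window and source threshold are parameters rather than constants.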
Without having insider knowledge, it’s safe to assume Twitter has at its disposal the most advanced security tools available today, probably including a next-generation SIEM or a data lake analytics platform that they built on their own. But organizations of this size and complexity can be especially vulnerable to the “silos syndrome”—what probably happened was that different security groups and technologies “saw” different aspects of the attack, but the big picture was missed because all the information was not fed into one “brain.”
Surely Twitter is now working on ways to better protect public accounts (one conjecture is that Trump’s profile wasn’t hacked because there were special protections in place for it due to past attempts; Twitter is likely planning to use them more widely). An effective advanced SIEM, or a security analytics system that includes the required capabilities, can help organizations avoid the massive damage suffered by Twitter in this latest high-profile attack.