Once upon a time, there was a mischievous schoolboy who was least interested in studies and often created nuisance for teachers and children. One afternoon when he saw the principal wasn’t in the school, he realized he didn’t have to pick the door lock or bribe the guard to enter the office, so he seized the opportunity. He picked up the microphone, which he knew how to operate, and announced the early closure of the classes. It was difficult to recognize the voice coming out of the wall-mounted hoarse loudspeaker. Teachers were puzzled. Students from many classes began to rush home with their satchels. Soon his mischief was uncovered. But by then, many of the students had fled home.
The plot of the recent Twitter hack that involved compromise of high-profile accounts (Joe Biden, Barack Obama, Bill Gates, Elon Musk, Apple, Uber and many others) doesn’t look different from the schoolboy’s story, except the attackers manipulated Twitter employees to gain access to high profile accounts. Once in control, the hackers duped people with tweets offering a double-your-money opportunity. Simply transfer bitcoins into their desired account and get double your money back. While it’s obvious this offer is too good to be true, cybercriminals amassed a handsome amount of $121,000 before Twitter could suspend the accounts!
While everyone has been aghast at the enormity of the attack and potential reach of threat actors to anyone and anything, it is important to know that this has not happened for the first or the last time. The worst is yet to come because high profile accounts are always extremely attractive to hackers. Twitter provides a voice that can trigger mayhem in the stock market, in political arena or in social circles, so social media handles of thought leaders must be protected.
Two sides of the Twitter hack
Let’s agree that the Twitter attack has two sides: social engineering attacks and the role of insiders. To prevent such future occurrences, it is critical for us to see this event through different lenses and to understand the lessons we can learn.
First, it points out the growing use of social engineering attacks. Twitter has also admitted in an open blogpost that hackers targeted some of its employees to carry out this attack. This attack thus shows hackers can psychologically manipulate employees and convince them to divulge account credentials. Hackers could have used several different approaches for their social engineering – fake login pages and click on phishing links, or exploited technology vulnerabilities or even directly manipulating employees through basic social hacks (Kevin Mitnik was famous for pulling several such attacks!).
Social engineering attacks have increased as threat actors, having realized that most employees across businesses are more vulnerable while working remotely during the pandemic, impersonate government authorities, healthcare officials, contractors, suppliers and third parties to gain access to company systems. The emotion of urgency favors threat actors – who hasn’t felt compelled to respond to an email from your CEO. Now when we see “COVID Update” in the subject line from the CEO’s email, we can’t hold back. The report ‘100 Days of Coronavirus’ by Mimecast that finds the monthly volume of all the cyberattacks increased significantly – by 33% – between January and the end of March 2020 is a testimony.
On the second side, the Twitter hack brings into focus the role of insiders (those with “inside” access), and the devices they use, who may not have willingly or knowingly served to the needs of hackers. The role of insiders in high-profile leaks and breaches lately has been bothering organizations big time. The Twitter hack is a strong reminder that organizations also need to manage the risk of insiders, which come in three categories:
- Malicious insiders, which are people who take advantage of their access to inflict harm on an organization
- Negligent insiders, which are people who make errors and disregard policies, which place their organizations at risk
- Infiltrators, who are external actors that obtain legitimate access credentials without authorization.
By embracing the Zero Trust philosophy more intrinsically to safeguard their networks, organizations can develop a program that is far more than a technical program. While technology can prevent phishing and credential theft attacks from succeeding, in a holistic insider threat program, the human element remains just as important as the technology. The consideration of human element is crucial to any successful program. The program must address all aspects from policymaking, monitoring and escalation procedures to consequence management. This will prevent a rouge schoolboy impersonating the principal.
Managing social media securely
The Twitter hack may have originated from the Twitter premises, but rouge actors may target you individually next time as they often do. So, this hack demands everyone to secure their devices appropriately, particularly the devices which are used for managing social media accounts that can be devastated by credential theft or a phishing attack. Hot shots of business, politics, media, fashion, film, etc. must be constantly active on social media since it helps them stay in touch with their peers and followers. But many of them have hired professionals to manage their social media on their behalf. It goes without saying that their social media handlers must be trusted.
On the technology side, it is crucial that the devices used for sending social media messages are adequately secured. Having an anti-virus installed on the endpoint isn’t enough (we all know that!). Hackers are creative and persistent, exploiting various aspects of the browser from cookies to plugins to scripting & rendering technologies to compromise the end users and/or steal credentials. Using effective browser security tool built using the principle of Zero Trust can minimize the risk. Technologies such as Remote Browser Isolation are effective in thwarting ransomware, malvertising or spyware attacks. Many hacks on companies like Twitter involve the browser and could be avoided if the Zero Trust approach gets embedded into your cybersecurity strategy.
To sum up, there is more to the Twitter hack event than meets the eye. Even if ‘social engineering’ led hackers to take control of high-profile Twitter handles and exploit them in their favor, we need to pay equal attention to the role of insiders and protecting endpoints effectively.