The recent Twitter hack shows that devastating security breaches don’t always involve sophisticated actors or methods, according to Rachel Tobac, CEO of SocialProof Security. On the CyberWire’s Hacking Humans podcast, Tobac explained that social engineering requires only that an attacker trick an employee into doing something.
“That's, like, a knee-jerk first reaction: the word ‘sophisticated’ is used in almost every press release – a sophisticated actor. I think we saw that in the case of the Twitter announcement as well – a coordinated, sophisticated social engineering attack,” Tobac said. “And while it was coordinated – they did likely coordinate on Discord, from what we're seeing – it doesn't necessarily mean it's sophisticated. Social engineering somebody and calling to gain access to credentials while pretexting, or pretending to be IT support, I wouldn't call that sophisticated. The things that I do are interesting, but I wouldn't say they're so hard that the average person couldn't do them.”
Tobac also noted that the hack could have been much worse if the hacker hadn’t simply been a teenager interested in running a Bitcoin scam.
“If I were a real malicious person, I'd probably try and start World War III,” she said. “I would take over accounts for, you know, leaders across the world and have them fight with each other and really escalate that. If I were really malicious, that's probably what I would do. Now, of course, it's malicious to take over accounts, but it's not that level of maliciousness where they're trying to incite violence or war. It's just, I'm looking to get some money quick. That points to more teenager behavior, and there were a couple other things that showed that it was more in the teenager direction rather than the APT direction.”
Tobac concluded that the incident shows the importance of a defense-in-depth strategy. Training is important, but organizations also need protocols and technical defenses to minimize the chances of a successful attack.
“There are so many things that we need,” Tobac said. “We need to make sure that we have protocols in place - you know, maybe, like, two eyes or four eyes to make sure that two people are able to make that request before it goes through. Like, for instance, can you imagine if you had to get two Twitter employees to say, sure, we'll change the email on former President Barack Obama's account before actually having it go through?”
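One way to implement the two-person rule Tobac describes is a dual-control gate in front of privileged account changes: the agent who takes the call can open a request but cannot execute it, two different authorized people must sign off, and the approvals expire so a stale ticket cannot be pushed through later. The following is an added example, not code from Twitter, SocialProof Security or the CyberWire; the approver names, the list of privileged actions, the 15-minute window and the sample request are all assumptions made for the illustration.

```python
# Added example: a two-person ("four eyes") approval gate for sensitive
# account changes. Not code from Twitter, SocialProof Security or the
# CyberWire; the role names, policy constants, in-memory store and sample
# request below are assumptions made for this illustration.
import time
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2           # assumed policy: two distinct approvers
APPROVAL_WINDOW_SECONDS = 900    # assumed policy: a request is void after 15 minutes
AUTHORIZED_APPROVERS = {"alice", "bob", "carol"}          # assumed approver group
PRIVILEGED_ACTIONS = {"change_email", "reset_password", "disable_mfa"}  # assumed


class ApprovalError(Exception):
    """Raised when a request cannot be approved or executed under the policy."""


@dataclass
class ChangeRequest:
    request_id: str
    requester: str            # the support agent who opened the ticket
    target_account: str
    action: str
    new_value: str
    created_at: float
    approvals: dict = field(default_factory=dict)   # approver -> approval time
    executed: bool = False


def submit_request(request_id, requester, target_account, action, new_value, now=None):
    """Open a request; a privileged action is never applied at submission time."""
    if action not in PRIVILEGED_ACTIONS:
        raise ApprovalError(f"{action!r} is not a dual-control action")
    created = time.time() if now is None else now
    return ChangeRequest(request_id, requester, target_account, action, new_value, created)


def approve(req, approver, now=None):
    """Record one approval, enforcing separation of duties and freshness."""
    now = time.time() if now is None else now
    if req.executed:
        raise ApprovalError("request already executed")
    if now - req.created_at > APPROVAL_WINDOW_SECONDS:
        raise ApprovalError("request expired; open a new one")
    if approver not in AUTHORIZED_APPROVERS:
        raise ApprovalError(f"{approver} is not an authorized approver")
    if approver == req.requester:
        raise ApprovalError("requester may not approve their own request")
    if approver in req.approvals:
        raise ApprovalError("already signed off; a second, different person is needed")
    req.approvals[approver] = now
    return len(req.approvals)


def execute(req, audit_log, now=None):
    """Apply the change only when the quorum is met and the request is still fresh."""
    now = time.time() if now is None else now
    if req.executed:
        raise ApprovalError("request already executed")
    if len(req.approvals) < REQUIRED_APPROVALS:
        raise ApprovalError(f"need {REQUIRED_APPROVALS} approvals, have {len(req.approvals)}")
    if now - req.created_at > APPROVAL_WINDOW_SECONDS:
        raise ApprovalError("approvals expired before execution")
    req.executed = True
    audit_log.append({"request": req.request_id, "account": req.target_account,
                      "action": req.action, "requester": req.requester,
                      "approvers": sorted(req.approvals), "executed_at": now})
    return True


def _attempt(results, key, fn):
    """Run one step and record whether the gate blocked it."""
    try:
        fn()
        results[key] = "executed"
    except ApprovalError:
        results[key] = "blocked"


def scenario():
    """Walk the gate through the cases that matter and return what happened."""
    t0, audit, results = 1_000_000.0, [], {}
    # A single socially engineered agent ("dave") opens the request (constructed data) ...
    req = submit_request("REQ-1", "dave", "@example_official", "change_email",
                         "attacker@example.invalid", now=t0)
    _attempt(results, "solo", lambda: execute(req, audit, now=t0))          # ... but cannot run it
    approve(req, "alice", now=t0 + 10)
    _attempt(results, "same_person_twice", lambda: approve(req, "alice", now=t0 + 20))
    _attempt(results, "one_approval", lambda: execute(req, audit, now=t0 + 30))
    approve(req, "bob", now=t0 + 40)                                         # second, different person
    _attempt(results, "two_approvals", lambda: execute(req, audit, now=t0 + 50))
    # A stale request cannot be revived later by a second approver.
    stale = submit_request("REQ-2", "dave", "@example_official", "disable_mfa", "", now=t0)
    approve(stale, "alice", now=t0 + 10)
    _attempt(results, "stale", lambda: approve(stale, "bob", now=t0 + APPROVAL_WINDOW_SECONDS + 1))
    return results, audit


if __name__ == "__main__":
    print(scenario())
```

The design point is that the agent on the phone never holds the power to make the change alone, so a successful pretext against one person is not enough; the audit record names both approvers so a compromised approval is attributable, and the expiry means an attacker cannot collect one approval today and a second next week.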
Tobac added that the Twitter incident shows that organizations can never afford to relax when it comes to security.
“It's very possible that they were doing all of the suggestions that I recommended, and it still didn't work,” she said. “So I can't really comment on that, but I can say that we know many organizations out there do not take these steps. They might not have hardware MFA. They might not have social engineering training with up-to-date examples of how exactly it happens, not just over email but also over the phone, which is a big limitation of a lot of trainings now, and also making sure that we have all of the technical tools to back up if a person inevitably makes a mistake, which is, of course, bound to happen. Twitter might have been doing this. They might not have. But we do know that it's a learning point for every organization, regardless of whether or not they're currently doing it. So just keep it up.”
New-school security awareness training can give your organization an essential layer of defense by teaching your employees about social engineering and instilling in them the importance of following security protocols.
The CyberWire has the story.