How Insider Threats Exposed Twitter (and How You Can Prevent That)

by Ray Hillen

This week was rough for Twitter. They suffered a major breach that led to high-profile accounts (e.g., Joe Biden, Bill Gates, Elon Musk, et al.) being hacked. From those accounts, the hackers tweeted that they would pay you double if you put money into a Bitcoin account. But Bitcoin isn’t the story here; it’s just the financial motivation. Having a secure Twitter account isn’t the story either.

So, what is the story? Insider threat. That doesn’t mean employees are intentionally trying to harm the company. In fact, it’s the unintentional user that leaves the door open. Think working over unsecured networks or sharing devices with non-employees. This happens every day by well-intentioned users who don’t fully appreciate the consequences of their actions.

Protect Multiple Platforms with Multiple Users

My experience tells me Twitter’s incident was probably a coordinated attack directed at Twitter employees to gain access to Twitter’s internal systems. In other words, the bad actors came in through the back door and achieved access to platforms and accounts that way. But how does that happen?

Employees and support personnel don’t access Twitter the way you and I do. Employees supporting Twitter may have half a dozen platforms they connect to while working remotely that let them into the Twitter environment. For example, the company may have a VPN platform that developers use, or a remote/virtual desktop platform provisioned for everyone on the team, and either one may provide unintended access to the internal support systems behind the platform you and I use.

As we often see in our incident handling, the bad guys likely didn’t get into Twitter through the Twitter platform itself, but rather through an adjacent platform used by a few or many people inside the company (i.e., an insider threat). If a bad guy gains access to one of those platforms (e.g., via a remote or home computer), he’s immediately in the backend of Twitter and ready to do business.

Update Systems and Review Partners

What does the backend or support environment of a platform like Twitter look like? It’s a good bet that it’s full of systems that aren’t all up to date. Many companies don’t maintain their internal systems with the same degree of rigor as the ones that are publicly facing because no one is supposed to be able to get to them. Once the bad guys got into that side of Twitter, they could have exploited a vulnerability or used harvested credentials and started to do some damage.

What can you do to avoid a similar situation? We stand by the brilliance-in-the-basics approach to systems. The real message is that companies should be reviewing how other platforms used by the organization can open a pathway for the bad guys.

Regular testing is a must. Some organizations outsource a lot of these other platforms. If you have any third parties working for you or on your behalf—offshore developers, contractors, etc.—they potentially have access to everything on the inside or are a short step away. Your main organization doesn’t have control, but the third parties have access to your internal environment.

So, if you’re working with any third parties, you have to confirm that the cybersecurity framework they have in place is adequate and sufficient. Like your organization, they should be maintaining the gold standard.

“Third-party threats are where vendor risk management is critical. You must understand what your exposure is based on the level of access a third party has to your systems, your data, your users, and your clients.”

How Is This Relevant to Me?

I’d argue that everything in this article is relevant to you irrespective of your business model. For example, if you’re a private equity firm, you should know that these third-party issues could be happening to your portfolio companies—and you should extend the same concepts to them that I’ve talked about here.

Agio’s Vendor Risk Program gives you a dual assessment of your vendors, real-time threat assessments, and more. Our managed detection and response (MDR) solutions proactively monitor and mitigate threats to your environment all day, every day so you can get on with your business.

You need what we have—a transparent MDR suite of services with full reporting and accountability that catches things like DNS tunneling, password spraying, brute-force attempts at authentication, excessive login failures, logins from multiple countries, and more.
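To make three of those detection categories concrete, here is a small detection pass over authentication log lines, added as an example and not code from the original post or from Agio’s MDR service; the log format, the thresholds and the sample lines are constructed assumptions.

```python
# Added example (not from the post or Agio's tooling): a toy detection pass
# over constructed auth log lines for three of the categories the post names.
# Log format, thresholds and data are assumptions; IPs are RFC 5737 ranges.
from collections import defaultdict

SAMPLE_LOG = """\
2020-07-15T09:00:01Z FAIL alice 203.0.113.7 US
2020-07-15T09:00:02Z FAIL bob 203.0.113.7 US
2020-07-15T09:00:03Z FAIL carol 203.0.113.7 US
2020-07-15T09:00:04Z FAIL dave 203.0.113.7 US
2020-07-15T09:01:00Z FAIL frank 198.51.100.9 DE
2020-07-15T09:01:10Z FAIL frank 198.51.100.9 DE
2020-07-15T09:01:20Z FAIL frank 198.51.100.9 DE
2020-07-15T09:01:30Z FAIL frank 198.51.100.9 DE
2020-07-15T09:02:00Z OK grace 192.0.2.44 US
2020-07-15T09:03:00Z OK grace 198.51.100.23 RU
2020-07-15T09:04:00Z OK heidi 192.0.2.45 US
"""

def parse(log):
    """Yield (timestamp, result, user, ip, country) per non-blank line."""
    for line in log.splitlines():
        if line.strip():
            yield tuple(line.split())

def detect(log, spray_users=4, fail_limit=4):
    """Return alert lists keyed by the detection category."""
    fails_by_ip = defaultdict(set)    # ip -> distinct users that failed
    fails_by_user = defaultdict(int)  # user -> failure count
    countries = defaultdict(set)      # user -> countries of successful logins
    for _ts, result, user, ip, country in parse(log):
        if result == "FAIL":
            fails_by_ip[ip].add(user)
            fails_by_user[user] += 1
        else:
            countries[user].add(country)
    return {
        # one source failing against many accounts: password spraying
        "password_spraying": sorted(
            ip for ip, users in fails_by_ip.items() if len(users) >= spray_users),
        # one account failing repeatedly: brute force / excessive failures
        "excessive_failures": sorted(
            u for u, n in fails_by_user.items() if n >= fail_limit),
        # one account succeeding from more than one country
        "multi_country_logins": sorted(
            u for u, c in countries.items() if len(c) >= 2),
    }
```

Real deployments would add time windows (a spray spread over a day looks different from four failures in four seconds) and tune the thresholds to the environment’s normal failure rate.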

Summary

It’s not just Twitter that’s vulnerable. Every company should be reviewing how other platforms can open a pathway for bad actors and how third-party vendors and contractors play a part. Agio’s MDR services and our governance and testing programs assess your health, keep track of changes and alerts, and make sure you’re safe 24x7x365.

Contact us. We’re here to help.