How to slow down a cyber attack

Johannesburg, 12 Dec 2022
Craig Harwood, Regional Director, Africa & Middle East at CyberArk.

South African organisations are favourite targets for cyber crime gangs. This revelation is not new: numerous reports and studies from insurance underwriters and cyber security firms underscore the concern. 

Events on the ground echo their warnings: prominent recent examples include pharmacy retail giant Dischem losing 3.6 million records to a breach and criminals grabbing a staggering 54 million user records from TransUnion. There is no shortage of more local examples, and security, IT and business professionals are under mounting pressure to reduce these risks in a constantly shifting landscape.

We can glean important guidance on the most effective strategies by studying significant attacks. Specifically, the recent breach of Uber's systems provides an excellent case study of how one could slow down a cyber attack.

"It's becoming more and more accepted that you can't really avoid a breach," says Craig Harwood, CyberArk's regional director for Africa and Middle East. "The focus has shifted towards slowing down attacks. The security world calls this an 'assume breach' mindset. You still do everything in your capacity to prevent breaches, using tools such as multi-factor authentication and user training. But you also accept that cyber criminals work constantly to circumvent such safeguards. They will eventually get in. When they do, what is your plan?"

Unpacking the Uber breach

The Uber breach reveals how modern attackers behave and how we can stop them from doing any significant damage. The CyberArk Red Team analysed this event and drew several important conclusions. To understand their value, let's start with the chain of events:

  • The attackers obtained credentials to Uber's VPN infrastructure. Though these credentials, which belonged to a contractor, didn't have elevated or unique rights to critical resources, they did provide access to a common network share that may have been misconfigured to allow broad reads of the access control list.
  • The attackers located a PowerShell script with hard-coded privileged credentials for Uber's privileged access management (PAM) solution within the network share.
  • Using the hard-coded admin credentials and access to the PAM, the attackers elevated their privileges.
  • According to reports, the attackers gained access to several consoles, including the single sign-on service and Uber's cloud management console, which it uses to store confidential customer and financial information.
  • The attackers exfiltrated data from several systems. Uber stated that they "downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices".

The fault in our credentials

We can draw several conclusions from the breach pattern, says Harwood: "Hard-coded credentials played a big role in this attack. Administrators routinely write scripts to automate processes, such as backups, and include credentials in such scripts. These credentials could be anything from privileged tokens and SSH keys to API tokens and other kinds of passwords. It's typical for developers to embed (or hard code) these credentials into the code to save time and to assure automation. This makes it difficult to manage and rotate the credentials because they are left open to everyone with access to the code."
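A defender can look for this pattern before an attacker does. The following is an added example, not code from CyberArk or from the original article: a Python scanner that flags credential literals in PowerShell script text and redacts them in its report. The file names, rule names, sample scripts and the `Connect-Vault` cmdlet are constructed for illustration.

```python
import re

# A quoted literal; a value starting with "$" is a variable reference and is skipped.
LITERAL = r"""(['"])(?P<val>(?!\$)[^'"]+)\1"""
RULES = [
    ("assigned-secret", re.compile(
        r"\$\w*(?:password|passwd|pwd|secret|token|apikey)\w*\s*=\s*" + LITERAL, re.I)),
    ("plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?" + LITERAL + r".*-AsPlainText", re.I)),
    ("literal-password-arg", re.compile(
        r"-(?:Password|Secret|Token)\s+" + LITERAL, re.I)),
]

def redact(value):
    # Never copy the secret into a report; keep a two-character hint and the length.
    return value[:2] + "*" * (len(value) - 2)

def scan_script(name, text):
    """Return (file, line number, rule, redacted value) for each credential literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # ignore PowerShell comment lines
            continue
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((name, lineno, rule, redact(m.group("val"))))
    return findings

def scan_share(files):
    """Scan a mapping of file name -> script text, e.g. read from a network share."""
    return [f for name, text in files.items() for f in scan_script(name, text)]

# Constructed sample scripts (Connect-Vault is a hypothetical cmdlet).
SAMPLE_SHARE = {
    "backup.ps1": "\n".join([
        "# nightly backup job",
        '$pamUser = "svc-backup"',
        '$pamPassword = "EXAMPLE-not-a-real-secret"',
        '$sec = ConvertTo-SecureString "EXAMPLE-not-a-real-secret" -AsPlainText -Force',
        "Connect-Vault -User $pamUser -Password $sec",
    ]),
    "rotate.ps1": "\n".join([
        '$pamPassword = Get-Secret -Name "pam-backup"',   # fetched at run time
        "$token = $env:API_TOKEN",                        # injected by the scheduler
    ]),
}

if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE):
        print(finding)
```

Only `backup.ps1` is flagged; `rotate.ps1` resolves its secrets at run time, so rotating the credential does not require touching the script.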

Credential theft remains the most significant risk, and criminals are becoming more adept at getting around safeguards such as multi-factor authentication. In fact, the Uber story features multiple MFA compromises.

"Your staff members are your gatekeepers, so routinely teach them to recognise and report phishing to help avoid identity theft. As attacks continue to change, expect alertness but not absolute precision," Harwood advises. This breach also highlights the importance of ensuring least-privilege access, a fundamental part of zero-trust frameworks: "Consistently apply the principle of least privilege, beginning at the endpoint. Set up privileged access management programmes with the utmost care. Access to privileged accounts for administrators should only be granted when it is absolutely necessary. All privileged account access needs to be separated and validated."


The last major conclusion we can draw is the importance of a defence-in-depth (DiD) strategy, thoughtfully layering security controls to protect critical assets, such as important data, when other controls fail. Limiting lateral movement can also greatly help by removing standing access to sensitive infrastructure and online or cloud interfaces. Just-in-time elevation of privileges can significantly minimise the access of any compromised identity, reducing the blast radius of an attacker – especially when combined with robust authentication.

We all know by now that there is no security silver bullet. Even Uber, which had multiple layers of security, still fell victim to attackers. Few people still believe that attacks can be flat-out stopped. But we can control how bad they become. Attacks such as the Uber breach can be mitigated with robust, layered defence-in-depth cyber security bolstered by continued and repeated staff education to help recognise potential sources of danger.

"Having these aspects in place makes it more difficult for attackers to gain a foothold, move, discover and achieve their objectives," says Harwood. "Just as importantly, they allow us to minimise the success and impact of attacks and get back to normal operations as quickly as possible. This is the meaningful learning we should take and apply to our own organisations."
