Another month, another high-profile security incident. The most recent news is about a sub-contractor of the identity and access management company, Okta being attacked which led to unauthorized access to Okta’s customer support tools, which in turn may have exposed over 350 of their customers. There has been much hand wringing about the slowness of the forensic investigation and the release of information around the event. There has also been plenty of hindsight-biased conclusions about how, if they got breached, they must have been doing something wrong. What there hasn’t really been a lot of is discussion about what, if anything, might have been done to prevent or mitigate such an attack.
As with most breeches, we don’t have full details of every nuance of this attack, but we do have a few public facts that can help us draw some useful and actionable conclusions. According to a study by the Ponemon Institute, 68% of organizations have experienced one or more endpoint attacks that successfully compromised data and/or their IT infrastructure – which is exactly how these hackers (in this case, a gang called Lapsus$, or as Microsoft calls them, DEV-0537) got into their victim.
Attacks often start at the endpoint
End user machines are often targeted for a couple of reasons: end users can often be duped into performing privileged actions that a more automated attack wouldn’t be able to do, and end user machines’ configuration and security posture tend to degrade over time, making them easier to compromise. Analysis by Absolute shows that most security controls have a high probability of going out of compliance if they are not actively maintained, with about a third of machines having anti-virus and anti-malware agents that are out of compliance at any given time.
Once the attackers compromised the endpoint machine (most likely by getting the user to click on a malicious link or document) they enabled the Remote Desktop Protocol service on that machine, allowing them to view and control the desktop. This allowed them to make use of existing, logged in sessions from the legitimate user, giving them access to all the customer support tools that the user was authorized to use.
Some days later, the attackers used one of these logged in sessions to attempt to add a new authentication credential to the user’s account, which would have enabled them to access various internal services directly rather than through the compromised device. It was this attempt to expand their access that rang alarm bells, about four days after the initial compromise. It then took the company another 18 hours to investigate the alert, quarantine the machine, and cut access.
So much for what we know about the attack. The question we really need to answer is: what could they have been done better, or more pressingly, what should you be doing to make sure that you are not the next victim?
As I’ve written before, it’s naïve to think that any organization can prevent all breaches. If we embrace the fact that security controls can and will fail, then we need to also embrace the idea that rapid detection and response are critical. At Absolute, this is what we call Resilience. Things get bent out of shape and you need them to be able to bounce back as quickly as possible.
In this case, there are several places where Resilience would have helped:
- Detect and automate patching. While we don’t know the exact vector of compromise, we know from the 2021 Absolute Endpoint Risk Report that the average PC is typically nearly three months behind on patching. Being able to detect when a machine is behind on patching and allowing remote control to automate that patching can greatly reduce the window of opportunity for vulnerabilities to be exploited.
- Monitor service configurations. Once attackers had compromised the machine, they enabled the RDP service, a service that would not normally be needed on this endpoint machine. This is a very common pattern when endpoints are compromised. Having the ability to monitor service configuration on end-user machines and see when unauthorized services get switched on can give security teams a heads-up that something might be amiss and allow them to start investigating even before the compromised machine is being exploited for nefarious purposes.
- Enable secure, remote management. Whenever an attack like this occurs, the security team needs to access the machine to investigate the incident, remove malware, and restore configurations. The power to do this remotely through a secure connection can greatly reduce the time needed both to identify the problems and to solve them.
- Ensure Resilience tools are resilient. Finally, the tools that IT and security teams rely on for all the forms of resilience listed above need to be resilient themselves. It’s no good having tools that let you patch, monitor, and configure endpoints if those tools drift out of compliance or can be disabled. Your Resilience tools need to be Resilient.
Absolute Resilience is embedded into PCs by their manufactures. It runs before the operating system starts and has the power to repair and restore itself. It gives you the power to reach out to your endpoint computers, even when they are not on your corporate network, so that your systems can bounce back in the face of attack.
Breaches happen to all sorts of company: big or small, mature or new, technical and non-technical. The breaches may get more attention when it’s a high-profile security company, but they can happen to anyone, at any time, despite the best laid plans. Being prepared for it is not an admission of defeat, it’s the way that you make your business Resilient.