The Seriousness Of Insider Threats

Introduction:

Twitter has suffered scams promoting cryptocurrency due to insiders threats since 2018. But eventually, on July 15th 2020 it escalated to one of the most disastrous security breaches in history that targeted prominent verified profiles like Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Apple and Uber corporate accounts, Kanye West, Kim Kardashian. This major breach that hacked high profile Twitter accounts to promote a cryptocurrency scam netted $100,000 within minutes. And this makes us wonder what security measures companies should take and why this compromise happened on Twitter? Were they not taking enough security measures that led to an insider attack? For better or worse Twitter is one of the world’s most important communications systems and a breach on it raises national security concerns.

To understand this we need to delve deeper and know where it all started.

Background:

In the spring of 2018 cases of scammer impersonating Elon Musk(a cryptocurrency enthusiast) to promote cryptocurrency came to surface. The scammers would use his profile page and utilise a profile name similar to his and tweet some offers of sending a few cryptocurrencies and get more profitable returns. They would engage and present legitimacy by replying to a connected verified account and amplify the fake tweet with bot networks.

Similar incidents have repeated and Twitter didn’t take any major step to bring a solution clearly concluding a few things –

• People were scammed and overwhelming responses were registered in every single scam incident, leading to more such occurrences.
• The response time of Twitter was pathetically slow contradicting their claims of them taking these cases seriously.
• The poor security measures and strong claims of Twitter further enraged the hackers making it more drastic havoc through motivation and incentivization. 

The reason behind the breach:

• According to Nick Statt on The Verge, there is yet no conclusive awareness about the extent of the attack and its effect on the internal systems of Twitter.
• The reason behind the breach is also unfounded but there is suspicion on the underground hacking community gaining access to an internal Twitter tool used for account management, according to Joseph Cox at Vice.
• The sources have provided Motherboard screenshots of an internal panel used by Twitter workers to interact with user accounts.
• Apparently, the Twitter panel was used to change ownership of OG accounts and tweeting cryptocurrency scams messages through high profile accounts.
• Further speculation suggests that the attack was not regular people resting their passwords or hackers using social engineering to convince AT&T to swap a SIM card.
• Instead, it is suspected that hackers got access to internal Twitter tools and the involvement of an insider employee is presumed by Cox.
• Twitter’s spokesperson on 16th July came with the reason of an insider breach after normal access was restored.
• They detected it to be a coordinated social engineering attack by people who targeted their employees to gain access to internal systems and tools confirming the claims of many sources citing similar details through screenshots.

Let’s see a bit about insider threats and what can be done to prevent a potential attack

Insider threats:

Insider threats are posed from within an organisation by former or current employees or individuals like contractors, partners etc. They misuse the access to the networks and assets and unknowingly or knowingly disclose, muddy and delete sensitive information. This piece of information can be regarding an organisation’s security practices, customer and employee data, login credentials and secret financial records making the traditional security measures ineffective.

Insider threats can be malicious threats or due to negligence.

• Malicious threats are caused by employees and contractors leaking confidential data for misuse by taking advantage of their access to the network causing disruption. Sometimes it can be for petty personal gains or colluding with external threat actors, competitors or hacking groups.
• The negligent threat is due to errors made by employees or by falling victim to phishing emails or sharing data on insecure devices etc.
• The reasons for the same can be varying from disgruntled employees, second streamers, inadvertent insider to persistent non-responders.

So now the question arises about the detection and mitigation of insider threats.

Though the complexity and response system is tough to deal with and no single solution can negate the risk entirely. But taking a layered security approach that incorporated a range of internal processes and controls properly is the way to go.

Steps that organisations should take to mitigate the risk of insider threats:

• Conduction of regular risk assessments to realise the potential impact of an insider attack can take.
• Providing regular security awareness training to all staff and testing through mock breaches.
• Closely managing the accounts and privileges of all employees and contractors.
• Performing penetration testing frequently to help identify security improvements and gaps.
• Commissioning a simulated phishing assessment to identify the weak points.
• Implementing a 24/7 network and endpoint monitoring to detect any anomalous behaviour on the organisation server or network.

Implications and actions that were taken by Twitter:

• Twitter’s response to the incident offered further cause for distress. Their initial response held no information and later they disabled many verified users and password resetting ability.
• The company deleted various screenshots of the panel ‘motherboard’ and suspended the users who tweeted the screenshots on basis of rule violation.
• This approach of banning 359,000 verified accounts stresses on the alarming scale of the breach. Many victims said that even multi-factor authentication failed to protect their accounts. 
• They have taken significant steps to limit access to internal systems and tools when the investigation is underway.
• The commonplace scam of using cryptocurrencies by cybercriminals for the encryption procedure raises questions over public safety. 
• Concerns in the light of elections and the implications of the same are staggering and show the imminent need for cybersecurity strengthening.
• The fact that so many accounts needed blocking and the Twitter employees were tricked reflects the seriousness of the breach.
• It seems to be Bitcoin scam but chances of hackers taking advantage of accounts and reading the private direct message can be the main motive.

Conclusion:

Twitter has faced breaches many times and that has affected not only business users but also non-business Twitter users. Incidents of the company asking users to change their passwords due to internal leak and browser caches data compromises are also recorded. Internal breaches are not something that can be taken lightly when considering cybersecurity, and this attack further stresses it’s importance. The scale and speed of the breach raised many questions on Twitter policies and internal processes that need clarification.  

Download our eBook on What Good Security Looks Like Download