In the early morning hours of September 16, 2022, articles and reports started trickling out surrounding a security incident at Uber. In the following hours, numerous news outlets began to confirm a vast breach spreading across much of Uber’s digital infrastructure. Perhaps most notable is that at its core, this breach is no different than numerous other infiltrations that have occurred over the past two years.
People or Technology, Who is to Blame?
A core similarity across many recent breaches has been user credential compromise, achieved most commonly through social engineering tactics. Social engineering is a method used by hackers that takes technology out of the picture and focuses on exploiting a more human vulnerability – trust. Whether it is through physical, in-person engagements, or a virtual approach via social media profiles and emails – social engineering is about gaining enough trust that victims will willingly divulge their secrets. These secrets can include product roadmaps, financial records, and often, user credentials.
While still immensely valuable, user credentials are useless to someone who cannot navigate complex IT environments. Earlier this year, Okta was breached, with the hacker group LAPSUS$ claiming they purchased the user credentials that became their entry point. Let’s be honest, if someone offered you $20k for your corporate credentials, we all would at least consider it!
“But wait! We have controls implemented like multi-factor authentication (MFA) and SSO!” So did Colonial Pipeline, Okta, Cisco, and Uber. While MFA and SSO are important foundations to your overall security strategy, they simply control front-door access to an organization’s crown jewels. Many MFA projects are not successfully implemented across the entire infrastructure and tech stacks.
Another interesting attack vector from the Uber breach was the use of MFA bombing, otherwise known as MFA fatigue. It is simple – spam a user with enough MFA requests that they think something is either glitching or extremely urgent, and they will likely get so concerned or annoyed that they’ll approve the request to make it stop. The Uber hacker texted the end user claiming to be Uber IT and to accept the MFA push request to make the notifications stop.
Existing Tools are Not Enough, So What Should We Do?
Considering that an overwhelming majority of recent hacks have focused on user credentials and the element of human trust, it is clear that organizations must ensure the security of their identity and access management (IAM) stack and ideally adhere to the principles of the Zero Trust framework:
- Implement MFA and SSO across all applications, including legacy resources, OT applications, shared user accounts, and service accounts
- Separate your MFA/SSO and Identity Providers to prevent Person-in-the-Middle (PiTM) attacks and MFA factor resetting after an MFA bomb
- Enforce strict compliance measures like session recording to high-risk users and your most critical applications
- Perform end-user training around phishing emails and other common social engineering methods (tailgating, fake social media profiles, impersonation)
- Actively review and test your cyber incident response plans and disaster recovery strategy
Unfortunately, many of the tools we use to protect our infrastructure are also vulnerable, and throwing more solutions to cover edge cases only further exposes your organization. More tools lead to more complexity, making it harder to secure your entire infrastructure. Taking on a user focus, and their associated digital identities in forms of education and smart tool investment, organizations can quickly start to reduce their attack surface and gain more operational productivity.
Many existing remote access tools like VPNs and first-generation zero trust network access (ZTNA) focus on the network rather than user identity. By adopting an identity-based approach, you will gain full visibility into user access, be able to implemement granular access policies based on user and device identities, and keep full audit trails for compliance and cybersecurity insurance needs.
To learn more about how Cyolo can support your journey to identity-based access control, visit www.cyolo.io.