These days, there seems to be a constant drip of headlines about large enterprises experiencing security incidents. Luckily, when corporations provide details about what happened, the security community can learn about the tactics used in the attack and be in a better position to defend their organizations in the future.
Take Uber, for example. In 2022, the rideshare company learned of a successful data infiltration, and in a blog update, they attributed the attack to the infamous Lapsus$ group. According to news reports and Uber’s own blog, a third-party contractor’s credentials were compromised either by social engineering (according to Lapsus$) or by purchasing the credentials from the Dark Web (according to Uber). Either way, the threat actor bombarded the user with multi-factor authentication (MFA) requests and, pretending to be a member of Uber’s IT staff, convinced them to accept the login. Once the threat actor was in, they moved laterally and found privileged credentials hard-coded into an automation script. From there they gained additional access to a myriad of cloud apps and data inside the company’s network.
Uber was the target this time around, but the threat landscape continues to evolve. This attack illustrates tactics that continue to be effective, and understanding them helps security and IT teams across the globe decide which proactive steps to take so they aren’t next.
VPN: Basic authentication and network-wide access
Nowadays, a wide range of users need access to your infrastructure everywhere — whether it’s employees, partners, or contractors. And the default method of connecting them has often been virtual private networks (VPN). But this can be a problem, and I’m not just talking about the poor user experience created by network hairpinning.
Basic authentication methods that are prone to social engineering
VPNs rely on basic security controls: passwords and MFA. But just because someone entered the correct username and password and can produce an MFA token doesn’t mean they’re legitimate. Without additional telemetry, such as user behavior analytics, organizations have no way of telling whether an account has been compromised.
Because threat actors only need to get past the login process to compromise an infrastructure, social engineering has become very effective. This is especially true with the increased usage of mobile devices, where there are countless channels to deliver credential-stealing phishing attacks, including SMS and iMessage, third-party messaging apps, and social platforms, including social media and dating apps.
Network-wide access makes lateral movement easy
Another risk VPNs create is that they grant users more access than they need, also known as overprovisioning. Once someone logs onto a VPN profile, they often have access to a wide range of systems within that network. If the profile is compromised, this enables the attacker to perform discovery operations to see what other opportunities there may be and move laterally in what’s called a “land-and-expand” operation.
How to protect your organization: three key actions to take
It’s tough to find the silver lining in any security incident, but we can always do our best to learn from each one. Let’s take a look at what we can glean from this incident.
Limit access to your VPNs, especially for third parties
Enabling seamless collaboration with third parties is critical to any business, but you must do so with security in mind. To minimize breaches, ensure that your users only have access to what they need to get their job done, also known as “just enough privileges.” You may also want to limit the amount of time someone gets access with “just-in-time” access.
To get this level of segmentation, you should look beyond VPN and its all-or-nothing access controls. This not only limits a threat actor’s ability to move laterally, but it also reduces the risk of phishing attacks. Look for technologies, such as zero trust network access (ZTNA), that can address these additional requirements.
Don’t just rely on passwords and MFA
Strong passwords and MFA are solid security baselines, but they alone aren’t enough. Given the variety of devices, networks, and locations your users may be connecting from, it’s incredibly difficult for traditional security tools to differentiate between legitimate users and malicious actors.
This is where additional telemetry needs to be taken into account, such as user behavior or the risk level of the device they’re using. For example, if a user logs in from an anomalous location on a device they don’t typically use or tries multiple times to connect from different networks, those should be flagged. You also need to detect when privileges change, as that’s one of the first things an attacker will attempt to do so they can gain even greater access to your network.
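The signals described above (anomalous location, unfamiliar device, repeated attempts from different networks, privilege changes) and the MFA-request bombardment from the Uber incident can be expressed as simple detection rules over sign-in telemetry. The following is an added example, not code from the original post or from any product; the baseline, event format and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline (usual countries and devices) and sign-in telemetry,
# oldest first: (timestamp, user, event, source_ip, country, device_id)
BASELINE = {"contractor1": {"countries": {"US"}, "devices": {"laptop-c1"}}}
EVENTS = [
    ("2024-05-01T09:00:00", "contractor1", "login_failed", "198.51.100.7", "US", "unknown-1"),
    ("2024-05-01T09:01:00", "contractor1", "login_failed", "203.0.113.9", "US", "unknown-1"),
    ("2024-05-01T09:02:00", "contractor1", "login_failed", "192.0.2.44", "US", "unknown-1"),
    ("2024-05-01T09:10:00", "contractor1", "mfa_prompt", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:11:00", "contractor1", "mfa_prompt", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:12:00", "contractor1", "mfa_prompt", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:13:00", "contractor1", "mfa_prompt", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:14:00", "contractor1", "mfa_prompt", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:16:00", "contractor1", "login_success", "192.0.2.44", "DE", "unknown-1"),
    ("2024-05-01T09:30:00", "contractor1", "role_grant", "192.0.2.44", "DE", "unknown-1"),
]

def detect(events, baseline, window=timedelta(minutes=10),
           mfa_threshold=5, fail_threshold=3):
    # Returns (user, rule, detail) findings; each rule fires at most once per user.
    findings, fired = [], set()
    recent = defaultdict(list)  # (user, event) -> (time, ip) pairs inside the window

    def flag(user, rule, detail):
        if (user, rule) not in fired:
            fired.add((user, rule))
            findings.append((user, rule, detail))

    for ts, user, event, ip, country, device in events:
        t = datetime.fromisoformat(ts)
        base = baseline.get(user, {"countries": set(), "devices": set()})
        if event in ("mfa_prompt", "login_failed"):
            hist = recent[(user, event)]
            hist.append((t, ip))
            hist[:] = [h for h in hist if t - h[0] <= window]  # slide the window
            ips = {h[1] for h in hist}
            if event == "mfa_prompt" and len(hist) >= mfa_threshold:  # MFA bombing
                flag(user, "mfa_fatigue", f"{len(hist)} prompts within {window}")
            if event == "login_failed" and len(ips) >= fail_threshold:
                flag(user, "multi_network_attempts", f"{len(ips)} source IPs")
        elif event == "login_success":
            if country not in base["countries"]:
                flag(user, "anomalous_location", country)
            if device not in base["devices"]:
                flag(user, "new_device", device)
        elif event in ("role_grant", "privilege_escalation"):
            flag(user, "privilege_change", event)
    return findings
```

Run against the constructed events, this produces one finding per rule for the contractor account, while a routine sign-in from a baseline country and device produces none.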
Protect your employees from social engineering
An entire attack chain often can’t be executed without an initial foothold, which is most commonly achieved with a compromised credential. Gone are the days of brute force attacks. It’s much easier to purchase a phishing kit on the Dark Web or create a proxy that reroutes the targeted user to a fake version of their corporate login.
As attackers get better at launching social engineering scams, you need to protect your employees across all devices. The first step is to ensure your users are properly trained, especially when it comes to modern phishing attacks coming through mobile channels. Next, you need the ability to block phishing attacks and malicious network traffic across your mobile devices, laptops, and desktops. Being able to inspect inbound and outbound internet connections means you can block malicious sites from reaching your users, as well as prevent any data from leaking out.
No security problems can be solved in isolation
As an industry, we’ve been conditioned to think of different aspects of security as standalone problems. In reality, a breach can only be stopped if each of the steps outlined above works in unison.
For example, you should be able to restrict or block a user’s access from any endpoint if it becomes compromised. And if an account is taken over, you should be able to actively monitor their behavior, so you can quickly restrict or eliminate access. To enforce these consistent and dynamic policies, you need the ability to automate responses based on the telemetry of the device, user, app, and data.
Just as no cloud apps reside on an island, no security problems can be solved in isolation. To truly reduce risks and protect your data, you need a unified platform that thinks about your security holistically.