In July, 45 high-profile Twitter accounts tweeted variations of the same offer: Send me any amount of Bitcoin, and I’ll send you back double its value. The messages were sent by hackers who had used stolen credentials from a Twitter employee’s account to gain access to powerful internal administrative tools. They then used that access to take over 130 Twitter accounts.
For hours, Twitter’s security team worked to regain control of the accounts and delete the fraudulent tweets. Unfortunately, hundreds of Twitter users were defrauded. By the time the ringleaders were arrested weeks later, they had amassed more than $180,000 in Bitcoin from the scam.
Unfortunately, this may only be a taste of what’s to come. Attacks that use an organization’s internal administrative tools against it are extremely powerful and of high value to bad actors. And if you don’t build the strong, layered defenses necessary to block such attacks, your organization could be at risk.
Access to administrative tools helps fraudsters scale
Attacks that use internal administrative tools are attractive to hackers because they’re relatively easy to scale. A cybercriminal only has to obtain a single employee’s credentials to gain access to powerful administrative interfaces and sensitive tools.
In most cases, bad actors start by using phishing emails or malware to steal employee credentials. Rogue employees may also sell access to their accounts, similar to how some telecom employees facilitate SIM swap attacks for pay. If your company only verifies users based on credentials and basic information like IP address or device IDs, you’ll be unable to spot such incursions on your network.
From there, attackers may gain access to dozens or even hundreds of customer accounts with very little extra work. In many cases, they can even bypass authentication technologies like one-time passwords (OTPs) and biometric authentication deployed on customers’ accounts.
Often, the purpose of these attacks is to change access settings and contact information, giving the attacker control over customer accounts. Access to those accounts can be sold on the black market or leveraged in schemes like the Twitter hackers’ Bitcoin scam. Once attackers have access, they can take any action a legitimate user can take. Their imaginations and the capabilities of the administrative tools they control are the only limits on what they can do.
Four steps to protect your high-value administrative tools
If you want to avoid falling victim to a hack like the one that affected Twitter, it is important that you layer multiple security approaches to thwart different instances of this type of attack. In particular, you should ensure proper security around account-level changes such as changing the email address associated with an account, resetting passwords or making changes to multi-factor authentication.
- Protect access to administrative tools. Important administrative tools shouldn’t be directly accessible via the internet. Protect them on internal or corporate networks, and only allow remote access through a secure tool such as a VPN. Strong authentication protections such as multi-factor authentication are also a must for access to these tools.
- Require approvals. For high-risk, account-level changes, supervisor reviews and approvals should be built into workflows. This can both stop malicious actions and reduce errors that could lock an employee out of their account.
- Deploy real-time anomaly detection. A real-time anomaly detection system automatically flags unusual high-risk activity, like resetting passwords in bulk, enabling security teams to address a potential compromise of employee credentials quickly.
- Continuously validate identity. In addition to traditional authentication methods such as multi-factor authentication, deploy technologies like behavioral analytics and passive biometrics to continuously validate users’ identities. Behavioral analytics look at patterns of behavior like the location from which a user usually logs on, while passive biometrics look at unconscious behaviors like how they type or hold a device. By combining these capabilities, you can distinguish between the employee who is authorized to use a particular set of credentials and someone who just happens to be using those credentials (e.g., an attacker).
The importance of layered defenses
It’s always unsettling when a large, established tech company like Twitter is hacked or breached. If they can’t defend themselves, what hope is there for others?
There’s no one tool you can rely on to eliminate cybersecurity risk entirely. However, by layering solutions that address different gaps or vulnerabilities, you can build robust defenses that significantly reduce your risk. Think of your home’s front door: It probably has a strong lock that’s hard to pick, but you also make sure the hinges are sturdy enough to make it hard to kick down. Like your front door, your cyber defenses should protect you against multiple types of attack using multiple strategies.
Over time, a layered approach will do more than keep you safe from a particular attack. By making employee credentials less useful to hackers, you’ll also reduce their incentive to execute credential-stealing phishing, malware and social engineering attacks — so you could have fewer attacks to defend against in the long run.