Stop Malicious Insiders with the AAA Framework

A series of tweets rocked the world recently. The following accounts had messages posted to them from a criminal impersonator:

• Elon Musk – Twitter.com/elonmusk
• Bill Gates – Twitter.com/BillGates
• Joe Biden – Twitter.com/JoeBiden
• Barack Obama – Twittter.com/BarackObama
• Apple – Twitter.com/Apple
• Jeff Bezos – Twitter.com/JeffBezos
• Kanye West – Twitter.com/kanyewest
• Uber – Twitter.com/Uber
• Bloomberg – Twitter.com/MikeBloomberg
• CashApp – Twitter.com/CashApp
• Wiz Khalifa – Twitter.com/wizkhalifa
• Warren Buffett – Twitter.com/WarrenBuffett
• Floyd Mayweather  – Twitter.com/FloydMayweather
• Binance – Twitter.com/binance
• Tron Foundation – Twitter.com/Tronfoundation
• KUCOIN – Twitter.com/kucoincom

They all had similar themes:

The tweets fooled many hopeful people into sending Bitcoins. The wallet contained slightly over $100,000 in Bitcoin following the event; but Cipher security researches suspect it may have been even more. Scammers are known to offload Bitcoin Wallets into other “non-advertised” wallets to avoid attribution and disburse their financial gains. Twitter quickly responded by preventing verified hacked accounts from tweeting until they got a handle on the situation. These top accounts have millions of followers and caught the attention of the world. There is a whole industry centered around what these influencers tweet.

Insider Threats

Since the attack, analysts have written extensively on the topic. The cause of the incident, according to Twitter, is that an employee was “socially engineered” to give access to the internal Twitter dashboard that has control of important functions. Twitter wrote the attack was “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

This is not the first time this has happened to technology companies. Criminals have bribed employees of cell phone companies in the past to perpetrate SIM-Swapping Attacks. This method involved changing the phone numbers of a person to bypass two-factor authentication. The end result of the technique might be to steal a username, gather information or other nefarious activities. Even Twitter’s CEO Jack Dorsey fell victim to a SIM Swapping scam after his AT&T phone number was taken.

During the heyday of MySpace, there was a tool dubbed Overlord that allowed unfiltered access to user data. A report from VICE said that insiders abused this tool. “It was basically an entire backdoor to the Myspace platform.” Tools used by law enforcement are often used for inappropriate purposes. Companies and organizations that have mountains of consumer data must also safeguard that information from insiders. If the insider tools allows for public damage or worse, the controls must be even tighter.

Prevent Access Abuse by Employees

As a first step, employees should be told not to abuse the tools they have access to or share access with anyone. Creating a structure is another step. A common framework for managing user access could be used to lessen the chance of this abuse and scandal from happening. The AAA Framework stands for Authentication, Authorization and Accounting.

Authentication

Accessing a part of a company’s internal network that contains sensitive data should require further authentication. This would ideally be a password combined with two-factor authentication or even a hardware dongle that must be inserted. This will ensure that the person accessing the system is authorized. If an authorized person leaves their computer on after stepping away, having strong authentication will prevent the wrong person hopping on the computer. Along with the two-factor authentication, the user should be logged out if inactive.

Authorization

Authorizing the person to get access in the first place is critical. If everyone at Twitter has access to the tool that facilitated the hack fiasco last week, that would be poor authorization guidelines. The more people with access to information, the more likely it is to be abused. Companies should ensure that only the people who need access to the information to perform their jobs to have access. Access criteria should be set and adhered to. Sloppy user access leads to more difficult accounting, which is the final A.

Accounting

The Accounting aspect of the framework involves regularly looking at logs related to data for trends and anomalies. Analysts should regularly review logs for noteworthy assurances and investigate. We can be sure that Twitter has and is currently doing serious accounting and auditing after this attack. Accounting plays a part in being proactive, as well os reactive. Perhaps there was a clue in the logs before the incident that could have given them reason change protocols. A Security Incident Event Manager (SIEM) is a software category that makes analyzing logs and events easier.

Work with Experts to Improve

A company might work with an outside vendor to assess their cybersecurity controls, including user access policy. Frameworks like NIST can be used to evaluate how well data and access are being managed.

Managed Security Service Providers can also provide 24×7 monitoring of logs and systems. If an incident falls outside of normal bounds, an alert will be generated and triaged.

What do you think about attack maps? Comment below with your feedback.