I Read So Many IR Posts This Week, Here Are My Thoughts

Twilio, LastPass, Mailchimp, Signal, Plex, Samsung, DoorDash, TikTok(?), and so many more! It's happening, y'all!

I started writing this post a week ago, and in that time several additional breaches and security incidents have come up after Twilio and LastPass, almost on a daily basis.

Not since the SolarWinds attack has there been so much fallout across so many companies!

Instead of summarizing the incidents, I’m going to:

  • Highlight examples of good writeups

  • Make some recommendations

Here’s the TL;DR:

  • There’s something called MFA fatigue: an attacker who already has the password triggers push prompt after push prompt until the user approves one just to make them stop. So yes, even if you have MFA set up, people may hit yes anyway!

  • U2F hardware keys are the BEST way to go, since the key only signs for the origin it was registered with, so a phishing page can’t replay the login

  • Be prepared to have a good writeup in the event of an incident

  • Have an IR plan (goes without saying)

  • Please limit employee access to data and systems

  • Don’t let employees save work passwords in Chrome, especially in a profile that syncs to a personal Google account. Please!
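The "no saved passwords in Chrome" rule is one you can enforce with browser policy instead of relying on training. The fragment below is an added example, not from the post or from any of the vendors discussed: it is Chrome's Linux managed-policy JSON format (dropped into a file under /etc/opt/chrome/policies/managed/, file name your choice); on Windows the same policy names are set as DWORD values under HKLM\Software\Policies\Google\Chrome, typically via GPO. The file path and the choice to block browser sign-in entirely are assumptions for the example.

```json
{
  "PasswordManagerEnabled": false,
  "BrowserSignin": 0,
  "SyncDisabled": true
}
```

PasswordManagerEnabled=false stops Chrome from saving or offering saved passwords at all; BrowserSignin=0 blocks signing the browser into any Google account, which is what let a personal account carry corporate credentials in the Cisco case; SyncDisabled=true also covers profiles that were signed in before the policy landed. If you need browser sign-in for Workspace, a softer variant is BrowserSignin=1 with RestrictSigninToPattern set to your corporate domain, so sync can only ever go to a managed account. Either way, push the corporate password manager's extension alongside it so people have somewhere else to put passwords.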

Select Thoughts On Incident Writeups

LastPass Security Incident

As for the most recent incident, I don’t have any public comment. However, I do want to note this is not their first time.

LastPass Security Writeup

That said, I DO want to note that they handled this incident well from a public point of view.

💡 For those managing a SOC, or with limited IR and security management experience, I recommend reading this earlier post from a previous LastPass incident 👈🏼.

Summary:

  • They were very transparent and upfront about their tactical approach

  • They even include the mistakes they made!

  • There’s no better source of learning than others’ mistakes.

Cloudflare Security Incident

According to Cloudflare, they were attacked at about the same time as Twilio, and it seems related to the 0ktapus campaign.

Luckily for them (and us), they had solid controls in place that kept any Cloudflare systems from being compromised, including a hardware key (U2F) requirement for login.

Their blog post details their response actions, is worth a read, and includes a list of indicators of compromise.

It’s also interesting to see them use their own Cloudflare products (eating their own dog food) to protect themselves. I’m a bit of a fan (no affiliation) of their stuff too.

Summary:

  • Cloudflare’s U2F key requirement prevented unauthorized access to any resources

  • Their incident writeup is excellent and worth a read

Cisco Security Incident

Not part of 0ktapus, but Cisco had a security incident recently, and I think it’s really worth highlighting how simple this attack was.

Ok, this one is a really unfortunate one.

Summary:

  • A Cisco employee’s personal Google account was compromised

  • The employee’s Cisco credentials were saved in the Chrome browser, and Chrome sync carried them into that personal Google account

    • Chrome’s saved passwords are protected only by the OS login session (and, with sync on, by the Google account), so whoever controls either can read them in the clear. Don’t let your employees do this.

  • The attacker then got the VPN MFA prompt approved by combining vishing (voice phishing) with MFA push fatigue 🤦🏼‍♂️
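The MFA push fatigue pattern in the Cisco case (and in the TL;DR above) is easy to catch if your IdP or VPN logs each push. Below is an added example, not code from the post or from Cisco: a small Python detector run over constructed sample events. The JSON-lines shape, the event names push.sent / push.denied / push.expired / push.approved, the 10-minute window and the 5-push threshold are all assumptions for the example, not any vendor's schema. It raises a push_burst alert when one user receives the threshold number of pushes inside the window without approving any, and an approved_after_burst alert when an approval arrives on top of such a burst, which is the exact moment the Cisco attack succeeded.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (JSON lines in a generic shape, not any vendor's real schema).
# alice: six pushes in six minutes, five rejected, the sixth approved  -> the fatigue pattern
# bob:   one push, approved immediately                                -> normal login
# carol: five pushes spread 15 minutes apart                           -> slower than the window
SAMPLE_LOG = """\
{"ts":"2022-08-10T02:01:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:01:20Z","user":"alice","event":"push.denied"}
{"ts":"2022-08-10T02:02:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:02:25Z","user":"alice","event":"push.denied"}
{"ts":"2022-08-10T02:03:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:03:35Z","user":"alice","event":"push.expired"}
{"ts":"2022-08-10T02:04:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:04:30Z","user":"alice","event":"push.denied"}
{"ts":"2022-08-10T02:05:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:05:15Z","user":"alice","event":"push.denied"}
{"ts":"2022-08-10T02:06:05Z","user":"alice","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-08-10T02:06:40Z","user":"alice","event":"push.approved"}
{"ts":"2022-08-10T09:00:00Z","user":"bob","event":"push.sent","src_ip":"198.51.100.4"}
{"ts":"2022-08-10T09:00:10Z","user":"bob","event":"push.approved"}
{"ts":"2022-08-10T10:00:00Z","user":"carol","event":"push.sent","src_ip":"192.0.2.9"}
{"ts":"2022-08-10T10:15:00Z","user":"carol","event":"push.sent","src_ip":"192.0.2.9"}
{"ts":"2022-08-10T10:30:00Z","user":"carol","event":"push.sent","src_ip":"192.0.2.9"}
{"ts":"2022-08-10T10:45:00Z","user":"carol","event":"push.sent","src_ip":"192.0.2.9"}
{"ts":"2022-08-10T11:00:00Z","user":"carol","event":"push.sent","src_ip":"192.0.2.9"}
"""

PUSH_SENT, PUSH_APPROVED = "push.sent", "push.approved"


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _alert(rule, user, ts, pushes, src_ip):
    return {"rule": rule, "user": user, "ts": ts.isoformat(), "pushes": pushes, "src_ip": src_ip}


def detect_mfa_fatigue(events, window_minutes=10, threshold=5):
    """Sliding-window detector over time-sorted events.

    push_burst:           a user has received `threshold` pushes inside the window
                          without approving any of them (the spam phase)
    approved_after_burst: an approval arrives while `threshold` or more unapproved
                          pushes are still inside the window (the user gave in)
    An approval clears the user's window, so a normal single-push login never alerts.
    """
    window = timedelta(minutes=window_minutes)
    pending = defaultdict(deque)   # user -> timestamps of unapproved pushes still in window
    last_src = {}                  # user -> src_ip of the most recent push request
    alerts = []
    for ev in events:
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        q = pending[user]
        while q and ts - q[0] > window:      # expire pushes older than the window
            q.popleft()
        if kind == PUSH_SENT:
            q.append(ts)
            last_src[user] = ev.get("src_ip")
            if len(q) == threshold:          # fire once per burst, not on every extra push
                alerts.append(_alert("push_burst", user, ts, len(q), last_src[user]))
        elif kind == PUSH_APPROVED:
            if len(q) >= threshold:
                alerts.append(_alert("approved_after_burst", user, ts, len(q), last_src.get(user)))
            q.clear()
        # push.denied / push.expired need no state change: the push stays pending
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the defaults only alice trips both rules; carol's slow drip stays under the 10-minute window, and bob's single approved push is never flagged. Widening the window (for example to two hours) also catches carol, which is the usual tuning trade-off: a long window catches patient attackers but will also catch a user who genuinely fumbles a few logins. The approved_after_burst alert is the one to page on, since at that point the attacker is already inside and the response is to kill the session and reset the credential, not just to watch.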

Plex Security Incident

Well, Plex also got attacked recently. Here’s the thing: I couldn’t find anything on their website AT ALL. That is not good practice. Be open and transparent. I did, however, save a copy of the email here.

Foobarsec

Looking at so many incidents, I ended up putting together an Airtable with attributes of the various incidents and then linked them to particular campaigns. I threw it up on a domain I had, Foobarsec.com, which seems pretty appropriate. Let me know if you’re interested in helping.

If you liked anything here, please feel free to share with your community or Tweet It
