Companies need a strong, layered defense to thwart such attacks every time.

Edward Gately, Senior News Editor

July 24, 2020


Cybersecurity experts are concerned the recent Twitter cyberattack is just the beginning of a surge in similar attacks.

In last week’s attack, malicious hackers went after dozens of high-profile accounts to promote cryptocurrency scams. According to Twitter, it was a coordinated social engineering attack carried out by people who gained access to internal systems and tools by targeting Twitter employees.

The FBI has launched an investigation.

The Twitter cyberattack appears to be the largest and most coordinated in Twitter’s history, according to NPR. It raises questions about the vulnerability of the platform.


NuData’s Robert Capps

To find out more about the danger of attacks similar to the Twitter cyberattack, we spoke with Robert Capps, NuData Security’s vice president of market innovation, cyber and intelligence solutions, and Jimmy Jones, cybersecurity expert at Positive Technologies.

Channel Futures: What was most significant and alarming about the Twitter cyberattack?

Robert Capps: Concerns go beyond the attacks Twitter experienced recently. The use of internal administrative tools to launch attacks, instead of attacking individual account holders, has broad value to cyber criminals, because they are so powerful. Once access has been obtained, it’s generally very little extra work to launch broad attacks against compromised systems versus a one-by-one attack against individual accounts. Without proper protections, this may become a new favorite attack vector for cyber criminals.

Jimmy Jones: The global visibility of Twitter made this incident unique. Companies are hacked every day, but the results are normally only felt within that organization, whereas this incident had wide-reaching effects. Publicly disclosed events are very few and far between because no organization will advertise they have been breached if they don’t have to.

CF: Why would the Twitter cyberattack be the start of a surge in similar attacks? What would be the characteristics of such attacks?

RC: Access to administrative interfaces and tools has been a concern of many security industry practitioners for years, as has social engineering against staff who have access to such tools. Adversaries need to be right just once to gain access — tricking one employee to give up their credentials to allow access to sensitive tools that in a number of cases may allow access to customer accounts that have strong authentication technologies deployed, such as one-time passwords or biometric authenticators.

Companies need a strong, layered defense to thwart such attacks every time. Attacks generally start as phishing emails or malware infections that allow for the theft of valid user credentials or access to the high-value administrative tools. When bad actors use these credentials to access a system, if the verification tool doesn’t also evaluate the user’s behavior and only looks at the credentials or other basic information such as IP and connection, they will be able to access the account as if they were the legitimate user. Once they gain legitimate access, it can be sold, or it can be used directly in the form of an attack. There is also the risk of rogue employees, who could sell access to tools or make changes themselves. This kind of access abuse has been seen in the telecom industry, in the form of SIM swap attacks.

CF: Are we likely to see similar attacks following the Twitter cyberattack?


Positive Technologies’ Jimmy Jones

JJ: The weakest point in cybersecurity is most often human beings, either through deceiving or bribing them, as seems to have been the case [in the] Twitter cyberattack, or through misconfiguration or other mistakes. An incident of this type can always occur. It’s the processes organizations have in place to mitigate it that form the safeguard. I am sure Twitter will be examining all their admin and maintenance access, and two-factor authentication has been discussed a lot here. There are multiple methods of achieving two-factor authentication, but Positive Technologies has been showing weaknesses within it for many years. In a recent report, we showed that [text] interception was still possible on 86% of mobile networks. Since many secondary authentication codes are sent via [text], if this was being used as an authentication method for VPN access or similar for Twitter employees, that could lead to a problem.

CF: What sort of damage might a hack similar to the Twitter cyberattack cause?

RC: Mostly related to access and contact information changes, but the options are only limited to one’s imagination and the capabilities of the administrative tools in question. Once an account has been taken over, any action that can be taken by a legitimate user can be taken by an attacker.

JJ: Overall, this hack has probably done more good than harm. Twitter’s share price was almost unchanged, and the incident has served to highlight with huge visibility that we all need to be more aware of our own cyber diligence. Being told over and over that not everything you read on the web is true still doesn’t seem to have been understood by large swaths of the populace. Perhaps seeing this cyberattack – which would amount to someone dressing up as Bill Gates and asking you to put money in an offshore bank account in the physical world – will help drive the message home.

CF: What can MSSPs and other cybersecurity providers do to protect their clients from these types of attacks?

RC: MSSPs can assist companies in deploying and managing a layered security strategy to defend against such attacks. Recent attacks illustrate a need for proper security for account-level changes such as emails, password resets, changes to multifactor authenticators (MFA), and other access and account information. Such protections could include supervisor review and approval workflows for high-risk changes to guard against mistakes and malicious actions. It’s also important to protect access to such tools. Administrative tools shouldn’t be directly accessible to the internet, and should be protected on internal/corporate networks. Remote access should be managed through technology such as VPNs. Tools should be protected with strong authentication such as MFA and behavioral biometrics. Beyond access and authentication, real-time anomaly detection should be deployed to monitor for out-of-pattern and high-risk activities such as changing a large number of account email addresses or mass resetting passwords.
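One way to build the out-of-pattern check Capps describes, as an added example that is not NuData’s, Twitter’s or any vendor’s code: a sliding-window detector over constructed admin-tool audit lines that alerts when a single operator applies high-risk changes (email change, password reset, MFA reset) to many distinct accounts in a short window. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""
Rate-based anomaly detector for internal admin-tool audit events.
Flags an operator who performs many high-risk account changes
(email change, password reset, MFA reset) in a short window.
All audit lines below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# High-risk actions named in the article; thresholds are illustrative
# assumptions, not any product's defaults.
HIGH_RISK_ACTIONS = {"change_email", "reset_password", "reset_mfa"}
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct target accounts per operator within WINDOW

# Constructed sample audit log: "<timestamp> <operator> <action> <target>"
SAMPLE_LOG = """\
2020-07-15T20:01:00 opsuser1 change_email acct1001
2020-07-15T20:01:30 opsuser1 change_email acct1002
2020-07-15T20:02:10 opsuser1 reset_password acct1003
2020-07-15T20:02:40 opsuser1 change_email acct1004
2020-07-15T20:03:05 opsuser1 reset_mfa acct1005
2020-07-15T20:03:20 opsuser2 change_email acct2001
2020-07-15T20:45:00 opsuser2 reset_password acct2002
"""


def parse_line(line):
    """Split one audit line into (timestamp, operator, action, target)."""
    ts, operator, action, target = line.split()
    return datetime.fromisoformat(ts), operator, action, target


def detect_mass_changes(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (operator, timestamp, distinct_targets) alerts, one per operator,
    raised the first time its sliding-window count reaches the threshold."""
    recent = defaultdict(deque)  # operator -> deque of (timestamp, target)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, operator, action, target = parse_line(line)
        if action not in HIGH_RISK_ACTIONS:
            continue  # routine actions never count toward the threshold
        q = recent[operator]
        q.append((ts, target))
        while q and ts - q[0][0] > window:  # expire events older than window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and operator not in alerted:
            alerted.add(operator)
            alerts.append((operator, ts, len(distinct)))
    return alerts
```

In the constructed log, opsuser1 touches five accounts in about two minutes and is flagged once; opsuser2 makes two changes 42 minutes apart and is not.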

CF: What role do behavioral biometrics play in preventing similar attacks?

RC: Using passive biometrics and behavioral analytics to protect logins and interactions for critical tools gives an organization the ability to discern between access by the human the credentials belong to and someone who just happens to have come into possession of, and is attempting to use, valid credentials. This means that even if the credentials have been stolen through phishing or malware, they won’t give bad actors access to the account in question because the perpetrator behaves differently. If stolen credentials aren’t useful, there is much less incentive for an attacker to send phishing attacks, spread credential-stealing malware, and attempt to socially engineer access to user credentials, reducing the number of effective attacks you need to guard against.

Barracuda: Specialized Economy Around ATO

A specialized economy has emerged around email account takeover (ATO), according to a new report by Barracuda.

Over the past year, Barracuda researchers teamed up with researchers at UC Berkeley. They studied the end-to-end life cycle of a compromised account. They examined 159 compromised accounts that span 111 organizations.

Highlights from the report include:

  • More than one-third of the hijacked accounts had attackers dwelling in the account for more than one week.

  • One in five (20%) compromised accounts appear in at least one online password data breach. This suggests cybercriminals are exploiting credential reuse across employees’ personal and organization accounts.

  • In 31% of these compromises, one set of attackers focuses on compromising accounts. The attackers then sell account access to another set of cybercriminals who focus on monetizing the hijacked accounts.

  • Almost four in five (78%) attackers did not access any applications outside of email.

Neil Shah is a cybersecurity software technologist at Barracuda Networks. He said the report includes two “quite surprising” findings.


Barracuda’s Neil Shah

“We see evidence of some accounts being compromised and exploited by a single attacker, while on the other side we see accounts being compromised by one attacker and likely sold to another attacker that uses and extracts value from the accounts,” he said. “Therefore, a more mature economy seems to be growing where attackers are specializing in their roles of compromising accounts and extracting value from accounts. Secondly, with each of these enterprise accounts having access to many Office 365 cloud applications, such as SharePoint and Microsoft Teams, we still see that 78% of attackers still only access email. That was a slight shock to me, but it comes to show that email contains sufficient information/value for attackers, such as contact lists and potentially sensitive communication among employees.”

Preventing ATO is a complex task, Shah said.

“All an attacker really needs to do is gain access to one employee account within an enterprise, and they now have access to a wealth of business information, functionality and sensitive enterprise emails,” he said. “In addition, they would potentially be able to launch additional attacks against other users using the trusted identity of the compromised account.”

Real-time detectors can be useful in defending against ATOs, Shah said. In addition, non-real-time detection can still be fairly valuable, he said.

“Namely, a detector that monitors continuous activity after the initial compromise can still mitigate significant damage,” he said. “We also found that 20% of enterprise accounts within our study were compromised via an external data breach, which further illustrates the value in a non-real time detector in the need of monitoring continuous activity in an account. Another thing is that organizations should train their employees on the importance of password management and the dangers of password reuse between any accounts, especially personal and enterprise accounts.”

Once attackers penetrate the enterprise border and gain access to enterprise accounts, the damages can be quite significant, Shah said. It can range from extracting value within sensitive enterprise emails to performing lateral phishing attacks within the enterprise, he said.

“In addition, continuous monitoring of these accounts is challenging given the difficulty sometimes in identifying attacker activity vs benign activity,” he said.

Ivanti, Intel Partner for Device Cybersecurity

Ivanti has entered a new strategic partnership with Intel to offer device as a service (DaaS) with self-healing capabilities for remote workers.

Intel Endpoint Management Assistant (Intel EMA) now integrates with the Ivanti Neurons hyperautomation platform. That allows IT organizations to self-heal and self-secure with Intel vPro platform-based devices both inside and outside the corporate firewall.

Nayaki Nayyar is Ivanti’s chief product officer. She said joint Intel and Ivanti partners can better deliver on their customers’ need to make endpoints autonomous.


Ivanti’s Nayaki Nayyar

“This helps partners become more valuable advisers to their customers that wish to better enable and service their remote workforce,” she said. “It also gives partners delivering managed services a powerful combined solution for active remediation and deep visibility. When using Intel EMA with Ivanti Neurons for example, partners can configure customer endpoints to take remote actions automatically on vPro devices such as powering them on, restarting them, setting wake-up times, controlling systems even during an OS failure, or repairing devices at scale.”

With the integration of Intel EMA, Ivanti Neurons provides enhanced remote management for on-premises and cloud-based endpoints.

“By better enabling solution providers with the integrated solutions that truly deliver DaaS operations along with hyperautomated self-healing and self-securing capabilities, channel partners can become more tightly aligned with their customers’ business goals,” Nayyar said. “It opens up many new professional service options for partners as they help their customers align their endpoint management with business priorities for performance and productivity, while further supporting demands for increased endpoint security — no matter where users are working.”

Forescout-ServiceNow Integration Protects Critical Infrastructure

Forescout Technologies this week unveiled its latest technology integration enhancements with longtime partner ServiceNow.

The integration aims to improve asset intelligence. It also improves threat prevention, detection and response for industrial control systems (ICS) and operational technology (OT) environments.

Security teams can make informed decisions to close the security gap from unmanaged OT devices, the companies said. They can also improve performance in mean time to resolve (MTTR) in remediating vulnerable or affected systems.

Jonathan Corini is Forescout’s vice president of worldwide channel sales.


Forescout’s Jon Corini

“Together with ServiceNow, Forescout is helping our partners grow their OT and ICS security business and secure across the modern enterprise,” he said. “Channel partners will benefit from the additional value they can provide in sectors such as manufacturing, utilities and health care. This expanded partnership increases opportunities for joint integrations that improve asset intelligence and threat detection for critical infrastructure.”

The integrated offering centralizes security and improves resiliency in manufacturing, energy, transportation and other sectors. That’s where internet-connected infrastructure is often invisible to traditional cybersecurity controls.

“The new Forescout and ServiceNow integration is the only solution that delivers real-time, rich contextual asset intelligence across all of IT, IoT and OT/ICS,” Corini said. “To simplify enterprise security, Forescout’s automatic network access control and dynamic segmentation leverage existing network infrastructure — including legacy industrial networks.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
