Point of View – Learnings from the Uber Breach
The Uber Breach: What we know so far
On September 15th, Uber confirmed reports of an organization-wide cybersecurity breach. As per media reports, it all started with a social engineering campaign against Uber employees, which yielded access to a VPN and thus to Uber’s internal network. Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution. The Thycotic PAM system is a Gartner Magic Quadrant leader used by Uber to store cloud credentials and API keys. This tool stores privileges and controls access to multiple systems, which gave the attacker complete access to all of Uber’s internal systems, including Amazon Web Services, Google Cloud Platform, the Slack workspace, the HackerOne bug bounty program admin console, internal employee dashboards, a few code repositories, and the company’s endpoint detection and response (EDR) portal.
This is not the first time that Uber has been compromised. Similar instances were reported in 2014 and 2016, and it appears that hardcoded credentials stored inside code and scripts were the cause in all three incidents. In the latest instance, while the alleged teen hacker claims to have done this solely for fun and primarily to expose the company’s weak security, it does highlight some severe security lapses and points to a few key learnings.
Key learnings from the Uber breach
- Conduct social engineering and phishing simulation exercises every quarter
- Deploy a data scanning and classification tool to identify sensitive data
- Capture and monitor remote access logs, like the VPN logs
- Create an incident response playbook for analyzing various critical alerts
- Deploy a deception solution or honeypot trigger for a robust detection control
Social engineering attacks are increasingly becoming the most common method to gain a foothold in a target/victim’s environment. Hackers are also getting smarter, and the entry barrier is lower as tools and kits become almost commoditized. The Uber breach has once again proved that the weakest link in an organization’s security defenses is often the human element. Organizations need to employ multi-layered defenses that go beyond preventing attacks to detecting threats on time and remediating them with minimum disruption to business. SISA recommends putting two levels of controls in place – Preventive and Detective – to help improve cyber resilience and security posture.
1. Conduct employee training and phishing simulation
The essential element in the chain of defense is to train employees on phishing and social engineering attacks. Organizations must ensure the training content is updated with the latest phishing and social engineering attack trends. Secondly, the training must cover the processes the IT team actually follows when troubleshooting, so that employees can recognize any request that deviates from standard operating procedure and raise an incident.
SISA has also observed that, in almost 43% of the cases we investigated, phishing was the primary method used to compromise the environment. As the percentage of intrusions originating from social engineering and phishing has increased drastically, organizations are advised to conduct social engineering and phishing simulation exercises every quarter. This can help improve employee awareness and familiarity with emerging threat vectors and equip them to identify suspicious alerts/events on time.
2. Deploy a data discovery and classification tool
Another growing trend that SISA has observed is that intruders, after establishing persistence in the network, run scripts that scan the intranet for sensitive data such as card numbers, user credentials, cloud secret keys, etc., to aid deeper penetration of the network. Hence, running a data discovery and classification tool is a recommended preventive control for identifying and scanning the locations where sensitive data are stored. More importantly, the data scanning tool should locate any files or locations containing sensitive keywords such as ‘pass,’ ‘password,’ ‘passwords,’ or ‘credential,’ etc. Currently, no data scanning solution can identify whether the passwords it finds are stored in clear text. Hence, identifying the potential locations where passwords may be stored in clear text, as a Base64-encoded value, or in encrypted form is a good start for the organization’s security team. Although this method might yield around 90% false positives, it is still better to analyze the false positives than to take a chance on leaving something for the intruder to take advantage of.
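As an added illustration (not SISA’s tool or any product’s code), a minimal Python scanner that walks a directory for the keywords listed above and guesses whether each value it finds is clear text, Base64 or hex/encrypted; the file suffix list, the key/value regex and the sample script are assumptions of this example.

```python
import base64
import binascii
import re
from pathlib import Path

# Keywords the page recommends hunting for; 'pass' also covers 'password(s)' because of the \w* padding below.
KEYWORDS = ("pass", "credential")
# <anything containing a keyword> <: or => <value>; deliberately loose, so false positives are expected.
PATTERN = re.compile(
    r"(?i)\b(\w*(?:" + "|".join(KEYWORDS) + r")\w*)\s*[:=]\s*['\"]?([^'\"\s;,]+)"
)

def classify_value(value: str) -> str:
    """Heuristic storage form of a found value: hex/encrypted-looking, Base64, or clear text."""
    if len(value) >= 32 and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hex/encrypted"
    if len(value) >= 16 and len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            base64.b64decode(value, validate=True)
            return "base64"
        except (binascii.Error, ValueError):
            pass
    return "cleartext"

def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per keyword/value pair in `text`, with its line number and guessed form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PATTERN.finditer(line):
            findings.append({"source": source, "line": lineno, "key": m.group(1), "kind": classify_value(m.group(2))})
    return findings

def scan_tree(root: Path, suffixes=(".ps1", ".sh", ".py", ".txt", ".log", ".cfg", ".json", ".yml")) -> list[dict]:
    """Walk a directory (e.g. a script share) and scan every file with one of the given suffixes."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
            except OSError:
                continue
    return findings

# Constructed sample resembling a script with embedded secrets (fabricated values, not real data).
SAMPLE_SCRIPT = """\
$vaultUser = "svc_pam_admin"
$vaultPassword = "Winter2022!"
$vaultPassB64 = "c2VjcmV0LWFwaS1rZXktdmFsdWU="
ENCRYPTED_PASS=4f3a9c1d2e5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b0a1f
"""
```

Running `scan_text(SAMPLE_SCRIPT, "sample.ps1")` flags lines 2 to 4 as cleartext, base64 and hex/encrypted respectively; the Base64 and hex hits are exactly the candidates the text says still need manual review.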
1. Deploy an intelligent monitoring solution
Organizations must consider deploying an ML-based intelligent monitoring solution that goes beyond traditional rules-based and signature-based tools for detecting anomalies and/or suspicious behavior. SISA has observed that most entities that were breached could not detect the breach despite having a log monitoring solution. As a best practice, organizations must ensure that all remote access logs, such as the VPN logs, are captured and that the monitoring team does the following:
- Enrich the IP address in the remote access logs with geolocation data to capture the country and geo city from which the user logged in.
- Once enriched, use multi-aggregation to aggregate usernames against the geo cities they have logged in from. Once aggregated, use the long tail analysis technique to identify a user’s login from a new geo city.
- If the organization has a UEBA-capable monitoring solution, feed the remote access logs, such as the VPN logs, into the UEBA solution to identify anomalies.
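The enrichment, aggregation and long-tail steps above, worked through in an added Python example (not code from the page or from SISA): the VPN log line format, the static IP-to-city map standing in for a GeoIP service, and the thresholds are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
# Constructed VPN log lines (not real data); the line format is an assumption of this example.
VPN_LOGS = """\
2022-09-10T08:01:12Z user=alice src=203.0.113.10 result=success
2022-09-11T08:03:44Z user=alice src=203.0.113.10 result=success
2022-09-12T08:02:05Z user=alice src=203.0.113.11 result=success
2022-09-12T09:15:30Z user=bob src=198.51.100.7 result=success
2022-09-13T08:00:59Z user=bob src=198.51.100.7 result=success
2022-09-14T22:47:03Z user=alice src=192.0.2.99 result=success
2022-09-14T23:10:41Z user=bob src=198.51.100.8 result=failure
"""
# Stand-in for a GeoIP lookup; production code would query a geolocation database or service.
GEO_DB = {"203.0.113.10": ("IN", "Bengaluru"), "203.0.113.11": ("IN", "Bengaluru"),
          "198.51.100.7": ("US", "Austin"), "198.51.100.8": ("US", "Austin"), "192.0.2.99": ("RO", "Bucharest")}
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def enrich(log_text: str) -> list[dict]:
    """Parse successful logins and attach country and city from the GeoIP map (step 1)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "success":
            continue
        country, city = GEO_DB.get(m.group(3), ("??", "unknown"))
        events.append({"ts": m.group(1), "user": m.group(2), "src": m.group(3), "country": country, "city": city})
    return events

def aggregate_by_user(events: list[dict]) -> dict:
    """Multi-aggregation (step 2): username -> Counter of cities that user logged in from."""
    agg = defaultdict(Counter)
    for e in events:
        agg[e["user"]][e["city"]] += 1
    return agg

def long_tail_anomalies(events: list[dict], max_seen: int = 1) -> list[dict]:
    """Long-tail analysis over the window: logins from a city the user used at most `max_seen` times."""
    agg = aggregate_by_user(events)
    return [e for e in events if agg[e["user"]][e["city"]] <= max_seen]

def new_city_logins(events: list[dict], min_baseline: int = 2) -> list[dict]:
    """Streaming variant: alert on a city absent from the user's history once that history has `min_baseline` logins."""
    history, alerts = defaultdict(Counter), []
    for e in sorted(events, key=lambda x: x["ts"]):
        seen = history[e["user"]]
        if sum(seen.values()) >= min_baseline and e["city"] not in seen:
            alerts.append(e)
        seen[e["city"]] += 1
    return alerts
```

Both detectors single out alice’s Bucharest login; bob’s first logins are not alerted because he has no baseline yet, which is the trade-off the streaming threshold controls.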
2. Create an incident response playbook
As per learnings from SISA’s forensic investigations of other cases, one of the main reasons for inefficient detection is that organizations do not have a well-established incident investigation playbook for analyzing various critical alerts. Organizations must therefore ensure they have a well-documented incident playbook to follow, investigate and analyze when a user login from a new geo city is identified. The playbook should include a detailed checklist of actions, determine communication channels, set pre-defined roles, and document the end-to-end process flow.
3. Deploy a deception solution
As in the Uber breach, where the intruder scanned the intranet to identify the PowerShell script containing the credentials, intruders and malware have been widely seen scanning the internal network to determine their next action. Hence, deploying a deception solution or honeypot trigger is a robust detection control for detecting internal breaches and scanning attempts by intruders. Organizations needn’t implement a full deception solution; they can instead consider the following steps to create a deception trigger:
- Create a deception file and record the following data in it:
  - Dummy card numbers – include at least five.
  - Dummy credentials – ensure that keywords like ‘password’ and ‘pass’ appear.
  - Dummy cloud private keys.
- Ensure that the file format for the deception file is either .txt or .log. It’s better to have two copies of the deception file, one with a .txt and one with a .log extension.
- Identify the various virtual LANs (VLANs), network segments, and cloud segments within the organization’s architecture.
- Deploy the deception file in each identified network segment, VLAN, and cloud segment.
- Configure logging and alerting so that any access to these files is raised as a ‘Critical alert.’
- Ensure that an incident playbook is in place to guide the investigation of these alerts and the containment of the malware or intruder.
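An added Python example (not from the page or from SISA) that builds the deception file described above, writes the .txt and .log copies into a segment directory, and maps a file-access event on either copy to a ‘Critical alert’; the file names, the fabricated decoy values and the audit-event shape are assumptions of this example.

```python
import base64
import random
import tempfile
from pathlib import Path

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for `partial`, so the dummy numbers pass the format test a scanner applies."""
    digits = [int(c) for c in reversed(partial)]
    total = sum(d if i % 2 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return str(-total % 10)

def dummy_card_numbers(count: int = 5, seed: int = 42) -> list[str]:
    """Luhn-valid 16-digit decoys on the well-known 4111 test prefix; they correspond to no issued card."""
    rng = random.Random(seed)
    bodies = ["4111" + "".join(str(rng.randrange(10)) for _ in range(11)) for _ in range(count)]
    return [b + luhn_check_digit(b) for b in bodies]

def build_deception_content(seed: int = 42) -> str:
    """Decoy body: dummy cards, credentials carrying the 'password'/'pass' keywords, and a fake key block."""
    rng = random.Random(seed)
    fake_key = base64.b64encode(rng.randbytes(48)).decode()  # random filler, not key material
    lines = ["# service account backup"]
    lines += [f"card_number={c}" for c in dummy_card_numbers(seed=seed)]
    lines += ["svc_backup password=Sept2021!backup", "db_admin pass=Qwerty#2021"]  # fabricated decoy values
    lines += ["-----BEGIN RSA PRIVATE KEY-----", fake_key, "-----END RSA PRIVATE KEY-----"]
    return "\n".join(lines) + "\n"

def deploy_deception_files(segment_dir: Path, basename: str = "creds_backup") -> list[Path]:
    """Write the .txt and .log copies the page recommends into one network segment's share."""
    segment_dir.mkdir(parents=True, exist_ok=True)
    content = build_deception_content()
    paths = [segment_dir / f"{basename}{ext}" for ext in (".txt", ".log")]
    for p in paths:
        p.write_text(content)
    return [p.resolve() for p in paths]

def classify_access(event_path: str, deployed: set) -> str:
    """Map a file-access audit event to the page's severity: any touch of a decoy is a 'Critical alert'."""
    return "Critical alert" if Path(event_path).resolve() in deployed else "info"

def demo(tmp_root=None) -> dict:
    """Deploy into a scratch directory and classify two constructed access events."""
    root = Path(tmp_root) if tmp_root else Path(tempfile.mkdtemp())
    deployed = set(deploy_deception_files(root / "vlan10"))
    return {
        "files": sorted(p.suffix for p in deployed),
        "decoy_touch": classify_access(str(root / "vlan10" / "creds_backup.txt"), deployed),
        "normal_touch": classify_access(str(root / "vlan10" / "readme.md"), deployed),
    }
```

In a real deployment the access event would come from the file server’s audit log (for example object-access auditing on a Windows share), and `classify_access` would sit in the SIEM rule that raises the critical alert and invokes the playbook.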
Preventive controls are table stakes! Deploy detective solutions for a robust security posture!
To summarize, detective controls play a more critical role than preventive controls. As witnessed in some of the latest breaches, deploying multiple preventive controls isn’t a foolproof defense as intruders and malware are continuously trying and succeeding in evading these controls. Hence, detective controls and periodic simulations are required, along with preventive controls and solutions, to ensure that the organization’s security posture remains robust. Due to digitalization and the expanding use of multiple PaaS and IaaS solutions, organizations must consider deploying deception triggers to identify whether any intruder or malware successfully evades the preventive controls.
How can SISA help in overcoming an Uber-like breach?
As a forensics-driven global cybersecurity company, SISA enables businesses to grow securely based on learnings derived from forensic investigations. Through our unique 4D approach to cybersecurity, we help organizations fine-tune their Prevention, Detection, and Recovery controls for preventing or detecting a breach in the network. Besides, as a global PCI Forensic Investigator (PFI) with more than a decade of experience in investigating several high-profile and complex data breaches across the globe, SISA is trusted by leading organizations for securing their businesses with robust preventive and detective cybersecurity solutions, built using a problem-first approach and powered by forensic intelligence. Our multi-layered, connected security fabric covers the entire spectrum of risk, compliance, testing and training, which helps organizations build cyber resilience and improve their security posture.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.