Another day, another data breach has become a common refrain in a world saturated with data breaches and other types of data exposures. But over the past few years, a subtle change in the nature of breaches has taken place. We documented some of these changes in our analysis of the 100 largest breaches in the 21st century, highlighting that breaches were getting larger and more likely the result of misconfigurations. Since 2020, though, we've seen another trend emerge—the rise of supply chain breaches. In this post, we're going to go over how these two trends are shaping the world of security, and how to mitigate the risks stemming from these factors.
Illustrating modern risk vectors
While these two trends—the emergence of misconfigurations and supply chain attacks—exist as separate concerns, breaches this year have illustrated how these trends are converging and how threat actors are taking advantage of both. We wrote about one such breach, the Heroku/Travis CI OAuth token breach, which involved threat actors leveraging stolen tokens. The breach was only discovered when threat actors attempted to escalate the incident by using the stolen tokens to access GitHub's npm infrastructure to steal credentials there. Luckily, the attack was stopped before it went any further.
Earlier this year, a breach impacting Okta was initiated by a hacker collective known as Lapsus$. As documented by Microsoft, their playbook entails gaining internal access to organizations and then exploiting privilege escalation through exposed credentials or other security failures. In the case of the Lapsus$ attack on Okta, a third-party provider, Sitel/Sykes, potentially failed to secure a password export (although this is disputed as the direct cause). Regardless, this is a potent illustration of how third parties and their security configurations might have downstream impacts on other organizations.
In general, we've simply seen third party risk expand as a result of increased software dependencies and the growing number of applications and services used by modern organizations. Incidents such as the Kaseya and SolarWinds breaches, as well as open source dependencies like Log4j are a testament to this increased risk. By some estimates, supply chain attacks increased more than 300% last year alone.
Below, we’ll take a closer look at these developments by briefly discussing breaches that best illustrate the impacts of these trends.
Dozens of companies exposed source code and credentials in GitHub - 2020
At the end of 2020 we rounded up some of the most severe data breaches that occurred through GitHub, including a potential exposure of AWS credentials, through an employee uploading almost a gigabyte’s worth of data to a public personal repo. Other stories demonstrated that even in highly regulated industries like healthcare, employees can still make risk mistakes like hard coding login credentials within code and those repos being publicly searchable.
Unfortunately, GitHub is not the only system where this happens. A 2019 report by an independent security researcher found that dozens of Jira instances full of business critical data were publicly searchable and indexed.
Twitter’s backend breached - July, 2020
Okta’s hack is somewhat reminiscent of 2020’s Twitter Hack, where social engineering and poor employee security hygiene combined explosively in a breach that compromised the company’s backend and allowed threat actors to control some of the most influential accounts on the platform. In the case of Twitter, threat actors used so-called vishing, or voice phishing, to move laterally throughout the organization until they stumbled upon credentials to Twitter’s backend in one of the company’s Slack channels. The Twitter hack reveals that even if each individual account follows the principle of least privilege, it doesn’t matter if employees are violating policy by sharing sensitive data in easily accessible channels.
Twilio leaked PII & secrets through a supply chain attack - April 2021
Last year, major code coverage provider Codecov was breached through a compromised Bash Uploader. The attack went unnoticed for four months before a Codecov customer noticed the compromised script. This resulted in a supply chain attack impacting companies like Twilio who leverage Codecov in their repositories. Twilio reported as a result that a small number of emails and secrets had been cloned by attackers. Twilio addressed the risks “by thoroughly reviewing and rotating any potentially exposed credentials.”
What are the biggest takeaways from these incidents?
There are 4 key lessons that we can learn from these breaches and the trends they illustrate more broadly.
1. Data is the new perimeter
In most of the stories we’ve discussed, ultimately, some policy failure occurred as a result of poor employee practices. In many cases, the practice in question exposed credentials that remained accessible for an indefinite period of time. While security has always centered around access, and preventing the wrong people from accessing critical systems, the move to a fully remote world has required organizations to become remote-first. Part of this transition has required adopting a “zero trust” mindset. This means not granting implicit trust to users based on access to an account, network, or device alone.
While much of zero trust has rightly centered around identity, and continuous authentication, another crucial layer of zero trust is data access. In shared environments, like cloud systems, the only way to ensure data remains need-to-know is through permissions, which are only followed when users and admins exactly choose to do so, or when security teams have the bandwidth to enforce policies consistently. This makes employee accounts in collaborative systems like Jira, Slack, GitHub, Confluence, etc. all extremely valuable targets. Should processes like continuous authentication fail, your environments need to remain clean of credentials, secrets, or other types of sensitive data that can result in the escalation of a breach.
Watch the segment below to learn more about the importance of a zero trust mindset in applications like Slack and why it’s needed to address modern data security risks.
2. Make sure your policies are followed everywhere your data lives, including within third-party systems
Supply chain attacks can be tough to mitigate, especially where expectations around whose policies and procedures must be followed to protect data and mitigate breaches. According to a survey of 1400 security decision makers, about 49% of companies did not specify the security standards that their suppliers must adhere to, with only a third seeing supply chain attacks as exclusively their responsibility, and about a third being “very confident” that they could respond quickly and effectively to a supply chain attack. With this in mind, it’s extremely important that organizations commit to a proper “chain of custody” regarding potential breach investigations, as well as more broadly understanding whose security policies will inform how customer data is protected.
3. Your policies can’t be enforced without visibility into user behavior
Policy enforcement has two key components, education and actual enforcement. Unfortunately, today’s distributed and perimeter-less workspace means that enforcement is not humanly possible for security teams to manage without the proper tools. The ability to enforce policies across applications requires automation and the ability to detect the types of data security violations that can potentially result in the types of incidents discussed in this post. The Nightfall platform was explicitly built to solve this problem.
Using machine learning, Nightfall can detect the most common types of sensitive data in files, images, and documents—including PII, PHI, and API keys along with other types of secrets and credentials. Being API based, Nightfall can rapidly integrate with the most popular cloud services like Slack, Google Drive, GitHub, and the Atlassian suite. Alternatively, using the Nightfall Developer Platform, the Nightfall’s detectors can be leveraged within any cloud application, including custom ones. Users can even choose to have the Developer Platform ingest data from an endpoint of their choice in order to detect, redact, or otherwise remediate it.
For a deeper analysis of these trends, and to see Nightfall in action, watch our on-demand webinar on how to build continuous security and compliance into your business critical SaaS applications. There we talk about the fundamentals of zero trust, how it can help you mitigate the risk from these emerging trends, and how Nightfall can enable zero trust data security. Learn more and register here.