A recent breach at cloud data storage firm Snowflake may be becoming one of the largest ever, according to WIRED.
What Happened?
Snowflake first revealed that criminal hackers had been attempting to access its customers’ accounts using stolen login details. The company announced that a “limited number” of customer accounts had been accessed. That number would then balloon to at least 165. Organizations like Ticketmaster, LendingTree, and Advance Auto Parts announced that their information was involved in the incident.
Security researchers reported that in some cases the hackers obtained access to Snowflake accounts through a third-party contractor of Snowflake.
WIRED spoke with an individual who said they were part of the hacking group known as ShinyHunters and that the group was involved in the breach. The individual told WIRED that they were able to infect the computer of a third-party contractor of Snowflake and found unencrypted usernames and passwords used to manage Snowflake customer accounts. The hackers reportedly were able to use those credentials to access the Snowflake accounts because the accounts did not require multifactor authentication (MFA).
The hacker also said they were able to harvest credentials on the dark web that had been leaked after being stolen in previous breaches. These credentials are easy to find because they have been posted online by hackers who used infostealer malware to nab the credentials and then posted them to the dark web or deep web. If the owners of these leaked accounts have not changed their passwords, the accounts can be easily broken into, especially if they don’t use MFA.
The Snowflake breach is a developing story. The Los Angeles Unified School District recently announced that it was a victim of the breach and hackers had obtained student and employee information. Reportedly, 10 of the victimized companies in this breach have been urged to pay ransoms ranging from $300,000 to $5 million.
If you want any indication of how this incident is affecting Snowflake, its stock has dropped nearly 24% in the last month.
What is Multifactor Authentication?
When you consider an online account, whether it be a social media, banking, online shopping, or work-related account, most of these accounts simply use a username and a password to authorize access. The goal of MFA is to make it more challenging for someone other than the authentic user to access the account. Often, MFA comes in the form of a one-time password (OTP) that is sent to a user’s handheld device. The account cannot be accessed without this code. Authentication apps such as Google Authenticator or Microsoft Authenticator are also useful tools when it comes to MFA. These apps generate an OTP on the device itself that the user enters to log into an account.
Why is MFA Important?
I want to be clear, MFA is not a panacea. There are certainly ways MFA can be bypassed. Users can be tricked into giving up the code or compelled to do so through harassment. In more extreme cases, hackers can use SIM-swapping attacks to get a phone number transferred to a device they control. This happens when phone carriers are duped into activating a SIM card that gives the hackers access to any text messages you might receive, including OTPs.
But, if you consider your online accounts, the goal is to make it as difficult for a hacker to gain access to your account as possible. You want as many guards at the gates as you can possibly have. These guards can include using strong, unique passwords and MFA.
You should use MFA on as many accounts as you possibly can, and certainly any that contain sensitive, personal, or financial information. As an organization, it is important to enable MFA on as many accounts as possible, especially if the information stored in those accounts includes client or customer information, employee or financial information, or sensitive intellectual property. Most third-party contractors should offer this option; if they do not, you may want to look elsewhere for someone who does.
Why Incident Response Planning?
The Snowflake incident is a perfect example of the importance of incident response planning. Building a robust incident response plan is important, because you never know when something might occur to one of your third-party vendors that involves your information. We can hope nothing will ever occur, but the truth is that it can and, without sounding dramatic, probably will. If it can happen to Ticketmaster and so many others, it can happen to anyone.
Proactive incident response planning allows your organization to be prepared if an incident does occur. It is important to be ahead of an incident and equipped to manage it, instead of scrambling when one does occur.
The first moments of an incident are critical. How you respond to your customers, your employees, the public and, if necessary, the media and regulators, will define how your response is perceived. If it is perceived to be uncaring, modest, suspect, or disjointed, you will ultimately suffer a loss of reputation. This could hurt your customers, your employees, and your bottom line.
Today, incidents have become so common that organizations can often weather them. However, if an incident response is disorganized and perceived poorly, the damage will be worse than it would have been with an organized response.
When people think of incidents, they think of ransomware or a data breach. However, it is much more than that. What do you do if an employee’s laptop is stolen that contains important information? What if one of your third-party vendors has your data mishandled by one of its third-party vendors? What if one of your employees has pilfered important internal intellectual property and brought it to a competitor? These are all important scenarios to consider and prepare for.
How to Build an Effective Incident Response Program?
Building an effective incident response program takes a few important steps.
Build Your Incident Response Team: It is important to get key stakeholders together to begin preparing for an incident response. This should include the incident response team, who will be the team directed to respond to an incident should it occur. The IR team obviously includes those in your organization, or a third party, who protect the network and are responsible for running your digital security. But it also should include executive leadership, who should not rely on IT or IT security alone to manage an incident response.
Other important roles in an IR team include those who will communicate both internally (with employees) and externally (with customers/clients, public, media, regulators, etc.). These could be the same person or two people (one for internal and one for external communications). However, it is critical that only the person elected to speak for the company does so. Having a random employee tell a customer or another outsider that “we’ve been breached” can be devastating to an incident response and cause many future legal headaches for the organization.
In an incident response, crisis communications are as important as making sure the network is protected and the method of breach has been removed.
Develop Incident Response Playbooks: Incident Response Playbooks act as a guide. When an incident does occur, an effective playbook lays out exactly what everyone is responsible for during an incident and how it should be accomplished. A playbook walks each key stakeholder through their responsibilities from when there is recognition that something has occurred to the time of full remediation. Playbooks should also be periodically updated to reflect changes in the organization.
Hold Tabletop Sessions: Tabletop sessions give the organization the opportunity to test the playbooks and understand where improvements should be made. They also ensure that response is top of mind for all key stakeholders. Tabletop sessions are simulated scenarios that mirror a real-life incident. A good tabletop session will unfold like a real-world event, in stages, so that each stage presents you with a new problem that you need to solve. It can be helpful to have an experienced third party facilitate these, as they can help you understand areas of needed enhancement and ensure the scenario is one that will provide opportunities for learning.
Build Communication Templates: It is important to have some communication templates already built before an incident. These of course may change with the type of incident, but a template will help you build a foundation if an incident does occur. These templates could include how you would alert customers, regulators, the media, your cybersecurity insurance, and even employees of an event. Having these in hand will help you craft proper communication during that event.
Consider Dark/Deep Web Monitoring of Your Information
Another important proactive step you can take to prepare for an incident is to engage in dark web/deep web monitoring of your information. This can help you learn whether any of your information has been leaked to the dark web or deep web, or whether there is chatter about your organization or its employees in these dark corners of the internet. You can also monitor your third parties, so if they are involved in an incident, you will be notified as quickly as possible and can more effectively prepare if any of your information was involved.
Protecting your online accounts by using MFA wherever possible is a crucial step toward greater cybersecurity. Developing a strong incident response planning program will help you proactively prepare for an event that could damage your organization. Dark/deep web monitoring will help you understand early if there is a situation that you will need to manage instead of being surprised by one.
Reach out to us if we can help you with incident response planning and dark/deep web monitoring. These services are important components toward greater digital security.