I Read So Many IR Posts This Week, Here Are My Thoughts
Twilio, LastPass, Mailchimp, Signal, Plex, Samsung, DoorDash, TikTok(?), and so many more! It's happening, y'all!
I started writing this post a week ago, and since then more breaches and security incidents have surfaced almost daily, on top of Twilio and LastPass.
Not since the SolarWinds attack has there been so much fallout across so many companies!
Instead of summarizing the incidents, I'm going to highlight examples of good writeups.
Here’s the TL;DR:
There's something called MFA fatigue (also called push bombing): an attacker who already has the password fires off push prompts over and over, sometimes with a phone call posing as IT, until the target taps Approve just to make it stop. So yes, even if you have MFA set up, people may hit yes anyway!
U2F hard keys (FIDO2/WebAuthn security keys) are the BEST way to go: the key signs a challenge that is bound to the site's origin, so there is no prompt to wear someone down with and nothing a phishing page can relay to the real site.
Be prepared to publish a good writeup in the event of an incident.
Have an IR plan (goes without saying).
Please limit employee access to data and systems to what their role actually needs (least privilege).
Don't let employees save work passwords in Chrome, and especially not in a Chrome profile that syncs to a personal Google account. Please!
Select Thoughts On Incident Writeups
LastPass Security Incident
As for the most recent incident, I don't have any public comment. However, I do want to note that this is not their first time.
LastPass Security Writeup
I DO want to note, though, that they handled the earlier incident well from a public point of view.
💡 For those managing a SOC, or with limited IR and security management experience, I recommend reading this earlier post from a previous LastPass incident.
They were very transparent and upfront about their tactical approach.
They even include the mistakes they made!
There's no better source of learning than others' mistakes.
Cloudflare Security Incident
Luckily for them (and us), they had decent security in place that kept any Cloudflare systems from being compromised, including a hard-key (U2F) requirement for login: employees who typed their credentials into the phishing page still could not be logged in as, because the attacker had no way to satisfy the hardware-key step.
Their blog post details their response actions, is worth a read, and includes a list of indicators of compromise.
It's also interesting to see them use their own Cloudflare products (eating their own dog food) to protect themselves. I'm a bit of a fan (no affiliation) of their stuff too.
Cloudflare's use of U2F keys prevented any unauthorized access to resources.
Their incident writeup is excellent and worth a read
Cisco Security Incident
Not part of 0ktapus, but Cisco had a security incident recently, and I think the simplicity of this attack is really worth highlighting.
OK, this one is really unfortunate.
A Cisco employee's personal Google account was compromised.
Cisco credentials had been saved in the Chrome browser, with password sync enabled, so they were synced to that personal account.
Chrome does not keep saved passwords in plain text on disk (it encrypts them with a key tied to the OS user account, DPAPI on Windows and the Keychain on macOS), but that does not help here: whoever controls the Google account a profile syncs to, or is running as the logged-in user, gets them back in the clear. Don't let your employees do this. On managed devices the Chrome enterprise policies PasswordManagerEnabled (set to false) and SyncDisabled (set to true) turn off the built-in password manager and account sync.
VPN 2FA was then defeated through MFA fatigue: repeated push prompts combined with vishing (voice phishing) calls impersonating support until the employee accepted one 🤦🏼♂️
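The MFA fatigue pattern from the TL;DR and the Cisco chain above leaves a visible trail in IdP logs: a burst of denied or timed-out push prompts for one user, sometimes followed by a single approval. The following detector is an added example, not code from this post or from any of the vendors mentioned. The log format and the sample lines are constructed for illustration (no vendor emits exactly this); adapt parse_line() to your IdP's export. The window and threshold values are assumptions to tune against your own push volume.

```python
"""Detect MFA push bombing (MFA fatigue) from authentication logs.

Added example with a constructed log format: each line is
<ISO-8601 UTC timestamp> <user> <push result> <source IP>.
Push results used here: push_denied, push_timeout, push_approved.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice is hit with a burst of
# prompts and finally approves one; bob has only normal, spread-out activity.
SAMPLE_LOG = """\
2022-08-10T02:14:05Z alice push_denied 203.0.113.7
2022-08-10T02:14:31Z alice push_denied 203.0.113.7
2022-08-10T02:15:02Z alice push_timeout 203.0.113.7
2022-08-10T02:15:40Z alice push_denied 203.0.113.7
2022-08-10T02:16:10Z alice push_approved 203.0.113.7
2022-08-10T09:01:00Z bob push_approved 198.51.100.4
2022-08-10T09:30:00Z bob push_denied 198.51.100.4
2022-08-10T11:00:00Z bob push_denied 198.51.100.4
"""

# Prompts the user did not accept: the signal that someone else is triggering them.
UNAPPROVED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Return (timestamp, user, result, ip), or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def detect_push_bombing(log_text, window=timedelta(minutes=10), threshold=3):
    """Sliding window per user over unapproved push prompts.

    An alert opens when `threshold` or more prompts inside `window` were denied
    or timed out. If an approval then arrives while that run is still inside the
    window, the alert is escalated to high: the user most likely gave in, which
    is exactly the MFA fatigue outcome. Returns the list of alert dicts.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    open_alert = {}              # user -> alert dict for the current run
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, user, result, ip = rec
        q = recent[user]
        # Age out prompts that fell outside the window; an empty queue ends the run.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            open_alert.pop(user, None)
        if result in UNAPPROVED:
            q.append(ts)
            if user in open_alert:
                open_alert[user]["unapproved"] = len(q)
            elif len(q) >= threshold:
                alert = {
                    "user": user,
                    "ip": ip,
                    "start": q[0].isoformat(),
                    "unapproved": len(q),
                    "severity": "medium",
                    "approved_after": False,
                }
                open_alert[user] = alert
                alerts.append(alert)
        elif result == "push_approved":
            if user in open_alert and len(q) >= threshold:
                # Approval right after a spam run: treat as probable fatigue success.
                open_alert[user]["severity"] = "high"
                open_alert[user]["approved_after"] = True
                open_alert[user]["approved_at"] = ts.isoformat()
            # A successful login closes the run; start counting afresh.
            q.clear()
            open_alert.pop(user, None)
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(a)
```

Run over the sample, only alice is flagged, escalated to high because the approval lands inside the same ten-minute run; bob's two denials are 90 minutes apart and never reach the threshold. In production, pair the alert with a session kill and a call-back to the user, and note that the detector says nothing about the phone call that accompanied the Cisco prompts: the vishing part only shows up in the user's report.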
Plex Security Incident
Well, Plex also got attacked recently. Here's the thing: I couldn't find anything on their website AT ALL. That is not good practice. Be open and transparent. I did, however, save a copy of the email here.
Looking at so many incidents, I ended up putting together an Airtable with some attributes of the various incidents and then linked them to the campaigns they belong to. I threw it up on a domain I had, Foorbarsec.com, which seems pretty appropriate. Let me know if you're interested in helping.
If you liked anything here, please feel free to share it with your community or Tweet It.