Twitter breach: what we need to learn… and what we know

Last week, Twitter was the victim of a spear phishing attack that led to hundreds of celebrity accounts hacked to request Bitcoin donations. The incident has highlighted the need for CISOs to take action to protect employees from such attacks and ensure internal processes are not abused by hackers.

The attack led to the tweets from the likes of Bill Gates that had variations of this: “Everyone is asking me to give back. You send $1,000, I send you back $2,000.” The tweet posted details of a Bitcoin wallet to send money to. Within hours, at least 375 transactions were made totalling over $120,000.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” said Twitter in a tweet

It added that “significant steps” had been taken to “to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues”.

Twitter also stopped many verified accounts from tweeting while the incident took place.

In a statement, the UK's National Cyber Security Centre said that while “it appears to be an attack on the company rather than individual users, we would urge people to treat requests for money or sensitive information on social media with extreme caution”.

What we don’t know yet

Tony Cole, CTO at Attivo Networks, told SC Media UK that it is impossible to state specifically at this point in time how the systems were taken over since we don’t have the internal details from Twitter.

“Due to the number of accounts compromised it’s quite possible that an internal administrators’ account was compromised via some method of phishing which bypassed any controls the individual Twitter user(s) had in place, allowing the attackers to tweet anything from accounts under the control of that administrative account,” he said.

We also know some hugely significant Twitter accounts, such as Donald Trump’s, did not suffer. And despite being an old-fashioned style of attack, there was nuance to the wording, as the hackers appeared to personlise or change the copy on each account. 

Cole added that CISOs could have countered the attack by focusing on two different but important security efforts. One: user awareness training to counter phishing susceptibility. Two: instrumentation inside the perimeter and on endpoints to detect adversary lateral movement and credential use.

“Both of those could have stopped the attack independently if the suspected methods are correct,” he added.

What the board needs to know

Dr. Shorful Islam, chief product and data officer at OutThink, told SC Media UK that in cases such as this, there will have been a lot of discussion about how to best to communicate the attack to the board and Twitter’s consumers, and it looks like the CISO and their team have gone with the honesty option, which is to be applauded. 

“Of course, as a CISO, you want to give assurances that this won’t happen again, but at present, I am not sure the security team at Twitter can make that promise. They will be saying the company will double down on security training – especially anti-phishing modules – and that they will conduct more and more phishing simulations to spot where the gaps in security are. The problem is, they will have already been doing a lot of this, but it clearly hasn’t worked,” he said.

With these types of breaches, saying it straight is always the best option: “The CISO should be telling the board that they are doing everything they can to understand exactly how this happened, which means doing more to understand human risk and how to reduce it.”

Islam reiterates that this is a reminder of a lesson all senior cybersecurity professionals know – concentrate on the people, not just the technology.

“Get to know employees – their sentiment towards security, any risky behaviours they exhibit and their willingness to comply with policies – before making highly targeted interventions.

“In Twitter’s case, it could be reviewing the privileged access of some users that are deemed to be high risk or asking them to attend a webinar on a particular security issue that they aren’t engaged with.”