Outsourcing security services has become common practice today. While it has proved to reduce operating costs for most organizations, the exposure to third-party risk can often create blind spots for the end-users of these services.
When control of security operations and data is relegated to a third party, the client essentially places the burden of protecting data and services from loss on end-users’ shoulders. We see a significant data breach impact hundreds, if not thousands, of consumers who have outsourced even a fraction of security services. When the SolarWinds Orion breach was reported to have put thousands of organizations at risk, it was a shockwave felt across multiple industries. Even the Log4J vulnerability has been assessed as a threat vector that will haunt the industry for months to come.
The recent Okta breach
In January this year, the security authentication company Okta announced details indicating a data breach. A postmortem forensic report was conveyed to Okta by the security firm Mandiant, which Okta had hired to uncover information about the breach.
This data breach impacted the organization internally; however, customers found themselves in a severe predicament due to Okta’s third-party service. As more details were divulged to the public, the specifics of this attack proved very unsettling.
Realization of the Okta breach
Okta reported, In March, that an organized hacking group named “Lapsus$” had gained unauthorized access to a laptop belonging to a Sitel customer support engineer. Sitel was a third-party service provider for Okta that had recently acquired a similar support organization known as Sykes. Sitel has attributed the breach to unsecured legacy network systems belonging to Sykes that were integrated into its infrastructure following the acquisition and were likely not equipped with a monitoring platform.
While this breach was disclosed publicly in March, a forensic investigation revealed the breach had occurred January 16-21, meaning substantial time passed before any victims were notified. As a service provider, Sitel had allowed a data breach that resulted in unauthorized access to and subsequent exposure of data for upwards of 366 Okta customers. Even with knowledge of this security incident, Okta publicly confirmed and disclosed details of the breach only after an extortion attempt by the Lapsus$ hacking group, when the group released screenshots proving they had successfully compromised Okta and its affiliates.
How it happened
Once Lapsus$ operators had officially gained access to Sitel’s systems, they reportedly laid dormant for several days before attempting any further actions. On the first day of activity, Lapsus$ conducted a web search using Bing to query popular privilege escalation tools stored in the online repository GitHub.
With their search for exploit tools concluding, they performed additional searches that targeted the details of a known vulnerability, CVE-2021-34484. The threat actors were then able to find vulnerability-specific exploits on GitHub and download them to the compromised host to begin their privilege escalation and lateral movement to other systems on the same network.
This was all made possible because Lapsus$ operators were able to terminate FireEye’s endpoint agent intended to prevent these exact actions. Using a credential-dumping utility known as Mimikatz from its official online repository, the threat actors created a series of backdoor user accounts to enable continued access. A final touch of implementing an altered email transport rule from within the compromised system allowed all internal emails to go to a malicious email account set up by Lapsus$.
From that point, the hacking group could simply swipe all emails received and extract sensitive information used to publicly extort Okta later. The ability to compromise endpoints and remain within the system for a prolonged period are again another testimony that covering the network with detection and response tools is a must in order to have true visibility into your environment.
The timeline that Mandiant reconstructed alludes to Lapsus$’s access to a spreadsheet titled “DomAdmins-LastPass.xlsx.” This filename indicates that domain administrator passwords had been exported from the enterprise password management tool LastPass.
While various media outlets have contacted Sitel spokesperson Matt Jaffe to verify whether the spreadsheet contained passwords, he declined to comment. However, some days afterward, representatives of Sitel insisted that the spreadsheet did not contain any passwords and instead merely listed account names from legacy Sykes systems.
Whether or not the company was telling the truth, this degree of uncertainty presents a compelling case for exactly how risky it is to fully rely on the integrity of third-party services amid a breach and how this can result in loss.
The transitive nature of third-party risk
While the breach of Okta’s outsourced security services presents a costly set of circumstances for the organization itself, the downstream damages are equally impactful. One must consider the known 366 Okta customers whose data was compromised due to this breach.
When an active group of threat actors persists on a network, they can collect more sensitive data and attempt to compromise other systems. Unfortunately, the concept of compromising subsequent systems is not limited to those that belong to the initially compromised victim. Any systems or information they have access to belonging to other organizations or individual users amplifies the amount of third-party damage inflicted.
Prevention eventually fails
Some organizations implement multimillion-dollar information security policies and controls to mitigate risk only to be undermined by basic techniques that could be used even by entry level script kids. A state-of-the-art firewall could perform great until something as trivial as a user clicking a malicious link or file in a phishing email happens.
What is worse, in these third party cases, is the idea that a software vendor can be compromised and have its final, tainted product shipped out to consumers. Supply chain attacks are unpredictable and nearly impossible to mitigate for the average organization. Knowing that a purely preventive security posture is only half of the battle fought, it is worth remarking on the merits of a robust monitoring and response capability.
Network detection and response in action
Relying solely on preventive controls when third-party risk threatens an organization makes it only a matter of time before a threat actor pivots from a service provider to your organization’s highly sensitive assets.
The constantly evolving modern cyber battlefield requires solutions that match and exceed the pace of the latest threats out there. When third-party risk is nearly impossible to prevent, it stands to reason that a reactive approach driven by effective monitoring capability is the answer to the problem.
WireX’s NDR solution
WireX’s NDR platform is a complete solution that provides network detection capabilities supported by robust response mechanisms. Being able to quickly respond to alerts, prioritize the important ones from the noise and using the analytics to calibrate current detection tools allows your organization to optimize existing investments and take more significant advantage of their utility whether these solutions are SIEMs, NGFWs, threat prevention or breach detection systems.
In addition to in-depth monitoring capabilities WireX’s platform instantly provides context and timely data to ensure that threat investigations take a fraction of time they usually would. The system is designed to empower even entry level operators to investigate as experienced analysts in order to mitigate the critical shortage of human resources in the industry.
Contact us today
Schedule a demo to learn more about how WireX can prevent those stealthy insider threats looming within your organization. Contact us today, and eliminate the stress of wondering whether or not you’ll catch a disgruntled employee or double-agent contractor.
