In August, a sweeping phishing campaign, referred to as Oktapus, targeted customer engagement platform Twilio and content delivery network Cloudflare. Though the attackers leveraged relatively low-skilled methods to achieve their aims, the social engineering attack had far-reaching consequences that affected more than 130 other organizations. The cyberattackers were able to net nearly 10,000 sets of Okta credentials, enabling them to spread their attack downstream to many more customers.
This breach calls into question the efficacy of current identity and access management (IAM) strategies. What questions should IT leaders be asking themselves to protect their organizations from a similar attack? Three cybersecurity experts weigh in on the Twilio breach and what it means for cybersecurity going forward in the following five questions.
1. How is the identity attack surface growing?
Identity is an increasingly popular attack surface. Threat actors look for ways to harvest credentials that grant them broad access to networks. Given the increasingly interconnected technology vendor ecosystem, even minor identity exposure can have a ripple effect.
“The rise of widespread remote work dramatically expanded the attack surface by connecting nearly every aspect of our lives to our digital identities and dissolving the barrier between work and personal online accounts and devices,” explains Dustin Warren, senior security researcher at cybersecurity company SpyCloud.
A growing attack surface means IT leaders have more vulnerabilities to worry about, both known and unknown.
2. How effective is multi-factor authentication?
Multi-factor authentication is considered a vital IAM practice, but it is not necessarily enough. The Oktapus campaign snagged thousands of two-factor authentication credentials, allowing bad actors to bypass this security access control.
“Organizations would do well to utilize the strongest methods of multi-factor authentication possible, rather than using SMS or other weak methods,” contends Sean O’Brien, a fellow of the Information Society Project at Yale Law School and founder of the Privacy Lab at Yale ISP. “These include authenticator apps, which provide [one-time PIN] OTP codes, or physical key tokens such as YubiKey or Nitrokey.”
The phishing attack that targeted Twilio and Cloudflare hit a roadblock at the latter. Some employees were taken in by the phishing lures, but physical security keys helped to prevent compromise.
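The difference between the two outcomes above comes down to what the second factor proves. An OTP code proves only that the user holds the secret at that moment; nothing in the code records where it was typed, so a look-alike page can relay it to the real site. A FIDO2/WebAuthn security key signs over the browser's actual origin, so an assertion produced on a phishing page fails verification at the real site. The script below is an added illustration, not code from the article or from any of the vendors named in it: part one is standard RFC 6238 TOTP, part two is a simplified WebAuthn-shaped exchange in which the origins are constructed placeholders and the credential's ECDSA signature is replaced by an HMAC stand-in so it runs offline with only the standard library.

```python
"""Why a relayed OTP code is accepted but a relayed security-key assertion is not.

Added illustration, not from the article. Part 1 is real RFC 6238 TOTP.
Part 2 follows the WebAuthn field layout but uses an HMAC in place of the
credential's ECDSA signature (assumption for an offline, stdlib-only demo).
"""
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds


# ---------- Part 1: TOTP knows nothing about *where* the code was typed ----------

def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Output depends only on the secret and the time."""
    counter = struct.pack(">Q", for_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check with the usual +/- one time-step tolerance."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), code)
        for d in range(-window, window + 1)
    )


def relayed_otp_is_accepted(secret: bytes, now: int) -> bool:
    """Victim types the code into a look-alike page; a proxy forwards it to the
    real site a few seconds later. The real site has no way to tell and accepts."""
    code_typed_on_phish_page = totp(secret, now)
    return verify_totp(secret, code_typed_on_phish_page, now + 5)


# ---------- Part 2: a WebAuthn assertion binds the browser origin into signed data ----------

REAL_ORIGIN = "https://login.example.invalid"      # constructed placeholder
RP_ID = "login.example.invalid"                     # relying-party id for that origin
PHISH_ORIGIN = "https://login-sso.phish.invalid"   # constructed placeholder


def make_assertion(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """What browser + authenticator produce. The browser, not the page, writes the
    origin it is really on into clientDataJSON, and the signature covers its hash."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP bit set) | signCount (4 bytes)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(cred_key: bytes, a: dict, expected_challenge: str) -> bool:
    """The relying-party checks from the WebAuthn assertion verification procedure."""
    try:
        cd = json.loads(a["client_data"])
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:  # origin binding: this is the phishing check
        return False
    if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["sig"])


def rewrite_origin(a: dict, new_origin: str) -> dict:
    """A proxy editing clientDataJSON in transit: the signed hash no longer matches."""
    cd = json.loads(a["client_data"])
    cd["origin"] = new_origin
    return {**a, "client_data": json.dumps(cd, sort_keys=True).encode()}


def relayed_assertion_is_accepted(cred_key: bytes, challenge: str) -> bool:
    """Same relay as the OTP case. (A real browser would already refuse to exercise a
    credential scoped to RP_ID from PHISH_ORIGIN; this shows the server-side check
    that catches it even if an assertion were produced.)"""
    a = make_assertion(cred_key, challenge, PHISH_ORIGIN)
    return verify_assertion(cred_key, a, challenge)


if __name__ == "__main__":
    secret, key, now, chal = b"12345678901234567890", b"cred-key", 1_700_000_000, "c0ffee"
    print("relayed TOTP accepted:          ", relayed_otp_is_accepted(secret, now))
    print("real-origin assertion accepted: ", verify_assertion(key, make_assertion(key, chal, REAL_ORIGIN), chal))
    print("relayed assertion accepted:     ", relayed_assertion_is_accepted(key, chal))
    tampered = rewrite_origin(make_assertion(key, chal, PHISH_ORIGIN), REAL_ORIGIN)
    print("origin-rewritten accepted:      ", verify_assertion(key, tampered, chal))
```

The first line of output is True and the last two are False: the OTP verifier cannot distinguish a relayed code from a genuine one, while the assertion verifier rejects both the assertion that honestly carries the phishing origin and the one whose origin was rewritten after signing. That is the property O'Brien's "physical key tokens" provide and authenticator-app OTP codes do not.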
3. Do you know where all your identities are hosted and managed?
Having a complete inventory of the identities in a network and the assets they can access is vital to protecting your organization. Yet, 52% of organizations do not have full visibility into identities’ permission levels and accessible resources, according to the State of Cloud Security Maturity 2022 whitepaper from cloud security platform Ermetic and Osterman Research.
“As companies invest more in cyber resilience, criminals are finding increasingly sophisticated pathways around their defenses, meaning the most dangerous weaknesses are the invisible ones,” Warren says. “A robust cybersecurity posture must close key gaps by mitigating the risk of unmanaged devices and monitoring for stolen credentials and other forms of identity exposure.”
4. What kind of risk do my vendors expose my organization to?
Even if organizations have a firm grasp of IAM within their own four walls, risk extends much further. The Twilio supply chain attack had hundreds of secondary victims.
“Understanding where your vendors are actually being used, not just for yourself, but in a greater ecosystem becomes very important for your own security,” says Brian Haugli, CEO and Founder of virtual CISO services provider SideChannel and National Institute of Standards and Technology (NIST) guidance expert. “Because somebody else’s mishap now becomes your problem.”
5. Is your organization’s IAM based on recognized industry standards?
Evaluating and mitigating security risk is a complex task, but industry standards developed by organizations like NIST are a good place to start. “I don’t think we do enough building programs based on standards and recognized frameworks,” argues Haugli.
This spear-phishing campaign will not be the last of its kind. Threat actors will continue to find ways to exploit IAM vulnerabilities. “We should expect future attacks to remix well-known attacks that have been effective over email, with SMS and other smartphone vectors being at the forefront,” O’Brien anticipates.