For over a decade, I have analyzed the root causes, trends and patterns behind what post-breach crisis managers like to describe as "unauthorized third parties" performing "really sophisticated cyberattacks". In the past, these cyberattacks were rarely sophisticated, and "unauthorized third parties" almost always meant cybercriminals.
2022 was different. Infamy (that quality of becoming well known for being cosmically bad at something, or for an epic clown act) is no longer a prerequisite for having your digital landscape compromised. It is no longer *always* the organizations with lousy cybersecurity that get their data stolen.
In 2022, when it comes to large breaches, the unauthorized third parties are not necessarily the traditional organized cybercriminal gangs of years gone by; they might be rogue nation-states or gifted (albeit misdirected) teenagers. Many of the attacks now look far more sophisticated than in previous years.
The past year has been so full of breaches that not even the tech journalists can agree on which measure to use to rank the hacks or breaches from worst downwards. Monetary loss? Number of people impacted? Amount of data stolen? Remediation cost?
For those reasons, I am going to take what I think are the three largest data breaches (based on number of records stolen) and identify what key lessons we can take from them.
We start with the smallest of the three data breaches:
Optus (9.8 million)
"Cyber Security. We won't just do better. We'll do best," declares the Optus cyberattack response page. A bold statement, given that up to 9.8 million people could be affected by the breach, roughly 40% of the population of Australia, the country in which Optus operates.
Optus has not officially divulged the root cause, but various sources report that the intrusion used an application programming interface (API) that returned customer details without any authentication. Why? Because it was *thought* that the API would only ever be deployed inside trusted network segments.
Allegedly, due to human error, an engineer placed an instance of this API (with access to production data) in a test environment, and that test environment was reachable from the internet. Additionally, the customer records used sequential, predictable identifiers (an insecure direct object reference), so once the intruder had a few valid record IDs they could simply count up and down to request everyone else's.
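The two gaps described above, no authentication on the lookup and guessable record IDs, are easiest to see side by side. The following is an added example written for this article, not Optus code: a tiny in-memory customer API in the vulnerable shape, the enumeration it permits, and a hardened version that authenticates the caller, authorizes per record and exposes only opaque references. All records, IDs, tokens and the request shape are constructed for illustration.

```python
"""
Added example (not Optus code): unauthenticated lookup over sequential IDs
versus an authenticated, authorized lookup over opaque IDs.
All data, tokens and the Request shape are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: sequential customer IDs, as a legacy system might issue them.
CUSTOMERS = {
    100001: {"name": "A. Citizen", "dob": "1980-01-01", "licence": "DL0001"},
    100002: {"name": "B. Citizen", "dob": "1981-02-02", "licence": "DL0002"},
    100003: {"name": "C. Citizen", "dob": "1982-03-03", "licence": "DL0003"},
}


@dataclass
class Request:
    customer_id: str                 # the identifier the caller put in the URL path
    bearer_token: Optional[str]      # Authorization header, if any


# --- Vulnerable pattern: no authentication, no authorization, guessable key ---
def lookup_vulnerable(req: Request) -> Optional[dict]:
    # Trusts that only "internal" callers can reach it; the URL is the only input.
    return CUSTOMERS.get(int(req.customer_id))


def enumerate_records(lookup, start: int, count: int) -> list:
    # What an attacker does once one valid ID is known: walk the neighbours,
    # sending no credentials at all.
    found = []
    for cid in range(start, start + count):
        rec = lookup(Request(customer_id=str(cid), bearer_token=None))
        if rec:
            found.append(rec)
    return found


# --- Hardened pattern: authenticate, authorize per record, non-guessable key ---
# Opaque per-customer reference IDs; generated here, stored with the record in practice.
PUBLIC_IDS = {cid: secrets.token_urlsafe(16) for cid in CUSTOMERS}
INTERNAL_BY_PUBLIC = {pub: cid for cid, pub in PUBLIC_IDS.items()}

# Constructed session store: bearer token -> the customer that token belongs to.
SESSIONS = {"tok-b-citizen": 100002}


def lookup_hardened(req: Request) -> Optional[dict]:
    # 1. Authentication: reject anything without a valid session.
    caller = SESSIONS.get(req.bearer_token or "")
    if caller is None:
        return None
    # 2. Opaque ID: the path carries a random reference, not a row number,
    #    so a valid ID tells you nothing about the next one.
    target = INTERNAL_BY_PUBLIC.get(req.customer_id)
    if target is None:
        return None
    # 3. Authorization: a customer may read only their own record.
    if target != caller:
        return None
    return CUSTOMERS[target]


if __name__ == "__main__":
    print("vulnerable:", len(enumerate_records(lookup_vulnerable, 100000, 10)), "records leaked")
    print("hardened:  ", len(enumerate_records(lookup_hardened, 100000, 10)), "records leaked")
```

Note that the three hardened checks are independent: a test environment reachable from the internet still leaks nothing if the handler itself refuses unauthenticated and cross-customer requests, which is the point of not letting one control "cover" for another.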
If the information above proves correct, there were multiple major and critical security control gaps at Optus sitting on top of one another (what I have always referred to as stacked risks). As I have stated in the past, any enterprise taking a siloed approach and looking at individual risks one at a time can easily miss the magnitude of its overall exposure.
Optus has set aside around A$140m (roughly US$95m) to cover the fallout from this data breach.
Lesson Learned from Optus Breach: Do not be tempted to let multiple known security risks sit unresolved because your organization *thinks* there is another layer of security in place. Why? *Because* the team responsible for that other layer is probably relying on yours in exactly the same way.
As with every megabreach, intruders need to find multiple holes in the security of a digital landscape to do real damage and take substantial amounts of data.
Uber (57 million)
This next example begins with an attack vector that is part of a wider intrusion trend. The hacker, in this case understood to be a teenager affiliated with Lapsus$, defeated multi-factor authentication (MFA) by bombarding one employee with push authentication requests (so-called MFA fatigue). Eventually the user accepted one of the bogus requests, giving the intruder access to the company VPN (virtual private network).
(Side note: in a prior cyberattack earlier in the year, Lapsus$ achieved around a 5% success rate with this MFA request-bombing vector, far above the 0.1% predicted by some marketing materials.)
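The request-bombing pattern above has a clear signature in MFA logs: a burst of denied or unanswered pushes for one user, and then, if the attack works, an approval inside that burst. The following is an added example written for this article, not Uber's or any vendor's detection: a small detector run over a constructed push-authentication log. The log format, field names, window and threshold are assumptions for illustration; adapt them to the fields your MFA provider actually exports.

```python
"""
Added example, not from the article or from Uber: detect the MFA push-bombing
pattern over constructed sample log lines. Log format, thresholds and user
names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "timestamp user result", one push per line.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice approved
2022-09-15T23:10:11Z contractor1 denied
2022-09-15T23:10:40Z contractor1 denied
2022-09-15T23:11:02Z contractor1 timeout
2022-09-15T23:11:30Z contractor1 denied
2022-09-15T23:12:09Z contractor1 timeout
2022-09-15T23:14:55Z contractor1 approved
2022-09-16T08:00:00Z bob denied
2022-09-16T08:30:00Z bob approved
"""

WINDOW = timedelta(minutes=10)   # assumption: pushes within this span form one burst
BURST_THRESHOLD = 3              # assumption: this many denied/unanswered pushes is suspicious


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_bombing(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts as (user, max_rejected_in_window, approved_after_burst).

    For each user, slide a window over their pushes. A burst is any window
    holding at least `threshold` pushes that were denied or timed out. An
    approval that lands after the threshold is reached inside a burst is the
    fatigue outcome worth paging on, because the user has just let someone in.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = []
    for user, pushes in by_user.items():
        max_rejected = 0
        fatigue_approval = False
        for i, (start, _) in enumerate(pushes):
            rejected = 0
            for ts, result in pushes[i:]:
                if ts - start > window:
                    break
                if result in ("denied", "timeout"):
                    rejected += 1
                elif result == "approved" and rejected >= threshold:
                    fatigue_approval = True
            max_rejected = max(max_rejected, rejected)
        if max_rejected >= threshold:
            alerts.append((user, max_rejected, fatigue_approval))
    return alerts


if __name__ == "__main__":
    for user, rejected, approved in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{user}: {rejected} rejected pushes in window, approved after burst={approved}")
```

On the sample, bob's single denial followed by an approval half an hour later is normal behaviour and produces nothing; contractor1's five rejections in under five minutes, capped by an approval, is exactly the sequence the article describes. The alert should trigger a session revocation and a call to the user, not just a ticket.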
Once inside the Uber VPN, the attacker was able to exploit several sub-optimal security configuration settings within the network and locate a PowerShell script containing hard-coded credentials for the privileged account management system (PAMS).
Once inside the PAMS, the intruder could reach multiple tools and storage areas containing millions of Uber driver and user records.
Lesson Learned from Uber Breach: Never rely on MFA alone to protect critical assets. Expect that hackers will compromise MFA on occasion and will target your highest value security assets (such as PAMS).
Take steps to mitigate the potential for compromise of these systems by, for example, minimizing any system accounts to the very least privilege they require, having automated monitoring alerts for any unusual behaviors and enforcing the highest standards of security best practice.
If you *must* place privileged access credentials in any system scripts, then compensating controls, such as surgically limiting what those credentials can do and automatically monitoring their use, will be required.
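The first compensating control is knowing where such credentials are at all. The following is an added example written for this article, not Uber's code or any vendor's product: a small scanner for the hard-coded-credential pattern described above, run over a constructed PowerShell snippet. The regular expressions are assumptions that catch common ways a secret ends up inline in a script; they are a starting point, not an exhaustive secrets scanner.

```python
"""
Added example, not from the article or from Uber: scan a script for hard-coded
credentials and report them with the values redacted. The sample script and
the detection patterns are constructed for illustration.
"""
import re

# Constructed sample: what a "helpful" automation script might look like.
SAMPLE_SCRIPT = r'''
# Rotate service account via the PAM vault API
$vaultUser = "svc-rotate"
$vaultPass = "Winter2022!Sup3r"
$secure = ConvertTo-SecureString "Winter2022!Sup3r" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vaultUser, $secure)
Invoke-RestMethod -Uri "https://vault.example.internal/api/token" -Headers @{ Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" }
$cred2 = Get-Credential   # prompts; nothing stored in the file
$pw = Read-Host -AsSecureString
'''

# Each pattern names the capture group holding the secret so it can be redacted.
PATTERNS = [
    ("plaintext-password-variable",
     re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\'](?P<secret>[^"\']+)["\']', re.I)),
    ("convertto-securestring-asplaintext",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\'][^\n]*-AsPlainText', re.I)),
    ("bearer-token-in-header",
     re.compile(r'Bearer\s+(?P<secret>[A-Za-z0-9._\-]{20,})', re.I)),
    ("password-parameter-literal",
     re.compile(r'-(?:Password|Pass|Secret)\s+["\'](?P<secret>[^"\']+)["\']', re.I)),
]


def redact(secret: str) -> str:
    # Keep a short prefix so the finding can be matched to the file, never the whole value.
    return secret[:3] + "*" * (len(secret) - 3) if len(secret) > 3 else "***"


def scan_script(text: str) -> list:
    """Return one finding per matching line: line number, rule name, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments can leak too, but are out of scope for this demo
        for rule, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule, "value": redact(m.group("secret"))})
                break  # one finding per line is enough to act on
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

The two lines that use `Get-Credential` and `Read-Host -AsSecureString` are deliberately left clean: they prompt at run time rather than store anything in the file, which is the shape a script should take when it cannot fetch a short-lived credential from a vault. Running a scan like this in CI, with the redacted output attached to the build, turns "we think there are no hard-coded secrets" into something you can actually demonstrate.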
Neopets (69 million)
Although I did say that an enterprise no longer needs to fail badly at cybersecurity to be breached, in my view this breach falls squarely into that category. Neopets managed to have its source code and 69 million user records stolen, without noticing until the cybercriminal offered the database for sale.
As Neopets put it in their statement:
As part of that same statement, Neopets said that it "… is committed to safeguarding our players' personal information," which felt a little hollow, but at least the company committed to rolling out MFA more extensively and strengthening security.
With a dwell time (the time from intrusion to discovery) of around 16 months, the intruders were able to take a leisurely stroll around the internal digital landscape without any fear of detection.
Lesson Learned from Neopets Breach: Underinvestment in cybersecurity continues to be a false economy. Breaches create brand damage, remediation work and potential regulatory fines that massively outweigh any initial cost-savings from underspending on security operations. When regulators look at organizations after a breach, the main question is: Can this enterprise demonstrate due diligence in how it invested in and operated its cybersecurity BEFORE the breach took place?
Average Isn’t Good Enough
2022 saw most organizations continuing to scale up their cybersecurity investment as awareness grew that skimping on infosec was neither wise nor viable. Nonetheless, 2022 was still a cyberattack wasteland, because the threats are still moving faster than the *average* enterprise.
Hackers (ethical or otherwise) can get in through the tiniest of gaps. If there are layers of security gaps, then intruders can also get back out with a lot of data.
Expect that it is the multiple unresolved gaps, each of which can seem small on its own, that hackers stack together to form a bridge into and back out of your critical systems.
Expect intruders to try to target and re-purpose the tools and processes your enterprise uses to keep itself secure (such as multi-factor authentication and PAMS).
For me, the primary breach lesson from 2022 is this:
If your enterprise security wants to stay ahead – do not aim to be average – aim to be exceptional.