#assumebreach

2025-10-08

They bypassed multi-factor authentication by exploiting OAuth tokens—proving that locking the door isn’t enough. How secure is your vault when attackers can slip in through trusted third-party apps? Dive in to see what the Salesloft/Drift breach teaches us.

thedefendopsdiaries.com/defend

#oauthsecurity
#googleworkspace
#thirdpartybreach
#tokenmanagement
#cybersecurity
#infosec
#dataprotection
#assumebreach
#securityposture

LINUXexpert.org (linuxexpert)
2024-07-23

Zero Trust assumes that threats could be both external and internal, and thus, no entity, whether it is a user, device, or application, should be inherently trusted.

linuxexpert.org/deep-dive-into

2024-03-08

#AssumeBreach

For those following the Microsoft vs Midnight Blizzard issue -- pay very close attention to the Response part of the lifecycle and don't over-index your security program against preventing the Root Cause.

It is very likely that you will also experience an Auth Materials leak that results in combating threat actors obtaining piles of valid credentials to spray and surgically target objectives. Usually a code repo or internal documentation site is the source, but email and chat are likely origins as well.

Lots of different avenues exist for the threat actors to achieve the initial beachhead; a fire can break out in lots of different ways, make sure you have the right processes in place to limit the spread to other flammable materials.

If "identity is the new perimeter", your ability to inventory, reset, rotate, and fortify is the key.

Tobias Zimmergren (zimmergren@mastodon.world)
2022-11-19

@sassdawe I usually say that we can only do our best to strengthen security, but there will never be anything called 100% secure.

#ZeroTrust #AssumeBreach

2022-11-18

If you use the same password on Twitter with ANY other account, I'd really consider changing that ASAP. You don't want a security breach at Twitter impacting your other accounts. #AssumeBreach

2022-11-11

Regarding Breach-level Security Incident Notifications and the Telemetry needed:

TL;DR
When handling a breach-level security incident I draw three circles of a target for the potentially impacted:

1. The innermost bullseye is that subset of data which has explicit telemetry proof of harm.

2. The inner ring is all of the data contained within the impacted infrastructure/server/device(s) where you may need to #AssumeBreach.

3. The outer ring is the total data/user population of the service / product representing catastrophic impact.

telegra.ph/Security-Breach-Not

Bullseye Target
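The three rings above, as an added worked example that is not code from the post: a small triage routine that classifies records into bullseye, inner ring and outer ring. The record inventory, the impacted host list, the attacker source address (203.0.113.9) and the audit-log lines are all constructed for the example; the log format is an assumption.

```python
"""Three-ring breach-impact triage (added example, not code from the post).
Inventory, impacted hosts, attacker address and telemetry are all constructed."""
from dataclasses import dataclass
import re

# Constructed record inventory: customer record id -> host that stores it.
INVENTORY = {
    "cust-001": "db-eu-1",
    "cust-002": "db-eu-1",
    "cust-003": "db-eu-2",
    "cust-004": "db-us-1",
    "cust-005": "db-us-1",
}

# Constructed telemetry: database-proxy audit lines. 203.0.113.9 is the
# attacker address the investigation attributed (assumed for the example).
TELEMETRY = """\
2022-11-11T03:14:07Z host=db-eu-1 src=203.0.113.9 op=SELECT record=cust-002 rows=1
2022-11-11T03:14:09Z host=db-eu-1 src=203.0.113.9 op=EXPORT record=cust-001 rows=1
2022-11-11T03:15:00Z host=db-us-1 src=10.0.4.2 op=SELECT record=cust-004 rows=1
"""

LOG_RE = re.compile(r"host=(?P<host>\S+) src=(?P<src>\S+) op=\S+ record=(?P<rec>\S+)")


@dataclass(frozen=True)
class Rings:
    bullseye: frozenset  # explicit telemetry proof of harm
    inner: frozenset     # everything on impacted hosts: assume breach
    outer: frozenset     # whole population: the catastrophic case


def attacker_activity(telemetry, attacker_sources):
    """Return (hosts, records) that the attacker sources touched per the telemetry."""
    hosts, records = set(), set()
    for line in telemetry.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") in attacker_sources:
            hosts.add(m.group("host"))
            records.add(m.group("rec"))
    return hosts, records


def triage(inventory, impacted_hosts, telemetry, attacker_sources):
    """Build the three nested rings from inventory, forensics and telemetry."""
    seen_hosts, harmed = attacker_activity(telemetry, attacker_sources)
    # Telemetry proof of access on a host pulls that host into the impacted
    # set, so the bullseye can never hold a record outside the inner ring.
    impacted = set(impacted_hosts) | seen_hosts
    outer = frozenset(inventory)
    inner = frozenset(r for r, h in inventory.items() if h in impacted)
    bullseye = frozenset(r for r in harmed if r in inventory)
    if not bullseye <= inner <= outer:
        raise ValueError("rings are not nested; inventory or telemetry inconsistent")
    return Rings(bullseye, inner, outer)


def notification_tiers(rings):
    """Map every record in the population to its innermost ring."""
    return {
        r: "bullseye" if r in rings.bullseye else "inner" if r in rings.inner else "outer"
        for r in rings.outer
    }


if __name__ == "__main__":
    # Forensics found a webshell on db-eu-2; telemetry adds db-eu-1 on its own.
    rings = triage(INVENTORY, {"db-eu-2"}, TELEMETRY, {"203.0.113.9"})
    for rec, tier in sorted(notification_tiers(rings).items()):
        print(rec, tier)
```

The point of folding telemetry-observed hosts into the impacted set is that the bullseye is evidence about the inner ring too: proof of harm on a host you had not yet listed as compromised widens the ring you must assume breached.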
Jeffrey Goldberg (jpgoldberg@ioc.exchange)
2022-11-09

@Enigma Thanks. And so you know that E2EE and data minimization are core parts of what we do. If someone held a gun to my kid's head, I would comply with whatever they want. But the damage to customers should still be limited.

The whole Secret Key stuff is part of an #AssumeBreach approach. (This term is growing on me.)

Jeffrey Goldberg (jpgoldberg@ioc.exchange)
2022-11-09

@Enigma What is the old saying, "there are two kinds of services: those who have been breached, and those who don't know that they have been breached."

So yes. The #AssumeBreach mindset is right. Don't waste time on yet more anti-phishing training. Instead build your systems to protect what you need to protect under the assumption that parts are compromised.

2022-11-09

@jpgoldberg similar to Mike Tyson's sage advice about planning for vs being punched in the mouth... I've found it helps to actually be breached; for a great number of reasons. Synthetically and very much literally.

You learn what works, you learn what doesn't work (technically and/or logistically), you get confirmation of the accepted risks/debt that get paid to the piper, you get a whole lot of servings of humble pie, and when the dust settles, you also get a renewed sense of gravity and urgency about the work that security needs done.

And in a lot of cases, the #AssumeBreach mindset isn't a future tense condition - it is a present state undetected reality waiting for the right bidder to buy the access that has been quietly sitting unused in the environment waiting to be monetized.

I do miss the prod environment war games though.

m.youtube.com/watch?v=IYcGA-Aq

2022-11-08

More Network Security Thoughts:
#AssumeBreach

Don't just threat model based upon ingress network traffic to surface area

Design from the standpoint that infrastructure is assumed to get breached and limit exposure to other resources.

We used to do this with 'DMZs' but that concept is largely obsolete in the modern era --

If you can, leverage host-based firewalls to prohibit inbound remote-admin connections except from trusted source-subnets

I shouldn't be able to play ssh/rdp/powershell hop-scotch across your backend network from a webapp server to another.
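A way to check the hop-scotch claim before and after hardening, added here as an example and not code from the post: a reachability test over per-host inbound admin-port policies, plus a renderer that emits the matching nftables input chain for one host. The hosts, addresses, the 10.99.0.0/24 management subnet and both policies are constructed for the example.

```python
"""Lateral-movement reachability under host-based admin-port policy
(added example, not from the post). Hosts, subnets and policies are constructed."""
import ipaddress

# Remote-admin ports the post wants locked to trusted source subnets.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https"}

# Constructed backend: web and app/db tiers on a flat 10.0.0.0/16, plus a
# management jump subnet 10.99.0.0/24 (assumed layout).
HOSTS = {
    "web-1": "10.0.1.10",
    "web-2": "10.0.1.11",
    "app-1": "10.0.2.10",
    "db-1": "10.0.3.10",
    "jump-1": "10.99.0.5",
}


def policy_flat():
    """Weak policy: every host accepts admin ports from the whole backend."""
    return {h: {p: ["10.0.0.0/8"] for p in ADMIN_PORTS} for h in HOSTS}


def policy_hardened(mgmt="10.99.0.0/24"):
    """Hardened policy: admin ports accepted only from the management subnet."""
    return {h: {p: [mgmt] for p in ADMIN_PORTS} for h in HOSTS}


def allowed(policy, dst, port, src_ip):
    """True if dst's inbound policy lets src_ip connect to port."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(c) for c in policy.get(dst, {}).get(port, []))


def admin_reach(policy, src_host):
    """(dst, port) pairs a compromised src_host can open for remote admin."""
    src_ip = HOSTS[src_host]
    return {
        (dst, p)
        for dst in HOSTS if dst != src_host
        for p in ADMIN_PORTS if allowed(policy, dst, p, src_ip)
    }


def nft_inbound_rules(host, policy):
    """Render an nftables input chain for one host from its policy entry."""
    by_cidr = {}
    for port, cidrs in sorted(policy[host].items()):
        for c in cidrs:
            by_cidr.setdefault(c, []).append(port)
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for cidr, ports in by_cidr.items():
        plist = ", ".join(str(p) for p in ports)
        lines.append(f"    ip saddr {cidr} tcp dport {{ {plist} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, pol in (("flat", policy_flat()), ("hardened", policy_hardened())):
        print(name, "web-1 can admin:", sorted(admin_reach(pol, "web-1")))
    print(nft_inbound_rules("db-1", policy_hardened()))
```

Under the flat policy a compromised web-1 can open ssh/rdp/winrm on every other host; under the hardened policy it reaches none of them while jump-1 keeps full access, which is the property to verify after rolling out the host firewalls rather than assuming it from the ruleset.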
