What the Twitter Attack Teaches Us About Manipulated Insiders

Do you know everyone who has access to your business’s systems?

The recent Twitter hack has many cybersecurity teams taking a closer look at who has access to their systems. In mid-July, dozens of high-profile accounts on the social media platform were compromised through social engineering, with big names like Bill Gates, Elon Musk and Joe Biden affected. 

The most disturbing aspect of the attack, though, is what the breach exposed about the site’s security weaknesses. According to former employees, in addition to the hundreds of employees with the authority to change account settings, outside contractors also had access to change settings. That increases the number of entry points and attack surface for hackers.

Regular assessments your environment can help reveal security gaps such as manipulated insiders as in the case of the Twitter breach. Our e-book “Insider Risk Management” goes into all the considerations of insider risk and how you can lower your exposure to this threat. In this post, we’ve taken the highlights of the book and focused on what you need to know to protect your systems against manipulated insiders.

Understanding manipulated insiders

When an account belonging to one of your employees falls prey to a hacker, it goes under the header of “compromised insider.” That means someone on the outside gains access to that person’s account. One of your accounts can become compromised in a variety of ways. In many cases, the user clicked on a link and provided the password, giving the attacker all the information necessary to start doing damage.

With manipulated insider attacks, a hacker doesn’t just use the compromised account as a way into the system. The hacker uses that access to make changes to account privileges and other assets. This is known as compromised credentials. In the Twitter case, it’s believed that the breach was used to adjust user account settings so that hackers could take control of their accounts.

“In the case of a compromised insider, the attacker may try what is known as privilege escalation, which is taking advantage of system or application flaws to gain access to resources they do not have permission to access.”—Shawn Thompson “Insider Risk Management”

Preventing insider manipulation

Insider manipulation doesn’t just put your systems at risk. It can also jeopardize your customers. If the breach results in the theft of information like social security or credit card numbers, you may end up having to do serious damage control. The risk to ruining carefully-built customer relationships makes every ounce of prevention well worth it.

To start, it’s important to carefully check your account access. If former employees are right, the sheer number of workers and contractors with high-level access to Twitter’s system made repairs challenging. Use the principle of least privilege to ensure that each user has only the necessary access to do their job. When in doubt, grant lower-tier access and increase as the user requests it.

A little training can also go a long way toward protecting your systems. Make sure each end user, including contractors, understands the dangers of clicking on links. When a new known scam is circulating, a quick email can let all users who access the system know to avoid it. 

Currently topical phishing emails around the pandemic, vaccines and HR updates are making their rounds. Such timely communications are more likely to be accessed by unsuspecting users.

Detecting insider manipulation

Technology is another way to safeguard your environment. With the right solutions in place like behavior analytics, you can watch for signs of a potential breach and stop it before it starts. The problem with manipulated insiders is that an outsider gains access through one of your user accounts. Traditional cybersecurity solutions are built to identify outsider access.

Exabeam uses artificial intelligence to gradually learn the day-to-day activities that pass through your systems and baseline user behavior. Even if outsiders gain access to your system through a manipulated insider attack, chances are they won’t duplicate that user’s typical behavior, which means the activity will be flagged as suspicious. Your team can then take a look and determine if action needs to be taken.

The disgruntled insider

In some cases, insider accounts aren’t compromised by outsiders. Instead, you have an employee, former employee, or contractor with an agenda. This could be a disgruntled employee, an opportunist, or someone who’s helping out one of your competitors.

The one thing any insider attack has in common is that they’re unpredictable. That’s why technology can help. If an employee starts downloading an unusually large number of files, for instance, the right solution with behavior analytics can flag that activity so that your security team can investigate further. As more employees work remotely, it’s even more essential that businesses find a way to monitor what’s happening on their servers and devices throughout the day.

Insider threats are expected to increase in the coming years as cyberattackers seek to find new ways to get around sophisticated solutions. It’s important to take a proactive risk management approach to keeping your network safe. Otherwise, you may find that you’re spending your time cleaning up the damage.

To understand the full scope of managing insider threats, download a copy of “Insider Risk Management.”