Did you hear about the latest data breach caused by a stolen password? Technically, it was a stolen user account security token that the malicious cyber threat actors used to gain initial access to the company's chat workspace. Once inside the IT chat channel, the threat actors impersonated an employee and used a simple social engineering tactic to trick an IT support member into handing them a long-lived access token for the corporate network.

Once on the network, the threat actors moved laterally to discover and gain access to critical company services, which allowed them to download valuable source code, potentially the crown jewels. The threat actors afterward began selling the stolen software development kits (SDKs) in multiple underground forums.

It's difficult to gauge at this early stage what the total cost of this data breach will be for the company, although they appear confident at this point that the damage will be minimal. I'm also curious to know what security improvements have been made by the company to ensure that this type of data breach and security incident never happens again. It's easy to be a forensic supersleuth after all the indicators of compromise (IoCs) have been divulged, but there were several security incidents that ultimately led to the data breach.

In order of magnitude, the first security incident is the issuance of long-lived refresh tokens for sensitive workspaces like employee chat. Instead, short-lived access tokens that expire without a refresh token, or refresh tokens that are rotated on every use, could be deployed to protect users, the company chat app, and the workspace. I'm not really convinced that the IT member provided a god-level multifactor authentication (MFA) token to the threat actors that granted them access to the corporate network. Some security feeds have made that claim. It sounds more likely that the threat actors initiated and succeeded with a privilege escalation tactic and then were "living off the land" to locate and break into the company vault.

For clarification, a token is not a password or a hash value but a string generated by a computer (random, or signed and carrying claims about its holder) that stands in for the authenticated user, and a static (long-lived) token can be stolen and replayed just like a password. By that logic, the knowledge factor (something you know) used in an MFA implementation should be replaced with a possession factor (something you have), such as a FIDO2 security key or your device as identity, and a strong biometric factor (something you are), such as liveness-checked facial recognition. Note the word "and" in the previous sentence: both factors, not one or the other. No one likes passwords, and the worst part is that stolen or weak credentials remain a leading cause of security incidents, which often end in data breaches.
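The token lifecycle the two preceding paragraphs argue for (short-lived access tokens, refresh tokens rotated on every use, and a replayed refresh token treated as theft) looks like this in practice. This is an added example written for this page, not code from the original post or from any vendor product it mentions; the HMAC-signed token format, the in-memory session store, the TTL values, and the injectable clock are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes for the illustration: an exfiltrated access token is useful
# for minutes, and a refresh token is bound to roughly one working day.
ACCESS_TTL = 300
REFRESH_TTL = 8 * 3600


@dataclass
class Session:
    user: str
    family: str            # one login; every refresh token it issues belongs to this family
    current_refresh: str   # hash of the only refresh token valid right now
    issued_at: float
    revoked: bool = False


class TokenService:
    """Issues HMAC-signed short-lived access tokens and rotating refresh tokens."""

    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock          # injectable so expiry can be exercised offline
        self.sessions = {}          # family id -> Session
        self.refresh_index = {}     # refresh token hash -> family id (superseded ones included)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only hashes so a leaked session store cannot be replayed directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def _sign(self, payload: str) -> str:
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def _access_token(self, user: str, family: str, now: float) -> str:
        return self._sign(f"{user}:{family}:{int(now + ACCESS_TTL)}")

    def login(self, user: str):
        """Called after a successful MFA ceremony; returns (access_token, refresh_token)."""
        family = secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[family] = Session(user, family, self._hash(refresh), now)
        self.refresh_index[self._hash(refresh)] = family
        return self._access_token(user, family, now), refresh

    def verify_access(self, token: str):
        """Returns the user name for a valid, unexpired, unrevoked token, else None."""
        try:
            payload, mac = token.rsplit(".", 1)
            user, family, exp = payload.split(":")
        except ValueError:
            return None
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        if self.clock() >= int(exp):
            return None
        sess = self.sessions.get(family)
        if sess is None or sess.revoked:
            return None
        return user

    def refresh(self, refresh_token: str):
        """Rotates the refresh token; a replayed (superseded) token revokes the whole login."""
        h = self._hash(refresh_token)
        family = self.refresh_index.get(h)
        if family is None:
            return None
        sess = self.sessions[family]
        now = self.clock()
        if sess.revoked or now - sess.issued_at > REFRESH_TTL:
            return None
        if h != sess.current_refresh:
            # Someone presented a refresh token that has already been rotated away.
            # Either the legitimate client or a thief is replaying it; we cannot tell
            # which, so the safe move is to kill the entire login family.
            sess.revoked = True
            return None
        new_refresh = secrets.token_urlsafe(32)
        sess.current_refresh = self._hash(new_refresh)
        self.refresh_index[sess.current_refresh] = family
        return self._access_token(sess.user, family, now), new_refresh


if __name__ == "__main__":
    svc = TokenService(secrets.token_bytes(32))
    access, refresh = svc.login("alice")
    print("fresh access token valid for:", svc.verify_access(access))
    _, refresh2 = svc.refresh(refresh)
    print("replay of rotated refresh token:", svc.refresh(refresh))
    print("legitimate client after replay:", svc.refresh(refresh2))
```

Compare this with a single static token: there the only defence after theft is noticing the breach and revoking by hand. Here the access token dies on its own within minutes, and the attacker's first attempt to renew with a copied refresh token both fails and burns the session for the legitimate user, which surfaces the theft instead of hiding it.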

Continuous employee social engineering training, including phishing awareness, needs to be practiced and enforced. The irony is that the IT department at most companies is an extension of the InfoSec team, so handing out administrative-level access to someone who says they lost their phone at a party last night, without visibly challenging them, even virtually, for additional proof of identity before authentication and authorization, is a very bad security policy. Last I checked, most chat and collaboration apps have video conferencing capability to do just that.

You might ask, would having implemented a zero trust security framework have thwarted this security incident and data breach? Absolutely! Why? Because of the zero trust mantra: trust no one, verify everyone. The three core tenets help to reduce company risk and shrink the attack surface. The first tenet is securing the user with Zero Sign-On (ZSO), which eliminates user passwords and can enforce the stronger factors, possession and biometrics, in a company's MFA implementation. Additionally, the first tenet provides multiple layers of anti-phishing protection that keep the user's credentials, including access tokens, from being harvested.

The second tenet is securing the device by verifying its health and posture. This ensures that the cyber hygiene of the mobile endpoint is good and that it is free of sophisticated, morphing device-, network-, and app-level threats before it is allowed to connect to corporate resources. The third tenet is securing the network gateway with strong contextual access rules that can detect anomalous user behavior on the network. On-demand and per-app VPN also help the zero trust network access (ZTNA) story by allowing only the authenticated user, the authorized app, and the managed device to reach the secure access gateway. A software-defined perimeter (SDP) further secures the network and connected resources by cloaking both the control and data planes: all resources behind the gateway are invisible to unauthorized users, apps, and devices.

In summary, implementing a zero trust security framework may not have eliminated the published security incident, but it would have helped to lessen its effects or may have prevented the data breach altogether. How? Ivanti has all the components that make up the three core tenets of the zero trust security framework. Proper deployment of Ivanti's UEM platform, ZSO, MTD, and Zero Trust Access technologies would limit a threat actor's ability to get to the data, thereby protecting it.