In the movie Apollo 13, three astronauts returning to Earth are unaware of how perilous their reentry will be. Back in Houston at Mission Control, chief flight director Gene Kranz (played by Ed Harris) asks: "Is there anything they can do about it?"
No one dared to speak.
"Then they don't need to know."
If Kranz were in IT security, he'd probably have a thing or two to say about actionable information: there is sometimes too little of it and many times far too much.
In this article, I'll share how automation can help turn the right information into action, defending against cyberattacks, mitigating risk, shoring up compliance and improving productivity.
The biggest security risk businesses face is lasting damage, which happens when data is lost or stolen. Worldwide data creation is expected to surpass 180 zettabytes by 2025, and today's global shortage of 3.4 million cybersecurity workers means there aren't enough highly skilled people to cope with it, so it is critical that automation doesn't just move bottlenecks around by introducing new or complex staffing requirements.
Attackers know that you can rebuild your cloud infrastructure or replace a laptop but that you can't "unbreach" data, so they turn your digital assets into a liability and threaten to leak or encrypt them unless you pay. Motivated attackers keep finding new ways through defenses along an attack surface that has swollen since the pandemic with hybrid work, cloud services and remote devices. Some have even learned how to turn employees into insider threats, the most dangerous threats of all.
Unlike your standard ransomware groups that deploy malicious payloads to mass encrypt and exfiltrate data, the LAPSUS$ group uses simple yet effective social-engineering techniques to infiltrate environments and steal sensitive data.
According to Microsoft:
"Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets."
In addition to these social engineering methods, LAPSUS$ crawls public code repositories for exposed credentials, scans for open RDP ports, and uses the Redline password stealer to take credentials directly from users' machines.
Once they steal credentials and bypass MFA, they infiltrate your private network and public SaaS applications to begin searching for sensitive data. As a part of their attack path, they head to private GitHub repositories and collaboration platforms like Google Drive and Microsoft 365 to find additional credentials (preferably privileged users and admins) to escalate their privileges and expand their reach.
Rather than encrypting data before exfiltration, they download the data directly through a VPN or virtual machine. Afterwards, they attempt to destroy the organization's original copies, leaving it no choice but to pay to get the data back or risk having it sold or leaked online.
Security researcher Bill Demirkapi obtained a copy of the Mandiant investigation report with a detailed timeline of the techniques used in a recent LAPSUS$ intrusion.
LAPSUS$ showed a lack of OPSEC sophistication post-intrusion—searching Bing and Google from the victim’s machine for off-the-shelf hacking tools and downloading them directly from GitHub.
According to Mandiant’s report, they used ProcessHacker, Process Explorer, and Mimikatz to perform recon, establish a foothold, disable FireEye’s endpoint agent, and escalate privileges.
The attackers compromised a user's Microsoft 365 account and began searching for sensitive files. They found an Excel file named DomAdmins-LastPass.xlsx in a shared location. The file presumably contained clear-text admin credentials, allowing the attacker to create additional accounts, add those accounts to a group called "tenant administrators," and set up email auto-forwarding rules to BCC email sent to sykes.com inboxes outside of the organization.
LAPSUS$-style threats can be hard, if not impossible, to detect with traditional perimeter and endpoint security alone. They spend very little time on the endpoint before pivoting to cloud applications with stolen credentials or cookies.
The defender’s job can be difficult when there aren’t specific hashes, registry keys, and other static IOCs to trigger alerts. We recommend treating LAPSUS$-style attacks like you would treat an insider threat. Assume breach of the perimeter, limit access, and watch for abnormal deviations from baseline behavior.
The end goal of most cyberattacks is to steal or encrypt valuable data. Knowing who has access to which data and remediating overexposure is key to reducing your blast radius. In the event a single account is compromised, you want to ensure the attacker must get elevated access to do meaningful damage.
Right-sizing access starts with permissions visibility. The low-hanging fruit is to inventory your super admins across your different cloud apps. Depending on the app, determining who has privileged access can be difficult. For example, in Salesforce you can create a custom user profile that mimics an admin account but is named something innocuous like “Sales Users.”
You should have policies set up to alert you when a user is added to a privileged group or given super admin privileges. In most organizations, this action should be extremely rare, so the alerts have high fidelity.
Another way to drastically reduce risk is to proactively identify where sensitive data is exposed publicly, to guest users (like contractors), or to all users in your organization. Limiting sensitive data that is accessible to large swaths of users will make it more difficult for groups like LAPSUS$, who often use credentials found in publicly exposed GitHub repositories or pay contractors for access, to find data worth stealing.
When you can pinpoint a user’s entitlements quickly across multiple SaaS apps and data stores, answering “What could this person possibly have accessed?” can make investigation, response, and disclosure faster and more conclusive.
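As an added example (not Varonis's product or code), the Python below does the three checks described in this section over a small constructed inventory: it flags accounts whose effective permissions are admin-equivalent whatever their role is called (the "Sales Users" case), lists sensitive resources shared with broad or guest principals, and answers "what could this person have accessed" by joining a person's linked accounts with direct grants, broad grants and admin rights. App names, permission names, paths, domains and the account-to-person map are all assumptions for illustration.

```python
"""Cross-app entitlement inventory.

Added example; not Varonis code. The records are constructed to look like a
normalised export from each app's admin API, and the field names, role names
and permission names are assumptions for illustration.
"""
from collections import defaultdict

# One record per (app, account): the effective permission set of the account's
# role or profile. Note the Salesforce profile named "Sales Users" that carries
# admin-equivalent rights despite its innocuous name.
ENTITLEMENTS = [
    {"app": "salesforce", "account": "jdoe@corp.example", "role": "System Administrator",
     "permissions": {"ModifyAllData", "ManageUsers", "ViewAllData"}},
    {"app": "salesforce", "account": "asmith@corp.example", "role": "Sales Users",
     "permissions": {"ModifyAllData", "ManageUsers"}},
    {"app": "salesforce", "account": "bchen@corp.example", "role": "Standard User",
     "permissions": {"Read", "Edit"}},
    {"app": "m365", "account": "jdoe@corp.example", "role": "Global Administrator",
     "permissions": {"Directory.ReadWrite.All"}},
    {"app": "github", "account": "jdoe-corp", "role": "owner", "permissions": {"admin"}},
    {"app": "github", "account": "bchen-corp", "role": "member", "permissions": {"pull", "push"}},
]

# Permissions that make a role admin-equivalent whatever the role is called (assumed).
ADMIN_PERMISSIONS = {
    "salesforce": {"ModifyAllData", "ManageUsers"},
    "m365": {"Directory.ReadWrite.All"},
    "github": {"admin"},
}

# Constructed ACLs for a few resources; `shared_with` lists the granted principals.
RESOURCES = [
    {"app": "m365", "path": "/Finance/DomAdmins-LastPass.xlsx", "sensitive": True,
     "shared_with": ["Everyone"]},
    {"app": "gdrive", "path": "/HR/payroll-2023.csv", "sensitive": True,
     "shared_with": ["anyoneWithLink"]},
    {"app": "gdrive", "path": "/Legal/msa-draft.docx", "sensitive": True,
     "shared_with": ["contractor@partner.example", "asmith@corp.example"]},
    {"app": "gdrive", "path": "/Eng/design-doc.md", "sensitive": False,
     "shared_with": ["contractor@partner.example"]},
    {"app": "m365", "path": "/Legal/contract.docx", "sensitive": True,
     "shared_with": ["bchen@corp.example"]},
]

# Per-app accounts linked to one person (assumed to come from the IdP/HR system).
IDENTITY_MAP = {
    "jdoe@corp.example": "Jane Doe", "jdoe-corp": "Jane Doe",
    "asmith@corp.example": "Alex Smith",
    "bchen@corp.example": "Bo Chen", "bchen-corp": "Bo Chen",
}
BROAD_PRINCIPALS = {"Everyone", "anyoneWithLink", "All Users"}  # public or org-wide
ORG_DOMAINS = {"corp.example"}  # any other mail domain is treated as a guest


def find_admins(entitlements=ENTITLEMENTS):
    """{app: {account: role}} for accounts whose permissions are admin-equivalent."""
    admins = defaultdict(dict)
    for e in entitlements:
        if ADMIN_PERMISSIONS.get(e["app"], set()) & e["permissions"]:
            admins[e["app"]][e["account"]] = e["role"]
    return dict(admins)


def find_overexposed(resources=RESOURCES):
    """Sensitive resources reachable by broad principals or by guest accounts."""
    findings = []
    for r in resources:
        if not r["sensitive"]:
            continue
        for p in r["shared_with"]:
            if p in BROAD_PRINCIPALS:
                findings.append((r["app"], r["path"], "broad", p))
            elif "@" in p and p.rsplit("@", 1)[1] not in ORG_DOMAINS:
                findings.append((r["app"], r["path"], "guest", p))
    return findings


def blast_radius(person, entitlements=ENTITLEMENTS, resources=RESOURCES):
    """What one person could have reached: every linked account, every app they
    hold an account in, and every resource granted to them directly, to a broad
    principal, or living in an app where they are admin-equivalent."""
    accounts = {a for a, who in IDENTITY_MAP.items() if who == person}
    apps = {e["app"] for e in entitlements if e["account"] in accounts}
    admin_apps = {app for app, members in find_admins(entitlements).items()
                  if accounts & set(members)}
    reachable = sorted(
        r["path"] for r in resources
        if r["app"] in admin_apps
        or any(p in BROAD_PRINCIPALS or p in accounts for p in r["shared_with"])
    )
    return {"accounts": sorted(accounts), "apps": sorted(apps),
            "admin_in": sorted(admin_apps), "resources": reachable}


if __name__ == "__main__":
    print(find_admins())
    print(find_overexposed())
    print(blast_radius("Jane Doe"))
```

The admin check keys on effective permissions rather than on role names, which is the only way to catch a renamed profile; the blast-radius answer deliberately treats admin rights in an app as reach over everything in that app, because that is what an attacker holding the account would actually have.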
On multiple occasions, LAPSUS$ gained access to an employee’s virtual desktop where the user was already logged into multiple SaaS applications like GitHub and Jira. Since a person can be represented by multiple user accounts in a multi-cloud environment, it’s essential to be able to link these identities automatically so you can assess the potential access and easily aggregate the log events from that person.
Monitoring endpoints and identifying potential perimeter breaches is a must for any organization, but what happens when attackers bypass your endpoints altogether?
Analyzing user behavior and data activity is one of the best ways to identify a threat actor impersonating one of your users and stop them before it's too late.
Even if a group like LAPSUS$ performs significant research and reconnaissance on the user they’ve compromised, they still cannot perfectly mimic their behavior, especially as they move through your environments accessing and downloading large amounts of data.
It's essential to baseline behavior across all your users and all your critical apps and data:
Once you have rich peace-time profiles, sophisticated machine learning algorithms can detect even subtle deviations that could indicate compromised or malicious insiders.
LAPSUS$ is a prime example – they may have your credentials, phone number, recovery email, and IP address, but they still can't be you. As they move through the environment, they're searching, opening, and downloading data in patterns that don’t match yours.
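The following Python is an added example, not Varonis's threat models, of the baseline-and-deviation idea applied across the linked identities discussed earlier: events from three per-app accounts (Jira, Microsoft 365, GitHub) are folded onto one person, fourteen ordinary days form the peace-time profile, and a fifteenth day is scored for volume, novelty of the objects touched, unfamiliar apps and unusual hours. The events, account names, account-to-person map and thresholds are all constructed for illustration.

```python
"""Peace-time baseline and deviation scoring per person, across apps.

Added example; not Varonis's threat models. The events are constructed, and the
account-to-person map is assumed to come from an IdP or HR source. Dates and
hours are sliced straight out of the ISO-8601 timestamp strings.
"""
from collections import defaultdict
from statistics import mean, pstdev

# One person, three per-app accounts (the identity-linking problem from above).
IDENTITY_MAP = {"jdoe": "Jane Doe", "jdoe@corp.example": "Jane Doe", "jdoe-corp": "Jane Doe"}


def make_events():
    """Constructed activity: (timestamp, app, account, action, object, bytes)."""
    ev = []
    for day in range(1, 15):                      # fourteen ordinary working days
        for i in range(5 if day % 2 else 4):      # a handful of familiar Jira tickets ...
            ev.append((f"2022-03-{day:02d}T09:{i:02d}:00", "jira", "jdoe", "view", f"PROJ-{100 + i}", 0))
        for i in range(3):                        # ... and the same three design docs
            ev.append((f"2022-03-{day:02d}T10:{i:02d}:00", "m365", "jdoe@corp.example",
                       "download", f"/Eng/spec-{i}.docx", 200_000))
    # Day 15, 02:00: the same credentials pull forty Finance files never touched
    # before and clone six repositories from an app this person never used.
    for i in range(40):
        ev.append((f"2022-03-15T02:{i:02d}:00", "m365", "jdoe@corp.example",
                   "download", f"/Finance/q{i}.xlsx", 50_000_000))
    for i in range(6):
        ev.append((f"2022-03-15T03:{i:02d}:00", "github", "jdoe-corp", "clone", f"corp/repo-{i}", 100_000_000))
    return ev


def daily_features(events, identity_map=IDENTITY_MAP):
    """Aggregate events per (person, day): distinct objects, bytes, apps, hours."""
    feats = defaultdict(lambda: {"objects": set(), "bytes": 0, "apps": set(), "hours": set()})
    for ts, app, account, _action, obj, nbytes in events:
        person = identity_map.get(account, account)  # unlinked accounts stand alone
        f = feats[(person, ts[:10])]
        f["objects"].add((app, obj))
        f["bytes"] += nbytes
        f["apps"].add(app)
        f["hours"].add(int(ts[11:13]))
    return feats


def build_baseline(feats, person, days):
    """Peace-time profile: what was touched, from which apps, when, and how much."""
    rows = [feats[(person, d)] for d in days if (person, d) in feats]
    if not rows:
        raise ValueError(f"no baseline activity for {person}")
    counts = [len(r["objects"]) for r in rows]
    sizes = [r["bytes"] for r in rows]
    return {
        "objects": set().union(*(r["objects"] for r in rows)),
        "apps": set().union(*(r["apps"] for r in rows)),
        "hours": set().union(*(r["hours"] for r in rows)),
        "count": (mean(counts), pstdev(counts)),
        "bytes": (mean(sizes), pstdev(sizes)),
    }


def zscore(x, stats):
    """Standard score with a floor on the spread, so a perfectly flat baseline
    cannot divide by zero or turn a tiny wobble into an alert."""
    mu, sd = stats
    return (x - mu) / max(sd, 0.1 * mu, 1.0)


def score_day(feats, person, day, baseline_days):
    """Score one day against the peace-time profile and list why it deviates."""
    base = build_baseline(feats, person, baseline_days)
    f = feats.get((person, day))
    if f is None:
        return {"flagged": False, "reasons": []}
    reasons = []
    z_count = zscore(len(f["objects"]), base["count"])
    z_bytes = zscore(f["bytes"], base["bytes"])
    if z_count > 3:
        reasons.append(f"objects touched {len(f['objects'])} (z={z_count:.1f})")
    if z_bytes > 3:
        reasons.append(f"bytes moved {f['bytes']} (z={z_bytes:.1f})")
    new_ratio = len(f["objects"] - base["objects"]) / len(f["objects"])
    if new_ratio > 0.5:
        reasons.append(f"{new_ratio:.0%} of objects never seen in baseline")
    if f["apps"] - base["apps"]:
        reasons.append(f"new apps {sorted(f['apps'] - base['apps'])}")
    if f["hours"] - base["hours"]:
        reasons.append(f"activity at unusual hours {sorted(f['hours'] - base['hours'])}")
    return {"flagged": bool(reasons), "reasons": reasons, "z_count": z_count, "z_bytes": z_bytes}


if __name__ == "__main__":
    feats = daily_features(make_events())
    quiet = [f"2022-03-{d:02d}" for d in range(1, 15)]
    print(score_day(feats, "Jane Doe", "2022-03-14", quiet[:13]))  # an ordinary day
    print(score_day(feats, "Jane Doe", "2022-03-15", quiet))       # the intrusion
```

Each signal on its own is weak (a genuine project crunch can raise volume), but the attacker day trips all five at once: volume, bytes, never-before-seen objects, an app the person never used, and the small hours. Folding the three accounts onto one person is what makes the GitHub clones visible as part of the same story rather than as a quiet first-time login in a separate log.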
Varonis monitors user and data activity to alert on any suspicious or abnormal behavior that occurs across your sanctioned cloud applications. Using proprietary threat models and policies, you will receive detailed alerts on suspicious activity detected in your environment that may be putting your organization at risk.
These alerts include activities such as:
These are just a few of our many alerts generated by our threat models which we are constantly (and automatically) updating and evolving based on research from Varonis Threat Labs.
While attackers are after your data, they are also looking to identify which accounts will give them the widest access to sensitive data and organization-wide misconfigurations or weak configurations that they can exploit.
Hackers will target your privileged and admin accounts as they not only have access to more data but also have the rights to change configurations within the cloud platform that will make it easier to steal sensitive data without being caught.
Ensuring that you configure admin accounts correctly and constantly monitor their activity is vital. If you spot an admin changing SSO settings, removing the MFA requirement, resetting passwords, granting other accounts more access, or performing other risky privileged activity without the knowledge of others, treat it as a possible sign of compromise.
It is also best practice for admins to use their privileged accounts only for administrative tasks and a separate, unprivileged account for daily work such as accessing their own files. This reduces the severity of an attack if the account an admin uses day to day is breached.
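The Python below is an added example (not Varonis's policies) of the alerts described here and in the earlier point about privileged-group additions: it walks constructed audit events shaped loosely like Microsoft 365 / Azure AD unified audit log records, alerting on privileged role grants, inbox rules that forward or BCC mail outside the organization (the forwarding-rule step from the Mandiant timeline), and changes to MFA, federation or authentication policy, and it tags any such action taken by an account that was created in the same log less than 24 hours earlier. The operation names, parameter names, accounts and domains are assumptions for illustration.

```python
"""Privileged-action detection over constructed audit events.

Added example; not Varonis code. The events and operation names are constructed
to resemble Microsoft 365 / Azure AD unified-audit-log records, but the exact
names, parameters, accounts and domains are assumptions for illustration.
"""
from datetime import datetime, timedelta

ORG_DOMAINS = {"corp.example"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "tenant administrators"}
# Operations that change how people authenticate (assumed names).
SENSITIVE_OPS = {
    "Disable Strong Authentication.": "per-user MFA disabled",
    "Set federation settings on domain.": "SSO federation settings changed",
    "Update policy.": "authentication / Conditional Access policy changed",
    "Reset user password.": "password reset by another account",
}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "BlindCopyTo", "ForwardingSmtpAddress")
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

EVENTS = [  # constructed, in time order
    {"time": "2022-03-15T01:05:00", "operation": "Add user.",
     "actor": "jdoe@corp.example", "target": "svc-backup@corp.example", "params": {}},
    {"time": "2022-03-15T01:07:00", "operation": "Add member to role.",
     "actor": "jdoe@corp.example", "target": "svc-backup@corp.example",
     "params": {"role": "Global Administrator"}},
    {"time": "2022-03-15T01:15:00", "operation": "New-InboxRule",
     "actor": "svc-backup@corp.example", "target": "jdoe@corp.example",
     "params": {"BlindCopyTo": ["drop@attacker.example"]}},
    {"time": "2022-03-15T01:20:00", "operation": "Disable Strong Authentication.",
     "actor": "svc-backup@corp.example", "target": "svc-backup@corp.example", "params": {}},
    {"time": "2022-03-15T09:00:00", "operation": "New-InboxRule",          # benign: internal
     "actor": "bchen@corp.example", "target": "bchen@corp.example",
     "params": {"ForwardTo": ["bchen@corp.example"], "MoveToFolder": "Archive"}},
    {"time": "2022-03-15T09:30:00", "operation": "Add member to role.",    # benign: low-priv role
     "actor": "itadmin@corp.example", "target": "newhire@corp.example",
     "params": {"role": "Reports Reader"}},
]


def external_recipients(params, org_domains=ORG_DOMAINS):
    """Recipients of a mail rule whose domain is outside the organisation."""
    found = []
    for key in FORWARD_PARAMS:
        value = params.get(key, [])
        for addr in ([value] if isinstance(value, str) else value):
            if "@" in addr and addr.rsplit("@", 1)[1].lower() not in org_domains:
                found.append(addr)
    return found


def detect(events=EVENTS, org_domains=ORG_DOMAINS):
    """One alert per privileged action: role grants, external forwarding, and
    auth-setting changes. Actions by an account created less than
    NEW_ACCOUNT_WINDOW earlier in the same log are tagged, since attacker-made
    accounts tend to be used straight away."""
    created = {}  # account -> creation time, learned from "Add user." events
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        op, params = e["operation"], e["params"]
        if op == "Add user.":
            created[e["target"]] = t
            continue
        detail = None
        if op == "Add member to role." and params.get("role") in PRIVILEGED_ROLES:
            detail = f"{e['target']} added to {params['role']}"
        elif op in RULE_OPS and (ext := external_recipients(params, org_domains)):
            detail = f"mail from {e['target']} sent to {ext}"
        elif op in SENSITIVE_OPS:
            detail = f"{SENSITIVE_OPS[op]} on {e['target']}"
        if detail is None:
            continue
        actor_age = t - created[e["actor"]] if e["actor"] in created else None
        alerts.append({
            "time": e["time"], "operation": op, "actor": e["actor"], "detail": detail,
            "new_actor": actor_age is not None and actor_age < NEW_ACCOUNT_WINDOW,
        })
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(a)
```

On the sample log this yields three alerts, and the two performed by the ten-minute-old service account carry the new-actor tag, which is the correlation a responder wants in front of them: the privileged grant, the external BCC rule and the MFA change all hang off one freshly created identity. Internal forwarding and a grant of a low-privilege role stay quiet.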
Lateral movement has evolved in the cloud to include hopping from one cloud service to the next to maximize the impact of attacks. Threat actors often use credentials found in one cloud application to gain access to another—as seen with LAPSUS$—so it is critical to monitor all your cloud data stores and track how your users move across them so you can spot this type of lateral movement.
LAPSUS$ has shown us that it’s never been easier for novice threat actors to do significant damage in a short period of time. As cybercrime becomes more lucrative, technical talent will continue to be drawn into the dark side and insiders will be tempted to sell their access. For defenders, it’s absolutely critical to evaluate your cloud visibility and behavior-based detections—two things that have proven to be necessary to detect and prevent LAPSUS$-style intrusions and data exfiltration.
If you’d like to evaluate your cloud security posture and identify where you’re at risk to threats in the cloud, Varonis offers engineer-led risk assessments free of charge. Each assessment comes with a free trial of our software and complimentary incident response services.