Heightened cyber threats have everyone on edge, what do you need to know?

The Lapsus$ cybercriminal collective recently entered the hacking scene, and they have come out the gates on a mission. Taking a rather unorthodox approach in their public persona, they’ve claimed a number of notable hacks in the past couple of months. This week, they claim to have breached identity platform provider Okta and Microsoft.

It’s the issue with Okta that has the security community abuzz. And why wouldn’t it? Okta is an extremely popular service helping companies simplify their access to other services. It’s a key part of many companies’ security strategies, and is trusted with a lot of sensitive access for a wide range of companies, and for good reason. Services like this greatly simplify identity and authentication challenges.

Any significant breach at a service like Okta would have a very large blast radius. Given the potential, staying on top of this is a critical issue for the security of your organization.

Getting to the bottom of an incident takes time. During the early stages, speculation can run rampant…especially on social media. While speculation can be a useful tool, your security practice needs to work from data and confirmed facts, not guesses.

We now know the attack against Okta’s service was much more limited than Lapsus$ implied to the public. As this story moves on to examine how Okta responded to the confirmed compromise initially, it’s important companies use this moment to stop, evaluate security posture, and implement best practices to harden defenses against an increasing threat landscape.

Incident response is a dynamic process during which new information often comes to light. Okta has updated their original statement and released a detailed blog post of the incident. The new post provides some clarification and explanation of how Okta operates. In addition, it states that some customer data may have been “viewed or acted upon.” Those customers are receiving detailed, individual reports from Okta now.

Security isn’t a binary state. You aren’t “secure” or “insecure.” Consideration needs to be paid to the larger context. Visibility into your internal systems is critical but so is an understanding of the status of your service providers and the larger world around the organization.

This issue comes to light at a time of heightened awareness around cybersecurity, due in large part to recent world events. The threat landscape has changed significantly over the past few months, so much so the White House recently called for organizations to act immediately to strengthen their cybersecurity postures.

This call to action is one of many initiatives in the US to shine a light on current cybersecurity challenges. The administration and the SEC are also working on stricter data breach reporting requirements. Taken together, it’s clear cybersecurity is an important aspect of any business.

What Should You Be Doing?

How can you take steps to protect your organization today? As a security strategy, you should focus on visibility, insights, and action across your business.

That three step process will help keep your security efforts in line with other business initiatives. Cybersecurity is critical but it’s only one aspect of running a business.

Alongside the call for heightened awareness of cybersecurity issues, the White House offered a number of steps that you can take today to address these challenges. Some of these are tried and true advice about the basics. Keep your systems updated, have a strong backup strategy, use modern security tools which continuously monitor environments, enable multi-factor authentication, and more.

One of the steps stood out in particular: “Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack.”

Organizations often struggle to respond to cybersecurity incidents because they are making up the workflow as they go. That’s a sure fire recipe for disaster. Walking through your incident response process helps familiarize your organization with it. It can also highlight any potential gaps or areas where you’re lacking visibility.

These exercises don’t have to be full run throughs, however. Tabletop exercises can be just as effective and they are much easier to set up on a regular basis. Regardless of the format of these exercises, the goal is to make sure everyone is on the same page before you’re in crisis mode responding to a cybersecurity incident.

Direct Action

In the light of the current situation with Okta and the White Houses general warning, here are the steps you want to be taking right now within your security practice:

1. Gain greater visibility. Increase the sensitivity of the alerts you are actively monitoring. What might’ve been safe to ignore previously probably merits your attention in the current climate.
2. Maximize the effectiveness of your security team. They have the subject matter experience that can provide the insights other teams need to bake security into their everyday activities.
3. Take action when warranted. If your monitoring and observability activities highlight something that’s suspicious, have a bias towards action. In a different threat environment, you might investigate further before taking any action. That risk calculus has changed for most organizations now. Take reasonable actions to mitigate possible threats and then investigate further.

The Future

Cybercrime and cybersecurity incidents aren’t going anywhere. Organizations need to take steps to protect themselves. The second half of the White House’s statement acknowledges that and addresses the longer term.

The path forward means adding security earlier in our technology lifecycle. Commonly coined as “shift left” this effort is really about expanding security thinking throughout the development process of technology.

The memo sums it up as, “bake it in, don’t bolt it on.”

Tactics like dependence awareness (a/k/a software bill of materials), vulnerability management, and providing builders the right insights at the right time will help improve security over the long term.

Cybersecurity is a continuous practice. It requires visibility into your environment so that your teams can draw specific insights that help drive action that makes sense for your organization.

There will be more breaches. There will be bigger breaches. So, make sure your teams are focusing on the basics and making steady improvements to your organization’s security posture.

For more information: CISA, the Cybersecurity & Infrastructure Security Agency has a number of freely available packages to help you run tabletop exercises. They are a fantastic resource to help get you started.