(My) Key takeaways from the Lapsus$ review

At the end of July 2023, the Cyber Safety Review Board published its “post mortem” on the Lapsus$ group: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

Multi-Factor Authentication yes – SMS no

Highlighted throughout the report, the “old” ways to do MFA are not even close to secure enough to withstand a targeted or sophisticated attack. SIM swapping is a constant topic throughout the report, meaning it was possible for the attacker to hijack the second-factor authentication token and use it.

Supply Chain is a weak link

Your “direct” security can be awesome, but if there is any weak link in the overall attack surface, it will still not help you in any way. No company relies on its own services alone. Think about the Software as a Service tools you may be using, or even something as simple as your upstream provider. Those telecommunication providers hold your data centrally, bit by bit and request by request; if they act clumsily, it will directly impact you.

Share, Share and Care

Without any surprise, Threat Intelligence is a key factor. Not as if I have been preaching that for years.
The key to every good security posture is actually knowing what is happening out there in the wild. Threat Intelligence is an awesome opportunity to understand the scenarios and threat landscape the industry is facing.

To me (and many agree), Threat Intelligence, in order to be relevant, comes in three different categories:

  • Industry: every company operates in a certain industry. Energy, Finance or Retail are only three of the possibilities. Many times your infrastructure, way of working and attack surface will be the same, based on the similarities companies in a certain industry have in common.
  • Geo location: not just since Anonymous, we know that often a certain geo location is under attack. This could be for political reasons, for example as part of a cyber warfare campaign, but it also “simply happens” because attackers test something in a certain location and your IP address is just close by.
  • Technology: the factor we all have in common, in various shapes and forms. Under this topic fall your Linux systems, Windows, Apache web server or whatever.

So, my general advice would be:

  • Connect to your ISAC. An Information Sharing and Analysis Center exists for every industry. I was tempted to write “almost”, but I am actually not aware of any industry that is left out. These centers give a great opportunity to see what is going on in regard to attacks against your industry. You should find yours easily, whether it is FS-ISAC (Financial) or any other.
  • For geo location information, go and find your local CERT. This could be NCSC.NL if you are in the Netherlands, or for example BSI in Germany.
  • Also subscribe to the security advisories of whatever technology you use.