Posted by Joyce Ling
October 3, 2022
Join our CEO Oded Hareven and Admiral Michael S. Rogers of Team8 as they discuss the implications behind the recent Uber breach.
Elliot G.: Hello, and welcome to this cyber analysis special from Team8. I’m Elliot Gotkine, and I’m joined by two leading lights of the industry to discuss the recent Uber data breach. Michael Rogers is a former commander of Cybercom and an ex-director of the NSA, and an operating partner at Team8. And Oded Hareven is CEO and co-founder of Akeyless. Welcome to you both.
Oded H.: Thank you.
Elliot G.: All right. So we’re looking at the Uber data breach, where it appears that an 18-year-old man reportedly gained access, I think, to the company’s source code. Michael, what happened here?
Michael R.: So first, let’s acknowledge that we’re at an early stage. Uber first acknowledges the activity on the 15th of September, and then does a follow-on statement on the 16th of September, and has not yet, to the best of my knowledge, made any additional public comments as of the 19th. So we’re still clearly trying to fully understand this.
But what I think we’re going to find is we have an individual who was able to compromise the credentials of a single individual, got their password. Then, overcame the multi-factor authentication by then going to that person, posing, if you will, as an I.T. component of the Uber company, and basically saying, hey, look, I need you to answer this, I need you to acknowledge. The individual then did, which gave this hacker, then, it appears, and again still very early, we don’t fully know. But it appears that this hacker was able to achieve fair-, I think we’re going to find, fairly broad access.
To me, this all goes to this idea of… one of the challenges of so automating, if you will, our systems, it points out the need, number one, credential protection gets to be really important here. Because this automation is achievable, because we believe that our credentials are adequately protected. We believe that it’s an individual, says this is their username, this is their password, that it is in fact them. And what we continue to see, it’s much broader than just Uber, is this idea that a lot of hackers, they gain access by ultimately compromising identity.
Elliot G.: Right. And Mike, you said that obviously it’s not just Uber, but this is just the latest example of a major corporation being hit by some kind of a cyber-attack.
I think just last week, I think it was InterContinental Hotels, obviously slightly different breach, but still nonetheless, these big companies that spend huge amounts of money on cybersecurity, not least because the reputational damage is usually even more costly than what they’re spending on the cybersecurity in the first place, and yet, these things still happen.
So perhaps, Oded, you can give us a sense, I mean, just how big an issue is the issue that we think is the one that targeted Uber?
Oded H.: Yes, sure. So first of all, just to add to Mike’s comments, Uber allegedly has done whatever it could, as it seems from what we are seeing and reading on the net. As they have basically placed an MFA, they’ve placed any kind of component that helped them to prevent those kinds of things.
But the hacker, as it seems, has been able to trick that using what we call social engineering, to trick the other person and to let them think that basically the malicious attacker is actually legitimate.
The second point of it is, actually, after that attacker has been able, again allegedly as far as we know, has been able to access the internal network after bypassing that particular individual, and that access to the network.
Then, that attacker has been able to put his hands on credentials that eventually have led him to the treasure. The treasure, as we call that, is actually a pile, a whole database of credentials. And that was, well, again, it seems like Uber has done something good by protecting lots of credentials, but the thing here is what we call the secret zero problem, right? It is basically how do you protect the access to your treasure of that credentials store, right? And to make sure that no one can get it, and today there are some mechanisms that allow you to do so.
Going back to your question, every company today can fall into that, and this is something quite sad and shocking. Basically, a lot of companies can implement practices, like privileged access and practices of secrets management and practices of MFA, and still find themselves within… being attacked in that way, because they have not closed the last loop which is considered to be a bit advanced.
Elliot G.: Michael, Oded was talking there about closing the kind of last loop. I mean, is there a way for corporations with all of this money dedicated to cybersecurity. Is there a way to build a system to put the protections in place that will mean that this kind of attack that Uber suffered simply cannot happen? Or will hackers always be one step ahead of cybersecurity?
Michael R.: So clearly, where we are right now, I think, broadly, the attacker has an easier job than the defender. In part, because, as you saw, by the use of this social engineering technique. This all started, if you will, it appears, by a bad choice by a system user.
So you got, the way I would phrase it is, so you got multiple levels of security here, you got the human dynamic in the initial, if you will, kind of barrier, that is really done by the human interface. And then, what was interesting to me is again, it appears that the hacker in this case then was able to move into the second level, and get broader credentials that gave him broader access across the network, that enabled him to, if you will, to compromise a much broader set of credentials, not just an individual password or user identity.
So to me, that argues, look, we’re going to have to have a multi-tiered approach to security. There’s no one single answer, but I do think we need to be collectively, not just Uber, but collectively, we also need to be paying more attention to this internal protection of credentials if you will.
That, hey, if a hacker or intruder is able to penetrate the network, how do we make it more difficult for that individual then to access a broader set of credentials that, in turn, give that individual greater freedom, greater access and quite frankly the ability to cause much greater harm.
Elliot G.: Right. But if it wasn’t for the human, Oded, they wouldn’t have been able to get into the network to start with. So is it always the human that’s the weakest link? Or is it the machine?
Oded H.: Well, definitely I would argue that it is the machine. The human is, it might be in this particular case, the first entry point, but it’s not necessarily the same in any other cases. That said, and that’s, again, to add to what Mike is adding, I’ll take a different approach, where, basically, practitioners actually have tools to tie this up and minimize that risk to the minimum.
This is something that I’ve developed in the last few years, obviously, named secrets management. This is what we call secrets or credentials, and credentials and certificate keys are the objects that need to be managed, basically being used by machines. Machines are known to be the weakest link today, there being a larger number of them than, actually, employees.
And they do suffer a problem of where do they place their secrets, right? Humans can remember, or to be authenticated by biometric and to basically eliminate that problem with passwordless, etc, right? Imagine that the authentication should have been with a face or something, maybe that could have helped in that case. But for machines, this is the part that actually needs a better attention.
And again, as I’ve mentioned today, there are practices that help to completely eliminate the secrets within the networks. So that even if attackers have gained access to get into the network, they would not find any credentials, any certificate whatsoever, and they would not be able to go anywhere to continue that attack.
Elliot G.: Presumably, this is something that Akeyless helps with?
Oded H.: Well, obviously, otherwise I wouldn’t be here. We’ve been able to develop expertise in that realm, in the last, might say, four years. We’ve been working specifically on those kinds of problems. How to centrally manage those kinds of secrets, how to be able to protect them once they are within that treasure, and how to make sure that no one can access that. Even us, right, as we provide a service that does so.
So we have been able also to invest time, money, effort of also solving the problem of making sure that no one can access their credentials, and this includes also the federal government, to be honest. So no one is no one.
Michael R.: Elliot, if I could, so this highlights, look, you got to have a multi-tiered approach. You not only want to focus on stopping unauthorized access, but you also need to think about, is there a way for me to automate protection of the credentials in the broader set of secrets that enable system-wide access?
Because as damaging as the single user initial access is, what you’re really concerned about, if my whole system is built on the idea of having belief in credentials, if an individual manages to access the credentialed database as it were, under most architectures, that now gives them access across the whole system. And I’ll bet you, we’re going to find that’s exactly what, again, don’t know yet, but I’ll bet you we’re going to find that’s exactly what happened with Uber.
Elliot G.: So, practical advice time now, gentlemen. So if you were the CISO at Uber or any other company right now, what would you be doing? What were the first thing you’d be doing right now to think, oh my goodness, I’ve seen this has happened, I need to make sure that I’m protected against this. What would you advise them to do right now?
Michael R.: So for me, the first thing I would do is, I would be assessing the effectiveness of the security structure I’ve created to protect my credentials. My first takeaway when I heard this was I thought hmm, where’s my credential security process? Am I comfortable with where it is? Do I think I’ve got a methodology here? Or, am I just relying on, well, I protect it to some level, but my greatest focus on security is just trying to stop somebody from getting in. And that should be one of the lessons here. We not only need to focus on stopping them from getting in, we need to be able to stop an unauthorized individual from accessing a broader set of credentials.
I also think, and this really is, I know the focus of your question, but I’m struck by this every time I see major penetrations like this. We also need to think about how we communicate what has or has not happened both internally to our workforces, but also more broadly, externally, to our customers, to our clients, to those entities who may have data held within our systems. Credit card, personal information, address etc.
I mean, think about the information for a company, just Uber as an example. Think about the information we provide—names, addresses, our financial information, because we automate… Hey, that’s not an insignificant set of information, if you will. And Oded, I know you had some comments.
Oded H.: Yes, of course. So again, I would basically strategize, re-strategizing or re-looking at the things that you do, that’s for sure. But I would take here the approach of first, number one, since this has started with the human factor, then education, education. Hire a firm that would basically do some legitimate trial and error within your employees to run some social engineering, to provide some reports.
Then have some internal education, and continue to do so on a quarterly basis. That’s number one if you haven’t done it yet, that’s number one to do. Number two, develop a strategy, and take a tool for secrets management. Manage your credentials with a unified approach, with the ability to completely eliminate secrets up to the level of secret zero.
This is something that, a few years ago, was extremely difficult to do. But today, with automation, with the new cloud methodologies and, as we call it in the industry, the DevOps methodology all around it, this is definitely possible again with a secrets management tool.
Elliot G.: Okay. So some really interesting takeaways there, that obviously no system can be 100% foolproof, but to make your systems as robust as possible requires both some work on the humans and also on the machines as well.
So thank you both gentlemen for that fascinating and insightful conversation. Michael Rogers and Oded Hareven, thank you so much for your time.
Oded H.: Thank you.
Michael R.: Yes, thanks.
Elliot G.: Take care.