As the Federal Bureau of Investigation looks into last week's cyberattack on Twitter, corporate security chiefs say the hours and days after a major hack yield important evidence for investigators piecing together how the incident occurred and what the company must do next.
The immediate questions are, “How did they get in? And what did they do?” said Raj Badhwar, chief information security officer at Voya Financial Inc. “We obviously plug that hole and stop the bleeding.”
Twitter’s breach Wednesday blew up in public, with the verified accounts of influencers such as Barack Obama and Bill Gates urging users to send cash to cryptocurrency accounts. Security experts believe the attack might have focused on the company’s internal account-reset systems, which are used to help users regain access after losing their phones or forgetting their passwords, The Wall Street Journal reported Thursday.
Confusion can reign during such high-profile incidents. As security teams evaluate data from across their systems, trying to find the vulnerability, early evidence can also lead investigators to false leads or dead ends, said Fredrick Lee, chief security officer for Gusto, a payroll and benefits platform formerly known as ZenPayroll Inc.
“That’s also a tactic of an attacker,” Mr. Lee said. “If you’re a good attacker, you want to compromise an insider and look like an insider to try and cover your tracks as much as possible.”
Details of what happened to Twitter are emerging. The company has said “attackers targeted certain Twitter employees through a social engineering scheme,” meaning trickery or coercion, and that the attackers got past two-factor security measures and accessed internal systems. Of 130 accounts targeted, the company said, hackers were able to reset passwords, log in and tweet from 45 of them.
“For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information,” the company said. It added later that none of the eight were verified users.
It could not be learned whether a Twitter staffer was actively involved in the breach or how much data was accessed.
Mr. Badhwar at Voya said the incident struck fellow security leaders as unusual.
When he heard about the account takeovers, he immediately consulted his intelligence network to learn more and looked for Twitter’s statements on the attack. “I’m surprised. They’re a tech company,” he said.
Employees are often the weakest points in a company’s defenses because they can fall for lures such as phishing emails, cybersecurity experts say, and attackers are increasingly turning to automation to blast them out en masse.
But insider threats can be hard to identify in real time, said Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, the research arm of cybersecurity firm Fortinet.
“These insiders already have credentialed access to the network and services, so few, if any, alerts are triggered when they begin to behave badly,” he said in an email. “And given the increased amount of data already leaving the traditional network perimeter [with remote work], it is easier to hide data theft than ever before.”
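Catching that kind of misuse, whether by a real insider or by an attacker who has taken over an insider's credentials, comes down to knowing what an operator normally does with an internal account tool and alerting on departures from it: too many privileged actions in a short window, or a single operator touching an unusual number of high-profile accounts. The block below is an added example, not code from Twitter or from any firm quoted here: a small sliding-window rule set run over constructed audit lines for a hypothetical internal account-support tool. The log format, field names, operator names, the set of privileged actions and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines for a hypothetical internal account-support tool.
# The field layout and operator names are assumptions for this example, not real logs.
SAMPLE_LOG = """\
2020-07-15T20:00:05Z operator=alice action=password_reset target=user_1001 verified=false
2020-07-15T20:00:40Z operator=alice action=password_reset target=user_1002 verified=false
2020-07-15T20:03:10Z operator=bob action=email_change target=brand_77 verified=true
2020-07-15T20:03:55Z operator=bob action=password_reset target=brand_77 verified=true
2020-07-15T20:04:20Z operator=bob action=email_change target=celeb_12 verified=true
2020-07-15T20:05:02Z operator=bob action=password_reset target=celeb_12 verified=true
2020-07-15T20:05:45Z operator=bob action=email_change target=exec_9 verified=true
2020-07-15T20:06:30Z operator=bob action=password_reset target=exec_9 verified=true
2020-07-15T21:30:00Z operator=alice action=password_reset target=user_1003 verified=false
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) operator=(?P<operator>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) verified=(?P<verified>true|false)$"
)

# Actions that let an operator take over an account; an assumed set for the example.
PRIVILEGED_ACTIONS = {"password_reset", "email_change", "mfa_disable"}


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "operator": m["operator"],
        "action": m["action"],
        "target": m["target"],
        "verified": m["verified"] == "true",
    }


def detect_abuse(log_text, window=timedelta(minutes=10), max_actions=5, max_verified=2):
    """Sliding-window rules per operator over privileged actions.

    Fires at most once per (rule, operator):
      - distinct_verified_targets: more than max_verified distinct verified accounts in `window`
      - privileged_action_volume: more than max_actions privileged actions in `window`
    Returns a list of (rule, operator, iso_timestamp, count) tuples in detection order.
    """
    recent = defaultdict(deque)  # operator -> deque of (ts, target, verified) inside the window
    alerts, fired = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        q = recent[ev["operator"]]
        q.append((ev["ts"], ev["target"], ev["verified"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        stamp = ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        verified_targets = {t for _, t, v in q if v}
        checks = [
            ("distinct_verified_targets", len(verified_targets), max_verified),
            ("privileged_action_volume", len(q), max_actions),
        ]
        for rule, count, limit in checks:
            key = (rule, ev["operator"])
            if count > limit and key not in fired:
                fired.add(key)
                alerts.append((rule, ev["operator"], stamp, count))
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(SAMPLE_LOG):
        print(alert)
```

On the constructed lines, alice's three resets are spread across more than an hour and never trip either rule, while bob's run of email changes and password resets across three verified accounts in about three minutes fires both. In practice the thresholds would be set from each operator's own baseline rather than fixed numbers, and the alert would be paired with the dual-approval requirement discussed later in the article so that a single credentialed operator cannot get this far unnoticed.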
In a blog post Friday night, Twitter said its incident-response team temporarily locked many other accounts and internal tools last week to limit the attack’s reach.
“We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems,” the company added.
The incident has underscored the dual, and at times divergent, security calculations of companies that cater to both consumers and enterprises, cybersecurity experts say.
Mr. Lee, formerly the head of information security at Square Inc., which is also run by Twitter Chief Executive Jack Dorsey, said companies should put in place preventive measures such as requiring multiple employees to take part whenever a customer's account is accessed during troubleshooting.
“What that does is it raises the attack cost, because, as an attacker, it means that I have to compromise two individuals inside of a company, and not just one,” he said.
While the added layer of security can create new hurdles for individual users seeking to fix problems, Mr. Lee added, it might also reduce the possibility of costly or embarrassing breaches.
“When you introduce friction, you have to be thoughtful about it,” he said.
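One concrete form of the control Mr. Lee describes is a two-person rule enforced by the reset tool itself, so that the operator who opens a request cannot complete it and a second, distinct employee must sign off before anything happens to the customer's account. The block below is an added example, not Twitter's or Square's code: a hypothetical reset tool that rejects self-approval and duplicate approvals, lets an approval expire after a fixed lifetime, and writes every step to an audit trail. The staff roster, the request-ID scheme and the 15-minute approval lifetime are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ApprovalError(Exception):
    """Raised when a reset cannot proceed under the two-person rule."""


@dataclass
class ResetRequest:
    request_id: str
    requester: str
    target_account: str
    created_at: datetime
    approvals: dict = field(default_factory=dict)  # approver -> time of approval


class DualControlResetTool:
    """Hypothetical account-reset tool: the operator who opens a request cannot
    complete it alone; a distinct colleague must approve within `approval_ttl`."""

    def __init__(self, staff, approval_ttl=timedelta(minutes=15), required_approvers=1):
        self.staff = set(staff)              # operators allowed to use the tool (assumed roster)
        self.approval_ttl = approval_ttl
        self.required_approvers = required_approvers
        self.requests = {}
        self.audit = []                      # (time, event, request_id, actor, target)

    def _get(self, request_id):
        if request_id not in self.requests:
            raise ApprovalError(f"unknown or already executed request {request_id}")
        return self.requests[request_id]

    def _fresh_approvals(self, req, now):
        return [a for a, t in req.approvals.items() if now - t <= self.approval_ttl]

    def request_reset(self, requester, target_account, now):
        if requester not in self.staff:
            raise ApprovalError(f"{requester} is not an authorized operator")
        request_id = f"req-{len(self.audit) + 1}"   # assumed ID scheme: unique per audit position
        self.requests[request_id] = ResetRequest(request_id, requester, target_account, now)
        self.audit.append((now, "requested", request_id, requester, target_account))
        return request_id

    def approve(self, request_id, approver, now):
        req = self._get(request_id)
        if approver not in self.staff:
            raise ApprovalError(f"{approver} is not an authorized operator")
        if approver == req.requester:
            raise ApprovalError("self-approval is not allowed")
        if approver in req.approvals:
            raise ApprovalError(f"{approver} already approved {request_id}")
        req.approvals[approver] = now
        self.audit.append((now, "approved", request_id, approver, req.target_account))
        return self._fresh_approvals(req, now)

    def execute(self, request_id, now):
        req = self._get(request_id)
        fresh = self._fresh_approvals(req, now)
        if len(fresh) < self.required_approvers:
            raise ApprovalError(
                f"{request_id}: need {self.required_approvers} fresh approval(s), have {len(fresh)}")
        self.audit.append((now, "executed", request_id, req.requester, req.target_account))
        del self.requests[request_id]
        return {"request_id": request_id, "requester": req.requester,
                "target": req.target_account, "approvers": fresh}


T0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
MINUTE = timedelta(minutes=1)


def run_scenario():
    """Walk through the cases the two-person rule must handle; returns a dict of outcomes."""
    tool = DualControlResetTool(["alice", "bob", "carol"])
    out = {}
    rid = tool.request_reset("alice", "celeb_12", T0)
    try:                                     # one compromised operator cannot finish alone
        tool.execute(rid, T0)
        out["solo_blocked"] = False
    except ApprovalError:
        out["solo_blocked"] = True
    try:                                     # nor can that operator approve their own request
        tool.approve(rid, "alice", T0)
        out["self_approval_blocked"] = False
    except ApprovalError:
        out["self_approval_blocked"] = True
    tool.approve(rid, "bob", T0 + MINUTE)
    out["executed"] = tool.execute(rid, T0 + 2 * MINUTE)
    rid2 = tool.request_reset("alice", "exec_9", T0)
    tool.approve(rid2, "carol", T0)
    try:                                     # an approval older than the TTL no longer counts
        tool.execute(rid2, T0 + 20 * MINUTE)
        out["stale_blocked"] = False
    except ApprovalError:
        out["stale_blocked"] = True
    out["audit_events"] = [e[1] for e in tool.audit]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The design choice worth noting is that the approval is checked at execution time rather than when it is granted: a colleague who approved a request twenty minutes ago has not vouched for what the requester does now, which is the friction Mr. Lee refers to and also the property that makes a single social-engineered employee insufficient.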
Write to David Uberti and Kim S. Nash