
๐Ÿˆ 5 security predictions for 2023

None of them involve ChatGPT.

Read time: 5 minutes. Chuckles: 14

This is meoward: an exclusive, luxury security newsletter for the refined and sophisticated.

Also,

Cheers 🍼🥂

We've got an excellent wine pairing for you today:

  • ๐Ÿท SaaS Smackdown: CircleCI and Zendesk and GoTo and MailChimp, oh my! January was busy. How are y'all surviving these SaaS vendor breaches?

  • 🔮 2023 predictions: I asked my toddler what he thought this year would be like. He said "bananas." My answers are only slightly better.

  • 📚 3 must-reads: WhatsApp account takeovers, hunting for vulnerability exploits, and cars for kids (and hackers).

Chop, chop. Look lively now.

ISO 8601 or GTFO.

SaaS Smackdown

2022 was a wild year for SaaS breaches. Microsoft, Okta, HubSpot, Twilio, DoorDash, and last but certainly not least, LastPass.

But I've already forgotten 2022.

2023 is fresh and new and already making a blazing debut.

Here's a short list of what happened in January:

Zendesk

  1. Attacker used an SMS phishing campaign to target Zendesk employees

  2. Got credentials

  3. Gained access to a logging platform for a month

  4. Customer data might have been in the logging platform 🙊

GoTo

I told you this wasn't the end. Remember how encrypted backups were stolen from LastPass? Well, they were also exfiltrated from LogMeIn Central and Pro, join.me, Hamachi, and Remotely Anywhere.

It gets better.

GoTo: We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.

So yeah, about those encrypted LastPass passwords...

MailChimp

  1. Attacker social engineered MailChimp employees and got credentials

  2. Used credentials to get access to a customer support / account administration tool

  3. Accessed 133 Mailchimp accounts before getting the boot from the security team

CircleCI

  1. Engineering laptop got malware

  2. Malware stole a valid, 2FA-backed SSO session cookie

  3. Attacker used the session to generate production access tokens

  4. Accessed production databases and data stores

  5. Exfiltrated customer environment variables, tokens, and keys

  6. Every CircleCI customer needs to rotate their secrets

What have we learned?

  • 2FA isn't a box of Lucky Charms. Sure, it's delicious. But it isn't 🪄magic✨

  • SaaS is the new entry point. The many SaaS applications your enterprise uses? Potential gateways for a threat actor.

  • We don't have (the right) visibility. Sure, we might have logs or visibility through CASB, but when threat actors gain access using legitimate accounts, are detections firing?

  • We've (conveniently) forgotten the Shared Responsibility Model. SaaS vendors aren't responsible for:

    • protecting against unauthorized access when the credentials being used are legit

    • preventing or detecting data exfiltration

    • performing all the response actions when they've been breached (are you tired of rotating secrets yet? That's right, they don't do that for you.)

So what do we do?

  • Implement least-privileged access controls across your SaaS apps in a sane, maintainable way. I like groups.

  • Monitor SaaS access and activity for anomalous or unusual events. It's good to know when accounts are accessing the app, but it's even better to know what they're doing in the app.

  • Audit SaaS-to-SaaS access. You know all those stellar 3rd-party apps your company's employees love using to boost their productivity? Those apps are often being granted the ability to read, create, update, and delete corporate or personal data. Your Third-Party Risk program probably didn't evaluate the risk of those add-ons. Not to mention that some are just plain malware.

  • Limit your device-to-SaaS user risk. Without restrictions, users can access SaaS apps from their personal devices. Infostealer malware loves this.

  • Have specific response plans for each of your SaaS apps. Do you have a plan if the vendor is compromised and all your data is potentially stolen or modified?
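Two of the detections the list above asks for, written as an added example (not the newsletter's or any vendor's code) over constructed SaaS audit-log events: a valid session replayed from a second IP and user agent (the CircleCI pattern) and a support account fanning out across far more customer accounts than usual (the MailChimp pattern). The event field names are assumptions, not any real product's schema.

```python
# Added example (not the newsletter's or any vendor's code): two baseline detections
# run over constructed SaaS audit-log events. Field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, session, ip, ua, action, target):
    return {"ts": ts, "user": user, "session": session, "ip": ip, "ua": ua,
            "action": action, "target": target}

# Constructed sample events: eng1's valid session is reused from a second IP and
# user agent to mint a production token; support7 walks 25 customer accounts in
# 25 minutes; support2 behaves normally.
EVENTS = [
    ev("2023-01-04T10:00:00Z", "eng1", "S1", "203.0.113.5", "Chrome", "login", "-"),
    ev("2023-01-04T11:30:00Z", "eng1", "S1", "198.51.100.9", "curl/7.85", "create_token", "prod-api"),
    ev("2023-01-04T10:10:00Z", "eng2", "S2", "203.0.113.6", "Chrome", "view", "repo/a"),
] + [
    ev(f"2023-01-11T09:{i:02d}:00Z", "support7", "S3", "203.0.113.8", "Chrome", "view_account", f"cust-{i}")
    for i in range(25)
] + [
    ev(f"2023-01-11T09:{i:02d}:00Z", "support2", "S4", "203.0.113.9", "Chrome", "view_account", f"cust-{i}")
    for i in range(3)
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def session_hijack(events):
    """Sessions used from more than one (ip, user agent) pair: a stolen, still-valid 2FA-backed cookie."""
    origins = defaultdict(set)
    for e in events:
        origins[e["session"]].add((e["ip"], e["ua"]))
    return {s: sorted(o) for s, o in origins.items() if len(o) > 1}

def support_fanout(events, window=timedelta(hours=1), threshold=20):
    """{user: peak} for users whose distinct customer accounts viewed in any `window` exceed `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "view_account":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["target"]))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()  # by timestamp, so rows[i:] are the events at or after rows[i]
        peak = 0
        for i, (start, _) in enumerate(rows):
            peak = max(peak, len({t for ts, t in rows[i:] if ts - start <= window}))
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

Both checks only work if the SaaS app's audit log actually records session id, source IP and user agent per action, which is worth confirming before relying on it.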

My 5 security predictions for 2023

1. Cars will soon need cyber insurance.

I'm really looking forward to the day I can have this conversation:

"Sir, do you know why I pulled you over?"

"No officer, no idea."

"I clocked you doing 95 in a 65 MPH zone."

"Oh no, my car was hacked."

For legal reasons that's a joke. But seriously, as vehicles become more connected, the root cause of vehicle theft and incidents is going to get a lot more complicated. Car hackers having fun on a Friday night might be very difficult to investigate or attribute. And who will be held liable? What responsibility do car manufacturers and their technology partners have in ensuring cars have protections against cyber attacks?

I can't wait to run ransomware on my next car.

2. SaaS will continue with breach stories.

And I'll be here to write about them. 🐈

3. Security vendors are going to get more specific.

The big security companies have captured all the big boy Gartner squares and triangles. But the cool niche products that solve the very specific problems that keep you up at night, those are largely untapped. I'm excited to see some innovation spamming my LinkedIn inbox.

4. You are going to finally accept that we need to understand how machine learning works.

Don't sigh at me. It's time, my dude. This is the year you finally stop calling it Wizard's Breath. Every vendor is selling it, and I guarantee you're already paying your antimalware vendor for their ML models. It's time to stop being stubborn. It's time to accept that those annoying buzzword bingo words have real meaning. Now get out there and take some machine learning courses so you can school the next wand waving sales engineer.

5. Bananas.

2023 is going to be crazy fun. Crazy exciting. But this is the first year I won't be crazy busy.

Go read go

💬 [thread] WhatsApp account takeovers are back and old tactics still work. Tell your mom.

🔎 [blog] Hunt for bad guys poking at your web apps and detect application level vulnerabilities in real-time.

🚙 [blog] Unless you drive a '99 Camry like me, your fancy modern car has a web API. You don't need your GPS to know where this is going.
