What can security teams learn from the Uber breach?

On 15 September, Uber Technologies reported that its network was breached, forcing the company to shut down several internal communications and engineering systems as they investigated the severity of the cyberattack.

Based on CyberArk Red Team and Labs analysis, there are several interesting elements that cybersecurity professionals should know to prevent similar attacks in the future.

While much of the analysis so far has focused on the human element, including the use of social engineering and multi-factor authentication (MFA) fatigue, what happened after the threat actor gained initial access is key to understanding how the breach occurred and how to avoid similar attacks in the future.

It is also crucial to note that there is no single technology solution, person, or provider that could have prevented the breach.

Understanding the Uber attack process

Step 1 – Initial access: The attacker first obtained credentials for Uber’s VPN infrastructure, which allowed them to enter the company’s IT environment.

Step 2 – Discovery: Most Uber accounts had access to a network share, and the attacker exploited this to find hard-coded credentials for the company’s privileged access management (PAM) solution.

Step 3 – Privilege escalation: The attacker then stole the admin credentials to escalate their access privileges.

Step 4 – Accessing secrets and critical company systems: According to an Uber update, the attacker ultimately obtained “elevated permissions to a number of tools”. The attacker reportedly compromised access to the SSO and consoles, as well as the cloud management console where Uber stores sensitive customer and financial data.

Step 5 – Data exfiltration: Uber confirmed that the attacker successfully downloaded internal Slack messages as well as information from an invoice management tool.

Tips for mitigating a similar attack

Getting rid of any embedded credentials is the first step to preventing similar attacks. Organisations should focus on securing their most vital credentials and secrets first, before extending these best practices across other data and information to reduce risk.
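Finding embedded credentials before an attacker does starts with an audit of what is actually sitting on shared drives, in automation scripts and in configuration files. The script below is an added example written for this article; it is not Uber’s or CyberArk’s code. It scans a set of constructed sample files for common hard-coded credential shapes (plaintext password assignments, API keys and tokens, credentials embedded in URLs, and PowerShell plaintext SecureString conversions), skips comment lines and obvious placeholders, and reports each hit with the secret redacted. The file paths, file contents and regex catalogue are all assumptions for illustration; real secret scanners cover many more patterns.

```python
"""Audit scanner for hard-coded credentials in scripts and configuration files.

Added example (not from the original article, Uber or CyberArk). The sample
files below are constructed to resemble automation left on a network share;
the patterns are illustrative, not an exhaustive secret catalogue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (label, regex). Group 1 captures the secret so the report can redact it.
PATTERNS = [
    ("password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s;]{6,})")),
    ("api-key-assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
    ("url-embedded-credential",
     re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:([^@\s/]+)@")),
    ("powershell-securestring-plaintext",
     re.compile(r"(?i)ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText")),
]

# Values that are clearly placeholders or runtime lookups, not live secrets.
PLACEHOLDERS = {"changeme", "<redacted>", "example", "xxxxxxxx"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep a two-character prefix so analysts can correlate without re-exposing the value."""
    return secret[:2] + "*" * max(len(secret) - 2, 4)


def is_placeholder(value: str) -> bool:
    # "${VAR}" (shell) and "$env:VAR" (PowerShell) mean the secret is injected at runtime.
    return value.lower() in PLACEHOLDERS or value.startswith("${") or value.startswith("$env:")


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, with the secret redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):
            continue  # comments usually describe a value rather than hold one
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m and not is_placeholder(m.group(1)):
                findings.append(Finding(path, line_no, kind, redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample files (assumed paths and contents, not real data).
SAMPLE_FILES = {
    "share/deploy/rotate_pam.ps1": (
        "# Constructed sample: automation script left on a shared drive\n"
        "$admin = 'pam-svc'\n"
        "$pass = ConvertTo-SecureString 'Sup3rS3cretPAM!' -AsPlainText -Force\n"
        "Connect-PamVault -User $admin -Password $pass\n"
    ),
    "share/ci/backup.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD=hunter2hunter2\n"
        "curl https://svc:s3cretValue@backup.internal.example/upload\n"
    ),
    "share/ci/backup_fixed.sh": (
        "#!/bin/sh\n"
        "# Hardened version: the secret is injected at runtime by a secrets manager\n"
        "DB_PASSWORD=${DB_PASSWORD:?set by the secrets manager}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.kind}  value={f.redacted}")
```

Running the script reports three findings in the first two files and none in `backup_fixed.sh`, because a value that is looked up from the environment at runtime is not a hard-coded secret. That contrast is the point of the audit: the remediation for each hit is to move the value into a vault and reference it, not to obfuscate it in place.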

After developing a strategy for dealing with hard-coded credentials, IT and security teams are advised to take the following additional measures to strengthen their organisation’s defences:

Preventing credential theft: Attackers, like the one who hacked Uber’s systems, are constantly finding new ways to bypass authentication mechanisms. Thus, it is crucial for IT teams to train staff to spot the signs of phishing and to be aware of new attack methods so that they do not become easy targets for cyberattackers.

Adopting the principle of least privilege: Organisations need to ensure workers and external contractors have the fewest permissions necessary to perform their responsibilities. Access to privileged accounts for administrators should only be granted when it is necessary, and with a time limit. All privileged account access needs to be separated and validated. As identity compromise through credential theft is one of the most common initial attack vectors today, organisations should also adopt endpoint security tools to limit such attacks (e.g. theft of browser-stored passwords or session cookies).

Strong defence-in-depth controls: The Uber data breach demonstrated a scenario in which the hacker was able to use a master credential to gain access to other credentials. Because of this, it is necessary to have strong defence-in-depth controls that provide multiple proactive and reactive layers to reinforce security systems and reduce vulnerabilities.

Intelligent privilege controls: Organisations should also remove standing access to sensitive infrastructure and online or cloud interfaces to limit an attacker’s lateral movement. Just-in-time privileges can also significantly minimise the access of any compromised identity, especially when combined with robust authentication.

Smarter MFA controls: While MFA remains the baseline authentication measure for the workplace, smarter and autonomous mechanisms should be put in place to reinforce access without sacrificing the user experience. By integrating MFA with behavioural analytics and automation, security teams will be able to better understand their users’ access behaviours and what constitutes risk. This way, users won’t have to go through extra authentication measures every time they sign in. At the same time, the smart controls will reinforce MFA or block access if they detect a potential threat.
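One concrete form of the behavioural signal described above is detecting MFA fatigue itself: a legitimate user receives a push prompt when they sign in, whereas a burst of prompts that the user keeps denying or ignoring means someone else already holds their password. The detector below is an added example written for this article, not code from Uber, CyberArk or any MFA product. It parses constructed authentication log lines (the log format, field names, user names, addresses and thresholds are all assumptions), groups each user’s push events into bursts of prompts arriving less than ten minutes apart, and raises a medium-severity alert for a burst of five or more pushes and a high-severity alert when an approval occurs inside such a burst, which is the moment a fatigue attack has succeeded.

```python
"""Detection of MFA push fatigue ("push bombing") in authentication logs.

Added example, not from the original article or any vendor product. The log
format, thresholds and sample events are assumptions for this illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> user=<name> event=mfa_push result=<r> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    user: str
    first_seen: datetime
    pushes: int
    distinct_sources: int
    approved_during_burst: bool
    severity: str  # "high" if the user eventually approved, else "medium"


def parse_line(line: str):
    """Return (timestamp, user, result, src) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["result"], m["src"]


def make_alert(user: str, burst: list) -> Alert:
    approved = any(result == "approved" for _, _, result, _ in burst)
    return Alert(
        user=user,
        first_seen=burst[0][0],
        pushes=len(burst),
        distinct_sources=len({src for *_, src in burst}),
        approved_during_burst=approved,
        severity="high" if approved else "medium",
    )


def detect_push_fatigue(lines, max_gap: timedelta = timedelta(minutes=10), threshold: int = 5) -> list[Alert]:
    """Group each user's push prompts into bursts (consecutive prompts <= max_gap apart)
    and alert on any burst with at least `threshold` prompts."""
    per_user: dict[str, list] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_user[parsed[1]].append(parsed)

    alerts: list[Alert] = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        burst: list = []
        for ev in events + [None]:  # None is a sentinel that flushes the final burst
            if ev is not None and (not burst or ev[0] - burst[-1][0] <= max_gap):
                burst.append(ev)
                continue
            if len(burst) >= threshold:
                alerts.append(make_alert(user, burst))
            burst = [ev] if ev is not None else []
    alerts.sort(key=lambda a: a.first_seen)
    return alerts


# Constructed sample log: one contractor is push-bombed and finally approves,
# one user is bombed but keeps denying, one user has a normal day.
SAMPLE_LOG = """
2022-09-15T21:00:05Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:00:41Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:01:20Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T21:02:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:03:15Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:04:48Z user=contractor01 event=mfa_push result=approved src=203.0.113.7
2022-09-15T08:15:00Z user=alice event=mfa_push result=approved src=198.51.100.20
2022-09-15T17:30:00Z user=alice event=mfa_push result=approved src=198.51.100.20
2022-09-15T12:00:00Z user=bob event=mfa_push result=denied src=192.0.2.9
2022-09-15T12:00:30Z user=bob event=mfa_push result=denied src=192.0.2.9
2022-09-15T12:01:00Z user=bob event=mfa_push result=denied src=192.0.2.9
2022-09-15T12:01:30Z user=bob event=mfa_push result=denied src=192.0.2.9
2022-09-15T12:02:00Z user=bob event=mfa_push result=denied src=192.0.2.9
this line is malformed and must be ignored
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a.severity.upper():6} {a.user}: {a.pushes} pushes from {a.distinct_sources} source(s), "
              f"approved={a.approved_during_burst}, first at {a.first_seen.isoformat()}")
```

Both alerts are actionable, not just the high one: a denied burst still means the attacker holds a valid password for that account, so the response is to reset the credential and review recent sessions, while the high-severity case additionally means an authenticated session now exists and should be revoked. The same grouping logic can feed an automated control that switches the account to number-matching or blocks further prompts once a burst is detected.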

Update software: Patching devices and software to address security issues and bugs has long been a fundamental rule in cybersecurity. However, there is a risk that cyberattackers can use security updates to enter organisations’ systems, compromise identities, and access critical assets. Mitigating this risk requires teams to always assume that they have been breached, and to use multiple identity security layers to prevent unauthorised use of credentials.

Final thoughts

There is no foolproof solution against cyberattacks. Likewise, the tools and people in Uber’s case are not at fault. However, the risk can be mitigated by robust and layered cybersecurity defences, supported by trained staff who will recognise potential sources of danger.

Having these aspects in place will make it more difficult for attackers to strike. Furthermore, these measures will help organisations securely resume operations as soon as possible.