
🎓 VulnU #011: Courage is Contagious: Exploring the Dragos Breach

Understanding Challenges in Employee Onboarding and the Significance of Public Dissection

Read Time: 8 minutes

Hey Everyone! - Pre-school was out today, so I wrote a chunk of this with Baby Shark and loud couch gymnastics as my soundtrack. In spite of, or maybe because of, all that, I’ve got a great bunch of stories this week:

  • Explore a Breach: Understanding the challenges of employee onboarding and home network security in the recent breach at Dragos, a security vendor.

  • Discover the Power of Transparency: Highlighting the importance of public transparency and dissecting incidents in the tech industry using Dragos' example as a case study.

  • Gain Insights into Secure Onboarding: Exploring proactive strategies for verifying new hires and ensuring secure onboarding processes in the evolving remote work landscape.

Have feedback for us? Just hit reply — we'd love to hear from you!

Let's get vulnerable:

In the spirit of why I started this newsletter, I'd like to share a great example of transparency that isn't always easy to come by. This week, we witnessed a security vendor, Dragos, who experienced a breach and demonstrated remarkable transparency by providing a full public writeup within 48 hours. Today, I want to accomplish two things:

  1. Talk about the breach and why it's a rough one.

  2. Look into why more companies should, but don’t, publicly dissect these incidents.

The Hack

Quick summary: a new hire at Dragos suffered some sort of personal compromise in which the attacker got access to their onboarding materials. The attacker was able to onboard themselves as if they were the new employee and gain access to whatever that new employee would have had access to. After a few hours of digging in, they sent a ransom text to Dragos demanding payment or they’d go public with the hack.

Let's take a look at the timeline of events as shared by Dragos:

Why is this a hard one?

  • Employees' personal devices and home networks, especially for those who haven't started at the company yet, are beyond the company's control when it comes to preventing or detecting a compromise.

  • Prior to the employee's official start, the security team lacks a "known good" baseline of information. For instance, the user typically logs in at 8 am from Austin, TX, but it's currently 3 am from Mexico.

  • Even if the attacker encounters some obstacles due to limited access, their actions may resemble typical behavior of a new hire exploring shared drives during their first week, which may not raise immediate alarms.

  • In a usual account compromise, the account owner would likely notice unusual activity and report it to IT/Security. However, in this case, the user hasn't even started their new job yet.

  • Remote work has added complexity to verifying the identity of individuals who show up over email from day one.

What should you be doing about this?

It's crucial to take proactive steps to verify new hires and ensure their secure onboarding process. Consider the following strategies:

  1. Visual verification: Implement measures that require in-person or webcam confirmation with a photo ID of the new hire. Choose the approach that aligns with your organization's threat model and risk tolerance.

  2. Device verification: On their first day, restrict new hires to accessing company resources only from the device you have provided them. Alternatively, consider mailing them a hard token, such as a YubiKey or RSA token, which they need in order to access company resources. This adds an extra layer of security, particularly during the initial stages of their employment.
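One way to enforce the two onboarding controls above (company-issued device plus a mailed hardware token during the first weeks), while treating geography only as a review signal because, as noted earlier, there is no login baseline for a new hire yet. This is an added Python example, not code from Dragos or from this newsletter; the roster fields, device and token serials, and the `evaluate` function are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed roster: what HR/IT know about a hire before day one (all hypothetical).
NEW_HIRES = {
    "newhire@example.com": {
        "start_date": date(2023, 5, 15),
        "issued_device": "LAPTOP-0042",  # company laptop shipped to the hire
        "token_serial": "YK-123456",     # hardware token mailed separately
        "expected_country": "US",
        "probation_days": 30,            # window in which the strict rules apply
    },
}

@dataclass
class SignIn:
    user: str
    when: datetime
    device_id: Optional[str]
    mfa_method: Optional[str]  # e.g. "hardware_token", "push", "sms"
    token_serial: Optional[str]
    country: str

def evaluate(event: SignIn, roster=NEW_HIRES) -> tuple:
    """Return (verdict, reasons): "deny", "review" or "allow"."""
    hire = roster.get(event.user)
    if hire is None:  # not a new hire: outside this check's scope
        return "allow", []
    deny, review = [], []
    day = event.when.date()
    if day < hire["start_date"]:
        deny.append("sign-in before official start date")
    elif (day - hire["start_date"]).days <= hire["probation_days"]:
        # Onboarding window: only the issued device plus the mailed token get in.
        if event.device_id != hire["issued_device"]:
            deny.append("not the company-issued device")
        if event.mfa_method != "hardware_token" or event.token_serial != hire["token_serial"]:
            deny.append("hardware token missing or serial mismatch")
    # No login baseline exists yet, so geography is a review signal, not a block.
    if event.country != hire["expected_country"]:
        review.append(f"sign-in from {event.country}, expected {hire['expected_country']}")
    if deny:
        return "deny", deny + review
    return ("review" if review else "allow"), review
# Constructed events: the writeup's scenario beside a legitimate first-day sign-in.
SAMPLE_EVENTS = {
    "attacker_pre_start": SignIn("newhire@example.com", datetime(2023, 5, 14, 3, 0), "PERSONAL-PC", "push", None, "MX"),
    "legit_day_one": SignIn("newhire@example.com", datetime(2023, 5, 15, 8, 0), "LAPTOP-0042", "hardware_token", "YK-123456", "US"),
}
```

Once the probation window has passed, the device and token rules stop applying and the account falls back to whatever your normal conditional-access policy is.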

🚀 Courage is Contagious

In tech careers, we often find ourselves in uncharted territories, pushing boundaries, and taking risks. Along this journey, failures and breaches can feel like landmines waiting to detonate, threatening our sense of security and pride.

This is especially true if you’re a security vendor. Many feel they should be un-hackable; otherwise, who would trust them to provide security services?

It's in these moments that summoning the courage to share our experiences, in all their messy and vulnerable glory, becomes a transformative act.

🌟 When we share our stories, we extend an invitation to others to do the same.

We create a space where empathy flourishes, and the isolation that often accompanies failures and breaches begins to dissipate.

It is through this vulnerability that we build a community that is resilient, supportive, and capable of embracing the complexities of the tech world.

It takes immense courage to stand up and say, "This is where I stumbled, and this is how I learned." When we show up with authenticity and humility, we invite others to join us on the journey of continuous improvement.

💡 The Power of Sharing Stories

Our experiences, especially the ones that involve failures and breaches, hold immense value not just for ourselves, but for others as well. When we vulnerably share these stories, we create a ripple effect of understanding and connection.

Think about the last time you heard someone share their experience of a tech failure or a data breach. How did it make you feel?

If you’ve worked in this field for half a minute, chances are, it evoked empathy and a sense of shared humanity. It reminded you that you're not alone in facing challenges and making mistakes. This is the power of storytelling. 🌈

Overcoming Fear and Shame

Now, let's address a few reasons we don’t see this as often as we should: fear and shame. These emotions often stand as formidable barriers to vulnerability, particularly in the tech industry.

The fear of judgment, criticism, and professional repercussions can hold us back from sharing our failures and breaches. Similarly, shame whispers in our ear to convince us that if we fail, we’re not worthy of being where we are.

But here's the truth: fear and shame lose their power when we shine a light on them. When we acknowledge and share our vulnerabilities, they lose their grip on us. 💪

When we choose vulnerability, we choose to challenge the narrative that mistakes are something to be hidden and ashamed of. Instead, we embrace the belief that failures are stepping stones on the path to growth and innovation.

I know firsthand how challenging it can be to confront fear and shame. If you’ve followed me on Twitter for any length of time, this should be of no surprise.

Transparency and openness create an environment where trust can flourish

🔑 How can I be courageous and contagious?

  1. Cultivate Psychological Safety: Foster an environment where individuals feel safe to share their experiences without fear of judgment or retribution. Encourage open dialogue and create space for diverse perspectives. 🌟

  2. Lead by Example: As leaders in the tech community, we have a responsibility to model vulnerability and courage. Share your own stories of failure and growth to inspire others to do the same. 🙌

  3. Establish Support Networks: Create platforms, such as communities or forums, where individuals can connect, share their experiences, and provide support to one another. Encourage mentorship and peer-to-peer learning. 🤝

  4. Celebrate Learning and Growth: Shift the focus from punishment and blame to learning and improvement. Recognize and celebrate individuals and teams who have shown vulnerability and used failures as opportunities for growth. 🎉

🔍 What we learn from failure

Failures in the tech world can be painful and costly, but they also provide valuable opportunities for learning and growth. By examining these experiences, we can extract meaningful insights that inform our future actions. Here are some key considerations:

  1. Embrace a Growth Mindset: See failures as opportunities for growth and improvement rather than as personal or organizational shortcomings. Foster a mindset that encourages continuous learning and resilience. (You might recall I talked about this a few weeks back: link)

  2. Conduct Post-Mortems: After experiencing a failure or breach, conduct thorough post-mortems to understand the root causes and identify areas for improvement. Encourage open and honest discussions during these reviews. 📝

  3. Share Lessons Learned: Communicate the insights gained from failures and breaches with the wider tech community. By sharing our experiences, we contribute to collective knowledge and help others avoid similar pitfalls. Do all of this publicly if possible. 📣

  4. Implement Changes: Act on the lessons learned from failures by implementing changes in processes, protocols, and systems. Continuously iterate and improve to prevent similar incidents in the future. 🔄

Remember, failures are not the end of the road but stepping stones on the path to success. By learning from our mistakes and sharing our insights, we contribute to a more resilient and innovative tech industry.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Two good ones out of Facebook land this week:

FB’s threat intel team sharing info about malware that targets user accounts that run ads so they can run their own for free

While we’re there - they also put out their threat report, which always has some interesting data points.

Twitter is a threat intel tool. Don’t let anyone tell you otherwise.

What’s cooler? This detailed malware writeup, or the fact that BlackBerry has a legit Threat Research and Intel team?

New intel on a North Korean threat actor

The Ubiquiti hacker just got 6 years in jail.

“the group was using and continuously updating a piece of malware known as “Snake” — which dates back to 2004”

An overnight success.

I liked this post - “biases, blind spots, and systematic weaknesses in how teams evaluate and write about threat intelligence”

Intel investigating leak of Intel BootGuard private keys after MSI breach

Community Spotlight:

This week’s spotlight is a quick shout out to Ian Coldwater. They’re an OG in the Kubernetes security space and just generally one of my favorite people to follow on the internet.

Follow not only for deeply technical content but also for everything from belly laughs to absolute punk-rock raging against the machine in their home state.

Come for the containers, stay for the goose memes.

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out to us. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay