I just read the Reddit security disclosure about a compromised account that occurred on Feb 5th, 2023. Reddit is clearly doing a lot of things right, as the attack could have been far worse. As it stands, the impact appeared limited: unauthorized access to some source code and internal docs. There are some great takeaways from the attack that are worth sharing. But, first…
How it happened:
It appears as if:
- Reddit employees were the target of ongoing, reasonably well-executed phishing campaigns
- One of those phishing attempts was successful
- The attacker gained access to the user’s account, but data access was limited
Standard playbook. What’s important is that the compromised account was remediated quickly and the blast radius of what was accessed was limited. So what can we learn from this and what did Reddit do right?
Account compromise is not an if, it’s a when
Phishing is a numbers game. It's a probabilistic attack: number of attempts x probability of success per attempt x number of targets. Run that long enough and the expected number of compromised accounts passes one; the outcome is inevitable. Technologies such as ChatGPT, which make convincing lures cheap to produce at scale, will only make this worse. We should expect these large-scale, credential-based attacks to continue in prevalence this year. Companies can invest a lot of effort in preventing phishing attacks from succeeding (e.g. employee training, email security, etc.). Ultimately this reduces the probability; it does not eliminate the threat. You have to assume accounts are, or will be, compromised, and build a security program around that as well.
Phishing resistant authenticators are a priority
Passkeys and FIDO2 tokens provide strong public-key authentication in which the credential is scoped to the relying party's origin: the browser, not the page, reports the origin to the authenticator and to the server, and the authenticator will only sign with a key registered for that domain. A look-alike phishing domain therefore never obtains an assertion the real site will accept, and a captured assertion cannot be replayed across domains. Most companies are just now adopting push-based authentication, mobile OTPs, and SMS-delivered OTPs, largely because of the ease of adoption via mobile devices. All of those factors can be relayed in real time by an adversary-in-the-middle phishing page, so the game has already changed.
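To make the origin-binding point concrete, here is an added example (not code from Reddit or from the original post) of the relying-party checks in a WebAuthn assertion ceremony, run against constructed assertions: a genuine one, one captured by a look-alike domain, one with a forged origin, and a replay. The RP ID `example.com`, the origins, the challenges and the authenticator data are all made up for the demonstration; the signature check is omitted (see the docstring), so only the origin, challenge and rpIdHash checks are shown.

```python
import base64
import hashlib
import json
import struct

# Constructed values for this demonstration; none of them come from Reddit's
# disclosure or from the original post.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4).

    The authenticator computes rpIdHash from the RP ID the browser hands it,
    and the browser only accepts an RP ID that matches the page's domain.
    """
    flags = 0x01 | 0x04  # UP (user present) | UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser emits it; the browser fills in origin, not page script."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def verify_assertion(rp_id, allowed_origins, expected_challenge, client_data_json, authenticator_data):
    """Relying-party checks from the assertion ceremony that make WebAuthn phishing resistant.

    Returns (ok, reason). The final step, verifying the signature over
    authenticatorData || SHA-256(clientDataJSON) with the stored public key,
    is left out to keep this dependency-free; it would also fail for every
    tampered case in run_scenarios().
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False, "challenge is not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin mismatch: {origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential belongs to a different RP"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def run_scenarios():
    """Constructed legitimate, phished, forged-origin and replayed assertions."""
    challenge = hashlib.sha256(b"constructed server challenge #1").digest()
    legit_cd = build_client_data("https://login.example.com", challenge)
    legit_ad = build_authenticator_data(RP_ID, 7)

    # Adversary-in-the-middle kit on a look-alike domain relays the real
    # challenge, but the victim's browser stamps the domain it is really on.
    phish_cd = build_client_data("https://login.examp1e.com", challenge)
    phish_ad = build_authenticator_data("examp1e.com", 1)

    # Attacker rewrites origin in clientDataJSON; rpIdHash still names the
    # look-alike domain (and the signature would no longer verify either).
    forged_cd = build_client_data("https://login.example.com", challenge)

    # A captured genuine assertion presented against the next login's challenge.
    next_challenge = hashlib.sha256(b"constructed server challenge #2").digest()

    return {
        "legit": verify_assertion(RP_ID, ALLOWED_ORIGINS, challenge, legit_cd, legit_ad),
        "phish": verify_assertion(RP_ID, ALLOWED_ORIGINS, challenge, phish_cd, phish_ad),
        "forged_origin": verify_assertion(RP_ID, ALLOWED_ORIGINS, challenge, forged_cd, phish_ad),
        "replay": verify_assertion(RP_ID, ALLOWED_ORIGINS, next_challenge, legit_cd, legit_ad),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:>13}: {'accept' if ok else 'reject'} ({reason})")
```

Only the first scenario is accepted. Contrast this with an OTP: the six digits carry no information about where they were typed, so a relay page simply forwards them. Here the origin and the rpIdHash travel with the assertion and are set by the browser and authenticator rather than by the page, which is what "cannot be replayed across domains" means in practice.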
Standing access is the new blast radius
Standing privileges and sensitive access pose significant risks: whatever a compromised account can reach at the moment of compromise, the attacker can reach too. We have to move to zero standing privileges (ZSP) for sensitive access and infrastructure, where access is granted just in time, for a bounded window, and removed afterwards. It would appear that the Reddit team either did this or the person who was compromised didn't have significant sensitive access to infrastructure or customer data. Either way, it's a huge win.
Hope for self reporting, plan for the worst
The phished employee self-reported, which is fantastic. We need to plan for the worst here as well, though. If the employee had not self-reported, how long would the compromise have taken to detect? Alerting on sensitive access or permission grants, in particular access that no approved grant explains or that the account has never exercised before, is an important control in planning for the worst.
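The following added example (not Reddit's code, and not from the original post) ties the two previous points together: it runs a detection rule over a constructed audit trail and flags any sensitive access that is not covered by an active just-in-time grant (the ZSP model) or that the account has never performed before (the behavioural signal you would want even when a grant exists). The resource names, actors, timestamps, grants and baseline are all constructed; a real deployment would read them from the identity provider, cloud audit logs and the JIT access system.

```python
from datetime import datetime

# Constructed sample data; nothing here is from Reddit's disclosure.
SENSITIVE = {"repo:infra-terraform", "vault:prod-db-creds", "console:aws-prod"}

EVENTS = [
    {"ts": "2023-01-10T09:02:00", "actor": "alice", "resource": "repo:docs-wiki"},
    {"ts": "2023-01-10T09:10:00", "actor": "alice", "resource": "repo:infra-terraform"},
    {"ts": "2023-01-10T13:41:00", "actor": "bob", "resource": "repo:docs-wiki"},
    {"ts": "2023-01-10T13:45:00", "actor": "bob", "resource": "vault:prod-db-creds"},
    {"ts": "2023-01-10T13:46:00", "actor": "bob", "resource": "console:aws-prod"},
]

# Just-in-time grants: under ZSP, the only thing that should authorise sensitive
# access. Bob's grant for the AWS console expired the day before.
GRANTS = [
    {"actor": "alice", "resource": "repo:infra-terraform",
     "start": "2023-01-10T09:00:00", "end": "2023-01-10T11:00:00"},
    {"actor": "bob", "resource": "console:aws-prod",
     "start": "2023-01-09T13:00:00", "end": "2023-01-09T15:00:00"},
]

# (actor, resource) pairs seen over a prior baseline period; a constructed set.
BASELINE = {("alice", "repo:infra-terraform"), ("bob", "console:aws-prod")}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def active_grant(grants, actor, resource, at):
    """Return the grant that covers (actor, resource) at time `at`, or None."""
    for g in grants:
        if (g["actor"] == actor and g["resource"] == resource
                and parse_ts(g["start"]) <= at <= parse_ts(g["end"])):
            return g
    return None


def detect(events, grants, baseline, sensitive):
    """One alert per sensitive access that neither ZSP nor the actor's history explains."""
    alerts = []
    for e in events:
        if e["resource"] not in sensitive:
            continue
        reasons = []
        if active_grant(grants, e["actor"], e["resource"], parse_ts(e["ts"])) is None:
            reasons.append("no active JIT grant")
        if (e["actor"], e["resource"]) not in baseline:
            reasons.append("first access to this sensitive resource")
        if reasons:
            alerts.append({"ts": e["ts"], "actor": e["actor"],
                           "resource": e["resource"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, GRANTS, BASELINE, SENSITIVE):
        print(f"{a['ts']} {a['actor']} -> {a['resource']}: {'; '.join(a['reasons'])}")
```

Alice's access is covered by a live grant and matches her history, so it produces nothing. Bob's two accesses each alert: the vault read has no grant at all and is a first for that account, and the console login falls outside his expired window. If Bob's account were the phished one, this fires within a minute of the attacker touching anything sensitive, with no dependence on Bob noticing and reporting.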