Hope everyone has a great holiday! I’m hoping to do some more writing, and I’m also having a holiday sale: 50% off my annual subscription! It ends on 12/31, but for those of you who still have some professional budget to use, this is a good thing to spend it on!
LET’S BE FRANK
Due to popular demand, I’m going to write about recent hacks and my analysis of them as someone who has spent over a decade in security in various positions, such as VC and security engineering. I will share my thoughts based on the information that the company has provided.
As the first part of this series, I am writing about the most recent LastPass hack. TechCrunch does a great job of providing basic coverage and tips, which I will go over.
What do we know?
I am working from the main disclosure the company published on its blog. There has also been a recent Twitter thread by a former LastPass employee. It’s not an official statement, but I believe it is credible. Here are the facts I’ve gathered:
This hack occurred because of another hack in August, in which some information was stolen from their development environment.
That information was used to “target another employee,” and from that employee the threat actor obtained credentials and keys to the cloud-based storage service that LastPass uses to store encrypted backups.
There are a couple of layers of encryption. First, the cloud storage encrypts backups at rest by default, but that layer was bypassed because the threat actor held the decryption keys. That’s why they were able to read the fields LastPass stores unencrypted, such as URLs, company names, etc. However, the vault contents are also encrypted with a key derived from the master password, which the user creates and which LastPass doesn’t hold.
To obtain a user’s passwords, the threat actor has to brute-force the master password offline against the stolen vault. That is hard if the master password is strong and the key derivation is slow, since every guess costs a full derivation.
However, it seems they only moved to a stronger key-derivation setting in 2018, and based on the Twitter thread, some legacy customers’ vaults were never migrated to it, so those vaults are considerably cheaper to attack.
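To make the last three points concrete, here is an added illustration (my own code, not LastPass’s and not from the original disclosure) of what the thief actually does with a stolen encrypted backup and why the key-derivation setting matters. The vault format is a toy I made up for the example, not LastPass’s real format; the iteration counts are assumptions for comparison (5,000 as a plausible legacy value, 100,100 as the stronger modern setting), and the wordlist and vault body are constructed sample data.

```python
"""
Offline attack on a stolen encrypted vault, and why the PBKDF2 iteration
count sets the attacker's cost. Added example; toy format, not LastPass's.

Toy vault (assumption for illustration):
  key  = PBKDF2-HMAC-SHA256(master_password, salt, iterations, 32 bytes)
  ct   = plaintext XOR keystream, keystream = HMAC-SHA256(key, counter) blocks
  tag  = HMAC-SHA256(key, ct), so a wrong guess is detectable offline
"""
import hashlib
import hmac
import os
import time

LEGACY_ITERATIONS = 5_000    # assumed legacy setting for comparison
MODERN_ITERATIONS = 100_100  # assumed modern setting for comparison


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> vault key. Cost is linear in `iterations`; that is the whole point."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int, salt: bytes = None) -> dict:
    """What the service stores: salt, iteration count, ciphertext and tag. No password, no key."""
    salt = salt or os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}


def try_decrypt(blob: dict, candidate_password: str):
    """Return plaintext if the candidate password is right, else None."""
    key = derive_key(candidate_password, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


def offline_bruteforce(blob: dict, wordlist):
    """The thief's loop: no rate limiting, no lockout, just CPU time per guess."""
    for i, candidate in enumerate(wordlist, 1):
        pt = try_decrypt(blob, candidate)
        if pt is not None:
            return candidate, pt, i
    return None, None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough per-guess cost on this machine for a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def cost_ratio(legacy: int = LEGACY_ITERATIONS, modern: int = MODERN_ITERATIONS) -> float:
    """PBKDF2 cost is linear in iterations, so this is the attacker's slowdown factor."""
    return modern / legacy


if __name__ == "__main__":
    # Constructed sample: a weak master password in a small wordlist, and a toy vault body.
    WORDLIST = ["password", "letmein", "Summer2022!", "correct horse", "hunter2"]
    vault_plain = b'{"site":"mail.example","user":"alice","pass":"s3cr3t"}'
    for iters in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
        blob = encrypt_vault("Summer2022!", vault_plain, iters)
        found, _, guesses = offline_bruteforce(blob, WORDLIST)
        per = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: cracked {found!r} after {guesses} guesses, "
              f"~{per * 1000:.1f} ms/guess, ~{1 / per:,.0f} guesses/s on one core")
    print(f"modern/legacy cost ratio: {cost_ratio():.1f}x")
```

Two things to take from running it: a weak master password falls in a handful of guesses regardless of the setting, and the setting only changes how many guesses per second the attacker gets, by roughly the iteration ratio. That is exactly why a vault left on a legacy setting is the worst case here: the service never has a chance to throttle an offline attack, so the iteration count and the password strength are the only defenses.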
What are my thoughts?
To start, this doesn’t seem to be a sophisticated hack. Honestly, they rarely are. This goes back to my philosophy that a large majority of hacks target weaknesses in identity and access management. It’s important to have a strong policy and to clean up any weak legacy access policies.
From what I understand, the threat actor “targeted an employee” using information gathered in the first hack in August. I’m not too sure what that means. I don’t know the forms of communication at LastPass. It seems like this employee might have been phished, or the credentials might have been obtained through some other form of social engineering.
This could be mitigated with a strong anti-phishing program and by restricting most communications to authenticated services like Slack, Microsoft Teams, etc. It’s bad practice to share keys at all, but if you must, use the time-limited sharing that 1Password and LastPass offer, which didn’t seem to happen here. In a time crunch, share them only over authenticated services, i.e. services where users have to confirm their identity, e.g. Slack, Teams, Zoom, etc., and keep in mind that a secret pasted into a chat channel stays in the message history, so it should be rotated afterwards.
What’s surprising is that the investigation and threat assessment following the initial hack apparently did not flag the cloud decryption keys as part of the blast radius. It’s possible that it did and the keys were rotated, but in that case they should also have removed or restricted employee access to the new keys.
It’s surprising that an employee was able to access credentials at all. Employees should only access portals through SSO, which sits behind MFA, so everyone outside a very small group should never hold long-lived credentials. That group can grant access to root credentials, but any root credentials should be stored in a special vault that requires multiple approvals by very senior employees, e.g. the CTO or a principal engineer, and the security team. Access should be logged and closely monitored, and MFA should be enabled on the root accounts themselves.
Moreover, it should be extraordinarily difficult to reach decryption keys. They should live in a secrets vault, and if a pipeline needs them, the CI/CD process should pull them at run time rather than a person. Only a very select set of employees should have access to that vault, and every access should be logged and monitored. Another possibility is that there were no strong access policies on the secrets vault. Finally, it might have been possible to extract the keys from the CI/CD process without touching the vault, which is why pipeline configuration and build logs need the same protection as the vault itself. It seems the threat actor was able to work out (probably from the information obtained in the initial hack) which employees had what type of access.
The one bright spot is that the cloud service appears to have had strong detection capabilities and audit logs, and it alerted LastPass. Security is a team sport: have your own capabilities, and also work with vendors who take security seriously and will monitor for malicious activity in case you miss it. It seems that LastPass itself did miss the fact that the stolen credentials were being used to log into this cloud service.
A good thing is that LastPass doesn’t have access to customer keys, and vaults are encrypted with strong encryption that is hard to brute-force. However, based on the Twitter thread, it seems some of the older customers might not have had their data re-encrypted under the stronger setting. This seems like an oversight that is very relevant now. Overall, though, this provides an important lesson in defense in depth: assume the attacker has access to your systems, then ask what they can reach and what the blast radius is.
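The points above about credentials, the secrets vault and the missed cloud logins come down to the same control: your own alerting over the cloud provider’s audit log, so that a stolen key being used against backup storage is caught in-house and not only by the vendor. Here is an added illustration (my own code, not LastPass’s and not any vendor’s rule set). The event shape assumes AWS CloudTrail-style fields for illustration, the bucket name, baseline IPs and thresholds are assumptions, and the sample events are constructed, not real log data.

```python
"""
Three cheap rules over cloud audit events for the backup store:
  1. a long-lived (static) access key touched the backups at all, which in an
     SSO-only shop should never happen (IAM user keys start with AKIA, temporary
     STS credentials with ASIA);
  2. the backups were touched from an IP outside the known egress set;
  3. one principal read several backup objects in a short window.
Added example with constructed data; field names follow CloudTrail as an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BACKUP_BUCKETS = {"prod-vault-backups"}               # assumption: the sensitive store
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}  # assumption: corporate and CI egress
BULK_THRESHOLD = 3                                    # reads per key per window before alerting
BULK_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed, not real log data
    {"eventTime": "2022-11-20T01:00:00Z", "eventName": "PutObject",
     "accessKeyId": "ASIAEXAMPLECIROLE01", "sourceIPAddress": "203.0.113.10",
     "bucket": "prod-vault-backups"},  # nightly backup job: temporary creds, known egress
    {"eventTime": "2022-11-20T01:30:00Z", "eventName": "ListBuckets",
     "accessKeyId": "ASIAEXAMPLECIROLE01", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2022-11-20T02:00:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.77",
     "bucket": "prod-vault-backups"},  # stolen static key, unfamiliar IP, pulling backups
    {"eventTime": "2022-11-20T02:01:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.77",
     "bucket": "prod-vault-backups"},
    {"eventTime": "2022-11-20T02:03:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.77",
     "bucket": "prod-vault-backups"},
    {"eventTime": "2022-11-20T02:04:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.77",
     "bucket": "prod-vault-backups"},
    {"eventTime": "2022-11-20T03:00:00Z", "eventName": "GetObject",
     "accessKeyId": "ASIAEXAMPLEAPPROLE1", "sourceIPAddress": "203.0.113.11",
     "bucket": "prod-app-assets"},  # ordinary app traffic on a non-backup bucket
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_long_lived_key(key_id: str) -> bool:
    """IAM user access keys are static and start with AKIA; STS temporary keys start with ASIA."""
    return key_id.startswith("AKIA")


def detect(events):
    """Return (rule, accessKeyId, eventTime) findings; the bulk rule fires once per key."""
    findings = []
    recent_reads = defaultdict(list)
    bulk_fired = set()
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        if e.get("bucket") not in BACKUP_BUCKETS:
            continue  # these rules are scoped to the crown jewels only
        key, ip, t = e["accessKeyId"], e["sourceIPAddress"], parse_time(e["eventTime"])
        if is_long_lived_key(key):
            findings.append(("static_key_on_backups", key, e["eventTime"]))
        if ip not in KNOWN_EGRESS_IPS:
            findings.append(("unknown_source_ip", key, e["eventTime"]))
        if e["eventName"] == "GetObject":
            window = recent_reads[key] + [t]
            recent_reads[key] = [x for x in window if t - x <= BULK_WINDOW]
            if len(recent_reads[key]) >= BULK_THRESHOLD and key not in bulk_fired:
                bulk_fired.add(key)
                findings.append(("bulk_backup_read", key, e["eventTime"]))
    return findings


def summarize(findings) -> dict:
    """Collapse findings to rule -> count for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, key, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule:<22} {key}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The benign CI job writes to the same bucket from temporary credentials on a known IP and produces nothing, while the stolen static key trips all three rules within four events. None of these rules needs the vendor’s help; they only need the audit log shipped somewhere you actually look at it.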
Even with access to customer passwords, the hope is that most customers use MFA for their critical sites. Hopefully those sites, such as email services, will also become more vigilant as a result and tighten their thresholds for flagging suspicious logins. There has been a trend, at least with 1Password, of keeping your MFA codes in the password vault, but this situation is an argument for keeping them separate in a service like Authy: if the TOTP seeds sit in the same vault, cracking it yields both factors at once.
Finally, it’s great that they hired an IR firm like Mandiant to help with the investigation. Even with the strongest IR teams, it’s always important to have outside perspective and counsel in these types of moments. It’s important to have a pre-existing retainer so that you are not trying to negotiate terms during the incident.
Conclusion
Overall, this is unfortunate, and I’m sure LastPass is trying its best. They are doing a great job of communicating, and I hope the blast radius is limited and doesn’t dissuade people from using password managers, which I believe is a great trend, similar to using MFA. However, this shows the importance of spending time on access management. Most hacks start there, and having a strong access-management story substantially reduces a company’s risk. Mainly, I am souring on spending too much effort on complicated attack vectors. That only makes sense once your access management policies are solid, and getting them solid is much harder than most security leaders think.
I’m happy to discuss this more, so feel free to reach out with additional thoughts and/or information.