The decisions and repercussions involved in how access is cut off can be particularly challenging to evaluate during Security Incident Response.

This incident provides a learning experience for every cloud service: how can we prepare to make that decision? https://twitter.com/rakyll/status/1283523940187422721?s=19
E.g., 1. CSIRT detects that an attacker has control of one container

Destroy the container and redeploy. That response usually has nearly zero impact.

[Then investigate and cut off however the attacker got there, assess risk to other systems, etc.]
E.g., 2. CSIRT detects that an attacker has control of a host

Some orgs have infra that isn't ready for a zero-impact redeploy. Redeploying could involve data loss or service degradation, or require paging the owner to deploy.

Almost certainly destroy+redeploy, but you can see the murky area.
3. CSIRT detects an attacker spoofing user messages. The vector is unknown.

Hypothetical response 3A: Immediately stop delivering messages until the attack vector is secured?

Oof. Huge impact. Let's unpack that.
In Twitter's case, shutting off verified-account tweets has a direct impact, e.g.,
• Cloud services can't announce outages nor recovery on Twitter
• Local services can't make time-critical announcements
• Support teams can't respond to user issues
Twitter shutting off verified accounts also has indirect impact, particularly reputation risk. E.g.,
• Reduced reliance on Twitter as a platform by brands, services, or celebrities.
• Reduced advertising income
• Increased scrutiny as a target for attacks big and small
Security Incident Response teams have been in these situations. Regardless of our preparation and experience, our organizations and leaders change. CSIRT teams face blockers such as controls we failed to get or hesitation to make those high-stakes calls. https://twitter.com/argvee/status/1283561999452893186?s=20
This underlines the importance of prioritizing security: e.g.,
• A CISO with the trust of executives, so that CSIRT judgment on when severe action is warranted is supported
• AppSec teams empowered to ensure that effective controls are implemented
• Red teams tasked with testing security assumptions
For any theorizing we do, as CSIRT or spectators, we don't know all the details during an active attack—and for emphasis: plans fall apart during incidents. https://twitter.com/SwiftOnSecurity/status/1283524319658889216?s=20
For every proposed response to this Twitter security incident, there's a situation for which that is exactly the wrong response, or an unknown reason why that is infeasible or undesirable.
We're not Twitter, but I'm certain of two things:
• Twitter leadership weighed the tradeoffs in shutting down service at various levels
• Twitter incident response teams considered and attempted many approaches before "just shut it all down" https://twitter.com/saraislet/status/1283569072471339008?s=20
You can follow @saraislet.