Monthly archive: December 2020

How to learn security incident response from the Twitter event

0x01 Describing the Twitter event

On July 16, a large number of celebrity Twitter accounts posted Tweets containing fraudulent information, and some people transferred Bitcoin to a Bitcoin account controlled by the hacker.

0x02 How did Twitter react when hacker-controlled accounts posted fraudulent messages?

1. Immediately locked down the affected accounts and removed the Tweets posted by the attackers.

2. Limited the posting of Tweets, reset the passwords of all affected accounts, etc.

Traditional incident response method:
1. Containment, e.g. directly shutting down the server or stopping the services on the server.
2. Eradication and recovery: the services are not restored until the origin of the issue has been found.

In my view,
Twitter's incident response method:
1. Containment: stop using some functions.
2. Eradication and recovery: Twitter accepts the impact on the affected functionality and immediately reads that function's logs. If it confirms the function is not affected, it restores the function step by step, then reads the logs of the other functions again. This is more business-friendly than stopping the services.

0x03 How did Twitter analyse the event and solve it?

Twitter hasn't published details, so I can only guess at the analysis process. LOL

First: the attacker leaves many behavioral traces, such as user logins and Tweet records. Search for the attack features in the application's login logs and find that the login origin is access through internal systems and tools.
Second: read the logs of those internal systems and tools.
Finally: Twitter determined that it was a coordinated social engineering attack carried out by people.
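The first two steps above (search the application login logs for the attack features, then pivot into the internal-tool logs) can be expressed as a small correlation script. The following is an added example written for this post, not Twitter's own tooling; the log format, the `origin=internal_tool` field, the operator ids and the fraud keyword list are all constructed assumptions. It correlates login events with later tweets: a fraud-looking tweet posted shortly after a login that came through an internal tool is flagged, and the flagged accounts are grouped by the internal operator id, which is the pivot into the second log source.

```python
"""Added example: correlate application login logs with tweet logs to find
accounts whose posts followed a login that came through internal tooling.
Log formats and field names are constructed for this example; they are not
Twitter's real log schema."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Two record kinds:
#   login <ISO time> account=<name> origin=<client|internal_tool> operator=<id>
#   tweet <ISO time> account=<name> text="<message>"
LOG_LINES = """
login 2020-07-15T20:01:00 account=alice origin=client operator=-
tweet 2020-07-15T20:02:00 account=alice text="Good morning everyone"
login 2020-07-15T20:10:00 account=bigco origin=internal_tool operator=support-42
tweet 2020-07-15T20:11:30 account=bigco text="Send 0.1 BTC and get 0.2 BTC back!"
login 2020-07-15T20:12:00 account=famous origin=internal_tool operator=support-42
tweet 2020-07-15T20:13:05 account=famous text="Doubling all BTC sent in the next 30 minutes"
login 2020-07-15T21:00:00 account=bob origin=client operator=-
tweet 2020-07-15T22:30:00 account=bob text="I am giving back to the community, send BTC"
login 2020-07-15T20:20:00 account=carol origin=internal_tool operator=support-17
tweet 2020-07-15T20:40:00 account=carol text="Account recovered, thanks support"
""".strip().splitlines()

# Assumed keyword list; a tweet matching at least two terms is treated as fraud-like.
FRAUD_TERMS = ("btc", "bitcoin", "double", "doubling", "send")
# Assumed window between an internal-tool login and the suspicious post.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into a dict; shlex handles the quoted text field."""
    kind, ts, rest = line.split(" ", 2)
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return {"kind": kind, "ts": datetime.fromisoformat(ts), **fields}


def looks_fraudulent(text):
    """True when the message matches at least two of the assumed fraud terms."""
    lowered = text.lower()
    return sum(term in lowered for term in FRAUD_TERMS) >= 2


def find_suspicious_posts(lines, window=WINDOW):
    """Return (account, operator) pairs for fraud-looking tweets posted within
    `window` of a login whose origin was an internal tool (step one in the post)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_internal_login = {}  # account -> most recent internal-tool login event
    hits = []
    for ev in events:
        if ev["kind"] == "login":
            if ev["origin"] == "internal_tool":
                last_internal_login[ev["account"]] = ev
            else:
                # A normal client login supersedes any earlier internal-tool session.
                last_internal_login.pop(ev["account"], None)
        elif ev["kind"] == "tweet" and looks_fraudulent(ev["text"]):
            login = last_internal_login.get(ev["account"])
            if login and ev["ts"] - login["ts"] <= window:
                hits.append((ev["account"], login["operator"]))
    return hits


def pivot_operators(hits):
    """Group flagged accounts by the internal operator id that accessed them;
    this is the pivot into the internal-tool logs (step two in the post)."""
    by_operator = defaultdict(list)
    for account, operator in hits:
        by_operator[operator].append(account)
    return dict(by_operator)


if __name__ == "__main__":
    flagged = find_suspicious_posts(LOG_LINES)
    for operator, accounts in pivot_operators(flagged).items():
        print(f"operator {operator} accessed {accounts} shortly before fraud-like posts")
```

Note that `bob` posts a fraud-like message too, but his login came from a normal client, so he is not flagged; the correlation with the login origin is what separates a compromised-account cluster from ordinary spam, and the shared operator id is what tells the responder which internal-tool session logs to read next.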