Twitter attacked - Catches, stops attack-in-progress

Unless you've been on vacation from technology completely, you've heard that Twitter was hacked recently, some time prior to February 1, 2013. Most of the news items that this breach generated were speculative, and focused on the breach, the data lost or the other companies potentially involved (if this was indeed a campaign).


In fact, the first two paragraphs of this Guardian article illustrate this perfectly.


"A quarter of a million Twitter users have had their accounts hacked in the latest in a string of high-profile security breaches at internet firms.


Anonymous hackers were able to gain access to around 250,000 accounts on the social networking site, including usernames, email addresses and passwords."


You even have the Twitter blog post stating outright that they believe this attack wasn't the typical amateur hour stuff - and that it was something targeted and "extremely sophisticated."


"This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."


This brings me to an angle that I haven't seen talked about publicly. Twitter's PR team highlighted this in the blog post they did, but I have not found the broader media talking about it. Here's what I'm focusing on:


"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later."


Did you catch that? I highlighted the part.


If you're one of the growing number of Information Security professionals who believe that it's a matter of when and not if (you will be hacked), and that enterprise security organizations need to re-focus their efforts, this could be a monumental event.


With the exception of the Lockheed Martin attack chronicled in May 2011, there haven't been many incidents where the organization breached came out and said that they were able to detect, respond and restore in a meaningful amount of time and more importantly limit the scope of damage. Whether Lockheed and now Twitter were able to get inside the attacker's OODA Loop, or they had some brilliant applications of security technologies working together through a SecOps-type of cooperative effort, the big story is that detect, respond, restore should be the go-forward strategy for enterprise security organizations.


Your enterprise's ability to detect an attack, respond meaningfully to both stop the attack and minimize its impact, and restore services to a business-ready state should be your number one priority. The main reason for this is that, as Twitter security staff know full well, the determined attacker will be extremely sophisticated, extremely well resourced and will likely succeed. The real focus of realistic security organizations, I continue to believe, should move away from building increasingly ineffective moats around their ever-expanding assets and toward building intelligence-to-action processes that deliver the ability to detect, respond and restore, thereby limiting the damage a potential breach can inflict.


Let's face it, if we're realistic about security we have to acknowledge that we won't be able to perfectly protect everything of value (even the most critical assets) but we should strive to build intelligence platforms that directly give us actionable results to minimize the potential damage.


If this is really what Twitter did, then I have to say that this is the real story here ... because while 250,000 is a lot of accounts' worth of information taken, when you consider this is out of a potential 501,000,000 total accounts (extrapolated from here) you're looking at a .05% compromise rate if my math is correct. Let's say that the attackers weren't targeting those specific 250,000 accounts (or some sub-set therein) - this event then illustrates what a potential success would look like.


More on the detect, respond, restore mentality is on the horizon both here on this blog and in some published material I'm working on with SecOps. If you find this line of thinking is something you're interested in, get a hold of me and contribute to the research and development of something that will hopefully be useful for enterprises struggling to define and defend themselves.


By the way, if this PoV interests you, come see Art Gilliland's keynote at RSA 2013 - as he talks about the lessons we can learn from the attackers!

Stuart Coulson(anon) | ‎02-04-2013 11:00 AM

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later.


  • This WEEK
    - how long did they monitor this for ?
  • Unusual access patterns
    - more than one pattern - one pattern repeatedly used ?
  • unauthorized access attempts
    - so they could see them, but were they able to stop them ? If so, then why was there a leak ?
  • to Twitter user data - nothing else, not tweets ? Sounds  like a rogue app
  • Discovered one live attack - patterns plural, one attack - does this support the app version ?
  • shut it down in process moments - what on earth is a process moment ?!

Unfortunately, while Twitter sort out the actual incident, we are left guessing on the front end what really happened.


Here's my guess :

Here is Secarma's guess :



TestWithUs(anon) | ‎05-22-2013 05:30 AM
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation