Incident response is a crucial capability for every organization; it’s the one time that organizations can mitigate risk as it’s happening. Some organizations spend significant time understanding their incident response process and fine-tuning response playbooks. This means in the event of an event, or an incident, they are either prepared for something happening that is known or have a structured discipline for addressing something that is unknown.

 

However, having an incident response plan and process is one thing… having a security culture built for resilience is another.

 

Having the ability to respond properly to an incident is not just a matter of having a well thought through (and exercised!) response process. It is also a matter of proper security controls and a culture that implores security vigilance — something may organizations talk about and strive for, but rarely achieve.

 

Sharing a set of security values and practices, in earnest, can really be the difference between knowing you have an event shortly after it has occurred (e.g., within hours) and discovering you have a security incident after irreparable damage (e.g., 250 days after the event).

 

Why We’re Spotlighting Reddit

No organization really wants to be the center of attention due to a security incident, but every once in a while incident-related public attention briefly shines a spotlight on what went well amongst the not-so-well forensic evidence of an incident. On February 9, 2023, the team at Reddit demonstrated the underlying security culture that most strive to achieve, and there is truly something to be said about it.

 

Let’s start by talking about another incident first, though.

 

On June 19, 2018, Reddit experienced a security incident where an initial unauthorized phishing campaign resulted in a significant loss of some sensitive user data. A straightforward account of what happened was on display and available to anyone, including a pledge to “… improve our systems and processes to prevent this from happening again.”

 

Fast forward almost five years later, and this week’s security incident — and its straightforward account of what happened — reflects a security culture, enhanced technical controls, and a coordinated incident response process. A rare look into what went well.

 

Why is this noteworthy? It offers an opportunity to see what went well and note what we can learn from Reddit and the team: public artifacts that demonstrate the impact of an incident response plan aligned with a shared culture of security culture (dare we say, “cyber resilience”?).

 

Here’s how Reddit seemed to accomplish this:

  • (Actually) Learning from mistakes
  • Enticing self-reporting
  • Limiting user access
  • Investigating before reporting
  • Reporting transparently
  • Practicing proactive security

What is the biggest takeaway? Incident response to a cyberattack is a process, not a panic.

 

The Incident in Brief

In their security incident report, Reddit refers to their incident as the result of a “highly-targeted” and “sophisticated phishing campaign” which was aimed at their employees. Phishing campaigns are designed to take advantage of human error, appearing as trustworthy sources in a fraudulent attempt to get sensitive data.

 

What made this attack “sophisticated” was how the threat actors pointed employees to a fake website that mirrored Reddit’s own intranet gateway, seeking access to employee credentials and multi-factor authentication tokens.

 

“As we all know,” Reddit reminded readers in its report, “the human is often the weakest part of the security chain.”

 

A single employee’s credentials were enough to get access to internal documents, code, as well as internal dashboards and business systems. Fortunately, there were no indications of breach of their primary production systems, nor breaches of non-public Reddit user data.

 

In Reddit’s own words:

“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

 

What went well:

  • (Actually) Learning from Mistakes: Five years ago, Reddit was the target of another security incident, and they used that opportunity to improve their security measures. These included making additional points of privileged access to Reddit’s systems more secure with enhanced logging, more encryption and token-based 2FA. They also hired their very first Head of Security and moved to hire a Threat Detection Engineer and a Cloud Security Engineer. Being able to respond to a crisis requires someone capable of handling that incident, and this time around, Reddit had a team ready to do so when another occurred.
  • Self-Reporting (Or: Security as a Culture): As uncomfortable as it is, self-reporting falling victim to a cyberattack is the most crucial part of crisis response. The sooner that the problem is discovered, the sooner defenders can act to prevent the damage from spiraling out. Due to the self-report, the Security team quickly removed the infiltrator’s access and began their internal investigation. This also prevents other employees from falling for the same scam. Had the compromised employee not stepped forward, this incident could have continued unseen and become a far more damaging breach.
  • Limited User Access: The employee whose user access was compromised seemingly did not have permissions for Reddit’s primary production systems. Imagine how much more dangerous the compromising of user access would have been if that employee had been over-permissioned and able to access such critical data (more on that here).
  • Investigate, then Report: It’s important to understand the full nature of a security incident before announcing it. Reddit took several days to assess the extent of their incident, including exposure internally and externally. Only when they understood what had happened and how much information had been compromised did they announce their findings to the public at large, allowing them to assuage any concerns and clearly articulate both the issue and how it had been resolved.
  • Reporting Transparently: It can be tempting to hide security incidents and breaches, but the reputational damage of doing so can be significant. Cybersecurity is not a question of if an organization will experience a security incident, but when. Therefore, when it does occur, it’s important that an organization shows how they handled the situation, how they are making sure to prevent it from occurring again, and how they have done their best to protect their users’ data. In Reddit’s case, they not only publicly announced the incident in detail on their own platform, but also opened the floor to answer any questions their users had about the incident. They also emphasized the investigation was still ongoing.
  • Promoting Security Best Practices: Reddit took the opportunity to remind users how to they can best take a proactive part in their own security online, encouraging 2FA, updating passwords, and using password managers — pointing out that the latter allows for an extra layer of security by warning users if the domain for the password doesn’t match.

Final Thoughts

Rather than looking at a security incident or breach as a failure, it is an opportunity to look at ways to improve and advance moving forward.

 

In Reddit’s case, lessons learned from five years ago directly resulted in a smoother and less devastating incident. Having set measures in place to respond to a cyber threat, as well as employees that are willing to self-report and capable of realizing they have been caught in a phishing scam, allowed for Reddit to respond quickly and appropriately to the security incident.

 

Finally, they had the foresight to report to their users in a transparent, direct, and informative manner after a thorough investigation had taken place.

 

Are you looking to better understand, manage, and measure your organization’s cyber risk?

We at Neuvik are happy to answer your questions about how to improve your incident response and build cyber resilience with security culture in mind. Contact us here, and let’s talk.