Microsoft and identity-as-a-service (IDaaS) provider Okta have each confirmed they were breached by the Lapsus$ hacking group. The two incidents highlight the importance of monitoring third-party and privileged identity access, and of forensic analytics, security analysts noted.

Microsoft recently released a blog post that looked more closely at the Lapsus$ group and its activities, tactics, and tools.

According to Microsoft, the group paid employees of targeted companies, or of their suppliers and partners, for access, and then joined the victims' incident response calls and internal discussions to learn their state of mind, their response plan, and how much they knew about the intrusion.

It “changes the threat landscape when you have bad actors not only get to your computer infrastructure, IT infrastructure, but also join calls, get on conversations,” Andras Cser, VP and principal analyst at Forrester Research, told SDxCentral. It “highlights that you have to really understand who's joining your conferences, especially if it's a larger conference.”

Cser recommended authenticating the participants of internal calls, managing user access, and monitoring both continuously.

Additionally, access to privileged credentials (such as administrator and database administrator accounts) should be controlled through a privileged identity management service, Forrester analysts wrote in a blog post. They also suggested using machine-learning-based privileged threat analytics and applying zero-trust principles to access to key systems.

Third-Party Monitoring Is the Key

Another lesson from these incidents is to implement continuous third-party monitoring that collects and analyzes logs from third-party systems, Forrester analysts pointed out.

Before Okta acknowledged it had detected an attempt to compromise a partner account, the Lapsus$ group posted screenshots and other data showing it had access to a computer used by one of Okta's third-party customer support engineers.

Organizations should continually monitor their partners and contractors, understand how each third party secures its systems, and apply the same security principles to them as to their own employees, Cser said.

They should also set up a planned and audited timeline for their own and third-party forensic investigations to avoid disclosure delays, Forrester analysts noted, adding that the Okta breach was disclosed two months after the initial discovery.

Okta is one of the largest IDaaS providers, with more than 15,000 customers globally, according to Forrester. The Lapsus$ hack was not the first attack on an IDaaS provider, “and it won’t be the last,” the analysts wrote. “This incident further demonstrates the growing cyber risks within the software supply chain.”