Lessons from the Sisense Breach

4–16–2024 (Tuesday)

Hello and welcome to a special “traveling for a conference” edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, April 16, 2024, and I know that last week I gave Ivanti CEO Jeff Abbott a bit of shade for his hotel room video, and here we are in a hotel room, doing a video. Karma remains a thing, folks.

Lessons from Sisense

The big news of the week stems from an attack against Sisense, a company “whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard.”

They do this by using a bunch of integrations, including APIs and other mechanics that use keys, tokens, secrets, and usernames/passwords.

This is an important bit, because it’s come to light that they’ve had an incident (although it’s unclear if they’ve officially or publicly disclosed as much) and even our friends at CISA are warning about the impact.

Here’s why this is a big deal: because Sisense integrates a bunch of platforms together, and needs access to pull data out for integration, a breach of this type could - in theory - allow attackers to take the credentials that Sisense was using and replay them against the integrated systems to gain access that is, as far as the system is concerned, valid.

And these aren’t small customers - they include companies like Verizon, Phillips, Air Canada, and many others.

But what I want to dig in on is the response actions suggested in emails directly to customers from the Sisense CISO, Sangram Dash. They suggest that you should:

– Change Your Password: Change all Sisense-related passwords

– Replace the Secret in the Base Configuration Security section with your GUID/UUID.

– Reset passwords for all users in the Sisense application.

– Logout all users by running GET /api/v1/authentication/logout_all under Admin user.

– If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.

– We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.

– If you utilize OpenID, it’s imperative to rotate the client secret as well.

– Following these adjustments, update the SSO settings in Sisense with the revised values.

– Logout all users by running GET /api/v1/authentication/logout_all under Admin user.

– Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.

– Data Models: Change all usernames and passwords in the database connection string in the data models.

– User Params: If you are using the User Params feature, reset them.

– Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.

– HTTP Authentication for GIT: Rotate the credentials in every GIT project.

– B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.

– Infusion Apps: Rotate the associated keys.

– Web Access Token: Rotate all tokens.

– Custom Email Server: Rotate associated credentials.

– Custom Code: Reset any secrets that appear in custom code Notebooks.

I want to be very clear about this advice: it’s the right advice if you think all of these secrets have been compromised. It’s also a very, very difficult thing to do, technically, and it’s highly likely to create additional operational impact as things are changed. Things will break, or not work, and need additional technical support.

Beyond that, knowing where all these secrets are within the system and your enterprise is no small task, much less rotating them and logging them into whatever tools you use to manage your secrets so that they can be rotated again as needed.

If you use any type of integration platforms or lean heavily on APIs in your business, I would suggest something like this in your next tabletop as a way to really understand the impact.
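One way to keep score during that tabletop, as an added example that is not part of this newsletter or of any Sisense tooling: a small tracker for the secrets still awaiting rotation (or rotated without a session reset) and for integration credentials showing up from an unexpected source, since a replayed credential is valid as far as the target system is concerned. The inventory names, egress addresses, cutoff date and log lines are all constructed placeholders.

```python
# Added example, not from the newsletter or Sisense: tracks two gaps the post
# raises after an integration-platform breach: secrets not yet rotated (or
# rotated without session reset), and integration credentials used from an
# unexpected source. Inventory, addresses and log lines are constructed.
from dataclasses import dataclass
from datetime import date

INCIDENT_DATE = date(2024, 4, 10)  # assumed cutoff: older rotations count as exposed
PLATFORM_EGRESS = frozenset({"203.0.113.10", "203.0.113.11"})  # assumed platform IPs

@dataclass(frozen=True)
class Secret:
    name: str            # where the credential lives (placeholder names)
    last_rotated: date
    session_reset: bool  # were sessions/tokens issued under the old value revoked?

INVENTORY = [
    Secret("sisense.sso.shared_secret", date(2024, 4, 12), True),
    Secret("datamodel.warehouse_password", date(2023, 11, 2), False),
    Secret("git.http_token", date(2024, 4, 11), False),
]

def rotation_gaps(inventory, cutoff=INCIDENT_DATE):
    """Secrets still needing work: rotated before the cutoff, or rotated but
    with old sessions left alive (a rotation without logout is incomplete)."""
    stale = sorted(s.name for s in inventory if s.last_rotated < cutoff)
    live = sorted(s.name for s in inventory
                  if s.last_rotated >= cutoff and not s.session_reset)
    return {"needs_rotation": stale, "needs_session_reset": live}

# Constructed access-log lines from integrated systems: system account source_ip date
LOG_LINES = """\
warehouse svc_integration 203.0.113.10 2024-04-09
warehouse svc_integration 198.51.100.7 2024-04-11
git svc_integration 203.0.113.11 2024-04-12
git alice 198.51.100.7 2024-04-12
"""

def replay_candidates(log_text, integration_accounts, allowed=PLATFORM_EGRESS):
    """Integration-account logins from addresses the platform never uses.
    The credential itself is valid to the target, so context is the only tell."""
    hits = []
    for line in log_text.splitlines():
        system, account, ip, day = line.split()
        if account in integration_accounts and ip not in allowed:
            hits.append((system, account, ip, day))
    return hits
```

Feed it your real inventory and the authentication logs of each integrated system; the rotation list is only done when both lists come back empty.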

Beyond this acute issue from Sisense, however, it’s also been an odd week in terms of attacks on secret managers. We’ve seen breaches reported from Cisco Duo and Delinea’s Thycotic Privileged Access Management product, as well as a thwarted attempt against an employee at LastPass.

Attackers are going hard after secrets and keys that let them move on to the actual systems and data they’re interested in, and we’re playing from our back foot in terms of ensuring this type of data is stored, shared, and rotated safely.

Please take the time to walk through what this space looks like at your organization before you’re having to do it under duress like Sisense customers this week.

Fundraising

Fundraising is back in a big way this week, with a total of nearly $35B in newly committed capital last week, driven by huge fund announcements from Hellman & Friedman (with $22B for their 11th Flagship Buyout fund) and $7.2B from venture capital firm Andreessen Horowitz.

It would seem that the big players are back, and back in a big way. As usual, however, all of that capital needs to get put to work - dry powder doesn’t make anybody any money except for the 2% management fee.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data

https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/

https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/

https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3

https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882

https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee
