Safeguarding Secrets: Addressing Security Issues in Sisense

Sisense, a major player in business intelligence and data analytics, recently suffered a significant cybersecurity breach. This incident highlights the critical importance of implementing robust data protection and DevSecOps security measures in both their cloud and application environments. The breach originated from the self-managed GitLab repository, allowing attackers to gain access to Sisense's AWS account using hard-coded tokens. As a result, sensitive client data was stolen from their Amazon S3 bucket. This event emphasizes the need for businesses to continually enhance their cybersecurity defenses, particularly in cloud-based and application-based infrastructures, by embracing secure configurations and DevSecOps practices.

‍

Understanding the Attack: Root Cause Analysis

Fig-1: Root Cause Analysis for the Sisense Incident

Based on the information available, the following is a likely root cause analysis of the Sisense security breach:

1. Insecure GitLab Deployment: 

Sisense used a self-managed version of GitLab, which may not have the same security features as GitLab’s cloud-hosted solution. This raised Sisense's security burden in properly configuring and maintaining their GitLab installation.

2. Compromised GitLab and Exposed Credentials:

Attackers gained access to Sisense's GitLab repository

The breach occurred due to an unprotected hard-coded token in Sisense's GitLab repository, indicating inadequate access control and storage of sensitive credentials.

3. Unauthorized Storage Access and Data Exfiltration:

The attackers used the token to access the S3 bucket and stole terabytes of client data, including access tokens, passwords, and SSL certificates. It's unclear whether Sisense was encrypting data at rest in their Amazon S3 buckets, which could have made it harder for attackers to exploit the stolen information.

‍

How does Unosecur help in detecting data exfiltration?

Unosecur's Identity Threat Detection and Response (ITDR) plays a crucial role in identifying and mitigating AWS exfiltration activities by leveraging AWS CloudTrail events. Although it will not detect the initial use of compromised access keys or tokens, it can identify suspicious activities that often occur after such compromises.

‍

Detecting AWS Exfiltration with Unosecur

Monitoring Suspicious Activities:

• s3.ListBuckets: Flags unexpected bucket listings.
• s3.GetObject: Alerts on unusual or bulk downloads.
• s3.HeadObject: Detects repeated metadata checks.
• s3.GetObjectAcl: Identifies ACL access for reconnaissance.

Behavioral Anomalies: Analyzes user behavior to spot deviations, such as accessing many objects or unusual activity times.

Contextual Alerts: Correlates actions (e.g., s3.ListBuckets followed by multiple s3.GetObject requests) to generate alerts.

Real-time Notifications: Provides immediate alerts for suspicious activities, enabling rapid investigation and response.

Detailed Audit Logs: Maintains comprehensive logs for post-incident analysis, offering insights into attacker activities and breach impact.

‍

Conclusion

The recent security breach at Sisense highlights the urgent need for robust cybersecurity measures. Organizations must implement strong access controls, regularly audit security configurations, securely manage credentials, encrypt data both at rest and transit, conduct vendor security assessments, and provide comprehensive security training to employees to safeguard the company against this kind of attack.

Unosecur's ITDR system detects AWS exfiltration attempts at an early stage, monitors suspicious activities, analyzes user behavior, and provides real-time notifications for rapid response. Detailed audit logs support post-incident analysis to determine the extent and consequences of the breach and to stop the attack before it starts.