Introduction
On May 1st, Dropbox disclosed to the public that they had suffered a cybersecurity breach. This disclosure followed an SEC 8-K report submitted on April 29th, which reported a material cybersecurity incident. According to the report, on April 24th, Dropbox Sign experienced a breach perpetrated by an unknown threat actor. This breach compromised sensitive customer data, including names, email addresses, phone numbers, hashed passwords, authentication information, and additional sensitive user data. The SEC filing on page four states:
'Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.'
What is Dropbox Sign and Why Does it Matter?
Dropbox Sign enables electronic agreements and document signings across a variety of sectors, similar to tools like DocuSign and Adobe Sign. Given its purpose, Dropbox Sign is a lucrative target for threat actors, as it stores sensitive information such as personal documents and commercial contracts. Although Dropbox Sign is configured to work seamlessly with many platforms and third-party services widely adopted in enterprise environments, including Office 365, Slack, HubSpot, Salesforce, and more, this extensive integration, while enhancing functionality, also increases the risk of supply chain attacks. This could allow attackers to access data from other services linked to Dropbox Sign in case it gets compromised, which fortunately did not occur in this incident.
The Role of NHIs in the Breach
As detailed in the SEC filing, NHIs played a critical role in this breach. The breach was executed by compromising a service account—a type of NHI that performs automated tasks across Dropbox Sign’s systems. It's not surprising that an NHI was the exploited resource, as service accounts, along with secrets, tokens, and API keys, often grant access to sensitive data in backend environments, far removed from user interaction. The lack of multifactor authentication (MFA) or conditional access policies for such identities, since they operate programmatically and need seamless functionality, makes them particularly vulnerable and necessitates diligent security measures.
Remediation actions taken by Dropbox included:
Resetting user passwords and expiring all active sessions.
Urging all customers to rotate API keys and OAuth tokens, especially those used in conjunction with third-party services.
Enhancing Preparedness and Response for NHI-Related Security Incidents
To better prepare for and respond to attacks involving NHIs, organizations need to adopt a comprehensive approach:
Mapping out all NHIs within their ecosystem and understanding the specific contexts in which they operate. This mapping should include detailed insights into how each NHI is used, which can aid in identifying and proactively protecting against potential risks and configuration errors.
Implementing robust security measures specifically designed for NHIs, including Applying strict access controls, such as the principle of Least Privilege, performing regular security audits and revoking any unused NHIs, and ensuring that all NHIs are configured correctly to minimize vulnerabilities.
Additionally, maintaining metrics on the usage patterns of all NHIs can play a critical role in early anomaly detection. By monitoring these metrics, organizations can quickly identify unusual behavior that may indicate a security breach, significantly enhancing the speed and effectiveness of their response. This proactive stance not only bolsters security but also reinforces the organization's resilience against complex cyber threats.
Conclusion
The Dropbox Sign security incident serves as a stark reminder of the vulnerabilities associated with Non-Human Identities and the necessity of implementing robust security measures to protect them. As digital environments become increasingly complex, the management of NHIs should be a paramount concern for organizations striving to safeguard their critical data assets.