This was how Lastpass was exploited +/- details, lot of write-ups on this.
Devops eng ran a personal unpatched Plex server, threat actor came in via home network/plex, pivoted to personal, devops eng accessed production via the personal.
To your point, this is fairly targeted.
But to your other point, you miss what I’m hammering above - a Series A’s Crown Jewels, if it is selling SOAR (or any other sec tool in this direction), are its clients and their sec infra. 90% of the time, a Series A can get hacked and who cares really. If you’re selling SOAR, you’re hacked to hack clients. JumpCloud, selling identity, was hacked this way last yr.
Threat actors know about the angle I am describing in this thread wrt this. Sec and identity infra has been targeted heavily for the last 24 months, especially to pivot into client companies. If you’re selling SOAR, this is what to plan for.
This is also pretty common across crypto.
All in all, depends on your threat model, and if you’re selling security tools, your clients’ threat model becomes your own, bc threat actors know and exploit this now.