TeamViewer's CISO on Thriving After Russian Cyber-Attack

In the summer of 2024, TeamViewer was the victim of a cyber-attack by the Russian APT Midnight Blizzard.

At the helm of the response was Robert Haist, CISO at TeamViewer, and his team of 35 cybersecurity professionals, who quickly tackled the threat actors and used the incident as an opportunity to deploy new security measures.

TeamViewer provides remote support and remote access to computers for mission-critical use cases. Because of the critical nature of its products, the firm's corporate IT and production environments are highly segregated. This meant the attackers were confined to the corporate IT environment during last year's incident and did not reach the product environment.

In a recent conversation with Infosecurity, Haist shared how TeamViewer responded to the cyber-attack, how the software provider embeds cybersecurity in product development and what he sees as the biggest challenges in cybersecurity today.

Infosecurity Magazine: TeamViewer was the victim of a cyber-attack in summer 2024. How did you and your team respond to this cyber incident?

Robert Haist: On a general note, first, the overall handling of incidents has changed a lot. Previously, the training materials for incident response were that if an attacker is in the network and not doing you harm, then leave them be and analyze what they're doing. Find a way to kick them out on one single day, in a concentrated effort, and make sure they didn't leave anything behind.

However, with attackers' increased reliance on fileless techniques, you don't have a lot of forensic artifacts on the endpoint anymore. More advanced attackers and a larger reliance on cloud-based attack vectors have significantly changed the incident response playbooks. The focus now is on interrupting attackers at the earliest point possible and then moving quickly from there to clean up.

You can’t afford to watch them anymore because everything is encrypted. Also, APTs with access to cloud-based resources are able to conduct operations much quicker than they could before.

Fortunately, we were able to mitigate the attack on our corporate network in a very short amount of time.

We then took a full week with our external partners to have a thorough investigation because we wanted to make sure that we’d seen and blocked every single resource.

IM: As CISO, what was your first reaction when discovering evidence of the incident?

RH: Everyone from our security team was online; it was daytime for us, so it was a very immediate response.

We blocked all the access for the attackers and then we quickly interacted with external parties that were able to offer us more information. This led to us working on this incident with the incident response teams from Microsoft.

IM: What are your biggest learnings from this incident?

RH: One thing I want to highlight is that we had been in preparation to go full passwordless for our identities. We planned to do this in Q4 2024 and we already had done some baseline testing.

We were confident it was going to work. But the incident led to us accelerating these plans to enable passwordless on day one of the incident for all of TeamViewer.

I think the biggest learning for me was we anticipated a lot of disruption [with going passwordless], so we used the time of disruption of the incident to say ‘hey now is the time’.

We pushed a lot of roadmap items that we had planned for Q4 to a single day and enabled everything.

We were positively surprised how little disruption and negative impact that actually had. Going passwordless for us was the single best security measure I have done, not only at my time at TeamViewer but any company I’ve been working with.

I think the FIDO standard is the single best authentication standard we have in the industry. It has better user experience than a password, so it’s not only safer but it’s also better for the user.

This, for me, is the combination that really drives that option and for us, now, identities are safer.

For the first time we were able to get a tool that enabled us to be phishing resistant. This allows me to mitigate one of the biggest entry vectors we see today.

IM: As a software supplier, how has TeamViewer adapted security in the light of rising software supply chain attacks?

RH: Our customers use our software for mission-critical activities, so I am fortunate enough to talk to a lot of our customers, especially when they want to talk about security. I see what they do with our product.

The board and I are aware of the criticality of our product in some of the use cases of our customers.

With that being said, we need to make sure that we have a separate product environment from our day-to-day corporate environment. We also need to ensure we only allow a very limited number of people to access the back end of our products.

We need to make sure that even if an attack on us as a company is successful, this does not directly impact what our customers use.

If you look at supply chain attacks where the attackers were able to move towards product-related environments, those two components were always connected in some way. For example, the customer portal or something similar.

That is why we try to air gap as much as possible between the two environments.

IM: How does cybersecurity work with product developers to ensure that the TeamViewer tools are secure?

RH: We have ‘security advocates’, volunteers from each feature team in the R&D department.

They get training from the security team and they are our leaders in the feature splits. So, if something happens in a current sprint that is security related, they have the task of being the cornerstone in their team for every security topic.

They make sure that they get the proper consulting from the security engineering team on topics around authentication to cryptography and so on.

Also, if we discover security vulnerabilities in our product, they are responsible for ensuring that the mitigations that we put in place across the teams are quality controlled.

This is actually working really well, because we need to scale our mitigations effectively. We cannot look at every sprint or every feature that is being developed. So, we need to have people in those teams who know those daily tasks.

IM: How do you balance cybersecurity and product innovation?

RH: This is a point of constant discussion.

Most of our developers have been with TeamViewer for a very long time so they also know what our customers do with the software. This means it is easy to explain to them that ‘hey we have a responsibility here’ and that means they prioritize security.

I want to sleep at night, so for me it’s important to see that cybersecurity is a shared responsibility in the company. It’s not only the security team, but everyone up to the management board is behind the security strategy.

IM: What is your biggest concern within cybersecurity today?

RH: For me and a lot of CISOs around the globe, I think our biggest challenge at the moment is regulation.

With the geopolitical tensions around the globe, we are seeing a lot of national policies that are tightening cybersecurity regulations. For example, in the EU we have NIS2 and we have transatlantic treaties regarding cybersecurity and AI.

Finding a security program that addresses compliance with all those policies as a software producer on the national and the EU level is probably the biggest topic for this year.

IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?

RH: I think overall, on an international level, we have really good collaboration. There are a lot of good communities and a lot of helping hands left and right.

We experienced this during our incident. There was so much positive outreach from the cybersecurity community. I was really grateful for that.

IM: If you could give one piece of advice to fellow CISOs/cybersecurity practitioners, what would it be?

RH: Don't forget the basics. I know there are a lot of sexy hype topics just around the corner, but if you want to really improve your security program, it's usually the basics that get you 80% of the way. That's patch management and all of the other things that will not win you a medal, but will make your network safer.

The other thing is, sometimes it's okay to go fast.

Especially talking to people in larger organizations, they have a lot of big change management processes. I get that's how it is, but sometimes you spend a lot of time looking at all the corner cases of a change. The same time invested in doing the basics could get you to a safe level sooner, so it's always a balance.

Image credit: Dennis Diatel / Shutterstock.com