Don’t Be Another Bad Cyberattack Sequel | Clorox Breach In Review

Clorox Breach: A Familiar Cyberattack Story

When it comes to cyberattacks, how many success stories have we heard in recent years? Do you remember a single, positive story, like “yeah, they tried to attack us, but we stopped them” or “yeah, they got in, but we were only impacted for 10 minutes”.

They all play out like bad sequels with the same story line and plot in every, single time. See if this sounds familiar: bad guy infiltrates and gains power. He uses his new found power to wreak havoc, gain more power and take what he wants. Then he holds the victim’s most valued possessions hostage. The victim, turned defiant hero, attempts retaliation!

There’s one big difference between those bad Hollywood sequels and reality: in the movie, usually the victim, though badly beat up, prevails. Unfortunately, real life rarely turns out that way and the tragic end to these attacks include weeks or months of devastating, costly outage, and not just to the company, but to other companies and finally, individuals.

The Latest Bad Sequel: Clorox

Well…here we go again, another bad sequel as another industry giant was the target of a cyberattack. The Clorox Company, a U.S. manufacturer of household products, now joins the ranks of a rapidly growing community of organizations feeling the total impact that extends well beyond just revenue lost from an attack.

Same Old Timeline

Clorox first detected the breach on August 14, 2023. In an attempt to isolate the breach, IT severed communication immediately to, and from, impacted systems, which unfortunately brought down large portions of Clorox’s manufacturing systems.

The short version of the ‘total time impact’ story is this: the breach continued to spread, more systems had to be isolated, and then recovery and rebuild had to start. Clorox did not regain normal, full operations for 47 day, that’s 6 weeks and 5 days! They reported full operational status on September 29, 2023. 

Same Old Cost

The reported cost associated with the downtime and then recovery efforts changed rapidly from August 2023 to now, and is still changing. The ‘total cost impact’ from these events is challenging to finalize because it’s not just a moment-in-time, finite impact to the revenue. It’s a ripple effect that continues for months, sometimes years.

For Clorox, a publicly traded company, the impact is in the triple-digit millions and they expect to continue to feel the effects throughout 2024. So, why? What constitutes that loss calculation? Here is a quick list of impacts, but by no means exhaustive:

  • Revenue and labor expenses from lost operations during the 47 day outage
  • Fines
  • Consulting fees (3rd party groups to clean and investigate)
  • System, software, and data replacement
  • Felt an overall 2023 revenue drop of approximately $500 million
  • Reported a 20% decline in net sales, $356 million, for first-quarter 2024 earnings
  • Company’s valuation dropped by $3 billion
  • Executed large reductions in force, which decreases their operability and production (this is largely why the expected impact continues into 2024)
  • Potential of their cyber insurance cost exponentially increasing or being revoked

The Same Old Actor Vector

So, how did Clorox get breached? The same way nearly every other company has been breached: some method of social engineering. Hackers don’t really try to break through firewalls and security boundaries, that’s just for Hollywood. They work smarter, not harder. They know where the weakest link is in any company and that’s people! Phishing remains the number one social engineering tactic used by bad actors. And, the reason it’s still effective? They have better and better technology at their disposal to make those phishing attempts seem real to people! AI has really enhanced their capabilities around this.

The short of it is, the hacking group that attacked Clorox used social engineering. They were able to compromise an account with privilege and once they have that, there’s no stopping them. But, what does that mean “an account with privilege?” For the Clorox event, full details have yet to be disclosed. History tells us this means an Active Directory account. It is the primary target because 90+% of organizations (especially legacy, large enterprises) leverage Active Directory as the central place that knows everyone and everything and how it is allowed to access and interact with the company’s operations.

When it comes to rating the most important technology components in any organization, Active Directory is only 2nd to the network. The network is first, because without a path for all those data bits to travel, nothing can happen. But, beyond that, nearly every resource, employee, vendor, contractor, supplier, supplier systems, application, database, customer, etc., authenticates via Active Directory to gain access to what they need to perform a function for the organization. Even in the wake of cloud, Active Directory is still the commander in chief as most users and groups reside in Active Directory and are synchronized to cloud resources.

So, Why All the Bad Sequels?

Ok, enough of the bad stuff. Clorox isn’t the first company to run through this same script and unfortunately won’t be the last. Why is that? We’re betting the C-suite and CISO thought they were covered with whatever security and recovery technologies they had in place, but it took 47 days for them to recover. They operated manually for 47 days. It’s the same story every time.

Another safe bet is that all the other impacted organizations in recent years thought they were protected and covered too. It’s doubtful that any of them thought it would take weeks to regain the ability to conduct business. The way we’ve all been taught to secure and plan disaster recovery isn’t working. Just like the bad actors, we need to abandon old concepts and adopt new ones.

Cayosoft's Modern Approach to Managing and Securing Microsoft Platforms

Don’t become another bad sequel, rewrite your script with Cayosoft’s modern, built-for-hybrid, technologies! Cayosoft is natively built to seamlessly manage, monitor, and recover in hybrid Active Directory and Azure AD (Entra ID) environments.

Cayosoft easily implements a true, least privilege, granular delegation model so that native privilege can be eliminated, providing admin users just what they need for their role. Removing native privilege in AD and Azure AD/Entra ID eliminates at least 85% of the surface attack area, especially eliminating the danger of social engineering. If there are no accounts to compromise, there’s no threat.

Cayosoft also offers threat detection and analysis specifically for Active Directory and Azure AD/Entra ID. Cayosoft’s approach and development for threat detection is unique and maintains itself with little effort from your IT organization. More importantly, you do not need to be security experts. The product is a security expert, that updates itself, in a box.

Cayosoft’s real-time seamless auditing and change monitoring of AD and Azure AD/Entra ID provide a powerful and immediate view into the happenings of your hybrid environment. Automated rollback or object protection can be used to prevent harmful changes, including ones we know bad actors take advantage of.

Finally, Cayosoft has reinvented Active Directory forest recovery with a patent-pending methodology and modern technology that leverages the power and availability of the cloud. Cayosoft’s technology will reestablish a healthy, working, exact replica of your forest within minutes.

Ready for a Modern Way to Manage and Secure Your Microsoft Environments?

Schedule a personalized demo to see how Cayosoft secures and simplifies your Active Directory management, monitoring, and recovery.

Check out these relevant resources.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.