Update on Ubiquiti Data Breach: Insider Threat


It is no secret that data breaches have become a ubiquitous problem, and some would even say commonplace. In fact, before the year’s end, in October 2021, North American enterprise organizations surpassed 2020’s record for the number of breaches, totaling 1,291. Forbes notes that 74% of data breaches can be linked back to over-privileged Identities. So it is no wonder that, in a world of rapid digital transformation and nonstop growth leveraging the cloud, it is very easy to allow more rather than less access to data, cloud resources, and company tools. Who wants to slow down progress with roadblocks thwarting access? But who wants a data breach caused by an insider threat?

If your answer was ‘not me’, you may want to reconsider. About 22% of security incidents are thought to involve an insider threat. That is, whether through intent or simple human negligence, someone inside the company has leveraged a security weakness to their own ends.

What Happened? Data Breach Insider Threat?

An attention-grabbing storyline has been followed in the press for over a year now, with a recent update offering a plot twist to an already interesting series of events: the Ubiquiti breach. Back in December 2020, Ubiquiti teams started noticing anomalous activity in their environment and began investigating, with Nikolas Sharp, the then ‘cloud lead’, joining the effort. Fast forward a year, and we have learned that Nikolas Sharp allegedly exploited his privileged access to steal a large amount of confidential company data and then posed as an external criminal demanding a ransom of 2 million US dollars. When the threat was brought to the company’s attention, Sharp played along in the incident response process.

This story raised several security concerns relevant to any organization operating in the cloud and highlighted the lack of visibility and controls needed to manage risks with respect to sensitive data and Identity access policies (or the lack thereof). Simply put, organizations need continuous insight into the Identities that can access their data, which ones are actually accessing the data, and what they are doing with it. This insight allows an organization to implement the security programs needed to leave no room for privilege exploitation. A best practice to follow is driving your cloud environment to enforce the Principle of Least Privilege. This principle entails that identities (person or non-person) have the absolute minimum permissions they need to complete their job, and that they hold those permissions only as long as the task requires. A critical point is not just reaching least privilege, but remaining there through continuous audit and quick remediation when deviation is detected.

In the case of Ubiquiti, Nikolas Sharp was the cloud lead. This role implies that there were likely several sensitive privileges and highly privileged Identities Sharp needed to perform his job. It is obvious that a developer working on a specific one-off project should not have the ability to access customer data, for example (though you’d be surprised how often this does happen). However, someone trusted on the inside, like Sharp, may by exception have access to sensitive data… and if that was the case, it needed to be flagged immediately! The point is, this Ubiquiti case may not have been strictly a problem of over-permission. Instead, it raises the question of better Identity design and continuous monitoring to manage the risk of those necessary permissions.

Those responsible for security in the cloud need the tools and visibility to monitor cloud activity continuously, on a 24/7 basis. Solutions need to be put in place that first define the baseline of what a secure cloud looks like and then trigger alerts when drift from that security baseline is detected. The Ubiquiti case takes things a step further, because we can assume that Sharp, as ‘cloud lead’, perhaps had a legitimate business need to access that sensitive data. This raises the concept of context. When it comes to data, context is key.

Solutions need to be in place to answer the following: ‘who can access this data, and who is accessing it?’, ‘how are they accessing it, and from where?’, ‘when was the last time they accessed it?’, ‘is this consistent activity, or irregular?’, ‘is there a pattern to this access?’ As this information is gathered, a baseline is formed from which to understand what is really going on.

The Solution

Ubiquiti is not unique. This could happen to any organization; in fact, it has happened many times over the past few years, and it can be addressed with the following solutions.

Cloud Infrastructure Entitlement Management (CIEM)

CIEM, Cloud Infrastructure Entitlement Management, is a relatively new sector of cloud security, but one proving to be extremely useful in its ability to inventory all your identities and map their end-to-end, or effective, permissions. Taking things a step further, an especially mature CIEM solution can graph these permission chains for easy visualization. Once the scope of your effective permissions is understood, a mature CIEM solution can assess and prioritize any Identity access risks it detects. This then allows you to work towards and achieve the Principle of Least Privilege. When your cloud has reached a state of least privilege, you can lock in that state as the baseline. With this baseline, your CIEM solution can continuously monitor against it to detect anomalous behavior.

Where would this have helped Ubiquiti? Continuous monitoring of a cloud that had achieved a state of least privilege.

With a mature CIEM solution in place, Ubiquiti would have had an inventory of every identity and what it could access. In this case, Sharp’s over-privileged access, whether direct or indirect, would have been identified as a risk. With a CIEM solution and a baseline in place, the tool would have alerted that an identity associated with Sharp was accessing Ubiquiti’s data in ways that deviated from the baseline. Even more compelling, it would ideally have alerted while the data was being accessed and then stolen. It would have provided the full picture of what happened, when it happened, and even how it happened.

Cloud Data Loss Prevention (CDLP)

You need to be able to answer where all your data lies at any given moment. Not where it is supposed to be, not where you think it is, but where it genuinely exists. If you can’t currently do this, you’re not the only one. Answering this question is a critical first step in protecting your most valuable asset.

The second step in protecting your most critical asset is data classification. This means defining what your data is and which information is most essential to business operations. If you know what all your data is and its purpose, you can prioritize your security program to focus on and protect the most sensitive information. What would truly damage your company if it were compromised? Start there. Third, you must understand which Identities can access your data. We tend to think about this “who” in the context of people Identities, but most often the majority of the risk comes from your non-people Identities. These far outnumber your people Identities and are very often unknown to employees. Organizations spend so much time doing things the old way, tracking their people Identities as they have done for decades, that they have a massive and unknown risk in their cloud just waiting to be taken advantage of.

In the case of Ubiquiti, with a CDLP solution in place, the organization could have discovered which identities had access to their sensitive data (noting the ones that shouldn’t), what those Identities could do with that access, and corrected any issue before data was stolen. Secondly, the organization could have validated whether these identities were even using this privilege. If they weren’t, as in the case of Sharp, whose effective permissions had never previously been used to access this resource, the organization could have taken away those privileges. This would leave a company with only the Identities that should and actually do access the data, and provide a baseline of behavior against which deviations can be recognized.
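As an added illustration (not code from Sonrai or from the original post) of the baseline-and-deviation checks described under CIEM and CDLP above, the following Python builds a baseline from constructed access records, lists entitlements that were granted but never exercised (least-privilege removal candidates), and flags new activity that departs from the baseline. All identities, resources and addresses are assumed sample values.

```python
from collections import defaultdict
# Constructed sample data (assumed, not Ubiquiti's real environment):
# effective permissions as a CIEM inventory would derive them: identity -> readable resources.
ENTITLEMENTS = {
    "cloud-lead": {"customer-db", "source-archive", "backup-bucket"},
    "analyst": {"customer-db"},
}
# Access records (identity, resource, source_ip, objects_read): observed history, then new activity.
BASELINE_LOG = [
    ("cloud-lead", "source-archive", "10.0.1.5", 3),
    ("analyst", "customer-db", "10.0.3.7", 5),
]
NEW_LOG = [
    ("cloud-lead", "source-archive", "10.0.1.5", 2),    # matches baseline
    ("cloud-lead", "customer-db", "203.0.113.4", 900),  # new resource, new source, bulk read
    ("analyst", "customer-db", "10.0.3.7", 4),          # matches baseline
]

def build_baseline(log):
    """Per identity: resources touched, source addresses seen, largest single read."""
    base = defaultdict(lambda: {"resources": set(), "sources": set(), "max_read": 0})
    for ident, res, ip, n in log:
        b = base[ident]
        b["resources"].add(res)
        b["sources"].add(ip)
        b["max_read"] = max(b["max_read"], n)
    return dict(base)

def unused_entitlements(entitlements, baseline):
    """Granted but never exercised access: least-privilege removal candidates."""
    unused = {}
    for ident, granted in entitlements.items():
        used = baseline.get(ident, {}).get("resources", set())
        if granted - used:
            unused[ident] = sorted(granted - used)
    return unused

def detect_deviations(baseline, log, burst_factor=10):
    """Flag reads outside the identity's baseline as (identity, resource, reasons)."""
    findings = []
    for ident, res, ip, n in log:
        b = baseline.get(ident) or {"resources": set(), "sources": set(), "max_read": 0}
        reasons = []
        if res not in b["resources"]:
            reasons.append("first access to resource")
        if ip not in b["sources"]:
            reasons.append("new source address")
        if n > burst_factor * b["max_read"]:
            reasons.append("read volume far above baseline")
        if reasons:
            findings.append((ident, res, reasons))
    return findings
```

With this data, the cloud lead's unused entitlements to `customer-db` and `backup-bucket` surface as removal candidates before any incident, and the later bulk read of `customer-db` from an unfamiliar address is flagged on all three criteria.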

Intelligent Workflows and Automation

The addition of automation to security solutions has elevated the speed and efficiency with which we detect and thwart potential risks. Governance automation tools exist today to discover the wide array of potential problems and then route them efficiently to the necessary teams. Discovery alone isn’t enough: automation means automatically identifying, classifying and prioritizing potential threats, and then providing remediation.

How would this have helped in the case of Ubiquiti? In two areas: intelligent workflows and automated remediation. When concerning behavior is detected, like an identity accessing new data and presenting a suspicious pattern of access, that information can be presented swiftly to the specific teams responsible for fixing the issue. Suppose the ticket is created and sent over to the team on a Friday evening; we wouldn’t want to wait until Monday morning to remediate the issue. This is where automation shines. Automated remediation would allow the issue to be addressed immediately, whether that means stripping the access policy or suspending the account.

Automation allows for enormous scalability. With the modern business being built on the speed and scalability of the cloud, security risks need to be managed at the same rate that the business demands. If you are leading a security program and not tackling your risk this way, you are doing it wrong. If you continue to look to old ways of solving modern security risks in the cloud, you will quickly find yourself looking for a new job … or worse, being obsolete.

There is no need to point fingers or harp on what should have been done in previous incidents involving an insider threat data breach, but we can certainly study incidents to better prepare ourselves against future risks. It is critical to have full and continual awareness of the Identities within your cloud environment, what they have permission to do, and what they are doing with it. Whether it is a malicious actor within the company exploiting their privileged credentials or a low-privilege identity that has been compromised and has unknown access to extremely sensitive data, the damage is the same. Put controls in place that err on the side of caution, and while you’re at it, consider looking into a mature solution that offers CIEM, CDLP and intelligent workflow and automation capabilities; it might just save your organization’s name from popping up in our next blog.

If you’d like to learn more about Sonrai solutions or are interested in evaluating one for your organization, feel free to contact us at Sonrai Security.