2023 February

GoDaddy's Multiyear Dwell Time: Red Flags and Lessons Learned

graphical user interface
graphical user interface

Recently, cybersecurity experts discovered that GoDaddy, a popular web hosting company, had been hacked in 2019. The attackers were able to access the company's SSH accounts, which allowed them to make changes to their customers' websites. Despite the breach occurring over a year ago, the hackers remained undetected for several months. This is known as dwell time – the period between when an attacker first gains access to a system and when they are detected.

According to reports, the hackers behind this attack were likely part of an advanced persistent threat (APT) group. These groups are known for their ability to remain undetected for long periods of time while gathering sensitive data.

The fact that GoDaddy had such a long dwell time is concerning because it means that the company's security measures failed to detect the breach for an extended period. This raises questions about how effective their security protocols really are.

While GoDaddy has not released details about which parts of their source code were stolen or how much was taken, this breach is still a significant concern. Source code contains the programming instructions that power an application or website. If attackers have access to this code, they could potentially identify vulnerabilities and exploit them for malicious purposes.

This incident serves as a reminder that cybersecurity threats are constantly evolving and that even large companies with extensive security measures in place can fall victim to attacks. It also highlights the importance of timely detection and response to such incidents. Companies should regularly review their security protocols and ensure that they have mechanisms in place to quickly detect and respond to breaches before significant damage can be done.

There are several lessons that can be learned from this incident:

Regular Security Audits Are Essential

The longer an attacker remains undetected on a system, the more damage they can do. This is why regular security audits are so important. Companies should conduct these audits periodically to ensure that there are no vulnerabilities or unauthorized access points present in their systems.

Multi-Factor Authentication Is Crucial

In this case, it seems that the attackers gained access through compromised SSH credentials. If multi-factor authentication had been in place, it would have been much harder for them to gain entry even with stolen credentials.

Timely Detection Is Critical

It took several months before GoDaddy detected the breach. That is far too long for any company to remain vulnerable without realizing it. Detection mechanisms need to be improved so that breaches can be detected as soon as possible.

Incident Response Plans Should Be in Place

No matter how good your security protocols are, there is always a possibility of a breach occurring. This is why having an incident response plan in place is critical. The plan should outline what steps need to be taken if a breach occurs and who will be responsible for those steps.

GoDaddy's multiyear dwell time highlights some red flags regarding their security protocols and serves as a reminder of why regular security audits and multi-factor authentication are essential components of any cybersecurity strategy. Additionally, timely detection and having an incident response plan in place can help mitigate damage caused by breaches when they do occur.


GoDaddy's Multiyear Dwell Time

Red Flags and Lessons Learned

2/28/20212 min read