POST-MORTEM - Security Incident (26/05)

Thank you for the detailed postmortem. It’s good to see that you’ve decided on some mitigations. However, I still have some questions.

  1. You have not defined any mitigations with regards to the root cause. (The infected workstation.) Have you discovered how the workstation got infected? What will happen to the workstation now? And how will you prevent such infections in the future?

  2. Why is a shared password manager used? Individual accounts guarded by 2FA (e.g. YubiKey) are industry standard. This greatly limits the scope of infected machines. I’d recommend getting rid of the shared password manager altogether (at the minimum for SSH keys).

  3. You state that you have rotated keys of the infected nodes. Is this the only action with regards to the compromised nodes? I would recommend completely wiping them, since this is the only way to ensure that they are no longer compromised.


With regards to the ODAO. I think that you understate the significance of the attack. It seems that the attacker was only after some quick ETH, and not after disruption of the protocol, which limited the impact.

However, a more sophisticated attacker could have stealthily infected your network (and your other ODAO nodes). This could have resulted in 30% of the ODAO being compromised, which would bring an attacker dangerously close to a majority, just by attacking one entity.

It seems that you understand this significance. One of the corrective actions stated is: Expand the ODAO. You also state that this action has been Assigned.

However, earlier you state:

"Once the affected ODAO nodes have been replaced, we will consider the incident resolved"

It therefore seems that you do not consider this expansion to be in scope of this incident.

Could you please elaborate on this?

  1. If not in scope, then what priority have you given to expanding the ODAO?

  2. What is the current state of this task?

As you probably know, there is discussion on this subject in this thread.

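The second question above (shared password manager versus individual hardware-backed accounts, at least for SSH keys) is something an operator can check for directly on the nodes. The script below is an added example written for this reply; it is not code from the post-mortem, the project, or the thread. It audits a directory of per-account `authorized_keys` files for two symptoms of a shared credential vault: the same public key authorised under several accounts, and keys that are not FIDO/hardware-backed (OpenSSH's `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` key types are the ones a YubiKey-style authenticator produces). The account names, paths and key blobs are constructed sample data, not real nodes or real keys; the directory layout (`<dir>/<account>/authorized_keys`) is an assumption for the example, so point `list_keys` at wherever your hosts actually keep them.

```shell
#!/bin/sh
# Added example (not from the original thread): audit per-account
# authorized_keys files for keys reused across accounts and for keys that
# are not FIDO/hardware-backed (OpenSSH "sk-*" key types).
# All paths, account names and key blobs below are constructed sample data.

# Populate $1 with a constructed sample tree: three accounts, one of which
# (ops) only carries a key that alice and bob also carry, i.e. a shared key.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/alice" "$dir/bob" "$dir/ops"
    # Placeholder blobs; these are not real keys.
    shared='ssh-ed25519 AAAASHAREDVAULTKEYEXAMPLE0000 ops-shared'
    printf '%s\n' "$shared" > "$dir/alice/authorized_keys"
    printf '%s\n' "$shared" > "$dir/bob/authorized_keys"
    printf '%s\n' "$shared" > "$dir/ops/authorized_keys"
    # alice also has a FIDO-backed key; bob also has a legacy RSA key.
    printf '%s\n' '# alice personal hardware key' \
        'sk-ssh-ed25519@openssh.com AAAAALICEFIDOKEYEXAMPLE0000 alice@yubikey' \
        >> "$dir/alice/authorized_keys"
    printf '%s\n' 'ssh-rsa AAAABOBLEGACYKEYEXAMPLE0000 bob@laptop' \
        >> "$dir/bob/authorized_keys"
}

# Emit one "account keytype keyblob" line per key found under $1/*/authorized_keys.
# Comment and blank lines are skipped. A leading options field (e.g. no-pty)
# is tolerated as long as it contains no spaces; the key type is taken as the
# first field that starts with ssh-, sk- or ecdsa-.
list_keys() {
    dir=$1
    for f in "$dir"/*/authorized_keys; do
        [ -f "$f" ] || continue
        acct=$(basename "$(dirname "$f")")
        awk -v acct="$acct" '
            /^[[:space:]]*(#|$)/ { next }
            {
                for (i = 1; i < NF; i++) {
                    if ($i ~ /^(ssh-|sk-|ecdsa-)/) {
                        print acct, $i, $(i + 1)
                        break
                    }
                }
            }' "$f"
    done
}

# Number of distinct public keys authorised under more than one account.
count_shared_keys() {
    list_keys "$1" | awk '{ n[$3]++ }
        END { c = 0; for (k in n) if (n[k] > 1) c++; print c }'
}

# Number of authorised keys that are not FIDO/hardware-backed (no sk- prefix).
count_non_hardware_keys() {
    list_keys "$1" | awk '$2 !~ /^sk-/ { c++ } END { print c + 0 }'
}

# Human-readable report of both findings.
report() {
    dir=$1
    echo "Keys authorised under more than one account (shared-vault pattern):"
    list_keys "$dir" | awk '{ who[$3] = who[$3] " " $1; n[$3]++ }
        END { for (k in n) if (n[k] > 1) printf "  %s  accounts:%s\n", k, who[k] }'
    echo "Keys not backed by a FIDO authenticator (no sk- prefix):"
    list_keys "$dir" | awk '$2 !~ /^sk-/ { printf "  %-8s %s\n", $1, $2 }'
}

# Stand-alone demo on the constructed sample tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
report "$tmp"
echo "shared keys: $(count_shared_keys "$tmp"); non-hardware keys: $(count_non_hardware_keys "$tmp")"
rm -rf "$tmp"
```

On the sample tree the report flags the one key that alice, bob and ops all share, and lists four keys (the three copies of the shared key plus bob's RSA key) as not hardware-backed; alice's `sk-ssh-ed25519@openssh.com` key is the only one that would survive a policy of "individual accounts, hardware-backed keys only". Run against real nodes, a non-zero shared-key count is the concrete evidence that a vault key is in use and should be retired as part of the rotation.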