Rogue Staff Account
Compromised Staff Account
Threat Description
Work with trusted individuals and build the Discord server to depend on trust as little as possible. Discord servers are compromised, not hacked, in one of two ways:
The staff account was compromised externally through social engineering or phishing
The staff member decided to attack and compromised the Discord server internally for personal gain
The entire guideline, specifically Role Hierarchy and Channels & Permissions, is built with external compromises in mind, and we limit or outright remove human access to the Owner and Administrator permissions to reduce internal compromises.
Preventing External Threats
Users can spend thousands of hours learning every way a new login-token phishing scam works, or they can KISS (Keep It Simple, Stupid) and remember the common attack vectors: DMs, and links sent through Discord and outside of it.
The Server Owner is offline/inactive and Administrator permissions are limited to only a few trusted individuals, reducing the chance of an attack from them to internal threats. If an Administrator is compromised, the server is compromised and they are done.
This leaves everyone else, without high-risk permissions, open and vulnerable to attacks. The good news is that the server should be built assuming those users are compromised, so that their compromise poses no risk to the server.
If the server isn't designed to be safe from full compromise when Staff and Moderators are compromised, then get back to work and build it correctly. Review and understand Cold and Warm accounts, and Role Hierarchy.
This is why we have Role Hierarchy and why these users have only the permissions they need for their job, while access to High-Threat Channels & Permissions is limited. The same applies to bots: few bots can be trusted in a position to do harm to the server, and even then, this is why high-profile servers should have custom bots (reducing the attack vector to internal, trusted users only).
All staff conversations should be in WhatsApp or something encrypted/trusted outside of Discord, with any information or links to it deleted from Discord/DMs, so that if a staff member's account is compromised, private information isn't.
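The Role Hierarchy rule above (each staff role holds only the permissions its job needs, with the high-threat permissions reserved for the accountable Administrator tier) can be checked mechanically against a server's role list. The script below is an added example, not code from this guideline or from Discord; it works on role objects shaped like the Discord API's role response (the `permissions` field is a decimal string bitfield, positions order the hierarchy), uses the permission bit values from Discord's public API documentation, and the roles, role names and the choice of which permissions count as high-threat are constructed assumptions for the example.

```python
# Added example (not from the guide): audit a Discord server's role list for
# high-threat permissions held below the Administrator tier, in the spirit of
# the Role Hierarchy rule "only the perms they need". Operates on role objects
# shaped like the Discord API's GET /guilds/{id}/roles response ("permissions"
# is a decimal string bitfield); the sample roles below are constructed.

# Discord permission bit flags (from the public API documentation).
CREATE_INSTANT_INVITE = 1 << 0
KICK_MEMBERS = 1 << 1
BAN_MEMBERS = 1 << 2
ADMINISTRATOR = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD = 1 << 5
MANAGE_MESSAGES = 1 << 13
MENTION_EVERYONE = 1 << 17
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# Permissions that let a single compromised account do server-wide damage.
# The guide does not enumerate its "High-Threat" set; this selection is an assumption.
HIGH_THREAT = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
    "BAN_MEMBERS": BAN_MEMBERS,
    "KICK_MEMBERS": KICK_MEMBERS,
    "MENTION_EVERYONE": MENTION_EVERYONE,
}


def held_high_threat(permissions):
    """Return the sorted names of high-threat permissions present in a bitfield."""
    bits = int(permissions)
    if bits & ADMINISTRATOR:
        # Administrator implies every other permission, so report them all.
        return sorted(HIGH_THREAT)
    return sorted(name for name, bit in HIGH_THREAT.items() if bits & bit)


def audit_roles(roles, allowed):
    """Flag every role holding a high-threat permission it is not allowed to.

    `allowed` maps role name -> set of permission names that role may hold;
    the Administrator tier is expected to appear there explicitly, so that
    any other role holding such a permission is a finding.
    Returns a list of (role name, [unexpected permission names]), highest
    role first.
    """
    findings = []
    for role in sorted(roles, key=lambda r: r["position"], reverse=True):
        held = held_high_threat(role["permissions"])
        unexpected = [p for p in held if p not in allowed.get(role["name"], set())]
        if unexpected:
            findings.append((role["name"], unexpected))
    return findings


# Constructed sample: a Moderator role that quietly picked up Manage Roles
# and Manage Webhooks (enough for a phished moderator's account to escalate
# or plant webhooks), and an @everyone role that can mention everyone.
SAMPLE_ROLES = [
    {"id": "1", "name": "@everyone", "position": 0,
     "permissions": str(CREATE_INSTANT_INVITE | MENTION_EVERYONE)},
    {"id": "2", "name": "Moderator", "position": 2,
     "permissions": str(KICK_MEMBERS | MANAGE_MESSAGES | MANAGE_ROLES | MANAGE_WEBHOOKS)},
    {"id": "3", "name": "Admin", "position": 5, "permissions": str(ADMINISTRATOR)},
]

# What each role is allowed to hold (constructed policy for the example).
ALLOWED = {
    "Admin": set(HIGH_THREAT),        # the trusted, accountable tier
    "Moderator": {"KICK_MEMBERS"},    # the job needs kicks, nothing more
}

if __name__ == "__main__":
    for name, perms in audit_roles(SAMPLE_ROLES, ALLOWED):
        print(f"{name}: unexpected high-threat permissions {perms}")
```

Run it periodically (or after any role change in the audit log) and treat every finding as a permission to remove, not to document: a role that does not need a high-threat permission should not be able to use it even if its current holders are trusted, because the guideline assumes those accounts will eventually be phished.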
Preventing Internal Threats
Keep staff happy and accountable. Limit attack points by assuming an internal threat for Administrator positions. Administrators understand this: their livelihood is at risk if they are compromised. I would personally NEVER hire/rehire a compromised Administrator.
Response to Active Threat
Use Administrators to remove the compromised account; in an emergency, or if the server is poorly designed or flawed, use the Server Owner to remove the threat and lock down the server completely.
Once the server is locked down, remind all staff members to change their passwords and consider changing the emails associated with their accounts and reviewing their security practices. If locking down the server, reduce visibility to a single read-only channel alerting the server to the issue, broadcast on socials and take accountability, and take time before reopening. Use YAGPDB, Dyno, or Wick to ensure NOTHING can be posted while reviewing the Audit and Server Logs.
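The lockdown and review steps above (one read-only channel visible, nothing postable anywhere, then a pass over the audit log) can be prepared as data before anyone touches the server, so the response is the same whether it is carried out by a bot or by hand. The script below is an added example, not code from this guideline or from any of the bots it names; it computes the @everyone permission overwrite for each channel and counts destructive audit-log actions per actor. The permission bits and audit-log action-type values are from Discord's public API documentation; the channel list, role id, audit-log entries and the flagging threshold are constructed assumptions, and the `channel_id` key on each overwrite is this example's own bookkeeping, not part of the API's overwrite object. Applying the overwrites through the API or a bot is left to the operator.

```python
# Added example (not from the guide): plan a server lockdown and triage the
# audit log during an active compromise. The lockdown computes, for each
# channel, the @everyone permission overwrite that leaves exactly one
# read-only announcement channel visible; the triage counts destructive
# audit-log actions per actor so the responder sees who did what first.
# Data shapes follow the Discord API (channel and audit-log-entry objects);
# all sample data below is constructed.
from collections import Counter, defaultdict

# Discord permission bits (public API documentation).
CREATE_INSTANT_INVITE = 1 << 0
ADD_REACTIONS = 1 << 6
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
CONNECT = 1 << 20

# Audit-log action types (public API documentation).
CHANNEL_DELETE = 12
MEMBER_KICK = 20
MEMBER_PRUNE = 21
MEMBER_BAN_ADD = 22
MEMBER_ROLE_UPDATE = 25
ROLE_UPDATE = 31
ROLE_DELETE = 32
WEBHOOK_CREATE = 50
# Actions a compromised staff account would use to do damage (assumed set).
DESTRUCTIVE = {CHANNEL_DELETE, MEMBER_KICK, MEMBER_PRUNE, MEMBER_BAN_ADD,
               MEMBER_ROLE_UPDATE, ROLE_UPDATE, ROLE_DELETE, WEBHOOK_CREATE}

# Everything @everyone loses during lockdown, in every channel.
LOCKDOWN_DENY = SEND_MESSAGES | ADD_REACTIONS | CREATE_INSTANT_INVITE | CONNECT


def lockdown_plan(channels, everyone_role_id, announce_channel_id):
    """Return one @everyone overwrite per channel for a full lockdown.

    The announcement channel stays visible but read-only; every other
    channel is hidden. Overwrites use the API's shape (id, type 0 = role,
    allow/deny as decimal strings) plus a channel_id for this example's use.
    """
    plan = []
    for ch in channels:
        deny = LOCKDOWN_DENY
        allow = 0
        if ch["id"] == announce_channel_id:
            allow = VIEW_CHANNEL          # members can read the notice, not post
        else:
            deny |= VIEW_CHANNEL          # hidden until the review is done
        plan.append({"channel_id": ch["id"], "id": everyone_role_id, "type": 0,
                     "allow": str(allow), "deny": str(deny)})
    return plan


def triage_audit_log(entries, threshold=3):
    """Count destructive actions per actor and flag those at or above threshold.

    Returns (counts, flagged): counts maps user_id -> Counter of action_type,
    flagged is the sorted list of user_ids whose destructive total >= threshold.
    """
    counts = defaultdict(Counter)
    for e in entries:
        if e["action_type"] in DESTRUCTIVE:
            counts[e["user_id"]][e["action_type"]] += 1
    flagged = sorted(uid for uid, c in counts.items() if sum(c.values()) >= threshold)
    return dict(counts), flagged


# Constructed sample data: three channels and a short burst of audit entries
# in which one account bans two members, deletes a channel and creates a webhook.
EVERYONE_ROLE = "100"
CHANNELS = [{"id": "200", "name": "status"}, {"id": "201", "name": "general"},
            {"id": "202", "name": "voice", "type": 2}]
AUDIT_LOG = [
    {"id": "9001", "user_id": "555", "action_type": MEMBER_BAN_ADD, "target_id": "777"},
    {"id": "9002", "user_id": "555", "action_type": MEMBER_BAN_ADD, "target_id": "778"},
    {"id": "9003", "user_id": "555", "action_type": CHANNEL_DELETE, "target_id": "203"},
    {"id": "9004", "user_id": "555", "action_type": WEBHOOK_CREATE, "target_id": "301"},
    {"id": "9005", "user_id": "444", "action_type": MEMBER_KICK, "target_id": "779"},
]

if __name__ == "__main__":
    for ow in lockdown_plan(CHANNELS, EVERYONE_ROLE, "200"):
        print(ow)
    counts, flagged = triage_audit_log(AUDIT_LOG)
    print("actors to review first:", flagged, {u: dict(counts[u]) for u in flagged})
```

Two points worth keeping in mind when adapting it: the lockdown denies on the @everyone role, so any staff role that grants Send Messages as a role permission (rather than through a channel overwrite) still needs its own overwrite or a temporary role edit before the server is truly read-only; and the triage only reads the audit log, so the flagged actor is the account that performed the actions, which during a phishing compromise is the victim rather than the attacker, and the remediation (remove the account, then reset credentials) is the one the guideline describes.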