On June 17, 1972, five men broke in to the Democratic National Committee (DNC) headquarters in the Watergate complex in Washington, D.C. Forty-four years later (almost to the day), hackers breached and infiltrated DNC computers.
The Watergate break in and the scandal that followed eventually lead to the resignation of President Nixon. In time we will know the extent of the damage caused by the 2016 DNC hack, but just as Watergate was a wake-up call for the political establishment, the Hack on the DNC is a wake-up call for all organizations that need to protect their sensitive data.
Most of the media focus has been on who was behind the attack. While the details are subject to change, it appears that it may be the Russians. A rogue group out of Romania also claimed responsibility. Given the stealth and complexity of the attacks, we may never know the answer.
The “who” and the “why” are clearly important, but my greatest concern is the “what.” What happened and what can we do to prevent this from happening to other organizations? In this case, there were really two “whats.”
One attack (started nearly a year before discovery) involved a “low and slow” attack approach referred to as COZY Bear or Advanced Persistent Threat 29 (APT29) which used a combination of spear phishing attacks tied to a web dropper that deployed remote access tools.
The other attack (started in April 2016) was an approach known as FANCY Bear or APT28 which—among other things—setup the domain, misdepatrment.com, to fool people into thinking they were communicating with the DNC IT department, misdepartment.com.
Both of these methods used a series of persistence mechanisms, unique encryption keys and full situational awareness to obfuscate any traces in logs, and encrypted command and control (C2) over HTTP. They also used techniques often referred to as “living off the land” to avoid detection. The level of sophistication points to a nation-state.
All it took to compromise the entire DNC network was one click by one person. That’s it. It may have been one misguided click by a harried staffer.
The next chapter of this story will play out in the press and will no doubt involve a close evaluation of the DNC’s InfoSec defenses, including any cybersecurity assessments or methodologies they followed.
Just what did the DNC have in place when the hack happened?
Was there anti-malware deployed on its machines?
Did they obtain a state-of-the-art, sophisticated, comprehensive cybersecurity assessment, which disclosed the known vulnerabilities lurking within the software deployed on the DNC network?
Did they rely on endpoint solutions or weak systems that used rule-based solutions, predictive analytics or theoretical algorithms?
Did they run a sandbox or a sophisticated, layered email protection system built into its network or other means of controlled payload detonation?
Are DNC staffers required to use multi-factor authentication to reduce risk of credential hijacking?
Was the entire DNC staff provided with a state-of-the-art cybersecurity training? If so, did everyone participate and did DNC enforce compliance?
Whatever the answers, most organizations still rely on old school cybersecurity, which assumes that a hack will occur. After an attack, cybersecurity vendors surface, eager to provide political cover for their new, shiny solution, whether it works or not. Treating the symptoms and not the disease has been the hallmark of cybersecurity for decades. But consider this, proactive cybersecurity would have either prevented these attacks or eliminated the intruder’s advances.
While most organizations are not playing on the world stage like the DNC, their data is still valuable to global adversaries. Employee diligence is important, but there is no substitute for performing comprehensive cybersecurity assessments to identify and prioritize risks, which can then be mitigated cost-effectively.
How do we learn from the DNC incident? At Assured Enterprises, we believe its time to take a proactive approach to cyber defense. Organizations should immediately have a state-of-the-art, comprehensive cybersecurity assessment. At a minimum, this will establish the following:
A cyber maturity posture. We consider the organization’s capability to ward off attack, the staff’s skills and training, the status of hardware, software, network connections, systems, architecture, permissions, operations, governance, etc. The assessment must include the detection of known vulnerabilities in the software used on your network, because some 80% of all successful attacks against corporate America come through exploits of known software vulnerabilities.
A threat posture. While known vulnerabilities are essentially facts which can be detected, “threats” are defined by real world possibilities for failure in the form of insider threats or external adversaries bent on obtaining data within the control of the organization they attack. Actors and insider threats are a key part of assessing known vulnerabilities in the organization.
An impact assessment. Which of the adversaries in the world are likely to try to exploit your network and data? Amateurs, hacktivists, corporate espionage agents, criminal organizations, nation states, surrogates of nation states, terrorists and even insiders—employees and others with access to your system—each pose unique threats that must be included in a proper Impact Assessment. In the case of the DNC, a proper impact assessment would have evaluated the likelihood of a nation-state targeting DNC, and the attack vectors most likely to be deployed by these adversaries in order to penetrate the network and seize the data. Phishing, social engineering, and other attacks can only be clearly recognized in context.
We will follow this developing story as it may be expanding beyond the DNC and into Hillary Clinton’s campaign.
Whether it’s the DNC, RNC, Senate and House Offices, or any organization that wants to secure their data, following a rigorous cybersecurity assessment program is the best initial step toward genuine cyber defense. It’s the only credible way to establish a baseline of understanding, and to make cost-effective and informed choices about cybersecurity technology, processes and practice. It’s also the only way to cost-efficiently design and monitor cyber defenses over time, to ensure that the organization stays one step ahead of the ever-increasing cyber threat.