The now infamous DNC computer network hack of 2016 is a poster child for what can go wrong with information security, even at government levels. Security companies including CrowdStrike, which performed the forensic autopsy on the DNC systems, have all but proven that Russian APTs (nation-state hackers) were responsible for the lengthy breach and for siphoning off confidential communications and competitive intelligence about the campaign.
According to a CrowdStrike blog post, the Russian APTs carried out the attack with methods including modifying their tooling, changing command-and-control (C&C) channels and servers, long dwell times, spear phishing with infected links and downloaders, swapping out “software implants” to maintain access, and careful data exfiltration. These approaches and their success are nothing new, and they will continue unabated wherever the rewards are high and the fruit hangs low.
Explore these seven security measures that could have mitigated the DNC hack, in case you need to hoist your own fruit out of reach.
Enterprises use deception technologies, such as bogus endpoints, to dupe attackers into attempting to penetrate the decoys. Because the decoys serve no legitimate purpose, security teams can treat any activity on them as malicious.
“The DNC could have used decoys to detonate elegant phishing attacks and unknown malware,” says Tom Kellermann, CEO, Strategic Cyber Ventures. “This would have informed them that someone was targeting their database and privileged users,” says Kellermann, a former Deputy to the CISO of the Treasury Department at The World Bank.
Deception techniques detect the initial attempts at network entry that make long dwell times possible. Stop entry, and you stop attackers from settling in.
The real-time alerts that deception techniques provide enable security departments to use adaptive authentication to change credentials across the organization, and to use stronger authentication, such as dynamic identity verification, to ensure that attackers can't escalate whatever privileges they do gain, says Kellermann.
Security teams can automatically toggle adaptive authentication to two- or three-factor authentication to protect the network, explains Kellermann. This type of response would have further shielded the DNC and made it harder for attackers to use the credentials they stole via spear phishing.
Some experts advocate regular use of at least two-factor authentication. “No one should be able to log on or change a password without a physical authenticator,” says John Morello, CTO, Twistlock; “intelligent authentication should understand normal behavior and identify anomalies (such as someone logging on from an IP in Russia).”
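The adaptive authentication described above (step-up to a second factor when a login is anomalous, an organization-wide step-up after a deception alert, and no password change without a physical authenticator) can be reduced to a small policy function. The following is an added illustration, not code from the article or from any of the vendors quoted; the user baselines and the GeoIP table are constructed from documentation address ranges, and the country codes assigned to them are assumptions for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed per-user baselines: the countries and source networks a user
# normally logs in from. In production these come from historic auth logs.
BASELINES = {
    "alice": {"countries": {"US"}, "networks": [ip_network("203.0.113.0/24")]},
}

# Constructed GeoIP table using documentation ranges; the country mapping is
# an assumption for the demo, not real geolocation data.
GEOIP = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "RU",
}


def country_for(ip):
    """Return the constructed country code for an address, '??' if unknown."""
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def evaluate_login(user, ip, authenticator_verified, action="login",
                   heightened_alert=False):
    """Decide 'allow', 'step_up' or 'deny' for an authentication attempt.

    authenticator_verified: a physical second factor was already presented
                            in this session.
    action:                 'login' or 'password_change'.
    heightened_alert:       set organization-wide after a decoy trips, forcing
                            a second factor for everyone.
    Returns (decision, reasons).
    """
    reasons = []
    base = BASELINES.get(user)
    if base is None:
        reasons.append("no baseline for user")
    else:
        addr = ip_address(ip)
        if not any(addr in net for net in base["networks"]):
            reasons.append("unfamiliar source network")
        cc = country_for(ip)
        if cc not in base["countries"]:
            reasons.append(f"login from unusual country {cc}")
    if heightened_alert:
        reasons.append("organization-wide step-up in effect")

    # Password changes always require the physical authenticator.
    if action == "password_change" and not authenticator_verified:
        return "deny", reasons + ["password change requires a physical authenticator"]
    # Anything anomalous requires the second factor before proceeding.
    if reasons and not authenticator_verified:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    print(evaluate_login("alice", "203.0.113.5", False))
    print(evaluate_login("alice", "198.51.100.7", False))
    print(evaluate_login("alice", "203.0.113.5", False, action="password_change"))
```

The design choice worth noting is that an anomaly never outright denies a login; it demands proof the user holds the physical authenticator, which is exactly what a phished password alone cannot supply.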
User behavior analytics
User Behavior Analytics (UBA) enables security to understand whether APTs have secret paths through the network, where those paths are, and which systems are trying to communicate with the outside world, according to Kellermann. By applying deception technology, adaptive authentication, and user behavior analytics, security can break links in the Russian kill chain used in the DNC attack.
UBA can work something like this. Computer security platforms (CSPs) integrated with the OS provide clean file-event data to a behavior analytics engine, says Andy Green of Varonis. “The analytics part is tuned to spot certain threat models–bulk copies, access to sensitive data, directories that the user doesn’t usually browse—and then alert or automatically disable the account,” says Green.
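The three threat models Green lists (bulk copies, access to sensitive data, browsing directories the user normally does not) map directly onto rules over a file-event stream. The block below is an added example written for this article, not Varonis code or any product's logic; the event records, the per-user directory baselines, the sensitive share prefixes and the bulk-copy threshold are all constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for the demo.
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/legal/")
BULK_THRESHOLD = 5                 # reads within BULK_WINDOW count as a bulk copy
BULK_WINDOW = timedelta(minutes=2)

# Constructed baselines: directories each user habitually browses.
BASELINE_DIRS = {
    "bob": {"/shares/marketing"},
    "carol": {"/shares/hr", "/shares/hr/reviews"},
}

# Constructed file events as an OS-integrated agent might deliver them:
# timestamp user operation path
EVENTS = """\
2016-04-10T09:00:00 carol read /shares/hr/salaries.xlsx
2016-04-10T09:01:00 bob read /shares/marketing/plan.docx
2016-04-10T09:02:00 bob read /shares/marketing/budget.xlsx
2016-04-10T09:05:00 bob read /shares/legal/opposition-research.pdf
2016-04-10T09:05:10 bob read /shares/hr/salaries.xlsx
2016-04-10T09:05:12 bob read /shares/hr/reviews/2015.docx
2016-04-10T09:05:14 bob read /shares/hr/reviews/2016.docx
2016-04-10T09:05:16 bob read /shares/finance/donors.xlsx
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path = line.split(maxsplit=3)
        out.append({"ts": datetime.fromisoformat(ts), "user": user,
                    "op": op, "path": path})
    return out


def analyze(events, baseline_dirs):
    """Run the three threat models; return (alerts, accounts_to_disable).

    alerts is a list of (user, model, detail). An account is disabled when
    two or more distinct models fire for it, which keeps a single unusual
    directory visit from locking someone out.
    """
    alerts = []
    recent = defaultdict(deque)        # user -> timestamps of recent reads
    bulk_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, path = ev["user"], ev["path"]
        directory = path.rsplit("/", 1)[0]
        usual = baseline_dirs.get(user, set())
        if path.startswith(SENSITIVE_PREFIXES) and directory not in usual:
            alerts.append((user, "sensitive_access", path))
        elif directory not in usual:
            alerts.append((user, "unusual_directory", directory))
        if ev["op"] == "read":
            window = recent[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BULK_WINDOW:
                window.popleft()
            if len(window) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append((user, "bulk_copy",
                               f"{len(window)} reads within {BULK_WINDOW}"))
    users = {a[0] for a in alerts}
    disable = {u for u in users if len({a[1] for a in alerts if a[0] == u}) >= 2}
    return alerts, disable


if __name__ == "__main__":
    found, to_disable = analyze(parse_events(EVENTS), BASELINE_DIRS)
    for alert in found:
        print(alert)
    print("disable:", sorted(to_disable))
```

Carol reading an HR file raises nothing because HR is in her baseline; Bob touching legal, HR and finance shares in quick succession trips all three models and his account is flagged for disabling. The baseline is what keeps the sensitive-data rule from drowning analysts in alerts about people doing their jobs.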
URL filtering, disabling macros in attachments
“Spear phishing attacks will likely come through a particular URL,” says Kellermann. URL filtering would have blocked known-bad URLs for the DNC. Criminal hackers are increasingly using macros in malware that they attach to emails in spear phishing attacks. Disabling macros blunts these attacks.
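Both controls in this section (filtering known-bad URLs in mail and refusing macro-bearing attachments) can be checked at a mail gateway before a message reaches the inbox. This added example is not code from the article or from any named vendor: the domain blocklist uses reserved example names rather than real indicators, and the Office documents are minimal containers constructed in memory so the macro check has something to inspect.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Constructed blocklist (reserved example names, not real indicators).
BLOCKED_DOMAINS = {"bad.example", "phish.example.net"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Macro-enabled Office extensions that a policy can reject outright.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def find_blocked_urls(text):
    """Return every URL in the text whose host matches the blocklist."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if domain_blocked(host):
            hits.append(url)
    return hits


def has_vba_macro(data):
    """OOXML files are zip containers; a VBA project is stored as vbaProject.bin."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def attachment_policy(filename, data):
    """'block' for macro-enabled types or any file carrying a VBA project."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "block"
    if has_vba_macro(data):
        return "block"          # macros inside a file renamed to .docx
    return "allow"


def build_docx(with_macro):
    """Construct a minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def screen_message(body, attachments):
    """Apply both checks; attachments is a list of (filename, bytes)."""
    findings = [("blocked_url", u) for u in find_blocked_urls(body)]
    for name, data in attachments:
        if attachment_policy(name, data) == "block":
            findings.append(("macro_attachment", name))
    return findings


if __name__ == "__main__":
    body = "Please review http://docs.phish.example.net/update and https://ok.example.org/"
    print(screen_message(body, [("memo.docx", build_docx(True))]))
```

Checking the zip contents rather than trusting the extension matters: an attacker can rename a macro-enabled document to `.docx`, and Word will still open it, so an extension-only filter is easy to sidestep while the `vbaProject.bin` check is not.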
Integrate intrusion protection with breach detection
Set up breach detection systems to talk to intrusion prevention systems. When breach detection detonates a malicious payload inside a sandbox, the system should feed the results of that analysis to the intrusion prevention systems so they can defend the rest of the network against similar attacks.
Limit administrative credentials
Limit the number of users who have administrative-level credentials. Force adaptive authentication or dynamic identity verification on anything that uses administrative credentials. “The thing that these Russian APTs do is steal administrative privileges, so their efforts look like trusted network traffic,” says Kellermann. Limiting those credentials and protecting their use would have helped the DNC.
Use a vetted, authorized email encryption tool that uses strong encryption and is not itself vulnerable to attack, so that criminal hackers can't simply compromise the tool to bypass the encryption. Encryption would have offered another layer of email security for the DNC.