The White House breach and the evolving attack surface
With more than 10 million purported attempts to break into Pentagon systems and servers each day, it was not surprising when the White House confirmed that individuals thought to be working for the Russian government had attempted to hack its servers. The White House is in good company: NATO, the Ukrainian government and U.S. defense contractors have all detected similar activity. In response to the attack, anonymous officials indicated that the intruder did not damage any system or gain access to the “classified network.” This is typical of cyberespionage attacks, which are motivated more by information gathering than by financial gain. Government agencies and businesses looking to defend themselves against cyberespionage need their IT security teams to take the fight to the new attack surface: the network itself.
According to several news reports, in the days following the breach, White House staff were asked to change their passwords, the virtual private network (VPN) was shut down and access to the White House intranet was restricted. This suggests the security team likely had evidence that an attacker had obtained valid credentials and was using them. Such credentials can be used to impersonate a legitimate user and gain access through the VPN, allow an attacker to “land and expand,” and/or log into SharePoint or another intranet portal from which documents can be obtained and sent back to the attacker. Email and email attachments on the unclassified network are also at risk; the extent of the damage isn’t yet known.
The Washington Post reported that it was an ally that alerted U.S. officials to the attack. While it’s unclear which ally raised the alert, the attacker may have tried to gain access to the Secret Internet Protocol Router Network (SIPRNet), a system of interconnected computer networks that requires the credentials of an individual with at least a secret clearance. SIPRNet is shared by what’s called the “Five Eyes” group of nations, an alliance comprising Australia, Canada, New Zealand, the United Kingdom and the U.S. that is bound by a treaty for joint signals intelligence cooperation. Any activity that occurs across SIPRNet, whether direct access to a portal or some part of the network infrastructure, or an email sent from the White House unclassified network with a malicious attachment, could have been seen by the ally that notified the White House.
On November 16, the U.S. State Department temporarily suspended its unclassified email system and public websites after an infiltration of its computer systems. Beyond its timing, close to that of the White House breach, there is further circumstantial evidence that the State Department incident is related: both organizations have classified and unclassified networks, and both have access to SIPRNet. Incident response teams will be trying to piece together the entire chain of events in the attack and to determine the depth and breadth of the damage.
Just as the attack surface is evolving, so too are the cybersecurity tools needed to protect businesses. A new class of system, the User Behavior Analysis (UBA) solution, automatically asks questions of the data already collected by security information and event management (SIEM) solutions and enriches it with Active Directory data. The system reconstructs all user session activity from log-on to log-off, assigns risk scores to anomalous user behaviors and credential-use characteristics, and speeds up an otherwise laborious manual investigation. It can also continuously monitor and track a user through IP changes and identity switches.
Performing a thorough inspection of email systems, as the State Department is doing, is the classic response to seeing an email with a malicious attachment destined for a classified network. Malicious email is meant to own a system and establish a foothold. From there, impersonating a user on the network requires access, but the behaviors and characteristics of that access will look different from those of normal users. While visibility into the entire attack with a UBA solution will not prevent the attack itself, it provides the insight needed to speed the road to attribution and to establish the extent of the damage.
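As an added illustration of the session reconstruction and risk scoring described in the two paragraphs above (example code written for this page, not Exabeam's product or any vendor's model): it stitches constructed logon, identity-switch and logoff events into per-credential sessions, builds a baseline of each user's usual source IPs and logon hours, and scores later sessions for departures such as a new IP, an off-hours logon or a switch to another identity. The event format, the user and IP values and the scoring weights are all assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): timestamp, event, user, source IP and,
# for an identity switch (e.g. a run-as), the account the session switched to.
EVENTS = [
    ("2014-11-10 09:02", "logon", "alice", "10.0.1.5", ""),
    ("2014-11-10 17:30", "logoff", "alice", "10.0.1.5", ""),
    # alice's credentials reused at night from a VPN pool address, then
    # switched to a service identity before logging off
    ("2014-11-18 02:14", "logon", "alice", "172.16.9.77", ""),
    ("2014-11-18 02:31", "switch", "alice", "172.16.9.77", "svc_backup"),
    ("2014-11-18 02:55", "logoff", "alice", "172.16.9.77", ""),
]
def build_sessions(events):
    """Stitch events into per-credential sessions from logon to logoff, so IP changes
    and identity switches stay attached to the account that started the chain."""
    done, open_ = [], {}
    for ts, ev, user, ip, target in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        s = open_.setdefault(user, {"user": user, "start": t, "ips": set(), "switches": []})
        s["ips"].add(ip)
        if ev == "switch":
            s["switches"].append(target)
        if ev == "logoff":
            done.append(open_.pop(user))
    return done + list(open_.values())  # sessions with no logoff yet are kept too
def baseline_from(sessions):
    """Per-user profile of the source IPs and logon hours seen historically."""
    prof = defaultdict(lambda: {"ips": set(), "hours": set()})
    for s in sessions:
        prof[s["user"]]["ips"] |= s["ips"]
        prof[s["user"]]["hours"].add(s["start"].hour)
    return prof
def score_session(s, baseline):
    """Add risk for each departure from the user's baseline; the weights are assumed."""
    hist = baseline[s["user"]]  # defaultdict: an unknown user gets an empty profile
    new_ips = sorted(s["ips"] - hist["ips"])
    odd_hour = s["start"].hour not in hist["hours"]
    reasons = ([f"new source IP {i}" for i in new_ips]
               + ([f"unusual logon hour {s['start'].hour:02d}"] if odd_hour else [])
               + [f"identity switch to {t}" for t in s["switches"]])
    return 20 * len(new_ips) + 25 * odd_hour + 30 * len(s["switches"]), reasons

def analyze(events, cutoff="2014-11-15 00:00"):
    """Build the baseline from sessions before the cutoff and score the later ones."""
    cut = datetime.strptime(cutoff, "%Y-%m-%d %H:%M")
    sessions = build_sessions(events)
    baseline = baseline_from([s for s in sessions if s["start"] < cut])
    return [(s["user"], *score_session(s, baseline)) for s in sessions if s["start"] >= cut]
```

Running `analyze(EVENTS)` flags the single post-cutoff session for alice with a score of 75 and three reasons: the new source IP, the 02:00 logon hour and the switch to svc_backup.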
Mark Seward, vice president of marketing at Exabeam, is a 15-year Internet security veteran who specializes in managed security services, SIEM and log management, and vulnerability management. Most recently, he served as senior director of Public Sector Solutions Marketing at Splunk, where he oversaw its rapid rise to become a leader in the Gartner SIEM Magic Quadrant.