This year’s indictment of Russia for attacking key players in the 2016 elections gave us a valuable education in cybersecurity.
The Russian indictment released in July by the special counsel run by Robert Mueller holds insights that aren’t just relevant for legal and foreign affairs experts. Anyone involved in elections, government or even vendors serving the public sector can learn a lot about common attack vectors from the report.
From a security perspective, the attack itself was unsurprisingly simple. The techniques used in this case are what everyday attackers use, requiring very little financial or time investment — i.e., you don’t need the resources of a nation state to launch one. Similarly, the challenges the victims faced in discovering and responding to those attacks are not unique either. And it’s important to point out that the techniques are the same whether you are trying to influence an election or steal sensitive personnel data.
For the Clinton campaign, the compromise all started with a spear phishing email dressed up as a security warning from Google that ultimately gave the attackers access to several mailboxes and over 50,000 emails.
The same process used to compromise individuals in the Clinton campaign also worked on at least one staffer at the Democratic Congressional Campaign Committee, where malware gave the attackers remote access and the ability to steal screenshots, record keystrokes, upload files and more, as well as the ability to maintain their presence in those networks even if passwords were changed.
Using stolen credentials captured with keystroke logging, a total of approximately 33 computers in the Democratic National Committee (DNC) were compromised over several months. Despite being detected, attacker access survived for a few additional months in the DNC environment due to a Linux server that had the X-Agent malware but was not identified during the incident response process.
Examining the attack, there are several core lessons that government security professionals should take away from this case:
1. Get a clear view of your network. Several key assets appeared to be unmanaged — invisible in a sense — leaving these organizations vulnerable. A DNC Linux server still had X-Agent on it four to five months after the initial response to the compromise. Similarly, the DNC’s analytics computers were hosted on a third-party cloud computing service that was compromised about four months after incident response began. Solely relying on endpoint and log-based approaches wouldn’t capture these assets. It is vital to also have a high-fidelity network view of these devices and their behaviors.
2. Threat model around your most critical assets. Trying to protect everything, against everyone, all of the time, isn’t effective. Prioritize your crown jewels and make sure you have the right protective controls (network segmentation, strong authentication and authorization, audit trails and more) around those. It’s also important to monitor and flag any events tied to these critical assets and red team to uncover any weak points.
3. Keep an eye on suspect domain destinations. With typosquatting playing a key role in this and many successful modern breaches, it’s easy to see why uncovering suspicious destinations and redirects is important. How to do that is more difficult, since it isn’t just about blocking known bad domains based on threat intelligence. Security teams should ensure they have visibility into traffic to “lookalike” or “typosquatted” domains and set up alerts for “red flags” such as destinations with uncommon hosting or registration characteristics. All of these are indicators that something might be wrong.
4. Consider protecting personal email accounts. Business and personal online presence often blur together. Should your organization’s security team be involved in protecting employees’ personal email and social media accounts, as well as their corporate ones? Policy and privacy issues may limit the preventative measures an enterprise can take, but it’s important to be able to detect threats to “unmanaged” accounts in the organization’s network quickly and respond as necessary. Because most enterprises do not analyze use of personal email on corporate resources, many attackers are now choosing to target key executives through their personal accounts.
5. Ensure visibility into the late attack life cycle. As in these cases, an initial compromise may take just a few days, but an attack can continue for weeks, months or years afterwards. Security teams need to be able to discern attacker activities from regular business-justified activity. For the late attack life cycle, this means the ability to detect remote access, lateral movement and privilege escalation, data exfiltration and “cleanup” attack completion activities.
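Lesson 3 in practice, as an added example that is not from the article or the indictment: a small Python detector that undoes common character substitutions, compares each destination’s registrable domain to a watch-list of legitimate domains and flags both lookalikes and brand names buried inside unrelated hosts (the pattern a fake “Google security warning” link tends to use). The watch-list, homoglyph table and proxy log lines are constructed assumptions.

```python
import re
# Constructed watch-list: domains this organisation wants lookalikes flagged for.
WATCHED = ("google.com", "dnc.org")
# Characters attackers commonly swap for visually similar ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance; hostnames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str):
    """Return (verdict, matched watched domain or None) for one destination host."""
    host = host.lower().rstrip(".")
    reg = ".".join(host.split(".")[-2:])  # naive eTLD+1; real tools use the Public Suffix List
    if reg in WATCHED:
        return "legit", reg
    norm = reg.translate(HOMOGLYPHS).replace("rn", "m")  # undo common substitutions
    for brand in WATCHED:
        name = brand.split(".")[0]
        if norm == brand or levenshtein(norm.split(".")[0], name) <= 1:
            return "lookalike", brand      # e.g. g00gle.com, googel.com
        if name in host:
            return "brand-in-host", brand  # e.g. accounts.google.com.verify.example
    return "unknown", None

def scan(log_lines):
    """Parse '<time> <user> <dest-host>' proxy lines and return only the suspect ones."""
    hits = []
    for line in log_lines:
        m = re.match(r"\S+\s+(\S+)\s+(\S+)", line)
        if m:
            user, host = m.groups()
            verdict, brand = classify(host)
            if verdict in ("lookalike", "brand-in-host"):
                hits.append((user, host, verdict, brand))
    return hits

# Constructed proxy log lines, not data from the indictment.
SAMPLE = [
    "2016-03-19T10:02Z jdoe accounts.google.com",
    "2016-03-19T10:05Z jdoe myaccount.google.com.account-security.example",
    "2016-03-19T11:30Z asmith g00gle.com",
    "2016-03-19T12:00Z asmith example.org",
]
```

The "unknown" verdict is deliberately not alerted on; it is the population to enrich with the registration and hosting checks the lesson describes.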
Months and years later, it’s incredible how precisely investigators were able to retrace the attackers’ steps. Hopefully this level of detail provides something we can all learn from to better protect our organizations moving forward.