It's been the year of political breaches. While campaigns are odd entities, there are lessons enterprises can draw from what happened in 2016 to protect their organizations from attacks.
SANSFIRE - Elections, Deceptions and Political Breaches
1. Elections, Deceptions and
Political Breaches
What High-Profile Attacks Teach Us
About Enterprise Security
John Bambenek, Internet Storm Center &
Fidelis Cybersecurity
2. Who am I?
• Handler with the Internet Storm Center
• Manager of Threat Systems with Fidelis Cybersecurity
– Helped to Investigate DNC Breach, Did Research on DCCC, John Podesta
and En Marche! Breaches
• Part-Time Faculty at University of Illinois in Computer Science
• Provider of open-source intelligence feeds; run several
takedown-oriented groups and surveil threats
3. So What Exactly Happened
During the US Elections?
• In June 2016, CrowdStrike released a report
on a breach at the DNC they attributed to
Fancy Bear and Cozy Bear (GRU and FSB in
Russia).
• Data was shared with us (Fidelis
Cybersecurity), SecureWorks and FireEye; we
verified the tools used are the same as those
in previous attacks attributed to GRU/FSB.
4. DNC Breach
• Fancy Bear attacks began in summer of 2015,
Cozy Bear in April of 2016.
• In March of 2016, misdepatrment.com was
registered (MIS Department is a service
provider of the DNC).
• Phishing attacks making use of this “brand
impersonation” were targeted at key staff and
led to the breach.
5. DNC Breach
• June 15, 2016, “Guccifer 2.0” claimed credit for the breach
and began to leak documents via WordPress and directly to
journalists and others via e-mail and Twitter.
• Documents had metadata that gave clues as to who had
touched them and their intentions.
– Widely discussed as it happened in various technical blogs.
• DCLeaks began to also release other stolen data related to
elections and other items.
6. DCCC Breach
• In July 2016, it was announced DCCC was also breached.
– DCCC is the Democratic Congressional Campaign Committee responsible for
campaigns for the US House of Representatives.
– Attack had similar characteristics to the DNC breach.
• Documents were relatively quickly released by Guccifer as
well.
• E-mails were leaked by WikiLeaks in July as well.
• Some data included credit card info and social security
numbers.
7. John Podesta E-mail Breach
• E-mail account was breached via “google password reset”
phish.
– Podesta’s assistant asked IT to validate the e-mail and they responded with
“This is legitimate. Change your password.”
• E-mails leaked in batches in the final weeks of the race by
WikiLeaks. US intel stated the e-mails were given to WikiLeaks by
Russian intelligence through an intermediary.
– No, it wasn’t Seth Rich, and Kim Dotcom had nothing to do with it.
8. GOP Breaches?
• The DNI (Director of National Intelligence) report suggested
there were successful attacks on Republican organizations.
– DC Leaks did leak some GOP e-mails, for instance.
– No major dumps though.
• There was an incident I looked at in Illinois; it looked like
commodity phishing.
9. Election Authority Hacks?
• Throughout the election there were reports of individual
election authorities having incidents (the US has over 8,000
different election authorities):
– Illinois Online Voter Registration (SQL injection)
– Local election authority in Arizona
• A recent classified report leaked to The Intercept lays out
possible Russian hacking attempts on voting system vendors
and election authorities in the days before the election.
• It was also reported that a voter website for Brexit may have been
hacked.
10. DNI Report
• In December 2016, the outgoing administration published an
intelligence report that outlined Russian goals.
– To help defeat Hillary Clinton and help Donald Trump.
– To diminish confidence in US institutions (they didn’t believe Trump would win
and staged a #DemocracyRIP Twitter campaign for the day after the election)
– Obvious geopolitical motivations.
• This also was a rather unprecedented step. The US is still
talking about this.
11. Was there a repeat during
French elections?
• Trend Micro and ThreatConnect reported on phishing
domains they attributed to Fancy Bear that were targeting En
Marche! (the political party of Macron).
– Onedrive-en-marche.fr
– Mail-en-marche.fr
– Accounts-office.fr
– Portal-office.fr
• All had the same registrant (johnpinch@mail.com).
• Just before media blackout, emails from 7 individuals were
leaked online.
12. Was there a repeat during
French elections?
• E-mails leaked via BitTorrent and were spread online by bots and
some “alt-right” figures in the US.
– For instance, reddit.com/r/The_Europe
• Macron campaign responded that they seeded fake
information and fake accounts when they spotted the
phishing.
• While some in the security industry attributed this to the Russians,
the French government said the attacks were too generic to
be sure and it could have been anybody.
13. UK Elections?
• Not really (though reports suggested probing
of utilities happened around the same time).
• All votes counted by hand in the various UK
constituencies.
14. Fake News?
• There has been a lot of talk about twitter bots
and the spreading of fake news on social
media.
• I’m not convinced this is a serious problem
(but I could be wrong).
• But that part of it is probably its own talk.
15. But what does this have to do with enterprise
security?
16. Lesson #1 – Threat sharing
• It is unprecedented that direct competitors
shared info and worked on the same investigation
(DNC breach).
• There are common threats and specific threats…
and most are common threats.
• You are not likely to be the first victim, but you
don’t have to be the next one.
• As security professionals, we also (I argue) have a
duty to society that transcends our current
employment.
17. Lesson #2 – Soft Targets
• The political parties were not the true objective,
they were the means to the end (influencing the
direction of a foreign country, adjusting
geopolitical realities).
• Political parties are not government… but they
are where the first draft of government policies is
written.
• They spend little to nothing on security but have a
direct pipeline into elected leaders.
• They have always been targets of intelligence
agencies.
18. Lesson #2 – Soft Targets
• When enterprises come under attack, the successful attacks don’t
usually try to brute force their way through your firewall.
• Vendors, partners, and third-party organizations are used to pivot
into an organization.
– Target example.
• Using “security questionnaires” is not sufficient to protect your
organization.
• The ability to have context-aware devices that collect metadata is
important (e.g. a Google password reset phish sent from an IP not
originating at Google).
• Brand monitoring with DomainTools or Farsight Threat Sentry to
alert on uses of your “brand” in DNS AND your third-party partners.
– Mail-en-marche.fr spotted easily.
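One way to implement the brand-monitoring point above in code, as an added example that is not part of the talk and not DomainTools' or Farsight's tooling: it flags domains from a feed that embed a protected brand (mail-en-marche.fr style) or typosquat it (misdepatrment.com style). The domain feed and the brand list are constructed from names mentioned in the talk.

```python
"""Brand monitoring over a domain feed: flag names that embed or typosquat a
protected brand (your own or a partner's). All sample data is constructed."""

# Registrable names of the organisation and its service providers (the DNC
# breach used misdepatrment.com, a typo of its IT provider "MIS Department").
BRANDS = ("en-marche", "misdepartment")
MAX_EDITS = 1  # edit distance tolerated for a typosquat match

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (OSA): an adjacent transposition costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain: str, brands=BRANDS):
    """Return (brand, kind) when a domain abuses a brand, else None. kind is
    'embedded' (brand plus a service word) or 'typosquat' (within MAX_EDITS)."""
    # Drops one suffix only; use a public-suffix list for co.uk-style TLDs.
    name = domain.lower().rstrip(".").rsplit(".", 1)[0]
    for brand in brands:
        if name == brand:
            return None  # the organisation's own registration
        if brand in name:
            return brand, "embedded"
        if edit_distance(name.replace("-", ""), brand.replace("-", "")) <= MAX_EDITS:
            return brand, "typosquat"
    return None

def scan(feed, brands=BRANDS):
    """Run classify() over a newly-observed-domains feed and return alerts."""
    hits = ((d, classify(d, brands)) for d in feed)
    return [(d,) + h for d, h in hits if h]

if __name__ == "__main__":
    # Constructed feed: names from the talk plus noise. accounts-office.fr has
    # no brand string and is missed; it was tied to the rest by its registrant.
    feed = ["onedrive-en-marche.fr", "mail-en-marche.fr", "en-marche.fr",
            "misdepatrment.com", "accounts-office.fr", "example.org"]
    for domain, brand, kind in scan(feed):
        print(f"ALERT {domain:<25} impersonates {brand:<15} ({kind})")
```

A hit on a partner's brand is as actionable as one on your own, which is why BRANDS carries the service provider's name as well.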
19. Lesson #3 – Mine your Spam
• Lots of companies can provide you threat
intelligence for things the entire world sees.
None can provide you intelligence on attacks
only targeting you.
• Attackers won’t try only once, but they’ll
usually re-use something between attacks.
• Important to data-mine spam you receive (and
other traffic you discard) so that you can find
patterns.
20. Lesson #3 – Mine your Spam
• We provide mined malware configs with Barncat
and publish tools to mine e-mail called Yalda:
https://github.com/fideliscyber/yalda
• Barncat rips out configs from malware which we
distribute via MISP. This approach can be used to
find correlation in malware attacks against your
organizations.
• Key is to find abstract items in metadata you can
create alerts/prevention based on.
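A worked example of Lesson #3, and of the context-aware metadata point from Lesson #2, added here and not the talk's own code nor Fidelis's Yalda or Barncat: it parses discarded messages for the indicators attackers re-use (source IP, sender domain, URL hosts), reports what recurs across messages, and checks whether a message that names a provider in its From: header actually arrived from that provider's network. The messages, IP addresses and the PROVIDER_NETS range are constructed placeholders.

```python
"""Spam mining: extract the metadata an attacker tends to re-use from discarded
messages, report what recurs, and check whether a message claiming to come from
a provider actually arrived from its network. All sample data is constructed."""
import re
from collections import Counter
from email import message_from_string
from ipaddress import ip_address, ip_network
# Placeholder, not a real provider range (192.0.2.0/24 is a documentation
# prefix): in practice load the provider's published SPF/netblock ranges.
PROVIDER_NETS = {"google": [ip_network("192.0.2.0/24")]}

# Constructed quarantine: two phishes share a source IP; the third is benign.
SPAM = [
    "Received: from mx.example.net (198.51.100.7) by mail.example.org\n"
    "From: Google Accounts <no-reply@accounts-office.fr>\n"
    "Subject: Someone has your password\n\n"
    "Change your password now: http://portal-office.fr/reset?u=7\n",
    "Received: from relay.example.net (198.51.100.7) by mail.example.org\n"
    "From: Team Sharing <share@onedrive-en-marche.fr>\n"
    "Subject: Document shared with you\n\nView: http://onedrive-en-marche.fr/d/42\n",
    "Received: from bulk.example.com (203.0.113.9) by mail.example.org\n"
    "From: Newsletter <news@example.com>\n"
    "Subject: Weekly digest\n\nRead more at http://example.com/news\n",
]

def extract(raw: str) -> dict:
    """Pull the re-usable indicators out of one message."""
    msg = message_from_string(raw)
    ip = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", msg.get("Received", ""))
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    return {"src_ip": ip.group(1) if ip else None,
            "from_domain": sender.group(1).lower() if sender else None,
            "url_hosts": set(re.findall(r"https?://([\w.-]+)", body))}

def recurring(messages, min_count=2):
    """Indicators present in at least min_count distinct messages."""
    seen = Counter()
    for raw in messages:
        ind = extract(raw)
        seen.update({ind["src_ip"], ind["from_domain"], *ind["url_hosts"]} - {None})
    return {k: n for k, n in seen.items() if n >= min_count}

def source_mismatch(raw: str):
    """Providers named in From: whose network the message did not come from."""
    msg = message_from_string(raw)
    src = ip_address(extract(raw)["src_ip"] or "0.0.0.0")  # unknown => mismatch
    return sorted(p for p, nets in PROVIDER_NETS.items()
                  if p in msg.get("From", "").lower()
                  and not any(src in net for net in nets))
```

The recurring source IP is the kind of abstract, alertable item the slide refers to: it links the two phishes even though their domains and lures differ.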
21. Lesson #4 – Role of Deception
• En Marche! claimed to give fake documents
(and certainly some obvious fake ones were in
the dump).
• The difficulty in doing this is you have to
create “fake but believable”.
• If you can get an intelligence service to believe
a fake document… won’t the public believe
that same fake document?
22. Lesson #5 – Role of PR in
Incident Handling
• In high profile breaches, it doesn’t matter what’s true, it
matters what people believe.
• Credibility is supremely important and easy to lose.
– DHS Grizzly Steppe indicators example.
– Some organizations are not “sympathetic” in the public’s eye against hacktivist
attacks
• Contrast French vs US response.
• Time is running against you but speed is your enemy.
– Recall Podesta’s IT staff saying the phishing e-mail was legitimate.
23. Lesson #6 – Security Awareness
Works, Training Matters
• Unfairly, John Podesta is criticized for doing
exactly all you can hope an end user to do…
ask “is this right?”.
• Contrast this with IT response.
• CIO of Hillary for America was Shane Hable,
prior to this he was a systems engineer for
DNC and MIS Department, security engineer
for Obama for America, and IT support prior
to that.
24. Lesson #7 – Organizational
Complexity
• How do you secure thousands of
geographically disparate independent
agencies?
• We discussed this problem in June of 2016, we
couldn’t even figure out how to solve the
logistics of interacting with all of them.
25. Lesson #8 – Automation /
Machine Learning
• Threats are constantly evolving, security is “underfunded” and
staff is overworked.
• Important for staff to not only know what’s going on, but
what’s important without too much heavy lifting.
• Machine learning can help, but classes of data don’t exist in
vacuums (IP addresses, hostnames, file characteristics, SSL
certs, etc).
– Need to move towards multi-domain / context-based machine learning.
26. Lesson #9 – The Risks of Too
Much External Communication
• Because of the high-profile nature of the US political
breaches, every security researcher and vendor started
weighing in with their findings.
• For instance, metadata leakage in Guccifer 2.0’s documents
was published.
• There is no training like on-the-job training. Criminals, when
unchallenged, will continue to get better.
– The influence operation lacked media sophistication and fine-grained
understanding of the target’s political processes. But they’re learning.
27. Lesson #10 – Risks of IoT /
Embedded Devices
• In many countries, the adoption of electronic
voting devices has been done for convenience…
risks have not been properly assessed.
• Many embedded devices / IoT are made by
manufacturers with no experience in operating
systems or networking.
• Strong risk assessments need to be done by those
who can look at these devices with a “criminal
mind”.
28. Free Data
• To get access to our Fidelis Barncat
intelligence database with malware configs
(MISP), send me an email or Google “fidelis
barncat” to get to our signup form:
https://www.fidelissecurity.com/resources/fidelis-barncat
• To get my DGA feeds, simply go to
http://osint.bambenekconsulting.com/feeds