Elections, Deceptions and Political Breaches
What High-Profile Attacks Teach Us About Enterprise Security
John Bambenek, Internet Storm Center & Fidelis Cybersecurity
Who am I?
• Handler with the Internet Storm Center
• Manager of Threat Systems with Fidelis Cybersecurity
– Helped to investigate the DNC breach; did research on the DCCC, John Podesta and En Marche! breaches
• Part-time faculty at the University of Illinois in Computer Science
• Provider of open-source intelligence feeds; run several takedown-oriented groups and surveil threats
So What Exactly Happened During the US Elections?
• In June 2016, CrowdStrike released a report on a breach at the DNC that they attributed to Fancy Bear and Cozy Bear (GRU and FSB in Russia).
• Data was shared with us (Fidelis Cybersecurity), SecureWorks and FireEye; we verified that the tools used are the same as those in previous attacks attributed to GRU/FSB.
DNC Breach
• Fancy Bear attacks began in the summer of 2015, Cozy Bear in April of 2016.
• In March of 2016, misdepatrment.com was registered (MIS Department is a service provider of the DNC).
• Phishing attacks making use of this “brand impersonation” were targeted at key staff and led to the breach.
DNC Breach
• On June 15, 2016, “Guccifer 2.0” claimed credit for the breach and began to leak documents via WordPress and directly to journalists and others via e-mail and Twitter.
• Documents had metadata that gave clues as to who had touched them and their intentions.
– Widely discussed in various technical blogs as it happened.
• DCLeaks also began to release other stolen data related to elections and other items.
DCCC Breach
• In July 2016, it was announced that the DCCC was also breached.
– The DCCC is the Democratic Congressional Campaign Committee, responsible for campaigns for the US House of Representatives.
– The attack had similar characteristics to the DNC breach.
– N
• Documents were relatively quickly released by Guccifer as well.
• E-mails were leaked by Wikileaks in July as well.
• Some data included credit card info and social security numbers.
John Podesta E-mail Breach
• E-mail account was breached via a “Google password reset” phish.
– Podesta’s assistant asked IT to validate the e-mail and they responded with “This is legitimate. Change your password.”
• E-mails were leaked in batches in the final weeks of the race by Wikileaks. US intel stated the e-mails were given to Wikileaks by Russian intelligence through an intermediary.
– No, it wasn’t Seth Rich, and Kim Dotcom had nothing to do with it.
GOP Breaches?
• The DNI (Director of National Intelligence) report suggested there were successful attacks on Republican organizations.
– DC Leaks did leak some GOP e-mails, for instance.
– No major dumps though.
• There was an incident I looked at in Illinois; it looked like commodity phishing.
Election Authority Hacks?
• Throughout the election there were reports of individual election authorities having incidents (the US has over 8,000 different election authorities):
– Illinois Online Voter Registration (SQL injection)
– Local election authority in Arizona
• A recent classified report leaked to The Intercept lays out possible Russian hacking attempts on voting system vendors and election authorities in the days before the election.
• It was also reported that a voter website for Brexit may have been hacked.
DNI Report
• In December 2016, the outgoing administration published an intelligence report that outlined Russian goals:
– To help defeat Hillary Clinton and help Donald Trump.
– To diminish confidence in US institutions (they didn’t believe Trump would win and staged a #DemocracyRIP Twitter campaign for the day after the election).
– Obvious geopolitical motivations.
• This was also a rather unprecedented step. The US is still talking about this.
Was there a repeat during French elections?
• Trend Micro and ThreatConnect reported on phishing domains they attributed to Fancy Bear that were targeting En Marche! (the political party of Macron):
– onedrive-en-marche.fr
– mail-en-marche.fr
– accounts-office.fr
– portal-office.fr
• All had the same registrant (johnpinch@mail.com).
• Just before the media blackout, e-mails from 7 individuals were leaked online.
Was there a repeat during French elections?
• E-mails were leaked via BitTorrent and spread online by bots and some “alt-right” figures in the US.
– For instance, reddit.com/r/The_Europe
• The Macron campaign responded that they had seeded fake information and fake accounts when they spotted the phishing.
• While some in the security industry attributed this to the Russians, the French government said the attacks were too generic to be sure and it could have been anybody.
UK Elections?
• Not really (though reports suggested probing of utilities happened around the same time).
• All votes are counted by hand in the various UK constituencies.
Fake News?
• There has been a lot of talk about Twitter bots and the spreading of fake news on social media.
• I’m not convinced this is a serious problem (but I could be wrong).
• But that part of it is probably its own talk.
But what does this have to do with enterprise security?
Lesson #1 – Threat sharing
• It is unprecedented that direct competitors shared info and worked on the same investigation (DNC breach).
• There are common threats and specific threats… and most are common threats.
• You are not likely to be the first victim, but you don’t have to be the next one.
• As security professionals, we also (I argue) have a duty to society that transcends our current employment.
Lesson #2 – Soft Targets
• The political parties were not the true objective; they were the means to the end (influencing the direction of a foreign country, adjusting geopolitical realities).
• Political parties are not government… but they are where the first draft of government policies is written.
• They spend little to nothing on security but have a direct pipeline into elected leaders.
• They have always been targets of intelligence agencies.
Lesson #2 – Soft Targets
• When enterprises come under attack, the successful attacks don’t usually try to brute force their way through your firewall.
• Vendors, partners, and third-party organizations are used to pivot into an organization.
– Example: the Target breach.
• Using “security questionnaires” is not sufficient to protect your organization.
• The ability to have context-aware devices that collect metadata is important (e.g. a Google password reset phish sent from an IP not originating at Google).
• Brand monitoring with DomainTools or Farsight Threat Sentry to alert on uses of your “brand”, AND your third-party partners’ brands, in DNS.
– mail-en-marche.fr spotted easily.
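
The brand-monitoring rule from this slide, as an added example that is not code from the talk, DomainTools or Farsight: a Python script that checks a feed of newly observed domains against your own brand and your partners’ brands, flagging exact-brand TLD variants, brand names embedded in service-style hostnames (the mail-en-marche.fr pattern) and near-miss typosquats (misdepatrment.com, whose spelling is the attacker’s own). The feed, allow-list, watch entries and threshold are constructed assumptions; only the Python standard library is used.

```python
"""Brand-impersonation check over a feed of newly observed domains.

Added example, not code from the talk, DomainTools or Farsight. It encodes the
alert rule the slide describes: watch your own brand and your partners' brands.
The feed, allow-list and watch entries are constructed; the impersonation
domains named in the talk are included (misdepatrment.com keeps the attacker's
own misspelling of "misdepartment").
"""
from difflib import SequenceMatcher

# Watch entries are constructed. "generic" marks a word (like "office") that is
# too common to alert on alone, so it only fires in a "<service>-<brand>" shape.
WATCHED_BRANDS = {
    "En Marche!":       {"tokens": ["enmarche"], "generic": False},
    "MIS Department":   {"tokens": ["misdepartment"], "generic": False},
    "Microsoft Office": {"tokens": ["office"], "generic": True},
}

# Labels phishers prepend to a brand to make it look like a service hostname.
SERVICE_PREFIXES = {"mail", "onedrive", "portal", "accounts", "login", "sso", "webmail"}

# Domains you or your partners legitimately own (constructed allow-list).
ALLOWLIST = {"en-marche.fr", "misdepartment.com"}

LOOKALIKE_THRESHOLD = 0.85  # similarity ratio that counts as a typosquat


def registrable_label(domain):
    """Label left of the TLD (simplified: ignores multi-label public suffixes)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain):
    """Return (brand, reason, score) if the domain impersonates a watched brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return None
    label = registrable_label(domain)
    hyphen_tokens = set(label.split("-"))
    flat = label.replace("-", "")
    for brand, spec in WATCHED_BRANDS.items():
        for token in spec["tokens"]:
            if spec["generic"]:
                if token in hyphen_tokens and hyphen_tokens & SERVICE_PREFIXES:
                    return (brand, "service_prefix", 1.0)   # accounts-office, portal-office
                continue
            if flat == token:
                return (brand, "tld_variant", 1.0)          # exact brand on another TLD
            if token in flat:
                return (brand, "brand_embedded", 1.0)       # mail-en-marche, onedrive-en-marche
            score = SequenceMatcher(None, flat, token).ratio()
            if score >= LOOKALIKE_THRESHOLD:
                return (brand, "lookalike", round(score, 3))  # misdepatrment
    return None


def scan_feed(domains):
    """Run classify() over a feed of domains and return the alerts."""
    alerts = []
    for domain in domains:
        hit = classify(domain)
        if hit:
            brand, reason, score = hit
            alerts.append({"domain": domain.lower(), "brand": brand,
                           "reason": reason, "score": score})
    return alerts


# Constructed sample feed: the impersonation domains named in the talk plus noise.
SAMPLE_FEED = [
    "misdepatrment.com",      # typosquat of the DNC's IT provider (from the talk)
    "mail-en-marche.fr",      # Fancy Bear-attributed domains (from the talk)
    "onedrive-en-marche.fr",
    "accounts-office.fr",
    "portal-office.fr",
    "en-marche.fr",           # legitimate, allow-listed
    "en-marche.com",          # constructed: same brand, different TLD
    "office-furniture.com",   # constructed noise: generic word, no service prefix
    "marchepublic.fr",        # constructed noise
    "example-news.fr",        # constructed noise
]

if __name__ == "__main__":
    for alert in scan_feed(SAMPLE_FEED):
        print(f"{alert['domain']:<24} {alert['brand']:<18} {alert['reason']:<15} {alert['score']}")
```

In production the feed would come from a passive-DNS or new-domain service and the allow-list from your own and your partners’ asset inventories.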
Lesson #3 – Mine your Spam
• Lots of companies can provide you threat intelligence for things the entire world sees. None can provide you intelligence on attacks only targeting you.
• Attackers won’t try only once, but they’ll usually re-use something between attacks.
• It is important to data-mine the spam you receive (and other traffic you discard) so that you can find patterns.
Lesson #3 – Mine your Spam
• We provide mined malware configs with Barncat and publish a tool to mine e-mail called Yalda: https://github.com/fideliscyber/yalda
• Barncat rips configs out of malware, which we distribute via MISP. This approach can be used to find correlation in malware attacks against your organization.
• The key is to find abstract items in metadata you can create alerts/prevention based on.
Lesson #4 – Role of Deception
• En Marche! claimed to have given fake documents (and certainly some obvious fake ones were in the dump).
• The difficulty in doing this is that you have to create “fake but believable”.
• If you can get an intelligence service to believe a fake document… won’t the public believe that same fake document?
Lesson #5 – Role of PR in Incident Handling
• In high-profile breaches, it doesn’t matter what’s true; it matters what people believe.
• Credibility is supremely important and easy to lose.
– DHS Grizzly Steppe indicators example.
– Some organizations are not “sympathetic” in the public’s eye against hacktivist attacks.
• Contrast the French vs US response.
• Time is running against you, but speed is your enemy.
– Recall Podesta’s IT staff saying the phishing e-mail was legitimate.
Lesson #6 – Security Awareness Works, Training Matters
• Unfairly, John Podesta is criticized for doing exactly what you can hope an end user will do… ask “is this right?”.
• Contrast this with the IT response.
• The CIO of Hillary for America was Shane Hable; prior to this he was a systems engineer for the DNC and MIS Department, security engineer for Obama for America, and IT support prior to that.
Lesson #7 – Organizational Complexity
• How do you secure thousands of geographically disparate independent agencies?
• We discussed this problem in June of 2016; we couldn’t even figure out how to solve the logistics of interacting with all of them.
Lesson #8 – Automation / Machine Learning
• Threats are constantly evolving, security is “underfunded” and staff are overworked.
• It is important for staff to not only know what’s going on, but what’s important, without too much heavy lifting.
• Machine learning can help, but classes of data don’t exist in vacuums (IP addresses, hostnames, file characteristics, SSL certs, etc.).
– Need to move towards multi-domain / context-based machine learning.
Lesson #9 – The Risks of Too Much External Communication
• Because of the high-profile nature of the US political breaches, every security researcher and vendor started weighing in with their findings.
• For instance, the metadata leakage in Guccifer 2.0’s documents was published.
• There is no training like on-the-job training. Criminals, when unchallenged, will continue to get better.
– The influence operation lacked media sophistication and a fine-grained understanding of the target’s political processes. But they’re learning.
Lesson #10 – Risks of IoT / Embedded Devices
• In many countries, the adoption of electronic voting devices has been done for convenience… the risks have not been properly assessed.
• Many embedded / IoT devices are made by manufacturers with no experience in operating systems or networking.
• Strong risk assessments need to be done by those who can look at these devices with a “criminal mind”.
Free Data
• To get access to our Fidelis Barncat intelligence database with malware configs (MISP), send me an e-mail or Google “fidelis barncat” to get to our signup form: https://www.fidelissecurity.com/resources/fidelis-barncat
• To get my DGA feeds, simply go to http://osint.bambenekconsulting.com/feeds
Questions?
Thank you!
John Bambenek
John.bambenek@fidelissecurity.com
@bambenek
SANSFIRE - Elections, Deceptions and Political Breaches

  • 1. Elections, Deceptions and Political Breaches What High-Profile Attacks Teach Us About Enterprise Security John Bambenek, Internet Storm Center & Fidelis Cybersecurity
  • 2. Who am I? • Handler with the Internet Storm Center • Manager of Threat Systems with Fidelis Cybersecurity – Helped to Investigate DNC Breach, Did Research on DCCC, John Podesta and En Marche! Breaches • Part-Time Faculty at University of Illinois in Computer Science • Provider of open-source intelligence feeds, Run several takedown oriented groups and surveil threats
  • 3. So What Exactly Happened During the US Elections? • In June 2016, CrowdStrike released a report on a breach at the DNC they attributed to Fancy Bear and Cozy Bear (GRU and FSB in Russia). • Data was shared with us (Fidelis Cybersecurity), SecureWorks and FireEye, we verified the tools used are the same as those in previous attacks attributed to GRU/FSB.
  • 4. DNC Breach • Fancy Bear attacks began in summer of 2015, Cozy Bear in April of 2016. • In March of 2016, misdepatrment.com was registered (MIS Department is a service provider of the DNC). • Phishing attacks making use of this “brand impersonation” were targeted at key staff and lead to the breach.
  • 5. DNC Breach • June 15, 2016, “Guccifer 2.0” claimed credit for the breach and began to leak documents via wordpress and direct to journalists and others via e-mail and twitter. • Documents had metadata that gave clues as to who had touched them and their intentions. – Widely discussed as it happened in various technical blogs. • DCLeaks began to also release other stolen data related to elections and other items.
  • 6. DCCC Breach • In July 2016, it was announced DCCC was also breached. – DCCC is the Democratic Congressional Campaign Committee responsible for campaigns for the US House of Representatives. – Attack had similar characteristics of DNC breach. – N • Documents were relatively quickly released by Guccifer as well. • E-mails were leaked by Wikileaks in July as well. • Some data included credit card info and social security numbers.
  • 7. John Podesta E-mail Breach • E-mail account was breached via “google password reset” phish. – Podesta’s assistant asked IT to validate the e-mail and they responded with “This is legitimate. Change your password.” • E-mails leaked in batches in the final weeks of the race by Wikileaks. US intel stated e-mails were given to Wikileaks by an intermediary by Russian intelligence. – No, it wasn’t Seth Rich and Kim Dot Com had nothing to do with it.
  • 8. GOP Breaches? • The DNI (Director of National Intelligence) report suggested there were successful attacks on Republican organizations. – DC Leaks did leak some GOP e-mails, for instance. – No major dumps though. • There was an incident I looked at in Illinois, looked like commodity phishing.
  • 9. Election Authority Hacks? • Throughout the election there were reports of individual election authorities having incidents (the US has over 8,000 different election authorities): – Illinois Online Voter Registration (SQL injection) – Local election authority in Arizona • A recent classified report leaked to The Intercept lays out possible Russian hacking attempts on voting system vendors and election authorities days before the attack. • Was also reported a voter website for Brexit may have been hacked.
  • 10. DNI Report • In December 2016, the outgoing administration published an intelligence report that outlined Russian goals. – To help defeat Hillary Clinton and help Donald Trump. – To diminish confidence in US institutions (they didn’t believe Trump would win and staged a #DemocracyRIP twitter campaign for day after election) – Obvious geopolitical motivations. • This also was a rather unprecedented step. The US is still talking about this.
  • 11. Was there a repeat during French elections? • Trend Micro and Threat Connect reported on phishing domains they attributed to Fancy Bear was targeting En Marche! (the political party of Macron). – Onedrive-en-marche.fr – Mail-en-marche.fr – Accounts-office.fr – Portal-office.fr • All had same registrant (johnpinch@mail.com). • Just before media blackout, emails from 7 individuals were leaked online.
  • 12. Was there a repeat during French elections? • E-mails leaked via bittorrent and spread online with bots and some “alt-right” figures in the US. – For instance, reddit.com/r/The_Europe • Macron campaign responded that they seeded fake information and fake accounts when they spotted the phishing. • While some in security industry attributed this to Russians, the French government said the attacks were too generic to be sure and it could have been anybody.
  • 13. UK Elections? • Not really (though reports suggested probing of utilities happened around the same time). • All votes counted by hand in the various UK constituencies.
  • 14. Fake News? • There has been a lot of talk about twitter bots and the spreading of fake news on social media. • I’m not convinced this is a serious problem (but I could be wrong). • But that part of it is probably its own talk.
  • 15. But what does this have to do with enterprise security?
  • 16. Lesson #1 – Threat sharing • It is unprecedented that direct competitors shared info and worked on the same investigation (DNC breach). • There are common threats and specific threats… and most are common threats. • You are not likely to be the first victim, but you don’t have to be the next one. • As security professionals, we also (I argue) have a duty to society that transcends our current employment.
17. Lesson #2 – Soft Targets
• The political parties were not the true objective; they were the means to the end (influencing the direction of a foreign country, adjusting geopolitical realities).
• Political parties are not government… but they are where the first draft of government policies is written.
• They spend little to nothing on security but have a direct pipeline into elected leaders.
• They have always been targets of intelligence agencies.
18. Lesson #2 – Soft Targets
• When enterprises come under attack, the successful attacks don’t usually try to brute force their way through your firewall.
• Vendors, partners, and third-party organizations are used to pivot into an organization.
– Target example.
• Using “security questionnaires” is not sufficient to protect your organization.
• The ability to have context-aware devices that collect metadata is important. (Google password reset phish sent from an IP not originating at Google)
• Brand monitoring with DomainTools or Farsight Threat Sentry to alert on uses of your “brand” in DNS AND your third-party partners.
– Mail-en-marche.fr spotted easily.
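The brand-monitoring idea above, as an added example that is not from the talk or from any vendor product: a watch list of brand tokens for the organization and its third-party partners is checked against a constructed feed of newly observed domains, flagging both outright uses of a token (mail-en-marche style) and one-edit typosquats such as a transposed letter pair (misdepatrment style). The token list, owner labels and domain feed are all assumed values.

```python
# Watch list: tokens for the organization's own brand and its third-party
# partners (assumed values; tune for your environment).
WATCH_TOKENS = {
    "en-marche": "own brand",
    "misdepartment": "IT service provider",
    "office": "hosted mail provider",
}

# Constructed feed of newly observed domains, not real registration data.
NEW_DOMAINS = ["mail-en-marche.fr", "misdepatrment.com", "portal-office.fr",
               "marchenaise.fr", "example-widgets.net"]

def registrable_label(domain):
    """'mail-en-marche.fr' -> 'mail-en-marche'; assumes a one-label public suffix."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and one
    adjacent transposition each cost 1, so 'depatrment' is 1 from 'department'."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_domain(domain):
    """(reason, token, owner) if the domain should raise an alert, else None."""
    label = registrable_label(domain)
    for token, owner in WATCH_TOKENS.items():
        if token in label:                      # brand used outright
            return ("contains", token, owner)
    for part in [label] + label.split("-"):     # near misses: whole label or a part
        for token, owner in WATCH_TOKENS.items():
            if len(token) >= 8 and edit_distance(part, token) == 1:
                return ("typosquat", token, owner)
    return None

def scan(domains):
    """Map each alerting domain to its (reason, token, owner) tuple."""
    return {d: hit for d in domains if (hit := check_domain(d))}

if __name__ == "__main__":
    for domain, (reason, token, owner) in scan(NEW_DOMAINS).items():
        print(f"ALERT {domain}: {reason} '{token}' ({owner})")
```

Short tokens such as "office" are only matched outright, since a one-edit distance on a six-letter word would fire on too many unrelated names.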
19. Lesson #3 – Mine your Spam
• Lots of companies can provide you threat intelligence for things the entire world sees. None can provide you intelligence on attacks only targeting you.
• Attackers won’t try an attack only once, but they’ll usually re-use something between attacks.
• It is important to data-mine the spam you receive (and other traffic you discard) so that you can find patterns.
20. Lesson #3 – Mine your Spam
• We provide mined malware configs with Barncat and publish a tool to mine e-mail called Yalda: https://github.com/fideliscyber/yalda
• Barncat rips out configs from malware, which we distribute via MISP. This approach can be used to find correlation in malware attacks against your organization.
• The key is to find abstract items in metadata on which you can base alerts or prevention.
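The “re-use something between attacks” point, as an added example that is not from the talk, Yalda or Barncat: three constructed messages (RFC 2606 names, TEST-NET addresses) are reduced to abstract metadata items, and any item shared by two or more messages is reported, which surfaces two phishes weeks apart on different domains that still share a relay network, mailer string and landing-page path, while an unrelated newsletter shares nothing.

```python
import email
import re
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Constructed sample messages, not real spam: two phishes on different domains
# plus an unrelated newsletter.
SAMPLES = {
    "wk1-phish": """From: "IT Helpdesk" <it@acme-corp-helpdesk.example>
Received: from mx (unknown [203.0.113.17])
X-Mailer: PHPMailer 5.2.9

Confirm here: http://acme-corp-helpdesk.example/auth/reset.php?u=4417
""",
    "wk3-phish": """From: "Acme Security" <security@secure-acme.example>
Received: from mx (unknown [203.0.113.88])
X-Mailer: PHPMailer 5.2.9

Review activity: http://login-acme.example/auth/reset.php?u=9120
""",
    "newsletter": """From: News <news@vendor.example>
Received: from mail (mail.vendor.example [198.51.100.5])
X-Mailer: ListManager 2.1

Read more: https://vendor.example/blog/2024/05/update
""",
}

def features(raw):
    """Abstract metadata items from one message (the things attackers reuse)."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {("sender_domain", parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower())}
    relay = re.search(r"\[(\d+\.\d+\.\d+)\.\d+\]", msg.get("Received", ""))
    if relay:
        out.add(("relay_net", relay.group(1) + ".0/24"))   # /24 of the relay
    if msg["X-Mailer"]:
        out.add(("mailer", msg["X-Mailer"].strip()))
    for host, path in re.findall(r"https?://([^/\s]+)(/[^\s?#]*)?", msg.get_content()):
        out.add(("url_path", re.sub(r"\d+", "N", path or "/")))  # digits -> N
    return out

def correlate(samples):
    """Features seen in two or more messages, mapped to the message ids."""
    index = defaultdict(set)
    for mid, raw in samples.items():
        for feat in features(raw):
            index[feat].add(mid)
    return {f: sorted(ids) for f, ids in index.items() if len(ids) > 1}
```

Each key of `correlate(SAMPLES)` is a candidate for an alert or block rule that does not depend on the sender domain the attacker will change next time.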
21. Lesson #4 – Role of Deception
• En Marche! claimed to give fake documents (and certainly some obvious fake ones were in the dump).
• The difficulty in doing this is you have to create “fake but believable”.
• If you can get an intelligence service to believe a fake document… won’t the public believe that same fake document?
22. Lesson #5 – Role of PR in Incident Handling
• In high profile breaches, it doesn’t matter what’s true, it matters what people believe.
• Credibility is supremely important and easy to lose.
– DHS Grizzly Steppe indicators example.
– Some organizations are not “sympathetic” in the public’s eye against hacktivist attacks.
• Contrast French vs US response.
• Time is running against you but speed is your enemy.
– Recall Podesta’s IT staff saying the phishing e-mail was legitimate.
23. Lesson #6 – Security Awareness Works, Training Matters
• Unfairly, John Podesta is criticized for doing exactly all you can hope an end user to do… ask “is this right?”.
• Contrast this with the IT response.
• The CIO of Hillary for America was Shane Hable; prior to this he was a systems engineer for the DNC and MIS Department, a security engineer for Obama for America, and IT support prior to that.
24. Lesson #7 – Organizational Complexity
• How do you secure thousands of geographically disparate independent agencies?
• We discussed this problem in June of 2016; we couldn’t even figure out how to solve the logistics of interacting with all of them.
25. Lesson #8 – Automation / Machine Learning
• Threats are constantly evolving, security is “underfunded” and staff is overworked.
• It is important for staff to not only know what’s going on, but what’s important, without too much heavy lifting.
• Machine learning can help, but classes of data don’t exist in vacuums (IP addresses, hostnames, file characteristics, SSL certs, etc).
– Need to move towards multi-domain / context-based machine learning.
26. Lesson #9 – The Risks of Too Much External Communication
• Because of the high profile nature of the US political breaches, every security researcher and vendor started weighing in with their findings.
• For instance, the metadata leakage in Guccifer 2.0’s documents was published.
• There is no training like on-the-job training. Criminals, when unchallenged, will continue to get better.
– The influence operation lacked media sophistication and a fine-grained understanding of the target’s political processes. But they’re learning.
27. Lesson #10 – Risks of IoT / Embedded Devices
• In many countries, the adoption of electronic voting devices has been done for convenience… risks have not been properly assessed.
• Many embedded devices / IoT are made by manufacturers with no experience in operating systems or networking.
• Strong risk assessments need to be done by those who can look at these devices with a “criminal mind”.
28. Free Data
• To get access to our Fidelis Barncat intelligence database with malware configs (MISP), send me an email or Google “fidelis barncat” to get to our signup form: https://www.fidelissecurity.com/resources/fidelis-barncat
• To get my DGA feeds, simply go to http://osint.bambenekconsulting.com/feeds