Last week, the FBI released its indictment of the 11 Russian military intelligence operatives who hacked the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) in 2016. No matter what political stripes you wear, this was quite an operation and the indictment details the actions, methods and timeline of how it all played out.
There is something here for all of us to learn and take away. It’s quite a fascinating (and quick) read and I encourage everyone to take the 10 minutes. If you’re like me, your significant other will think you ate some bad sushi with all the head shaking and muttering. Here’s a link to the indictment.
The good news was that, for all its play in the news, this was a meat-and-potatoes, by-the-book cyber attack. It doesn’t mean we should relax -- quite the opposite -- but we’ve seen this movie before and there are some basic “blocking and tackling” things we can do to mitigate these things.
Yeah, it’s 2018 and phishing is still a thing. This time it was well-targeted spear phishing. For those who don’t know the difference, phishing is casting a wide net (who can I get to click this link?) and hoping (and usually getting) a small return. Which is really all they’re after.
Spear phishing is more targeted. You know who you’re going after and you expect they have something you want. Both methods of phishing have become so easy to do that “phishing” has become part of our lexicon, for better or worse... mostly worse. It was still a little odd to hear it batted about on the evening news over the past few weeks though.
First off (and yes this is a slightly shameless Duo plug), for goodness sake, protect your stuff with 2FA (two-factor authentication)! If we take one thing away from this event, it’s this. This is especially true if you’re gonna use a password like ahem... Password12345. Now, the first rule of good password hygiene is don’t do that, but if you’re gonna do that (and even if you don’t) you better use two-factor authentication.
This is your first line of defense.
And don’t take my word for it - read Google’s “hot off the presses” proclamation that since deploying 2FA AND zero trust (more on that later), they have been “phish free.” Now, I’m a cynical old fart with the grey hair to prove it and I don’t believe for a minute that Google has had ZERO phishing events, but I do believe they are safer now than they were two years ago, and we should all strive to be like that.
This was initially a spear-phishing campaign. That is how the operatives got access to the network, the databases and the Exchange server, and once inside they were able to move around the network with ease. This is the part that’s hard. Once your first line of defense breaks down, if your network is wide open to an attacker who is already in, it’s game over.
You need to shrink the attack surface.
Limit what the attacker can do even when he or she does get past that first test. There are techniques and best practices that can help here too, and you should be looking at anything and everything you can do to make it as hard (and less fruitful) as you possibly can.
Concepts like a zero-trust architecture are a good place to start, and while it ain’t going to be easy (nothing is ever easy), AND it’s never a “one size fits all” proposition, you have to do something. You have to start somewhere. Here are some helpful resources to get you started:
Moving Beyond the Perimeter: Part 1
This white paper explains the theory behind Google’s BeyondCorp security model (a new approach to enterprise security that mitigates the risks resulting from placing too much trust in the internal network), the different components required and the overall security architecture.
Moving Beyond the Perimeter: Part 2
Part two of this series explains how to easily build a new enterprise security model within your organization, including an outline of the maturity process.
BeyondCorp at Google
Google's research papers, principles, mission, guidelines and additional resources on BeyondCorp.
Next-Generation Access and Zero Trust
A Forrester analyst’s take on the components of a zero-trust strategic initiative, including command and control over network access and other key technologies.
Zero Trust Networks from O'Reilly Media
Written by Evan Gilman and Doug Barth, this O'Reilly Media book explains how to build secure systems in untrusted networks.
Here we go again.
It’s also worth noting that we’ve just had another event hit the wire regarding a spear-phishing operation targeting U.S. critical power infrastructure. We’ve also seen evidence that the GRU (the Russian acronym for the Main Intelligence Directorate of the Russian Armed Forces) is up to its old tricks and deploying the same techniques against targets for the 2018 election cycle.
So far it looks like they’ve been unsuccessful due to a heightened awareness and probably a little luck. We’ll need to stay vigilant and see how this all plays out. Stay safe out there, my friends.
< Sean shakes head frantically > but luckily he’s on a plane so his wife can’t see.