The media blitz about Russia’s involvement in our electoral process redefines the term “political hack.” Our fundamental right to legitimately and confidentially vote in elections, with confidence our vote counts, is not challenged by a despot, but rather by a bot. e-Voting machines are routinely analyzed and discoveries of one or another vulnerability are reported. Several studies over the past few years reveal the brittleness and insecurities of the various electronic voting machines used across America. The most recent demonstration at this year’s DefCon provides a step by step process on how to exploit and attack a particular eVoting machine . Undoubtedly other machines are also vulnerable to malicious alteration.
Protection of our voting machines is clearly a critical concern, but perhaps more worrisome are hacks against the computers used by the committees of the major political parties and citizen groups who are at the core of our deliberative political system. What really needs fixing is how our elections boards defend the systems used by political parties and election officials, to avoid the repercussions we have experienced over the last two years.
Spear-phishing won’t stop, and once a hacker gains access to credentials that are authorized to access confidential data, there’s very little visibility into what data has been compromised, how and by who. To defend our political infrastructure, new security controls are needed to detect the early stages of a successful credential theft in order to stop data loss and identify perpetrators.
Attacking our political serversClearly lessons were learned by the committees of our major political parties over the past few years about how easily political operatives and employees are subject to targeted attacks to steal credentials. Even elected officials are targeted. The unfortunate facts reveal that home laptops used by political operatives are shared, exposing critically sensitive content to any hacker. It was center stage in the reporting of what happened during our last presidential election cycle, and it is not over. Just recently another attack was detected and stopped where foreign entities are claimed to have sought the credentials of a major political candidate for a congressional office. This is clearly a new era where we face nation-state attacks against our political infrastructure, and diligence is now required to defend our democratic institutions.
Anti-phishing assessment is not enoughOur political and electoral voting system is highly distributed with no single centralized management organization responsible for promulgating safe and secure technology to protect our political system. However, as of January 2017, the Department of Homeland Security (DHS) director announced that our electoral system is critical infrastructure and hence within the scope and mission of DHS. The DHS has sponsored a number of educational meetings and a resource handbook to inform state and local election officials of the cyber threats they must be aware of and plan for and services provided by DHS to prepare officials better to secure their computers. They promulgate a handbook for our electoral infrastructure informing officials of the availability of centralizing expertise and facilities to assist in managing the cyber risks and security architectures in place to conduct our voting process. DHS will also conduct assessments to evaluate security processes and systems. The same handbook is an excellent source of informative guidance and appropriate materials that should be read and operationalized by the management of our major political parties and our election officials to better protect their own internal infrastructure. They face the real and present nation-state threat comparable to what DoD experiences each and every moment.
Of particular note in the DHS assessment: Job one is focused on phishing. If we’ve learned, or re-learned, anything from recent media reports about attacks against our political infrastructure, phishing is the most obvious method for attackers to easily gain access to critical systems and documents. The DHS handbook states:
“ The Phishing Campaign Assessment (PCA) is a no-cost, six-week engagement offered to Federal, State, Local, Tribal and Territorial (SLTT) Governments, as well as Critical Infrastructure and Private Sector Companies, that evaluates an organization’s susceptibility and reaction to phishing emails. The results of a PCA are meant to provide guidance, measure effectiveness, and justify resources needed to defend against spear-phishing and increase user training and awareness.”
The primary evaluation is focused on click rates and susceptibility of users in an organization to fall prey to phishing emails. My sense, from years of experience and reading daily reports of successful breaches, is that no amount of training will assure 100% successful prevention of credential theft. Attackers will still succeed. Then what?
Early detection is crucialVarious means of training users can be expected to have some impact in reducing the rate of successful credential theft, but various studies show there always will be errors and attackers will undoubtedly succeed - and they only need to succeed once to gain the access they need. Consider the typical attacker behavior profile:
Reconnaissance launch of the phishing campaign against a specific target) Initial compromise successful acquisition of credentials Establishing footholds slow, methodical and usually undetectable “casing the joint” ( dwell time is 99 days, on average ) Search and acquire data the equivalent of “tossing the place” for valuables Exfiltration documents are downloaded and packaged to bypass DLP before the victim is even aware of the breachThere are ways of breaking this attack life cycle before exfiltration occurs, or soon thereafter. It would be folly to depend entirely upon IRM, DLP or encryption-based methods to protect critical documents because these “solutions” are partial and rely on identity-based credentials. Not to mention, most campaigns don’t have the luxury of deploying expensive, large-scale preventative measures - deployment alone could take longer than an entire campaign. Once a credential is stolen, the attacker can carry out her or his masquerade with unfettered access to all documents the credential is authorized to access. Game over. But, what more can be done?
It is possible to identify unusual behavior by credentialed users, such as search behaviors, opening and accessing documents they have never used before, or even opening them from unusual locations. Think of this technology as a sensor that sets a tripwire for bad actors. This raises an immediate alert when a sensor has been touched or opened. Such technology embedded amongst highly sensitive documents, deployed in an intelligent fashion to avoid interference with normal operations, reduces the risks concomitant with the inevitable failures of purely prevention-based security