Former Secretary of State Hillary Clinton’s email isn’t the only State Department email to make headlines in the past few months.
In 2014, the State Department found itself in a very difficult situation. State Department emails had been breached, presumably by Russian hackers. “The hackers bedeviled the State Department’s email system for much of the past year and continue to pose problems for technicians trying to eradicate the intrusion,” reported CNN.
In Congressional reports, federal law enforcement officials called the hack on the email system the “worst ever” cyber intrusion against a federal agency.
So what happens when an agency’s email is breached? Can you really trust the network any more? Have both the software and the hardware been compromised? All of these questions can lead many organizations to consider the doomsday scenario – where you would rebuild an organization from the top to the bottom.
John Dickson, an information security analyst at the Denim Group and former Air Force Intelligence Officer, is an expert on the doomsday scenario. While Dickson can’t speak directly to the State Department situation, he did find many patterns in the Department’s response to the attack that lead him to believe a doomsday scenario is under way.
“We are aware publicly that their unclassified networks have been compromised,” explained Dickson. NextGov reported that in the wake of the attack, the State Department replaced some 30,000 keychain login fobs and asked in the FY2016 budget for more than $17.3 million for “architecture services,” as well as another $10 million to support “the necessary re-architecting of the classified and unclassified networks.”
In order to know if your organization needs to activate the doomsday scenario, it is best to first understand how these dangerous attacks happen in the first place.
“The nature of that particular attack was something a lot of organizations are now facing. Once you are in that type of situation it is particularly difficult to figure out what is trusted and what is not trusted,” said Dickson.
When a sophisticated attacker compromises a machine, a computer, a server, their next step is to quickly hide what they have done through something called a rootkit.
“A rootkit obfuscates their presence and essentially Trojans the processes that a computer has,” explained Dickson. “It hides so well that a system administrator, even one familiar with the inner workings of the compromised computer or server, would not be able to detect that it had been compromised.”
For example, a rootkit installs a Trojaned version of the utility used to list files. A user can see every file except those the attacker has marked off limits; in essence, the rootkit hides them. A system administrator has no way of knowing that the operating system’s copy of that utility has been Trojaned, because the tool used to check is the very tool that was replaced.
“If you don’t know anything has been compromised you can’t put up any defenses,” explained Dickson.
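The defensive counterpart to the rootkit Dickson describes is to stop trusting the host’s own tools and compare the machine against a record made while it was known-good. The following is an added example, not code from the article or from Denim Group: it hashes every file under a directory tree to build a baseline manifest (which in practice would be stored off-host and checked from trusted media), then reports files that were modified, removed, or newly added. The directory layout, file contents, and file names are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity baseline (not from the article).

Builds a throwaway directory tree, records SHA-256 hashes of every file,
simulates tampering, and reports what changed. Hashing from trusted media
against an off-host manifest is one way to detect a Trojaned binary that the
host's own utilities would never reveal.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against a stored baseline.

    Returns three sorted lists: 'modified' (hash differs), 'missing' (in the
    baseline but gone now) and 'added' (present now, absent from the baseline).
    New files matter as much as changed ones: rootkits drop files as often as
    they patch existing ones.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_manifest(root)  # in practice stored off the host

        # Simulated tampering: one utility replaced, one removed, one new file.
        (root / "bin" / "ls").write_bytes(b"TAMPERED\n")
        (root / "bin" / "ps").unlink()
        (root / "lib").mkdir()
        (root / "lib" / "unknown.so").write_bytes(b"\x7fELF")

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only as trustworthy as the machine that produced it and the storage it lives on; the check is meaningful when the hashing runs from media the compromised host cannot alter.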
Once a breach has been discovered, organizations do what’s called incident response. During that process, they will discover how much damage has occurred.
“An organization never wants to have to start over. But in certain instances it is the only thing to do because in addition to putting rootkits on these servers, attackers will try to do things like install malicious software in backup servers or drives,” said Dickson. “What that means is if an organization tries to back up data with an old server, then you reinstall whatever Trojans exist in the first place.”
In addition to hiding their presence on the computer, skilled attackers quickly try to breach other computers or servers up the food chain, until they come across a critical target like a mail server or Active Directory. “Once an attack is propagated across the network, that’s when you get into the doomsday scenario,” explained Dickson.
While no approach is perfect, there are a few things agencies can do to help avoid the doomsday scenario.
“The old cliché adage of people, processes, and technologies is accurate. Security is one area that you can’t just buy your way out of the problem. The starting point for any response or any defense is really talented people,” stressed Dickson. “Logging or keeping track of what is on your network is really mundane and viewed as not a very sexy part of what we do, but it’s the starting point for awareness and understanding of your environment and your network.”
Defining the baseline level of activity on your networks is the first step toward knowing when something has gone wrong. The process is called anomaly detection. With anomaly detection you can say here’s what a normal day looks like. Here’s how many users try to log in. If 20 percent of users have a hard time logging in, that is normal. Then when the percentage jumps to 120 percent, I know something’s going wrong. “That’s why monitoring and understanding the network is so critically important. In order to interpret those logs, you have to have people that know what is different than the norm,” said Dickson.
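To make the baseline idea concrete, here is an added example (not from the article): it parses constructed login log lines, computes each day’s failed-login rate relative to the number of users seen that day, learns a baseline from the first week, and flags any later day whose rate exceeds the baseline mean by more than a chosen number of standard deviations. The log format, the user names, and the daily counts (about 20 percent failures for seven days, then a spike to 120 percent) are all constructed to mirror the figures quoted above; the threshold multiplier is an assumption a real deployment would tune.

```python
"""Added example: failed-login baseline and anomaly flagging (not from the article).

Input is a list of constructed log lines in the form
    YYYY-MM-DD HH:MM:SS LOGIN user=<name> result=OK|FAIL
Output is the list of days whose failure rate sits outside the learned norm.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ LOGIN user=(\S+) result=(OK|FAIL)$")


def make_sample_log() -> list[str]:
    """Constructed data, not real logs: 100 users, 7 normal days, then a spike."""
    users = [f"user{i:03d}" for i in range(100)]
    days = [f"2015-03-{d:02d}" for d in range(1, 9)]
    fail_counts = [18, 22, 20, 19, 21, 20, 20, 120]  # ~20% normal, 120% on day 8
    lines: list[str] = []
    for day, fails in zip(days, fail_counts):
        for i, u in enumerate(users):  # every user logs in successfully once
            lines.append(f"{day} 08:{i % 60:02d}:00 LOGIN user={u} result=OK")
        for j in range(fails):  # failures wrap around users on the spike day
            lines.append(f"{day} 09:{j % 60:02d}:00 LOGIN user={users[j % 100]} result=FAIL")
    lines.append("garbage line that should be ignored, not crash the parser")
    return lines


def daily_failure_rate(lines: list[str]) -> dict[str, float]:
    """Failures per distinct user seen that day, as a percentage, keyed by day."""
    per_day: dict[str, dict] = defaultdict(lambda: {"users": set(), "fail": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        day, user, result = m.groups()
        per_day[day]["users"].add(user)
        if result == "FAIL":
            per_day[day]["fail"] += 1
    return {
        day: 100.0 * d["fail"] / len(d["users"])
        for day, d in sorted(per_day.items())
        if d["users"]
    }


def detect_anomalies(rates: dict[str, float], baseline_days: int = 7, k: float = 3.0
                     ) -> list[tuple[str, float, float]]:
    """Learn mean/stdev from the first baseline_days, flag later days above mean + k*stdev.

    A floor of 1 percentage point on the stdev keeps a perfectly flat baseline
    from turning every tiny wobble into an alert. Returns (day, rate, threshold).
    """
    days = sorted(rates)
    if len(days) <= baseline_days:
        return []
    train = [rates[d] for d in days[:baseline_days]]
    mean = statistics.mean(train)
    spread = max(statistics.stdev(train) if len(train) > 1 else 0.0, 1.0)
    threshold = mean + k * spread
    return [(d, rates[d], threshold) for d in days[baseline_days:] if rates[d] > threshold]


if __name__ == "__main__":
    rates = daily_failure_rate(make_sample_log())
    for day, rate in rates.items():
        print(f"{day}: {rate:6.1f}% failed logins")
    for day, rate, thr in detect_anomalies(rates):
        print(f"ANOMALY {day}: {rate:.1f}% exceeds threshold {thr:.1f}%")
```

The model here is deliberately simple (a per-day mean and standard deviation); the point it demonstrates is the one Dickson makes, namely that an alert on day eight is only possible because days one through seven were logged and measured first. Real deployments would baseline per user, per source, and per hour of day, but they rest on the same record-then-compare loop.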
According to CNN, last year the State Department shut down its email system over a weekend to try to improve security and block intruders. The FBI has also been investigating the hacking activity and warning other agencies and the public to be on the lookout for Russian cyberattacks.
Nice post, Emily, with tons of good info. Cybersecurity is a major threat that everyone needs to take very seriously — from agency heads to rank-and-file feds. That’s why I recommended strengthening it as the #1 public sector priority for 2015.
https://www.govloop.com/community/blog/5-public-sector-priorities-new-year-1-strengthen-cybersecurity/
Thank you to GovLoop for keeping this critically important topic front and center!