
Why it is Taking the State Department So Long to Root Out Hackers

  • Mar 17, 2015
  • Mark Seward
  • 3 minutes to read

    Danny Yadron’s article discussing the amount of time it is taking to get attackers out of the unclassified network at the U.S. State Department is a reminder to all of us of how hard this really is. We’ve heard the story before: an employee clicked on a phishing email, malware was downloaded, and it then used the credentials and privileges of the initial user to start moving inside the network in search of additional privileged access. I have no reason to doubt that the same pervasive security detection solutions and processes are in place at the State Department as at any other large public or private organization that has been hacked. The amount of time this is taking hints that their automated detection systems haven’t given them an easy path to follow to know which credential sets were compromised, which systems were touched, and the specifics of the information that was viewed and potentially stolen.

    Working backward

    That said, the forensic work of piecing together data from a wide variety of sources and drawing some kind of conclusion is most likely a painstakingly manual process. The analyst works backward from the time the event was discovered, pulling together pieces of information linked by time, an IP address or some other artifact. When the attacker switches to another identity to escalate privileges, the trail often goes cold and the investigation has to be restarted from that point. Even the best log indexing solutions force you to find your own linkages across multiple data types and over months of data. One wrong assumption means a wrong root cause analysis. Finally, taking down portions of the State Department network isn’t really an option, so they have the additional ‘fun’ of conducting the investigation while the car keeps moving down the road at full speed. As has been reported by several sources, it’s believed that Russia is behind the attack.

    There’s a quiet cyber war going on between the US and Russia, North Korea, Iran and Syria, among other countries. We have experts who can get into IT systems in those countries, but our own defenses rely on the same detection methodologies and processes that were popular in the late 90s and early 2000s. These policies drive technology purchases and processes that perpetuate traditional approaches to the problem. Granted, some of these traditional solutions (think firewalls, intrusion detection systems and host-based malware detection) have been improved with additional features and functionality, but their core functions really haven’t changed. It’s no secret that attackers have become much more innovative in how they get access to data. For some reason, security teams still refuse to believe that the combination of user security education programs and the technologies currently in place isn’t enough.

    The missing strategy

    Successfully detecting today’s (and tomorrow’s) attackers requires what is often seen as the “missing strategy.” The strategy uses detection that starts after the initial compromise, to locate attackers already inside who are using remote-controlled malware or stolen credentials to log directly into systems. This is the middle portion of the traditional attack or kill chain. User behavior intelligence, or user behavior analytics, solutions offer a new approach and a new way of thinking about the problem. Today, agencies (including the U.S. State Department) are inundated with approximately 100,000 alerts per day from security point solutions, operating system data and vulnerability data. These alerts are pushed into a security information and event management (SIEM) system, shaken up like a snow globe, and run through static rules to weed out false positives and reduce the number of suspicious events. This may get the agency down to 10,000 critical events per day that still need investigation. Next, humans have to take all those critical events and reclassify them before the next day’s set comes in, a nearly impossible, error-prone task. A user behavior intelligence solution:

    • Monitors system and application access behaviors and characteristics, watching for behavioral outliers for a user’s credential and outliers against the behavior of their peers;
    • Maintains state on the user identity and sees through identity switches;
    • Creates an additive risk score from individual behaviors and access characteristics;
    • Presents a timeline of activities for a user’s session from log on to log off; and
    • Attributes security point solution alerts to sessions with suspicious credential behaviors.
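    As an added example, not code from the original post or from Exabeam, the Python below sketches the session-centric approach the list above describes and the identity-switch problem from the “Working backward” section. Constructed logon, access, identity-switch, alert and logoff events are stitched into per-host sessions from log on to log off; after a switch, later accesses are still judged against the original logon identity’s baseline rather than the new account’s, so the trail does not go cold; each outlier adds points to the session’s risk score; and a point-solution alert on a host is attributed to whichever session is active there. The event format, the baselines, the peer groups and the weights are all assumptions.

```python
"""Session-centric user behaviour scoring over constructed events.

Hypothetical example. Events, baselines, peer groups and risk weights
are made up; a real system learns baselines from months of history and
keys sessions on a logon ID or source address rather than just a host.
"""
from dataclasses import dataclass, field
from typing import Optional

# --- Constructed baselines (hypothetical, would be learned from history) ---
USER_HOSTS = {                      # hosts each user normally touches
    "jdoe":   {"ws-17", "mail01", "fin-share"},
    "asmith": {"ws-22", "mail01", "hr-db"},
}
PEER_GROUP = {"jdoe": "finance", "asmith": "hr"}
PEER_HOSTS = {                      # hosts each peer group normally touches
    "finance": {"ws-17", "mail01", "fin-share"},
    "hr":      {"ws-22", "mail01", "hr-db"},
}

# Additive risk weights (hypothetical)
W_NEW_FOR_USER = 10                 # target outside the user's own baseline
W_NEW_FOR_PEERS = 15                # ...and outside the peer group's baseline too
W_IDENTITY_SWITCH = 20              # runas / sudo / su to another account
W_ALERT = 30                        # a point-solution alert landed in the session

# --- Constructed sample events (not real logs); t is minutes from start ---
EVENTS = [
    {"t": 0,  "kind": "logon",  "user": "asmith", "host": "ws-22"},
    {"t": 3,  "kind": "access", "user": "asmith", "host": "ws-22", "target": "hr-db"},
    {"t": 5,  "kind": "logon",  "user": "jdoe",   "host": "ws-17"},
    {"t": 12, "kind": "access", "user": "jdoe",   "host": "ws-17", "target": "hr-db"},
    {"t": 20, "kind": "switch", "user": "jdoe",   "host": "ws-17", "new_user": "svc_backup"},
    {"t": 25, "kind": "access", "user": "svc_backup", "host": "ws-17", "target": "dc01"},
    {"t": 30, "kind": "alert",  "host": "ws-17", "name": "AV: suspicious binary dropped"},
    {"t": 40, "kind": "logoff", "user": "svc_backup", "host": "ws-17"},
    {"t": 45, "kind": "logoff", "user": "asmith", "host": "ws-22"},
]


@dataclass
class Session:
    host: str
    start: int
    origin_user: str                # who logged on: the identity we keep scoring against
    current_user: str               # identity after any switches
    end: Optional[int] = None
    score: int = 0
    timeline: list = field(default_factory=list)

    def note(self, t, text, points=0):
        """Append a timeline entry and add its points to the session score."""
        self.score += points
        self.timeline.append(f"t={t:>3} {text}" + (f" (+{points})" if points else ""))


def score_target(user, target):
    """Points for one access, judged against the user's own and peer baselines."""
    if target in USER_HOSTS.get(user, set()):
        return 0, "normal for user"
    pts, why = W_NEW_FOR_USER, "new host for user"
    if target not in PEER_HOSTS.get(PEER_GROUP.get(user), set()):
        pts += W_NEW_FOR_PEERS
        why += " and for peers"
    return pts, why


def build_sessions(events):
    """Stitch events into per-host sessions, following identity switches.

    Returns the sessions sorted by descending risk score.
    """
    active = {}                     # host -> open Session
    done = []
    for e in sorted(events, key=lambda e: e["t"]):
        host, t, kind = e["host"], e["t"], e["kind"]
        if kind == "logon":
            active[host] = Session(host, t, e["user"], e["user"])
            active[host].note(t, f"logon {e['user']}")
            continue
        s = active.get(host)
        if s is None:               # activity with no logon in view; a real system would keep it as an orphan
            continue
        if kind == "switch":
            s.current_user = e["new_user"]
            s.note(t, f"identity switch {e['user']} -> {e['new_user']}", W_IDENTITY_SWITCH)
        elif kind == "access":
            # Score against the ORIGINAL logon identity, not the switched one:
            # this is what keeps the trail from going cold at the switch.
            pts, why = score_target(s.origin_user, e["target"])
            s.note(t, f"{e['user']} accessed {e['target']}: {why}", pts)
        elif kind == "alert":
            s.note(t, f"alert attributed to session: {e['name']}", W_ALERT)
        elif kind == "logoff":
            s.end = t
            s.note(t, f"logoff {e['user']}")
            done.append(active.pop(host))
    done.extend(active.values())    # sessions still open at the end of the data
    return sorted(done, key=lambda s: -s.score)


if __name__ == "__main__":
    for s in build_sessions(EVENTS):
        print(f"{s.host}: {s.origin_user} (now {s.current_user}), score {s.score}")
        for line in s.timeline:
            print("   ", line)
```

    Run as-is, the jdoe session on ws-17 comes out on top: the hr-db access is an outlier for both jdoe and the finance peer group, the switch to svc_backup adds points instead of breaking the chain, the dc01 access is scored against jdoe (for svc_backup alone it would look routine), and the antivirus alert lands in the same session rather than in a separate queue. asmith’s session on ws-22 scores zero because hr-db is in that user’s baseline.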

    The identity-based approach

    This identity-based approach leverages data already in a SIEM or log management repository, exposes attackers where their behavior diverges from that of a normal user, and provides a time-based visualization of the user’s anomalous activities. These are all tasks likely being performed manually this very minute at the US State Department.
