By Salvatore Stolfo on Aug 6, 2018 10:02:48 AM
Everything old is new again, and Russia’s involvement in the U.S.’s electoral process has put the old attack vector of spear-phishing back in the limelight. Spear-phishing is back with a vengeance for one simple reason: it works. And once a hacker gains access to the user credentials they’ve been targeting, the security team charged with protecting that information has little to no visibility into what data has been compromised, and by whom. If we are going to get serious about defending our political infrastructure, new security controls are required to detect the early stages of a successful credential theft in order to stop data loss and identify perpetrators.
It has become painfully obvious how easily political operatives and employees can fall victim to targeted attacks to steal credentials. Just recently, Microsoft confirmed that they had identified and foiled spear-phishing campaigns targeting the campaign workers for three elected officials. Two of them have been identified as sitting U.S. Senators. One of the Senators, Claire McCaskill, issued a statement confirming the attack but said it was “unsuccessful.” But the question is, how can she be 100 percent sure? Unless her campaign workers can state with 100 percent certainty that they never clicked on a link that led them to a highly convincing but phony Microsoft website, she can’t be sure.
In January 2017, the Department of Homeland Security (DHS) announced that our electoral system qualifies as critical infrastructure, which means it falls under the oversight of DHS. The agency has since sponsored a number of training sessions and a resource handbook to inform state and local election officials of the cyber threats they must be aware of and plan for. The top priority is focused on identifying and thwarting phishing.
My sense, from years of experience and reading daily reports of successful breaches, is that no amount of training will assure 100% successful prevention of credential theft. Attackers will still succeed. Then what?
The life cycle of a phishing attack
While the media has been focused on the early stage of a phishing attack (phony websites set up to steal usernames and passwords), little has been explained about what happens after. It isn't always immediately clear that you've been "phished."
Consider the typical attacker behavior profile, once an adversary has successfully stolen credentials from the unsuspecting victim of a phishing attack:
- Casing the joint: The attacker pokes around in folder names and directory structure, looking for enticing document names.
- Search and acquire data: Once enticing file names are discovered, the equivalent of "tossing the place" for valuables.
- Exfiltration: Documents are downloaded and packaged to bypass any data loss prevention (DLP) deployment, before the victim is even aware of the breach.
- Fencing the goods: Stolen data is shopped around and validated by a buyer before a transaction is completed.
Unfortunately, solutions such as information rights management (IRM), DLP or encryption-based methods are powerless to break this cycle because they rely on the very identity-based credentials that phishing attacks compromise: to such a system, an attacker presenting a stolen credential is indistinguishable from the user it belongs to. In the case of political campaign workers, most don't have the luxury of deploying expensive, large-scale preventative measures; deployment alone could take longer than an entire campaign. Once a credential is stolen, the attacker can carry out his or her masquerade with unfettered access to every document the credential is authorized to access.
There are ways of breaking this attack life cycle before exfiltration occurs, or soon thereafter. It is possible to identify unusual behavior by credentialed users: unusual search patterns, opening documents they have never used before, or opening them from unusual locations. Essentially, a tripwire for bad actors.
These tripwires, or Allure Decoy Documents, provide real-time alerts when a document is opened. Such technology embedded among highly sensitive documents, deployed in an intelligent fashion to avoid interference with normal operations, fills in the security gaps left by the inevitable failures of purely prevention-based security technologies or DLP systems. It’s the equivalent of putting an alarm directly on the targeted goods.
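The detection described in the two paragraphs above, as an added example rather than code from the original post or from Allure's product: a small Python detector run over a constructed file-server access log. It combines the tripwire (an alert the moment a planted decoy document is opened, which needs no baseline at all) with the behavioral checks the post lists (first-time access to a document, a burst of such accesses, and access from a location outside the user's history). The log format, the decoy path, the trusted office network, the baseline cutoff date and the burst threshold are all assumed values for the example.

```python
"""Tripwire-style detection over a file-server access log.

Added example (not Allure's product code and not from the original post).
It implements the checks the post describes: an alert whenever a decoy
document is opened, plus behavioral rules for a credentialed user who
opens documents they have never touched before, does so in a burst
("tossing the place"), or comes from a location outside their baseline.
All paths, addresses, dates and thresholds below are constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit log: "<ISO timestamp> <user> <source IP> <action> <path>".
# The first four lines are the user's normal week; the last five are an
# intruder using the same stolen credential from outside the office at 3 a.m.
SAMPLE_LOG = """\
2018-08-01T09:02:11 jdoe 10.1.4.22 open /campaign/schedule/week31.xlsx
2018-08-01T09:15:40 jdoe 10.1.4.22 open /campaign/press/draft-statement.docx
2018-08-02T10:01:03 jdoe 10.1.4.22 open /campaign/schedule/week32.xlsx
2018-08-03T08:45:19 jdoe 10.1.4.22 open /campaign/press/draft-statement.docx
2018-08-06T03:12:05 jdoe 198.51.100.7 list /campaign/finance/
2018-08-06T03:12:40 jdoe 198.51.100.7 open /campaign/finance/donor-list-2018.xlsx
2018-08-06T03:13:02 jdoe 198.51.100.7 open /campaign/finance/Q2-bank-statements.pdf
2018-08-06T03:13:30 jdoe 198.51.100.7 open /campaign/finance/PASSWORDS-vault-export.xlsx
2018-08-06T03:14:10 jdoe 198.51.100.7 open /campaign/legal/opposition-research.docx
"""

# Assumed deployment parameters.
DECOYS = {"/campaign/finance/PASSWORDS-vault-export.xlsx"}  # planted; nobody legitimately opens it
TRUSTED_NETS = [ip_network("10.1.0.0/16")]                   # campaign office LAN
BASELINE_CUTOFF = datetime(2018, 8, 5)                       # history before this is "normal"
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3                                          # first-time opens within the window

Event = namedtuple("Event", "ts user ip action path")
Alert = namedtuple("Alert", "kind user ts detail")


def parse_log(text):
    """Parse the whitespace-separated log format above into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, path = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, ip_address(ip), action, path))
    return events


def build_baseline(events, cutoff):
    """Per user: documents opened and source addresses seen before the cutoff."""
    docs, ips = defaultdict(set), defaultdict(set)
    for e in events:
        if e.ts < cutoff and e.action == "open":
            docs[e.user].add(e.path)
            ips[e.user].add(e.ip)
    return docs, ips


def detect(events, decoys=DECOYS, cutoff=BASELINE_CUTOFF):
    """Run the tripwire and behavioral rules over events after the cutoff."""
    known_docs, known_ips = build_baseline(events, cutoff)
    alerts = []
    flagged_ips = defaultdict(set)   # user -> source IPs already alerted on
    new_opens = defaultdict(list)    # user -> timestamps of first-time opens
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts < cutoff:
            continue
        # Rule 1: a source neither in the user's history nor on a trusted network.
        trusted = any(e.ip in net for net in TRUSTED_NETS)
        if e.ip not in known_ips[e.user] and not trusted and e.ip not in flagged_ips[e.user]:
            flagged_ips[e.user].add(e.ip)
            alerts.append(Alert("UNUSUAL_LOCATION", e.user, e.ts, str(e.ip)))
        if e.action != "open":
            continue
        # Rule 2 (the tripwire): a decoy was opened. No baseline needed; fire immediately.
        if e.path in decoys:
            alerts.append(Alert("DECOY_OPENED", e.user, e.ts, e.path))
            continue
        # Rule 3: a real document this user has never opened before.
        if e.path not in known_docs[e.user]:
            alerts.append(Alert("FIRST_TIME_ACCESS", e.user, e.ts, e.path))
            new_opens[e.user].append(e.ts)
            # Rule 4: several first-time opens in quick succession ("tossing the place").
            recent = [t for t in new_opens[e.user] if e.ts - t <= BURST_WINDOW]
            if len(recent) == BURST_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(Alert("BURST_OF_NEW_DOCS", e.user, e.ts, f"{len(recent)} new docs"))
    return alerts


def alert_kinds(text=SAMPLE_LOG):
    """The sequence of alert kinds raised for a log, in time order."""
    return [a.kind for a in detect(parse_log(text))]


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.kind:<18} {a.user} {a.detail}")
```

Two things worth noticing in the output. The decoy alert is the only one that needs no history and carries no tuning risk: a document nobody legitimately opens has essentially no false positives, which is why it is the alarm on the goods themselves. The behavioral rules, by contrast, depend on a baseline (a user with no history trips "first time access" on every document) and on thresholds that have to be tuned per environment, and all of them assume the file server or document store actually logs opens. None of the checks try to detect the credential theft itself; the attacker is using a valid credential throughout, which is exactly the post's point.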
Political campaigns will continue to be high-priority targets for both foreign adversaries and domestic opponents. And users will continue to lose or give up their credentials, giving attackers full access to sensitive political documents. Detecting the attacker penetration early in the life cycle with Allure Decoy Documents is a more practical approach to foiling phishing schemes.