A senior official with the National Security Agency is betting identity theft is the goal of the Office of Personnel Management data breaches.
Curtis Dukes, director of information assurance at NSA, said he doesn’t know “precisely what the end objective was for the OPM breach,” but regardless of the reason, it’s a reminder that enemy objectives are not only shifting, but becoming more sophisticated.
“One school of thought was that it was done by nation-states to better understand U.S. government employees that maybe have certain roles in the intelligence field,” Dukes said, during a June 30 security briefing at the Cyber Security Summit in Tysons Corner, Virginia. “The other school of thought was it was simply to grab information potentially for identity theft. I actually think it’s going to turn out to be identity theft is the real reason behind that break in.”
The impact to millions of former and current federal employees as a result of recent hacks to federal systems, as well as the fallout felt across the departments, shows that “it pays to invest in strong defense,” Dukes said.
“If you look at the cost of [the Executive Office], State Department, Joint Staff, OPM, the incident response, the mitigation and the now having to re-architect those networks, we’re spending a lot of money in that area,” Dukes said. “If we’d only put a small investment up front, and actually been diligent about good, proper cyber hygiene, we wouldn’t have to worry about that bill. It actually pays in this case to invest a little bit of money in defense.”
But even that little bit of money would be spent in vain if agencies and industry aren’t smart about where they apply those defenses against an adaptable and intelligent enemy.
Dukes, echoing recent sentiments of many CIOs and CISOs, said having good cyber hygiene starts with accepting that a cyber attack is going to happen.
“If you think for a moment that you can architect a system and be 100 percent effective against some type of cyber exploit, you’re kidding yourself,” Dukes said. “You need to architect your network today to understand yes, there are things that are going to happen with it, you want to limit the damage that adversary has on your network.”
To do that, Dukes said companies and agencies need to build in mitigation throughout a system, not just on the boundaries.
“There’s a lot of talk about intrusion prevention systems. The bottom line here is I believe the battle is now being waged down at the end point, not at the boundary,” Duke said. “The boundary is OK, it has a role, but more and more the actual battle is going to be waged down at the end point.”
Dukes also advised limiting lateral movement as well as host-to-host communication.
It’s OK to limit the number of people who have administrative privileges, the director said. And one of the biggest lessons learned from the OPM breaches was that having a large number of networks in trusted relationships with a database also means multiple entrances and exits for hackers.
“We did it for all the right reasons,” Dukes said of the trusted partnerships. “But unfortunately, when the adversary got in, it became a very easy mechanism for them to be able to move laterally across that [database].”
Dukes laid out the lifecycle of an intrusion, and highlighted that initial exploitation is usually done through three means. There’s some type of phishing scam, hackers use thumb drives or route someone to a website by clicking a link.
From there, adversaries can establish a presence, install tools, begin to move through the system and then collect, edit or destroy information.
“Let’s not worry about who the actor is, this is the sequence they’re following,” Dukes said. “You really should be building up defensive capabilities.”
One way to do this is by taking advantage of software improvements and patches.
“Every time there’s a patch that a vendor pushes, you guys should be adopting that patch within a very short timeframe, getting it installed on your base,” Dukes said, adding that NSA has seen adversaries reverse engineer patches within 96 hours.
“That’s the window you’re operating against, as short as 96 hours,” he said. “If you’re stuck in these loops where you’ve got to test the patch, review the patch, and they’re months in duration, if you have a determined adversary, I think game over at that point for you.”
Dukes offered insight based on data collected in the past 24 months from NSA incident response for both national security systems and non-national security systems.
“The threat’s real, right now we’ve got to flip the equation,” Dukes said. “Right now, the cost to the adversary is not sufficient that they’re not going to continue to attack you. So we’ve got to flip that and raise the cost to the adversary, so they’ve either got to hurl a zero-day at you, or that they just move on to another target.”