As certain as tomorrow's sunrise," the FBI will find whoever's responsible.
February 11, 2016 — Leo Taddeo, currently CSO of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI's New York Office, shared his perspective on the recent apparent compromise of data from FBI networks.
In a preliminary email exchange, he offered these thoughts on how he expects the FBI and the Department of Justice to respond to the recent incident involving the hackers calling themselves the "DotGovs."
"There are very few options for the FBI/DoJ. Recalling the information is not possible. The FBI may request that sites hosting the information take it down, but it would be very unlikely the FBI could obtain authority to compel a site to remove the list. Most likely, the FBI will warn employees of the loss of data and monitor for any anomalous activity that can be attributed to the loss. While the risks from this type of loss will never dissipate completely, over time, the information will become less sensitive due to employee rotations and turnover.
"What is as certain as tomorrow's sunrise is the fact that the FBI will put significant resources into finding whoever is responsible. Many criminals try to gain notoriety by embarrassing the FBI. Sooner or later, most of them wind up in a federal penitentiary. While the FBI can't catch all hackers, it can identify and arrest almost any hacker when it decides it's important enough. The hackers in this case just made a huge mistake in their risk/reward calculation.
"Organizations are forced to balance information security against user access requirements. The success of what appears to be a social engineering attack does not mean DHS and the FBI need to rethink their approach to securing unclassified data. Two-factor authentication failed, but the information lost was important, but not critical. Both agencies may, however, need to figure out what happened and fix whatever went wrong. In the end, it's likely both agencies will find they need to reexamine employee awareness, training, and help desk procedures."
The CyberWire was able to follow up with Mr. Taddeo on February 11, 2016. Here's what he had to say.
The CyberWire: Tell us—does the apparent doxing of the FBI and DHS seem real? Did the information the hackers published seem genuine?
Taddeo: I haven't seen the full load, but from the reports it seems they released names, addresses, and titles. It's the sort of information you'd be likely to find in someone's email contact list. I can't tell, of course, whether it's real, but it does look like that sort of list.
The CyberWire: So, if both the FBI and the Department of Homeland Security had information on the list, was the hack accomplished by a single intrusion?
Taddeo: It could have been a single intrusion, depending upon the contents that were obtained. If you were looking at contacts from a mid-level or senior-level person in either agency, you'd be likely to see contacts from both organizations.
The CyberWire: We read that the hackers, who apparently are now calling themselves "the DotGovs," bypassed two-factor authentication by calling a help desk and getting a second form of authentication. Is that consistent with what you know?
Taddeo: It's certainly what I've read in the reports. We know what the hackers have claimed. It's important to note, however, that they didn't actually bypass two-factor authentication in any technical sense. Rather, they socially engineered one or two of the factors necessary for access. So their success didn't represent a technical failure.
The CyberWire: Was there any sort of compromised credential that enabled the hackers to socially engineer the help desk? Presumably they'd at least have needed a name. Is there a policy gap, or was this a failure to follow policy?
Taddeo: Let's step back. We don't know how they got the first credential. They could have used a keylogger, they might have used social engineering, or they might have even done some shoulder-surfing, but it's not within any help desk's policy to give out tokens without further authentication, or without the person physically presenting himself or herself. There are all sorts of controls and policies in place to prevent that from happening. So it's conceivable, but it's important to note that this shouldn't have happened in the first place.
The CyberWire: What should the help desk personnel have been alert to, in this case?
Taddeo: IT help personnel should always be on their guard. It's unpleasant to think this way, but they should treat every caller as a potential adversary. The fact of the matter is, that an IT help desk has access to password resets and all sorts of other sensitive capabilities. Given that, it's necessary that they treat every caller as a potential threat.
The adversary studies us. They look for weak points in our systems. They try different techniques and approaches with different people. So the first step in defending yourself is to know your procedures, and to follow your procedures. Because in this case, if they'd followed their procedures, they wouldn't have given up the token they reportedly did.
It's worth noting that an adversary could conceivably have mined enough data online, and from social media, to have cobbled together enough information to defeat security questions.
The CyberWire: Like, "what's the name of your junior high school," that sort of thing?
Taddeo: Actually, the Government doesn't use the standard sorts of security questions your bank might have. Their questions are much more involved and harder to defeat, but it's conceivable they could have been defeated. Still, subversion of IT protocols is more likely.
The CyberWire: How sensitive were the data? It sounds as if a staff directory or an address book was compromised. If that's the case, should agencies affected by the breach go on higher alert for further attacks?
Taddeo: No, there's really no need for additional controls, not at this point. You've got to balance access controls against the sensitivity of the information being protected, and it seems to me that two-factor authentication is appropriate for this sort of information.
Instead, what's needed is training, employee awareness, a reminder to stick to the procedures.
There are technologies out there that can enhance two-factor authentication. In particular, digital identification of and around endpoints can be useful. That makes it easier to defend against bad user behavior, too, whether that behavior is deliberate or unintentional. So we might call this two-factor-plus.
But in this case, I think training and heightened employee awareness are in order, not an overhaul of the system.
The CyberWire: What can you tell us about the hackers? The DotGovs seem reminiscent of the CrackazWithAttitude who doxed senior members of the Intelligence Community last year, at least insofar as they seem to be talking to Motherboard.
Taddeo: Well, we know what their claimed motive is. But sometimes hackers will claim to be aligned with some political cause, whether they're really aligned or not. In this case, we don't know whether they're really aligned with the cause of Palestine.
And we've certainly seen denial-of-service attacks and hacktivism as cover for financially motivated network intrusions.
In this case, it's impossible to know their motives with any certainty, at least until they been arrested and charged, and then we could ask them.
So we only know what they've said, but we've seen examples of obfuscating your real goals by claiming some political motive.
The CyberWire: Any examples of that kind of misdirection you'd care to point out?
Taddeo: Sure—the Sony PlayStation hack in April 2011 is a good example, when a lot of credit card information was taken. There were posts saying that Anonymous had committed the hack, but eventually credible representatives of Anonymous came out and denied, credibly, that they had anything to do with it. So criminal hackers may well have been using the Anonymous brand to cover simple crime, stealing easily monetized credit card information.
The CyberWire: So what can an enterprise do to protect itself against this sort of attack?
Taddeo: I would recommend continuing two-factor authentication. And I would recommend supplementing that by checking additional attributes on endpoints. I'd recommend checking things like geolocation, time and date, a machine's patch status, whether an endpoint has anti-virus software running, and so on. You can check multiple attributes to achieve a higher level of confidence that the user is who they say they are. So to move beyond two-factor authentication, the bottom line is you should check other attributes.
The CyberWire: Finally, tell us something about your company, Cryptzone.
Taddeo: At Cryptzone we have a secure enterprise gateway that creates a digital identity around endpoints, and that checks other user attributes. Our product is AppGate, and basically it does these things: First, it creates a digital identity. Second, it checks that identity against dynamic policies that form a risk profile. Third, it creates an encrypted tunnel, and fourth, it establishes a one-to-one connection that prevents an attacker from executing lateral movement. This, with its auditing and logging capabilities, effectively helps prevent reconnaissance, lateral movement, and escalation of privileges.
The CyberWire: And how are you enjoying the private sector after a career with the Bureau?
Taddeo: Well, of course you miss the Bureau and many friends you make over a twenty-two year career. But when I did leave for the private sector, I wanted to continue to make a contribution to the security of networks. I think Cryptzone is a great company with caring leadership and a great suite of products that are effective and efficient. I feel good about our mission—I think we change the equation: we transfer cost from the defender to the attacker.
The CyberWire: Is there anything else you'd like to tell our readers?
Taddeo: I think I'd like to emphasize that perimeter defenses aren't giving us a good return on investment. We have to be able to harden the interior. You've got to assume the adversary will get valid credentials, and that they'll get in. And that's where the fight is—in the interior.
The CyberWire: Thank you, Mr. Taddeo.