Why precision attacks succeed, and what agencies need to know

The recently revealed data breach at the Office of Personnel Management affected millions of current and former federal employees, but precision cyber strikes remain a growing concern as well. Recent cyberattacks against the State Department and the White House, for example, were targeted attacks against high-powered users in government.

According to information from security researchers Kurt Baumgartner and Costin Raiu, the perpetrators -- a Russian hacking group known as CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") -- targeted their victims carefully. The attack came via a phishing email that directed recipients to a legitimate, but hacked website to download a malware-laden file. One example was “Office Monkeys LOL Video.zip,” which contained a flash file that played a funny video while running an “additional [malicious] executable on their system.”

This executable would then identify the anti-virus software on the device to elude detection, and subsequently give the attacker ownership of the system. Given the shareable nature of the malware-laced video, it (along with the malware) was passed around through the unclassified network by the original targets to their colleagues and coworkers.

Once on the target system, the attacker was able to access systems and shared resources on the unclassified network. The objective, in this case and most others, was for the malware to remain quietly resident inside the unclassified network, collecting as much data as possible for as long as possible. To do this, the malware leveraged the credentials associated with the trusted user.

This hack succeeded because of failures on several levels:

1. User security education failed on two levels: with the first person to download the Zip file, and then with those who opened it after it was sent to them by the trusted user.
2. There was likely no cyber threat intelligence about the compromised site, at least none that could have been obtained fast enough to then be used to block access to the infected site that hosted the malicious code.
3. The file was either not interrogated by any network or host-based solution to discover its malicious payload, or it simply wasn’t seen as malicious. As mentioned above, the video went undetected by host-based anti-virus.
4. Once the attacker had gotten a foothold inside the agency systems, there was no way to see the behavioral divergence between actions employees would normally perform as part of their job and the activities the attackers took in furtherance of their goals.

People will always be tricked into clicking on things they shouldn’t. Given that more than 80,000 new variants of computer viruses are created each day, we can’t expect more than about a 40 percent success rate from anti-virus software. And finally, businesses and governmental agencies have no strategy or technology solution in place to find attackers that somehow get past all initial point of compromise-detection solutions. 

Yet user behavior analytics systems, a new category of security technology that watches for subtle changes in credential use behaviors and access characteristics, may provide an answer. In fact, this type of product is starting a conversation inside of security teams across the globe. If there is no longer a foolproof system to keep attackers out, then cybersecurity teams and the security expenditures they make should be focused less on prevention and more on detection and incident containment.

To some that have been in the cybersecurity profession since the late 1990s, this may seem odd or even blasphemous -- for years, vendor messaging was all about preventing attacks with perimeter defenses. But attackers have changed their techniques, the attack surface has greatly expanded and cybersecurity professionals’ attitudes are now changing.

User behavior analytics systems combine machine learning and behavior modeling to understand and fingerprint the characteristics of normal access behaviors for an IT systems user. What’s normal or not is also seen in the context who the user is, what their role in an agency is, what the user has done historically and what the user does in relation to their peers in a given department. This way what’s anomalous can stand out and be scored.

All the user credential actions, normal and anomalous, are presented on a timeline. Once a score reaches a given threshold, the user is contacted and asked a series of questions similar to what you’d hear if you were on the phone with the credit card fraud department: “Was that you using the VPN, accessing these systems you’ve never accessed before, switching identities, and downloading documents?”

Monitoring credential behaviors and access characteristics represents a new and necessary last line of defense against attackers that have obtained valid stolen credentials.