Back To Top

Fool Me Once, Shame on You | Cybersecurity & Emails

It seems that Cybersecurity and emails are not going to leave the news cycle anytime soon.  Taking the politics out of this, there are some good insights to be gained.  Read on for a digest of important points from FBI/DHS report (no politics included).

Small Scale, Big Impact

With the release last week of the FBI/DHS Joint Analysis Report and the Office of the Director of National Intelligence’s Intelligence Community Assessment dossier on the investigation into the privacywidespread effort by Russia to influence the 2016 presidential election, cybersecurity firms and private organizations alike will have plenty to chew on. Both documents concluded that a nation state (Russia) was behind the attacks, but some of the most interesting information can be found in the FBI/DHS JAR, which is the more technical of the two documents, and describes the methods used to enact the attack against the Democratic National Committee (DNC) as well as a number of state election boards. That report includes sobering information about how seemingly small-scale phishing and spear-phishing attacks can have such broad impacts.

The FBI/DHS report – aptly named “GRIZZLY STEPPE – Russian Malicious Cyber Activity JAR” – describes both methods which were used as part of the overall attack. The two attack types are described below:

  • Advanced Persistent Threat (APT) 28 relied for the most part on a spear-phishing campaign aimed at a number of DNC members as well as members of other groups. The spear-phishing e-mail included a link to a legitimate-looking site with only a small change in the url address. Once there, users were encouraged to enter their credentials for that site. At the same time, a piece of malware was deployed by APT 28, which included a keylogging tool that began capturing every keystroke the user made. As the keylogging tool gathered information, it sent it to a pre-registered e-mail address where APT 28 could collect it and analyze at leisure.
  • Advanced Persistent Threat (APT) 29 also lured users through a spear-phishing e-mail campaign, but users were directed to a “malicious dropper” (a program containing malware). The malware was then downloaded to their devices that included a remote access tool that established encrypted communication with the device and siphon off sensitive information that, again, could be analyzed at leisure.

Both APTs stole credentials, compromised the same political party, and then used those credentials to access and pilfer sensitive information; however, they used slightly different methods in their attack strategies.


How strong are your controls AGAINST cybersecurity threats? Don’t wait until it’s too late to find out. Risk Advisory Services Team

Prevention

The report went on to lay out a number of mitigation strategies organizations can use to respond to, or prevent, cyberattacks, but there were three of the eight listed that really caught my attention:

  • Staff Training/Culture: Both attacks started with people receiving e-mails and unknowingly falling into the traps set for them. End users will always be any organization’s weakest link when it comes to assessing the security posture of the organization as a whole; however, organizations can continue to stress the importance of evaluating e-mails that are received for elements that may not look quite right as well as not clicking on links or downloading anything from a non-trusted sender.
  • Application Whitelisting: This can be a pain to implement because it’s a heavy lift on the front-end to track down all the software running on the network for a large organization and determining which ones are necessary. However, if the DNC had had this in place, the malicious files would most likely have been unable to run, which would have negated that specific wave of the attack.
  • Penetration Testing: Organizations should periodically run penetration tests on their own network and employees to determine where weak links are. This one can potentially cause embarrassment if employees fail the test, but it’s worth preventing an attacker from exploiting the gap in training or attention to detail in the future.

Joint Analysis Report

The report goes on to provide several more detailed strategies for protecting organizations against: SQL Injection Attacks; Phishing and Spear-phishing; Permissions, Privileges, and Access Controls Escalation; Credentials Exposure; and a Lack of Good Logging Practices. I would highly recommend it as a quick, insightful read. The report, in full, can be found here: FBI/DHS GRIZZLY STEPPE JAR.


Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.