You can add the Democratic National Committee (DNC) to the ever-increasing list of organizations that have been breached. According to a report published earlier this week by The Washington Post, the political organization’s information regarding likely Republican presidential nominee Donald Trump was stolen in a security compromise that persisted for nearly a year.
Investigators are attributing the data breach to two different groups, both apparently backed by Russia. The DNC was first hacked last summer by The Dukes (called Cozy Bear by the investigators), a group of hackers who’s connection with Russian political interests was exposed in a whitepaper last autumn.
This initial compromise was followed by a second breach (attributed to a different group of Russian-backed attackers) that was discovered in late April. Between the two breaches, attackers were able to access all of the DNC’s information about Trump, as well as monitor all of their email and chat traffic.
The breach was fixed and cleaned last weekend, and chalked up as a case of cyber espionage. And while the high profile targets are making most of the headlines, F-Secure Cyber Security Advisor Erka Koivunen says the untold story about how the DNC figured out who was behind the attacks is something that other organizations involved in the upcoming election (as well as companies with valuable information) shouldn’t miss.
“The forensic tools they apparently used after the fact is what gave them the drop on their attackers,” explains Koivunen. “Organizations like the DNC are high-profile targets at the moment so they should have been monitoring their network carefully, and the RNC and others involved in the upcoming US election should take note and make sure they have the ability to detect attacks as they unfold. Relying entirely on forensic work has limitations, but it’s better than nothing and in this case the investigators were able to get evidence to help determine what happened and how the breach occurred, which lead to educated guesses about who was responsible.”
It might seem surprising to hear a positive spin put on this incident given that the compromise lasted for nearly a year. But studies say lengthy delays in detecting data breaches are par for the course, so the DNC is certainly not alone in struggling to catch attacks.
According to a study published this week by the Ponemon Institute, the average amount of time it takes for companies to detect a data breach is 201 days. The study also highlights that these delays escalate the costs of a breach. Incidents taking more than 100 days to detect cost (on average) over one million dollars more than those detected in less than 100 days.
So far, there’s no messy public data dump that highlighted the impact of the breach (there are reports of another hacker leaking some of the DNC’s information, although those remain unverified), which companies might think makes it seem less damaging than other security incidents that make headlines. But with the DNC’s compromise taking well over the average amount of time to detect, the need for more than “after the fact” security measures is apparent. Comprehensive internal network monitoring that collects evidence from the network and endpoints to generate threat intelligence is what’s needed to definitively counter these kinds of threats.
“Forensics are playing an important role in this case, but really what’s needed by the DNC and frankly many companies and organizations is a continuous monitoring scheme designed to catch intrusions, as well as attempts to penetrate controls and establish a persistent presence within a network,” says Erka. “The kinds of attackers targeting organizations like the Fortune 500 or DNC will try to establish persistence in a network while flying under the radar, as well as cover their tracks, misdirect investigators, and even discredit evidence that can be used against them. The value of monitoring attacks as they happen to combat these tactics cannot be overstated, and while forensics aren’t bad, they don’t replace the benefits of being ready and waiting for these threats.”
“Rob Joyce, head of NSA’s TAO, said that the worst situation for an attacker, at least an espionage organization, is to operate in an environment where they don’t realize that they’ve been silently spotted and monitored. This is good advice, and I would strongly recommend many organizations consider it in relation to their own cyber security,” concludes Erka.
You can check out Joyce’s presentation here.