More than 20 million sensitive documents were extracted from the IT infrastructure of the Office of Personnel Management (OPM). The breach that enabled the extraction wasn’t discovered until more than six months later, when the first indicators of malware surfaced and triggered an incident response. That’s according to a recent webinar conducted by the Cylance team titled “Dissecting the OPM Breach” (recording available with registration). The webinar walks viewers through a case study of the incident and the lessons learned.
OPM is essentially the “central human resources department” for the federal government and keeps records on millions of employees and contractors. Cylance, which is the first company to incorporate machine learning into advanced cyberthreat detection and prevention, played an instrumental role in discovering and remediating this high-profile cybersecurity incident.
It took Cylance 10 days (the time-to-contain) to triage approximately 2,000 pieces of malware. By then, however, significant damage had already been done.
Personnel records, fingerprints and security clearance application documentation, known as Standard Form 86 (SF-86), were all taken from OPM systems between July 2014 and early 2015. The presenters noted that the evidence to date suggests the breach was likely carried out by a nation-state for intelligence collection.
Clearance records contained background information on federal employees and military personnel, including any foreign contacts and any overseas travel they had undertaken. This is information that can be mined, analyzed and correlated for intelligence purposes. To place the sensitivity of these documents into context, the Cylance team cited commentary from FBI Director James Comey at the time:
“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
The OPM breach highlights how the cyberthreat environment has evolved, according to Thomas Pace, a Cylance incident response consultant and the primary webinar presenter. We’ve gone from broad-brush attacks using malware like worms without a specific target to highly sophisticated attacks that seek specialized information and use advanced persistent threats.
The tools for launching attacks have become easier to use and their execution more methodical. Mr. Pace said a hacker could configure a modern hacking tool and launch an attack within an hour. Likewise, the community has largely begun to describe cyberattacks in stages akin to a military operation: reconnaissance, infiltration, actions on the objective and exfiltration.
One of the most unsettling aspects of modern cybersecurity threats is that the originating malware can disguise itself and live inside an IT environment for months without being discovered, a period known as dwell time. The attackers simply wait for the right opportunity to execute. As a result, IT organizations don’t know what they don’t know. To build on a famous phrase from a former U.S. Secretary of Defense, the IT security community is dealing with “unknown unknowns.”
The Best Defense is a Good Offense
The cyberthreats of today involve “persistent and motivated attackers” with a specific target in mind, according to Mr. Pace. They are using “advanced extortion tactics” and “advanced infection vectors” such as cross-platform malware. The attacks are different, so the remedy must be different as well. Sure, we still need signatures, but we also need behavioral analysis, anomaly detection and the benefit of machine learning. More importantly, the cybersecurity posture of today needs to be proactive rather than reactive: the best defense is sometimes a good offense.
This is where Bricata and Cylance share the same philosophy. As our recent announcement indicated, we’ve partnered with Cylance to embed their technology into our network appliance and virtual solution. The combined solution will integrate three detection engines, including artificial intelligence, to provide advanced intrusion detection while reducing complexity, dwell time and time to containment.
“The combined approach is the only commercialized solution of best-of-breed technologies, Open Source and partner developed, in concert with our intellectual property addressing today’s zero-day market requirements of threat evolution,” said Bricata CEO John Trauth. “The reality is threats already exist inside the firewall leaving organizations at risk and security analysts with the near impossible task of keeping up in a complex infrastructure. IT Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”
* * *
What are you doing to go on the offense and hunt for the unknown threats? It’s not a question of if, or even when: you have already been breached. How are you hunting?