I was talking with some friends recently in the wake of this article and general expressions of shock, dismay, and amusement about how the FBI and/or the USGOV in general had been hacked for so long without realizing it. My reaction: why are you surprised?
Look, we know that network defense is a hard task. If you have the time, watch this keynote for more anecdotes, but time and time again we find customers want to pay for a line item that says “$X,000,000 - Complete Network Security” and we have to burst their bubbles. They don’t want to have to do the hard work of actually learning, securing, and defending their network over the years. Why is government any different? We see people cycling back and forth between government and industry taking lessons in both directions, but there’s no magic bullet.
Folly of Threat Intelligence
I’m not here to bash threat intelligence (although, as many have pointed out, it’s actually threat DATA - intelligence requires analysis and targeting). But a large portion of the government network defense strategies that I’ve seen (EINSTEIN, etc.) are predicated upon receiving IOCs and stopping or detecting attacks based on them. There are many use cases for IOCs that are perfectly valid and actively help keep networks safer. In my personal opinion, defense against APTs isn’t one of them.
As I’ve noted before, if an attacker is coming after you, they get to set the stage. They choose what infrastructure they want, they can do their research on tools, and will generally make life hard for you. And if you’re staking your network security on whether or not you have a match on a given IP address or domain name, you’re playing a losing game. Only a foolish adversary will allow themselves to be caught in this measure. That’s not to say that even world-class adversaries aren’t foolish, but you can’t depend on that. You need something more.
Three Steps To Fail
In order for an IOC to be useful at defending your network, three things have to happen. Here’s what they are:
- Some other organization has to get hacked (or you have to get hacked, but we’ll ignore that case).
- Someone needs to realize that organization was hacked, and then some form of DFIR campaign has to generate IOCs.
- Those IOCs need to make it out to the community (including you) fast enough that you can detect and respond before the attackers change their infrastructure.
See the problem yet? If you’re someone like the US Government, especially an agency that might have sensitive data, you could very well be the first target. In that case, you won’t be getting IOCs from a partner organization telling you about some fancy new attacker infrastructure - you’ll be the victim in step 1. The rest of the chain falls apart at that point.
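Here is what that argument looks like in a detection pipeline, as an added example that is not code from the original post: a stale IOC feed misses the attacker’s rotated infrastructure, while a behavior-based check over the same connection log, looking for fixed-interval beaconing to any destination, still flags it. All hostnames, domains, timestamps and the feed contents are constructed for the example.

```python
"""Added example: IOC matching versus a behavior-based check over
constructed outbound-connection records (not from the original post)."""
from collections import defaultdict
from statistics import pstdev

# Constructed IOC feed: the domain a partner organization reported after
# THEIR intrusion (step 2 of the chain). Assumed value for this example.
IOC_DOMAINS = {"update-cdn-01.example.net"}

# Constructed outbound-connection log: (host, timestamp_seconds, destination).
# The attacker has already rotated to a new domain, so the feed is stale.
LOG = [
    ("ws-17", 0, "update-cdn-02.example.net"),
    ("ws-17", 300, "update-cdn-02.example.net"),
    ("ws-17", 601, "update-cdn-02.example.net"),
    ("ws-17", 899, "update-cdn-02.example.net"),
    ("ws-17", 1200, "update-cdn-02.example.net"),
    ("ws-17", 0, "mail.example.org"),
    ("ws-17", 3500, "mail.example.org"),
    ("ws-23", 120, "portal.example.org"),
    ("ws-23", 1700, "portal.example.org"),
]


def ioc_matches(log, iocs):
    """Feed-based detection: flag only destinations already on the IOC list."""
    return sorted({(host, dest) for host, _, dest in log if dest in iocs})


def beacon_candidates(log, min_events=4, max_jitter=0.1):
    """Behavior-based check: per (host, destination), flag connections whose
    inter-arrival times are near-constant, regardless of the destination."""
    times = defaultdict(list)
    for host, ts, dest in log:
        times[(host, dest)].append(ts)
    hits = []
    for (host, dest), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        # Coefficient of variation of the gaps: low means a regular beacon.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits.append((host, dest, round(mean)))
    return sorted(hits)
```

Run against the constructed log, the IOC feed matches nothing, while the beacon check reports ws-17 calling update-cdn-02.example.net roughly every 300 seconds.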
So let’s set that problem aside for a second.
Let’s wave some magic wands and assume that you have some all-powerful organization capable of observing all possible adversaries while they’re creating and launching their attack campaigns. And then let’s assume that such an organization is willing to provide IOCs back down to every possible target organization within the US Government so that the government networks will be better protected. That would be pretty cool, right? And that would eliminate steps 1 and 2 as a problem - now you’re closing the loop so that you’re getting IOCs right as the attackers stand up their infrastructure, and you’re immediately reconfiguring your infrastructure so they can’t possibly succeed. Right?
Except that even if such an organization existed, we know that there’s no meaningful information sharing happening on a relevant scale, or else the breaches that spawned this blog post wouldn’t have happened. Clearly no such organization told OPM and other government agencies about the attacks as they were happening; instead the intrusions were discovered over time through whatever traditional processes detect compromises.
Putting On Your Adult Pants
So what does that mean? It means that we shouldn’t expect the government to be any better at network defense than any other organization. They’re facing the same issues as everyone else and while they may (in some cases) have larger budgets or access to cooler tools or unique data sources, it doesn’t help them achieve operational network security in any kind of complete fashion.
As a consultant, I’m constantly running into clients who are still struggling with the very tenets of network defense that we’ve been pushing for 15-20 years. They don’t know the assets on their network, they don’t have a segmented network, they’re not aggressively using privilege separation for roles, they’re not doing network/host security monitoring, etc. I haven’t seen any government networks in a few years, but I feel pretty confident in saying they’re no different than any other client network.
What’s the solution? Years ago, the IAD Director Ms. Plunkett stated that we need to assume compromise and build our defenses from there. We’re still not doing that across the board, but some organizations are getting the hang of this. As an industry, we need to quit pushing IOCs as the magic solution and instead focus on the fundamentals of network defense - and start assuming that you won’t spot the bad guy on the way in.