A few days ago, a lone hacker managed to bypass the government’s highly touted Einstein security system and get onto computers of the FBI and Department of Homeland Security (DHS). He claims to have stolen 200 GB of data. Some of this was dumped on Cryptobin. It contained the personal information of around 30,000 employees of these agencies.
I looked through the data and validated that the information on the dumps was correct, though somewhat out of date. The information will probably not cause many problems for these agencies as much of this data is readily available elsewhere. However, the fact that it was all released in one alphabetized list seems to indicate that the attacker really did breach the system. The government is correct in saying that the information is not damaging in itself, though it could be used to begin a spear phishing attack. The hacker claims that he has more incriminating information such as credit card numbers and military emails, but these have not surfaced. Although the agencies downplayed the hack, they thought it serious enough to take down Cryptobin (I can now only access it through its IP address, https://188.8.131.52) and pressure other sites posting the data to take it down.
All of this, however, is beside the point. The point is that someone breached the multi-billion dollar Einstein security system with a phishing email and a phone call. In other words, just giving your system an intelligent name does not make it fool-proof. So what exactly is this Einstein system?
Here is a simplified diagram.
The key point here is that if an intruder can get to a local work station, they can, at least in theory, have access to top secret information. The person behind the recent attack claims to have made use of such a work station, which means he penetrated the ‘secure’ network.
The problem with Einstein is that it is more reactive than proactive. As one writer noted, “it depends on its human DHS masters to tell it what exactly to look for.” Like most systems that look for unusual activity, the Einstein software spent its ‘youth’ (it was initially released in 2004) watching the network to build an idea of what normal activity was. Deviations from this base landscape would, then, trigger countermeasures. Don’t be misled. This is not a self-learning system based on neural network programming. It must be fed information on known threats, which it will then block. It can also be programmed to respond to threats that the DHS had identified on its own.
It is important to emphasize this limitation of Einstein to respond only to known attack vectors or unusual activity. This means it would not be able to respond to an attack vector that took advantage of a vulnerability that had never been seen before, that is, a zero-day attack. This is because a zero-day attack cannot be distinguished from normal traffic. As Ken Ammon, chief strategy officer at security firm Xceedium, correctly pointed out, “systems that are just based on detecting are a great compliment to other things, but if you’re betting the farm on that, it’s not a winning strategy.”
Unfortunately for the U.S. government, most nation-state attacks are in the form of zero-day attacks. The Office of Personnel Management (OPM) attack, which compromised over 21 million people, is an example of such an attack. This attack is believed to have been launched by China and remained undetected on the network for months before it was accidentally discovered. These attackers made use of an insecure endpoint, KeyPoint Government Solutions, to launch the attack and enter the network below Einstein’s radar. Once the metrics for this attack were programmed into Einstein, the malware was found to have infested the entire network.
But blaming Einstein for this isn’t really fair. It was placed upon an outdated and often un-updated network patched together with off-the-shelf security software and components randomly farmed out to various contractors without proper overall network supervision. That’s the problem of having a big network. No one really wants to scrap the old one, no matter how bad it may be, and start completely from the beginning with a more modern, more secure architectural foundation. It is often easier and cheaper to just add to this house-of-cards security and hope for the best. As Ammon states, “We have to overcome everything that we’ve accumulated from almost the advent of technology—this pile of bad practices and configurations—we have to unwind that and keep not only the hactivism guys out but well-funded state hackers out. It just takes time.” Unfortunately, the most recent audit of the OPM network found many glaring security holes still in place. The auditors concluded that another attack was likely. I’m not so sure another attack is likely for the simple reason that whoever was previously in the network probably already has all the information they want. This means they can leverage that information to attack other agencies on the network or even other networks.
It will not only take time to fix the problem. Government agencies have to overcome their own inertia. The introduction of any new security system will be bound to meet with resistance from employees who have worked for years within the old system. Retraining personnel will not be an easy or inexpensive matter. Another problem of upgrading is that, during the upgrade, agencies will be exposed to attacks. This is because the transition itself is a trial period and mistakes can be expected to be made before the changes take affect. Nonetheless, there now seems to be no other alternative than to take such drastic action.
Training employees within the agencies to identify an attack will have to take place anyway. The recent FBI hack bypassed Einstein by taking advantage of human frailty. When the attacker got an employee to open an email attachment (with malware) he got an open door to the network. You might expect that this was a well-crafted phishing email, but, since a 16-year-old has been charged with the crime, you’d have to wonder just how sophisticated his phishing email really was. That is to say, the employee seems to have been easily fooled. When the same hacker later encountered a security barrier, he called someone and posed as a new employee confused by the system and asked about an access code. They, apparently feeling sorry for him, gave him one and he was on the network and, as he reports, gained control of three work stations.
Einstein is good at what it does, analyzing and preventing known attacks. However, Ars Technica notes, “unfortunately, given the state of security at OPM and other federal agencies, this sort of post-attack forensics and remediation is about all Einstein will be good for in many cases. An Ars review of federal agency security audits found similar issues across the government with varying levels of severity. Even when security actions were taken, they were often misinformed—such as when the Economic Development Administration physically destroyed entire computers (including their keyboards and mice) when agency officials believed they were experiencing a malware outbreak in 2011.”
So will we see more attacks on government agencies? I certainly wouldn’t bet against it. But not all attacks will be like the recent ‘schoolboy hack’. Some attacks will be major breaches organized, most likely, by Russia and China. It is not so much a question of when they will get in but when they will be discovered. In the process, Einstein will learn a new attack vector and learn how to identify similar attacks in the future. Sadly, this is not enough to protect the security of the US.
Government agencies have not kept pace with the evolution of the concept of security. This evolution can best be described as an evolution from security as a necessity to security as a priority. This explains the patch-and-plug architecture that has developed over the years. In the end, these agencies have constructed an unwieldy, out-dated, and unmanageable security architecture that few probably have a clear understanding of. Simply throwing more money at the system to plug more holes is not going to change the situation. In fact, it can only make it worse. Like it or not, there is only one clear solution. A complete rebuilding of security from the ground up. Will this happen? It’s highly unlikely, therefore…
Protect your network by securing your endpoints. Create a hardware-based attack barrier that attackers cannot penetrate. There is no longer an excuse for bad security. Check it out.