Following reports that Russia was behind last year's State Department and White House hacks (http://www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/index.html), Ken Westin, senior security analyst at Tripwire, and Dwayne Melancon, CTO at Tripwire, explain why this appears to be the result of an outwardly-focused security approach and why attribution is difficult:
Dwayne Melancon, CTO at Tripwire, says: Once an attacker gets into your systems, it can be notoriously difficult to get them out, particularly when your network and internal security controls allow the attacker to move around on your network without being noticed. That appears to be the case here, which could be the result of an outwardly-focused security approach. If you assume the enemy is "out there," you stop noticing their activities when they get "in here."
There are a few significant challenges in breaches like this. First, attribution is difficult. A savvy attacker can not only cover their tracks but can often also mislead you into believing someone else is behind the attacks. I hope the White House has strong evidence to claim Russian responsibility.
Additionally, many organizations lack a baseline understanding of what is "normal" on their internal network and systems, making it difficult to tell which systems you can trust, which systems you can't and - more importantly - how to stop the attack and prevent future compromises.
Ken Westin, senior security analyst at Tripwire, notes: "The intrusion into the unclassified State Department network was assumed to be Russian by many in the government and security community. As portions of the network were shut down for long periods of time for extensive security upgrades, many speculated that the extent of the intrusion may have been more severe than originally thought. That the attackers were able to use that initial intrusion as a spearhead to gain access to the White House network is rather alarming, indicating a lack of network segmentation or compromised credentials.
"The new insights into the investigation, with the US government implicating Russia, would imply that there is strong evidence that the Russian government was involved. However, given the sensitive and confidential nature of US intelligence agencies' methods, only a few will have access to the actual evidence, which may raise suspicions as to the accuracy and veracity of the accusation.
"I do not think it is a coincidence that this comes on the heels of Obama declaring a national emergency and issuing an executive order regarding cyberthreats. Those investigating this intrusion may have additional evidence that implicates a specific group, and the executive order may be used to go after those deemed responsible with sanctions and other tools at their disposal.
"This is a good example of 'it is not a matter of if but when,' but where we must now also ask 'for how long and how deep' a breach has occurred, as it is being revealed the hackers potentially had access for months even after initial detection and remediation attempts. Governments and businesses should take note that even networks we would expect to be impenetrable are still able to be compromised. A critical point not to miss regarding this intrusion is that it was detected and remediated, with the State Department taking a number of steps to increase their security posture, and that classified systems appear not to have been compromised at this time."