OPM Hack - What IT Can Learn | ExtraHop


The recent revelations about the data breach at the U.S. Office of Personnel Management (OPM) are alarming, to put it mildly. During the year that attackers went undetected, attackers stole the forms used for most federal employees' security clearances, among other information.

What can IT learn from the OPM hack? Every IT organization needs some healthy paranoia. The best mindset from which to approach security today is to assume a breach has already occurred. It is no longer a question of "if" or even "when," but rather "How long have we been compromised and how do we prevent the next breach?"

The sophisticated nature of the attack and timeline shows the type of adversary that federal government agencies and other organizations are up against. These are state-sponsored entities with the resources, personnel, and expertise to develop and execute zero-day attacks. Having gained a foothold inside a network, these teams then have the patience to carefully entrench themselves, perform reconnaissance, and stealthily exfiltrate data.

Traditional security tools that rely on threat signatures, though still necessary, are no longer adequate defense against these types of advanced persistent threats. This point was underscored by the revelations that the security research firm Kaspersky Labs had been hacked. "We have never [seen] anything similar to this attack," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference on June 10. "This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible." (Emphasis mine.)

Signature-based security products such as those from Kaspersky absolutely have their place, but the focus needs to shift from just "protecting the castle" to rooting out the bad guys inside of the castle. This is where ExtraHop fills the gap left by intrusion detection systems (IDS) such as the Einstein program developed by US-CERT.

What Is Operational Intelligence in a Security Context?

Let me explain how we fit into your security ecosystem and strategy. ExtraHop does not replace existing security tools, and is not even a security tool. Rather, it is an "operational intelligence" solution that provides visibility into what is transacting on your network.

Consider a very typical threat lifecycle:

  • A user downloads malware from an email message and their system is compromised.
  • The compromised host downloads a rootkit over HTTP, which then replaces common utilities and disables all logging.
  • The rooted host builds an outbound SSH connection to use as a reverse tunnel for command and control. Although firewalls block inbound SSH connections, outbound connections are often allowed.
  • The malicious actor scans the network for potential database targets using, for example, an Nmap TCP-SYN scan, a type of stealth port scan that avoids the full TCP three-way handshake.
  • Once an unsecured, internal database is found, the malicious actor tries common username/password combinations to identify possible points of access.
  • With successful credentials, the malicious actor queries the database for sensitive data.
  • After the sensitive data is found, the attacker uploads it to a hosted FTP server.

At each stage of the process described above, transactional activity occurs over the network. This activity is observed by ExtraHop, similar to the way that a CCTV camera would record a robbery. With this information, the IT security team can detect anomalous activity and quickly investigate.

Say, for example, that the above scenario works out but that the organization has ExtraHop installed. The security operations team would know that an attacker is probing databases when failed authentication attempts match a suspicious pattern. They would also detect attempts to exfiltrate data when database responses exceed a 10MB and new FTP connections are established with IPs outside the network. The ExtraHop platform's detection capabilities focus on anomalous activity, not on threat signatures. This is a missing piece of the puzzle for many Infosec practices.

The real magic happens in how ExtraHop enables forensic investigation. Once an anomalous pattern is detected, the IT security team can identify the clients and servers involved, and then go back in time to see which other systems the attackers may have breached. Visit the How It Works section of our site to learn how ExtraHop's unique technology makes this application-fluent analysis possible.

When the extent of the OPM hack became public, Eric Kavanagh of the Bloor Research Group urged us to get in touch with federal agencies. That's why we wrote this post.

We really need to get you guys in here! Did you ever connect with DoD CIO? We made a suggestion a while ago http://t.co/NkyXhQcmik @extrahop1

— Eric Kavanagh (@eric_kavanagh) June 11, 2015

If you believe that your federal agency could benefit from wire data analytics, please contact me at tonyg [at] extrahop.com. I focus on the federal agencies and our team would be glad to walk you through a demo of the platform. Alternatively, you can explore our hands-on online demo here: https://www.extrahop.com/demo/.

Want to learn to detect and prevent data breaches in real time? See how in our free, interactive Enterprise Edition demo.

This is a companion discussion topic for the original entry at https://www.extrahop.com/blog/2015/what-it-can-learn-from-the-opm-hack/