Speculation is rife. The OPM hack will become a fascinating story if we ever actually learn the details – how exactly did attackers penetrate and exfiltrate millions of federal employee records? What weaknesses did they exploit, and how did they escalate access? More to the point, what protections could have or should have prevented the penetration or reduced the damage?
Right after the news of the OPM data breach broke, the advocacy for this silver bullet or that silver bullet started.
For example, the GCN article titled ‘CDM, Einstein aren’t enough, security experts say’ advocates encryption as the missing piece. If only the data had been encrypted… Well, that might have helped, but the thousands of people who legitimately need to use personnel data would each have needed the ability to decrypt it, and it certainly appears that the attackers were capable of getting access to authorized accounts. Encryption at rest does not stop an attacker who is operating as an authorized user.
Our stand-by defenses are definitely limited:
- The enemy is inside the gates. We can’t expect Einstein to keep the enemy from getting in – that train has left the station. Of course, we don’t want to let more in, but let’s not kid ourselves about where we stand… We must behave as though we are already compromised.
- CDM is valuable, but… CDM hardens the internal targets and makes it more difficult for an attacker to wreak havoc once inside. There’s a reason why the controls that CDM addresses are the “first four” of the 20 Critical Security Controls – but CDM does little to detect or monitor the presence and activities of an attacker who is already inside.
- Protecting data has its limits too. As noted, encryption adds another authentication and authorization hurdle for an attacker, but it’s hardly a silver bullet when the attacker holds valid credentials.
Well, do we just give up then? Of course not. Even without insight into the details of this particular attack, there are some extractable lessons.
Now is a good time to revisit the concept that every cyber attack requires multiple steps. Just because someone gets in the gate doesn’t mean that they have achieved key objectives. A successful cybersecurity program uses defense in depth (not to be confused with “buy one of everything”), and it needs to be structured around the intrusion kill chain.
The kill chain concept was originally defined in a Lockheed Martin paper (Hutchins, Cloppert and Amin, 2011; key points have been summarized briefly and helpfully here). It breaks most successful attacks into seven steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives – and defensive measures are valuable at each step.
Einstein and CDM are heavily focused on the first four steps, where the attacker is getting established on the network. From there, though, the attacker still has to install a foothold, establish command and control, and then carry out malicious objectives such as exfiltrating data. Each of those behaviors leaves traces on hosts and on the network, and there are a number of ways to monitor for, detect and stop them.
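As an added illustration of what detection at the later kill chain steps can look like (this is example code written for this page, not code from the original post or from Tripwire), the block below runs two simple detections over a handful of constructed proxy log lines: regular, low-jitter check-ins to one external host (a command and control beacon) and a large outbound volume to one destination (exfiltration, the actions-on-objectives step). The log format, host names, IP addresses and thresholds are all assumptions chosen for the example.

```python
"""
Added example (not from the original post): minimal detection logic for
two late kill-chain phases, command and control (C2 beaconing) and
actions on objectives (bulk exfiltration), run over constructed proxy
log lines. Log format, hosts and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO time> <src host> <dst host> <bytes out>".
# ws-17 checks in with the same external host every ~300 s with almost no
# jitter, ws-42 pushes one very large upload, ws-05 is ordinary browsing.
SAMPLE_LOG = """\
2015-06-10T08:00:00 ws-17 198.51.100.7 512
2015-06-10T08:05:01 ws-17 198.51.100.7 498
2015-06-10T08:10:00 ws-17 198.51.100.7 520
2015-06-10T08:14:59 ws-17 198.51.100.7 505
2015-06-10T08:20:00 ws-17 198.51.100.7 511
2015-06-10T08:02:10 ws-05 203.0.113.9 1400
2015-06-10T08:09:44 ws-05 203.0.113.9 2200
2015-06-10T08:31:05 ws-05 203.0.113.20 900
2015-06-10T09:12:00 ws-42 198.51.100.88 734003200
"""

BEACON_MIN_EVENTS = 4            # need several gaps before calling it periodic
BEACON_MAX_CV = 0.10             # max coefficient of variation of the gaps
EXFIL_BYTES = 100 * 1024 * 1024  # 100 MiB outbound to one destination


def parse_log(text):
    """Parse the constructed log into (time, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def detect_beaconing(events):
    """Flag (src, dst) pairs whose inter-connection gaps are near-constant.
    Regular, low-jitter check-ins are a classic C2 beacon signature."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < BEACON_MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= BEACON_MAX_CV:
            hits.append({"phase": "command and control", "src": src, "dst": dst,
                         "interval_s": round(avg), "cv": round(cv, 3)})
    return hits


def detect_exfiltration(events):
    """Flag (src, dst) pairs whose total outbound volume reaches EXFIL_BYTES."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        totals[(src, dst)] += nbytes
    return [{"phase": "actions on objectives", "src": s, "dst": d, "bytes_out": n}
            for (s, d), n in totals.items() if n >= EXFIL_BYTES]


def run_detections(text=SAMPLE_LOG):
    """Run both detections and return the combined list of alerts."""
    events = parse_log(text)
    return detect_beaconing(events) + detect_exfiltration(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample this raises two alerts: a 300-second beacon from ws-17 and a 700 MiB upload from ws-42, while ws-05's browsing produces nothing. The point is not the thresholds, which a real program would tune per environment, but that each late-stage attacker behavior has an observable shape that can be checked for independently of how the attacker got in.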
In short, we need to get smarter about every part of the intrusion kill chain and have techniques for “killing the kill chain” every step of the way. Dwayne Melancon, Tripwire CTO, wrote a wonderful article on how System State Intelligence can be applied to this purpose, and I’d love to see more on this overall topic.
For security vendors, we need to step up our efforts to work in partnership, to make these advanced components of defense “harder, better, faster, stronger” … and simpler to implement.