After DISA breach, experts say US agencies must stop lateral movement of hackers

Attackers shouldn't have been able to remove sensitive data like Social Security numbers from military networks, according to cybersecurity experts.


Cybersecurity experts have a lot of questions for the US Department of Defense after it was announced that the personal information, including Social Security numbers, of 200,000 people had been "compromised in a data breach on a system hosted by the Defense Information Systems Agency."
 
Last week, dozens of military officials and people affiliated with military departments began posting on social media about a letter sent out on Feb. 11 from the Defense Department that said the agency tasked with handling secure communications for President Donald Trump, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the Armed Forces had been hacked in May or June of 2019.
 
In a statement released to a number of different news outlets, Defense Department spokesman Chuck Prichard said DISA began issuing letters to people whose information may have been compromised but that there was "no evidence to suggest that any of the potentially compromised PII was misused."
 
DISA's chief risk officer and chief information officer, Roger Greenwell, wrote in the letter that credit monitoring services will be provided to those affected and that people can also place fraud alerts with credit reporting companies. But little information about the actual breach has been released, and questions have been raised about why it took so long for the letters to be sent out, considering the breach happened no later than June 2019.

The DISA breach comes after another massive government breach, of the U.S. Office of Personnel Management in 2014 and 2015, which led to the release of data belonging to more than 21 million current and former government employees.

TechRepublic spoke with cybersecurity experts about what may have happened and what other government agencies could potentially do to prevent similarly damaging breaches.
   

Vigilance and modern security systems required

Joe Lareau, senior security engineer, Exabeam, said that as political tensions around the globe continue to rise, government agencies have to be vigilant and create modern security systems that can handle a variety of attacks. 

"We recommend building and using 'defense in depth'—multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program. As part of this, these entities should also consider utilizing behavioral analytics technologies on the network, which track and learn users' baseline behavior and immediately notify security analysts of anomalous behavior that could be indicative of a breach or infiltration."

Many other security experts suggested similar systems that could monitor parts of the network and notify security teams when there was suspicious activity. 

In addition to general system upgrades, Rosa Smothers, senior vice president of cyber operations for KnowBe4, said government agencies had to get better at defending against attack vectors that adversaries are known to routinely utilize, including social engineering and password spraying. 

All enterprises, but especially government agencies, should train users to spot and report social engineering attempts such as phishing and ensure users aren't reusing known breached and commonly used passwords. Smothers added that sensitive information like Social Security numbers should have been encrypted regardless of where it was held within the DISA network.

"It's a question mark how the personally identifying information of DISA employees is at risk — that information should be wrapped in strong encryption, encrypted both at rest and in motion. Once these breaches occur and the personal data is in the wild the best companies can do for their personnel is, at the very least, provide free credit monitoring and leverage cybersecurity companies who can alert when personnel's information like Social Security numbers are found on the Dark Web," Smothers said.

Put sensitive info on lock-down

Tal Zamir, CTO and founder of Hysolate, echoed Smothers' comments, saying sensitive information needed to be isolated on locked-down servers and stringent access requirements needed to be put in place. In some cases, Zamir added, that kind of information should only be accessed via dedicated privileged access workstations.

Zamir noted that there has been a significant rise in attacks against government and defense agencies not just in the US but globally. If a nation-state was behind the DISA hack, as opposed to regular cybercriminals, it could be far more impactful than data theft or monetary loss attacks because of the potential long-term damage.

According to Ilia Kolochenko, founder & CEO of the security company ImmuniWeb, an in-depth investigation should be urgently conducted to ascertain whether other systems or devices have been impacted outside of the one system hosting employee data that had been breached.  

"Frequently, nation-state attackers commence their attacks by breaching the weakest link accessible from the internet and then silently propagate to all other interconnected systems in a series of chained attacks. Worse, access to personal data of the agency staff greatly facilitates a wide spectrum of sophisticated spear-phishing and identity theft attacks capable of bypassing virtually any modern layers of defense," Kolochenko said.

"The present disclosure timeline seems to be impermissibly protracted given that the breach reportedly happened almost a year ago. This may be an indicator of attack sophistication, and what has been reported so far may just be the tip of the iceberg."

Marcus Fowler, the director of strategic threat at the security firm Darktrace, said there is an increasing expectation from the public that whether you're MGM Hotels or you're DISA, you have an obligation to own up to a breach and notify people in a way that shows nothing but an attempt to make victims more secure, rather than damage control for the brand.

Another aspect of the DISA hack that was concerning was the assistance provided to those affected. Ray Kelly, principal solutions architect and alliances for WhiteHat Security, wondered how the Defense Department planned to repair the damage done to the victims whose Social Security numbers were stolen. 

The U.S. Office of Personnel Management is still paying for credit monitoring services for those affected by the 2014 breach. The government agency renewed the 18-month credit monitoring contract in February 2019 at a cost of about $400 million. While that breach was much larger, the cost of potentially permanent credit monitoring services for millions of people will start to become onerous as more breaches occur.  

An evolving cybersecurity threat landscape

Fowler, a former CIA executive, said the DISA breach represented more holistic issues that government agencies have with cybersecurity as the threat landscape continues to evolve. 

"People constantly underestimate how often they need to think about evolving their approach to cybersecurity. The federal government kind of views cybersecurity much like they view counterterrorism or the military. Very centered on understanding threat actors and what they're doing rather than evolving to think about security from an internal perspective. They need to think about how they understand their own digital environment and how they protect it appropriately rather than trying to defend it against things they try to predict," Fowler said.

Government agencies should be far more cognizant of anomaly detection, predictive behaviors, and enforcing normal digital environment trends, Fowler noted, adding that at this point, government security systems should be sophisticated enough to predict what data should be moving where and how it should be moving within an organization's system. 

Security systems should be able to know that information like Social Security numbers should not be moving anywhere, much less out of the network entirely, he said. Artificial intelligence and machine learning are key tools that many cybersecurity systems use to tell when there is unusual activity within a specific server or part of the network. 

DISA officials said the breach happened sometime in May or June of 2019, meaning the data exfiltration happened over some period of time. This kind of activity showed that the security system wasn't looking at lateral, east-west movement of attackers within the network.

An opportunity for artificial intelligence

Artificial intelligence and machine learning help security teams understand their digital environment, give them greater visibility across an entire network and are better at detecting anomalies that the human eye may not catch. 

"At some point, something in your network pushed data to an external node that is totally unique to your digital environment. AI would have been able to say 'This has never happened before. You need to look at this as a potential breach of our normal behavior.' The AI will be able to understand something is occurring and identify responses that can occur to disrupt it in seconds, providing the security team more time to respond to what's happening," Fowler said.

"If AI is watching a single server all day and night, learning it down to the minutiae of 0s and 1s, all it has to do is watch that and enforce that. It becomes very difficult for an attacker. We're at a very unique point where AI for defense is further along than AI for offense but that is right around the corner and that is really going to become a real challenge for those industries that remain stuck in that traditional space of signatures, behaviors and perimeters rather than breaking the mold of it and thinking about cybersecurity differently."
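As an added illustration of the baselining that Fowler and Lareau describe (example code written for this article, not Exabeam's, Darktrace's or DISA's tooling): a per-host baseline of normal peers and transfer sizes, applied to constructed transfer records, flags both the east-west hop of SSN-bearing data and the later push to a never-seen external node. All hosts, addresses and SSN-like values are made up.

```python
import re
from collections import defaultdict

# Plausibly formatted US SSN: rejects 000/666/9xx areas, a 00 group and a 0000 serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
VOLUME_FACTOR = 3  # flag a transfer larger than 3x the host's largest baseline transfer

# Constructed transfer records: who sent how much to whom, plus a sample of the content.
# Destinations are private or documentation addresses; nothing here is real traffic.
BASELINE = [
    {"ts": "2019-04-01T09:00", "src": "hr-db-01", "dst": "10.0.2.15", "bytes": 1200, "payload": "employee roster page 1"},
    {"ts": "2019-04-01T23:00", "src": "hr-db-01", "dst": "10.0.5.8", "bytes": 50000, "payload": "nightly backup chunk"},
    {"ts": "2019-04-02T10:30", "src": "ws-117", "dst": "10.0.2.15", "bytes": 800, "payload": "GET /roster"},
]
OBSERVED = [
    {"ts": "2019-05-20T09:05", "src": "hr-db-01", "dst": "10.0.2.15", "bytes": 1100, "payload": "employee roster page 2"},
    {"ts": "2019-05-20T02:10", "src": "hr-db-01", "dst": "10.0.9.44", "bytes": 48000, "payload": "export: 456-78-9012"},
    {"ts": "2019-05-21T03:40", "src": "ws-117", "dst": "203.0.113.7", "bytes": 450000, "payload": "blob 456-78-9012 ..."},
]

def build_baseline(records):
    """Learn each host's usual peers and its largest normal transfer size."""
    peers, max_bytes = defaultdict(set), defaultdict(int)
    for r in records:
        peers[r["src"]].add(r["dst"])
        max_bytes[r["src"]] = max(max_bytes[r["src"]], r["bytes"])
    return peers, max_bytes

def detect(baseline, records):
    """Return (ts, src, dst, reasons) for transfers that deviate from the baseline or
    carry SSN-like content; internal (east-west) hops are scored like external ones."""
    peers, max_bytes = baseline
    alerts = []
    for r in records:
        reasons = []
        if r["src"] not in peers:
            reasons.append("host has no baseline")
        elif r["dst"] not in peers[r["src"]]:
            reasons.append("never-seen destination")
        if r["src"] in max_bytes and r["bytes"] > VOLUME_FACTOR * max_bytes[r["src"]]:
            reasons.append("volume spike")
        if SSN_RE.search(r["payload"]):
            reasons.append("SSN-like content")
        if reasons:
            alerts.append((r["ts"], r["src"], r["dst"], reasons))
    return alerts
```

Calling `detect(build_baseline(BASELINE), OBSERVED)` leaves the routine roster transfer alone and raises two alerts: the database host's first-ever transfer to a workstation carrying SSN-like data, and the workstation's oversized push to an outside address.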

Editor's Note: This article has been updated to correct the origin of DISA. It was created in its current form in 1991.
