[BreachExchange] High-profile hacks and the asymmetry of disclosure

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 15 18:49:58 EDT 2016


https://fcw.com/articles/2016/08/15/comment-gleicher-dnc-cyber.aspx

The hack and subsequent leak of data from the Democratic National Committee
are an industrial-scale example of a fundamental asymmetry in our
increasingly connected world: Disclosure is easy; correction is difficult.

Although disclosure can be an important tool for transparency and advocacy,
it can also be a malicious and powerful weapon. And once records are
disclosed, there's no way to erase that image. Even if they are incorrect
or were disclosed for malicious purposes, the imprint remains preserved in
the national consciousness.

The DNC hack is hardly the first case of disclosures intended to embarrass
or undermine. The Ashley Madison hack and a number of other targeted
efforts were designed to humiliate and terrify private individuals,
prominent activists and public figures. It's not even the first example of
disclosure by a nation-state to affect public debate (consider the Sony
intrusion).

But the DNC hack shows the rapid increase in sophistication of
nation-states (and Russia in particular) in using the internet to project
power. We're seeing skilled malicious actors pushing the boundaries of what
they can accomplish.

According to several reports, some of the DNC files released in June had
metadata indicating they might have been modified before they were leaked.
There is no indication (as yet) that any pivotal information was changed,
but it is a stark reminder that sophisticated operators needn't find dirt
to be effective. They can insert additional information, modify existing
communications or release only certain portions of the stolen data.


Deterrence is an important component of any response, and it raises
immediate questions about attribution and political circumstances. But
deterrence is only one tool if we're going to reduce nation-state
exploitation of networked information. We also need to make intrusions like
the DNC hack more difficult.

Widespread and prolonged access to a network is important for attackers
seeking to steal and control information. Even if they modify the records,
intruders still need long-running access to internal deliberations to paint
the picture they want. That is partly why intruders often spend months or
years in compromised data centers.

So what can we do? Data center perimeter security will always be important,
but it's time to stop pretending we can block sophisticated actors at the
perimeter. We need to focus on reducing the amount of time intruders can
hide inside a compromised network -- so-called dwell time. Cybersecurity
researchers have estimated the average dwell time as high as 200 days. For
more sophisticated intruders, it's even longer.

Gathering large datasets requires attackers to move around in a network,
compromise a range of systems and exfiltrate data. If attackers' access was
constrained to days, they'd be forced to rush and take greater risks.
Failure rates -- and costs for intruders -- would skyrocket.

There is no magic fix or single algorithm to solve the problem, but there
are ways to shorten dwell time: segment the interior of the data center to
limit attacker movement, install communications pathways between servers to
lay tripwires and slow down unwary intruders, limit user access to create
more barriers to intruder exploration, and patch vulnerabilities to limit
attackers' options.

Together, those steps would make it much harder for intruders to establish
the kind of persistent, widespread access that disclosure operations
demand. The approach won't stop all sophisticated actors from exploiting
the asymmetry between disclosure and correction online, but it will make
the activities riskier and more difficult -- and make intrusions easier to
contain.
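The article's list of dwell-time reducers (segment the interior, lay tripwires, constrain movement) is easier to reason about with a concrete detector. The block below is an added example, not code from the FCW article or from the BreachExchange post: it checks east-west connection records against a hypothetical segmentation policy (web -> app -> db tiers, a management segment allowed in over SSH) and flags any flow that breaks the policy or touches a tripwire address that nothing legitimate ever contacts. The segment ranges, allowed ports, tripwire hosts and the whitespace-separated log format are all assumptions constructed for the example.

```python
"""Added example (not from the FCW article or the BreachExchange post).

Flag east-west flows that violate a segmentation policy, and any contact
with a tripwire host, over constructed sample flow records. Both the
policy and the log format are hypothetical.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical interior segmentation: one /24 per tier.
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}

# Allowed cross-segment flows: (source segment, destination segment) -> ports.
# Anything cross-segment that is not listed here is a violation.
ALLOWED = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}

# Tripwire addresses: unused hosts inside the tiers. Legitimate software
# never talks to them, so any connection attempt is a high-signal alert.
TRIPWIRES = {"10.2.0.250", "10.3.0.250"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse one record in the assumed 'timestamp src dst dport' format."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def classify(flow: Flow) -> str:
    """Verdict for a single flow: ok, tripwire, segmentation-violation,
    or unknown-segment (an address outside every defined segment)."""
    if flow.dst in TRIPWIRES:
        return "tripwire"
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "unknown-segment"
    if src_seg == dst_seg:
        return "ok"  # intra-segment traffic is not policed by this check
    if flow.dport in ALLOWED.get((src_seg, dst_seg), set()):
        return "ok"
    return "segmentation-violation"


def find_alerts(lines):
    """Run every record through classify() and return the non-ok ones as
    (timestamp, src, dst, dport, verdict) tuples, in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "ok":
            alerts.append((flow.ts, flow.src, flow.dst, flow.dport, verdict))
    return alerts


# Constructed sample records; not real traffic.
SAMPLE_LOG = """
# ts                   src        dst         dport
2016-08-15T10:00:01   10.1.0.5   10.2.0.10   8080
2016-08-15T10:00:02   10.2.0.10  10.3.0.20   5432
2016-08-15T10:00:03   10.1.0.5   10.3.0.20   5432
2016-08-15T10:00:04   10.9.0.2   10.3.0.20   22
2016-08-15T10:00:05   10.1.0.5   10.2.0.250  445
2016-08-15T10:00:06   10.2.0.10  10.1.0.7    22
2016-08-15T10:00:07   10.2.0.10  10.2.0.11   445
"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Three of the seven sample flows fire: a web host reaching straight into the database tier, a web host probing a tripwire address, and an app host opening SSH back into the web tier. The first and last are exactly the lateral movement the article says a long-dwelling intruder needs; the tripwire hit costs the defender nothing to maintain and is the kind of noisy mistake an attacker forced to move quickly is more likely to make.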