The hard way
Earlier this month when WikiLeaks released what appears to be a repository of hacking tools and techniques used by the Central Intelligence Agency, the initial reaction was shock and awe (mostly by mainstream media), followed quickly by piqued interest (mostly from the security community), then a bit of annoyance (again in the security community) when WikiLeaks backed slightly away from its promise to help affected tech companies patch the vulnerabilities identified in the documents.
It’s important to note that the (thus far) leaked documents do not include code for exploiting vulnerabilities, which suggests that WikiLeaks does not intend to hand over attack blueprints to threat actors. What the documents do offer, however, is insight into the extent of the CIA’s capabilities and interests.
Anyone still wondering, “How could they?” or thinking, “Those sneaky ba$t@rds,” should remember that the CIA is, in fact, the spy agency of the U.S. Its purpose for existence is collecting, “correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence.” The agency’s stated modus operandi is to engage in “research, development, and deployment of high-leverage technology for intelligence purposes.” Keeping this in mind, it would be considerably more disturbing if the agency didn’t have appreciable technical capability or hadn’t developed strategic plans. Personal opinions about surveillance, intelligence-gathering techniques, and privacy aside, what lessons can private enterprise security practitioners learn from this debacle?
Boys like you were born to waste
The first thing to consider is how this arsenal of information was obtained in the first place. Based on most experts’ assessments of the situation, it’s likely that this was either an inside job or one aided and abetted by an insider. Of course, it’s technically possible that WikiLeaks broke into the CIA’s systems to steal documents, but the organization has intimated that “former US government hackers” and “unauthorized contractors” provided the entry point.
The issue with insider threats is that they’re very hard to detect and impossible to eliminate. Employees and contractors need legitimate access to sensitive information constantly, and it’s very challenging to know when someone decides to go rogue. In the case of former employees or contractors, especially those who have been dismissed under unfavorable conditions, one could argue that those are the people on whom organizations should focus their efforts. That said, if the person was given appropriate access during his or her employment, it’s improbable that the organization will be able to ascertain what went out the door along with that employment.
Because a company can’t control individuals’ actions, the best plan is to understand your company’s data: what you have, who has access to it, and at what levels. Proper controls should be implemented so that highly sensitive information, like that retrieved from the CIA, can’t be accessed by everyone, can’t be copied and pasted into other document programs, can’t be downloaded onto external storage, can’t be emailed (especially unencrypted and/or externally), etc. Further, data leak protection (DLP) tools should be used to monitor for sensitive data leaving the organization, and user behavior monitoring can help identify anomalous or unusual behavior that may indicate the need for an investigation.
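The two monitoring layers the paragraph describes (hard DLP rules on where sensitive data may go, and a per-user behavioral baseline that flags unusual volume) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any DLP product; the audit-log fields, users, classifications and destination labels are all constructed for the illustration.

```python
"""Added example: DLP-style hard rules plus a per-user download baseline,
run over a constructed file-access audit log. Field names, users and
destination labels (internal, removable, external-encrypted,
external-unencrypted) are assumptions, not any real product's schema."""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit log: one row per file operation (not real data).
SAMPLE_LOG = """\
ts,user,action,classification,destination
2017-03-01T09:12:00,alice,download,secret,internal
2017-03-01T10:02:00,alice,download,secret,internal
2017-03-02T09:30:00,alice,download,secret,internal
2017-03-02T11:15:00,alice,download,internal,internal
2017-03-03T09:05:00,alice,download,secret,internal
2017-03-03T14:40:00,alice,download,secret,internal
2017-03-04T08:50:00,alice,download,secret,internal
2017-03-04T08:51:00,alice,download,secret,internal
2017-03-04T08:52:00,alice,download,secret,internal
2017-03-04T08:53:00,alice,download,secret,internal
2017-03-04T08:54:00,alice,download,secret,internal
2017-03-04T08:55:00,alice,download,secret,internal
2017-03-04T08:56:00,alice,download,secret,internal
2017-03-04T09:10:00,alice,copy,secret,removable
2017-03-02T09:00:00,bob,download,internal,internal
2017-03-03T16:00:00,bob,email,secret,external-unencrypted
2017-03-03T16:05:00,bob,email,internal,external-encrypted
"""


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


# Hard rules mirroring the controls listed above: (rule name, predicate).
POLICY_RULES = [
    ("secret-to-removable-media",
     lambda e: e["classification"] == "secret" and e["destination"] == "removable"),
    ("secret-emailed-externally-unencrypted",
     lambda e: e["classification"] == "secret" and e["action"] == "email"
     and e["destination"] == "external-unencrypted"),
]


def policy_violations(events):
    """Return (user, ts, rule) for every event that trips a hard rule."""
    hits = []
    for e in events:
        for name, pred in POLICY_RULES:
            if pred(e):
                hits.append((e["user"], e["ts"], name))
    return hits


def volume_anomalies(events, factor=3, min_days=3):
    """Flag (user, day, count) when a user's downloads on one day exceed
    `factor` times that user's own median daily download count.
    Users with fewer than `min_days` active days have no usable baseline
    and are skipped rather than judged against a single day."""
    per_user = defaultdict(lambda: defaultdict(int))  # user -> day -> downloads
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]][e["ts"][:10]] += 1
    flagged = []
    for user, days in per_user.items():
        if len(days) < min_days:
            continue
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if n > factor * baseline:
                flagged.append((user, day, n))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in policy_violations(evs):
        print("POLICY", *hit)
    for hit in volume_anomalies(evs):
        print("VOLUME", *hit)
```

The hard rules fire on a single event and are the DLP part; the baseline check only produces an alert once a user has enough history to compare against, which is what keeps a new hire's first busy week from drowning the investigation queue. Both outputs are leads for an analyst, not verdicts.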
You never listen to a word I say
The second lesson learned—or rather, reminder—is that patching is of utmost importance. Patching is one of the most effective defenses against exploits, yet the industry doesn’t patch regularly or in a timely fashion (generally speaking). Yes, there are issues with patching—it can be disruptive, it can have adverse effects on certain types of systems, etc.—but the leaked documents show that the CIA was able to exploit known vulnerabilities, some of which have been open for years! The CIA isn’t exploiting these vulnerabilities for malicious gain, but if the CIA can exploit them, so too can your adversaries. Bet on it.
The good news about some of the leaked vulnerabilities (yes, there is good news) is that some of them have been patched already. Even better news is that some companies saw their hardware, software, or apps in these documents and took the kick in the pants to issue new patches for critical vulnerabilities.
The message here is clear, though: patch, patch, patch. The industry has been saying it for a long time; let’s actually do it and remove the open invitations for attackers.
And if you think you’re here to mess around
Another warning from the leaked documents is that we can’t forget IoT security. No, your home TV is likely not spying on you. Can it happen? Yes, which is why enterprises need to think about all of the non-traditional internet-connected devices inside the organization. While the average homeowner isn’t a target of a cyber attack, the inherent and unattended vulnerabilities of IoT will make attacks on these devices more prevalent in the future.
Companies should inventory assets and find out which ones are touching the network. Any device found must be secured the same way one would secure a laptop or a network resource: change default passwords to complex ones and add two-factor (or stronger) authentication where the device supports it; restrict admin access and set permissions to least privilege; monitor the devices; include IoT devices in vulnerability scans and penetration testing; and update network rules and settings to detect newly added devices.
Until such time that security is baked into IoT manufacturing, security teams must be extra vigilant about compensating controls. Never will there come a time when organizations can blindly trust any device out of the box, but especially when the vulnerabilities are well known, this is an area that cannot be overlooked.
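The inventory, detection and scanning steps above come together in one routine task: reconciling what the network actually hands addresses to against what the asset register says should be there. The following is an added example, not code from the article; the DHCP log lines are constructed in the style of dnsmasq’s DHCPACK messages, and the inventory, MAC addresses, hostnames and the “iot”/“endpoint” categories are assumptions made for the illustration.

```python
"""Added example: reconcile DHCP lease log lines against an asset inventory
to surface devices that joined the network without being inventoried,
inventory entries that were never seen, and the IP list that should be fed
to the vulnerability scanner. Log format is modelled on dnsmasq DHCPACK
lines; every MAC, host and inventory entry below is constructed."""
import re

# Constructed inventory: MAC -> (hostname, category). Categories are an assumption.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop-alice", "endpoint"),
    "aa:bb:cc:00:00:02": ("printer-3f", "iot"),
    "aa:bb:cc:00:00:03": ("camera-lobby", "iot"),
}

# Constructed DHCP server log (dnsmasq-style). Includes a lease renewal and a
# DISCOVER that never completed, both of which must not produce extra findings.
DHCP_LOG = """\
Mar 10 08:01:12 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.5.21 aa:bb:cc:00:00:01 laptop-alice
Mar 10 08:03:40 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.5.22 aa:bb:cc:00:00:02 printer-3f
Mar 10 08:07:05 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.5.87 aa:bb:cc:00:00:09
Mar 10 08:09:33 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.5.88 aa:bb:cc:00:00:0a smart-tv
Mar 10 08:15:00 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) aa:bb:cc:00:00:0b
Mar 10 08:20:11 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.5.21 aa:bb:cc:00:00:01 laptop-alice
"""

# Only completed leases (DHCPACK) count as a device on the network. Hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$",
    re.IGNORECASE,
)


def parse_leases(text):
    """Extract {ip, mac, host} for every DHCPACK line."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or ""})
    return leases


def reconcile(leases, inventory):
    """Return devices seen but not inventoried, and inventoried MACs never seen."""
    seen = {}
    for lease in leases:
        seen.setdefault(lease["mac"], lease)  # renewals collapse to the first lease
    unknown = [lease for mac, lease in sorted(seen.items()) if mac not in inventory]
    unseen = sorted(mac for mac in inventory if mac not in seen)
    return {"unknown": unknown, "unseen": unseen}


def scan_targets(leases, inventory):
    """IPs the vulnerability scanner should cover: every unknown device plus
    every inventoried device in the 'iot' category."""
    targets = set()
    for lease in leases:
        entry = inventory.get(lease["mac"])
        if entry is None or entry[1] == "iot":
            targets.add(lease["ip"])
    return sorted(targets)


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    result = reconcile(leases, INVENTORY)
    for d in result["unknown"]:
        print("UNKNOWN DEVICE", d["mac"], d["ip"], d["host"] or "(no hostname)")
    for mac in result["unseen"]:
        print("INVENTORIED BUT NOT SEEN", mac, INVENTORY[mac][0])
    print("SCAN", ", ".join(scan_targets(leases, INVENTORY)))
```

Running this on a schedule against the real lease log turns “detect newly added devices” from a policy statement into a ticket: the unknown list is what needs an owner, a password change and a place in the inventory, and the unseen list is what may have been unplugged (or replaced) without anyone updating the register.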
You’re making a big mistake
In light of the FBI-tech company encryption debate, the media wanted to turn the leaked CIA documents into a firestorm about encryption and how the government can—poof—bypass it. What was actually revealed in the documents (vs. what WikiLeaks tweeted on March 7, 2017, and popular news outlets picked up), however, was that the CIA can compromise a device that uses end-to-end encryption apps like Signal or WhatsApp. In doing so, the CIA (or any other technologically capable entity) can gain control of everything on that device, including messages that were secure in transit. Encryption can theoretically be broken, sure, but organizations should be using it wherever and whenever possible, especially for sensitive data. Much of the damage and after-effects of breaches could be avoided if companies would stop storing data in clear text. Attackers are going to go after the low-hanging fruit—because there is so much—and unencrypted data is it. If an attacker finds his way into your organization and he can’t see what data he’d be stealing, that data is less valuable. Don’t hand over your data. Encryption should be a minimum viable control.
‘Cause you’re gonna find out the hard way
Last but not least, one of the most important lessons that can be learned from the leaked CIA documents is that organizations which have or are developing significant technological capabilities are thinking like the bad guys and innovating. They’re using creativity combined with analytical skills to find different opportunities for attack, to learn how attacks are happening, and to see which permutations work. To defend against attackers, security teams have to understand how attackers operate. This means being able to simulate attacks and becoming fluent with toolsets. It means examining systems from many aspects, not just the most obvious or most familiar. It means persistence and patience. It means proactively seeking out opportunities; as it pertains to defenders, threat hunting, red team/blue team exercises, and penetration testing are perfect examples. While private companies are unlikely to be forgiven for exploiting others’ vulnerabilities, security teams should hold challenges or send staff to hacking competitions where skills can be tested and stretched. Acting in an attacker capacity sheds light on capabilities required to secure the thing that’s being broken.
Within enterprises, security teams are so focused on working hard that they are not finding ways to work smarter and drive down the number of security incidents. Part of this is evaluating what your company can already do and improving on those things, like bolstering insider threat programs, ensuring patches are up to date, keeping a current and active asset inventory, and using encryption. Beyond that, though, there is a huge opportunity for security professionals to innovate in their thinking and push beyond the daily task list. Our adversaries are creative and adapt all the time. To keep up with even the slightest shifts in tactics and techniques, defenders need to adopt a similar mindset. While pushing boundaries didn’t keep the CIA’s (unencrypted) private documents out of the public eye, it did provide a glimpse into the extent to which the agency is willing to test its capabilities to achieve its goals. A similar approach—within legal and ethical limits, needless to say—should be adopted by enterprise security teams.