Why The U.S. Doesn’t Immediately Halt Hackers During An Attack
Aliya Sternstein, writing in today’s (Dec. 17, 2014) edition of Nextgov.com, reveals what has long been known in U.S. cyber security circles. Some agencies and corporations allow hackers/attackers “to stay inside their networks” for a period of time — even after discovery — in order to carry out what is commonly referred to as “the honeypot trap.” “While no agency or corporation wants to be breached,” Ms. Sternstein writes, “intrusions provide rare glimpses into an adversary’s modus operandi — glances [which are] critical for preventing further damage,” and perhaps helping the company or entity to prevent, deter, or mitigate future such hacking attempts.
“This [past] fall,” Ms. Sternstein notes, “the White House, State Department, and U.S. Postal Service each delayed fully squelching malicious activity after suffering a data breach. USPS has acknowledged using the honeypot technique after detecting an intrusion in September. State [Department] officials said significant planning had occurred before totally pulling the plug on systems connected to the Internet, after an intrusion weeks before.”
“An agency might use a compromised system as a honeypot,” said Jasper Graham, a 15-year National Security Agency veteran who worked with U.S. Cyber Command and intelligence agencies to contain network attacks. “They are going to do things in a controlled manner to understand the adversary. They are by no means going to put sensitive data at risk. There’s no sense in giving up crown jewels just to run an experiment.” Graham acknowledged that he does not have inside knowledge about the use of honeypots in these three specific cases.
“Let the adversaries break out all their sophisticated malware and poke around in government files for a few weeks — then document every technique they use. Sound dangerous? It can be, some former federal investigators say,” Ms. Sternstein writes. “The counterintelligence work can only continue for so long.” Tim Ryan, a former FBI special agent who oversaw cyber crime cases, said the question the agency asks itself when deciding how long to keep the hacker inside is: “Can we mitigate the risk to people, property, assets without the bad guy finding out what we know about him?”
“Sometimes, the answer might not make everyone happy,” he added.
“Lawmakers at a hearing last month berated the Postal Service for not telling employees their Social Security numbers were stolen until two months after unauthorized activity was detected,” Ms. Sternstein wrote. “The secret squirrel stuff — we have to figure out how sophisticated these people were, and what information they’ve got — that doesn’t fly,” said Stephen Lynch, D-Mass., ranking Democrat on the House Oversight and Government Reform’s subcommittee on the federal workforce, which held the hearing.
He added, “If you go with your plan, a U.S. government agency could have the Social Security numbers for all its employees compromised, and you’ll decide, based on your own interests, when the employees will be notified.” Agency officials said they held off on coming forward until November 10 because communicating the threat to the public, or disinfecting systems, could do more harm than good.
“It was critically important that the adversary not know that we were watching their activity,” said Randy Miskanic, Incident Commander on the case and the USPS Secure Digital Solutions Vice President. “Any premature leak about our remediation steps might have caused this adversary to cover their tracks, or take countermeasures that might have further harmed our network.”
“Ultimately,” Ms. Sternstein notes, “it was determined their payroll and other personal data on about 800,000 USPS employees was stolen. The weekend of November 8, the Postal Service shut down, and then restored, certain systems for ‘a full scale remediation,’ USPS spokesman David Partenheimer said.”
“Efforts to suppress abnormal behavior on an unclassified White House network were still ongoing as of October 30, after a breach weeks before,” Ms. Sternstein wrote. “That incident occurred at the same time as the hack that hit the State Department. On November 14, the State Department shut down its main unclassified system to improve security.”
How Honeypots Work
“Honeypots are good at drawing out the never-before-seen ‘indicators’ — or telltale signs — of a specific hacking campaign that otherwise would be invisible in another agency’s system,” Ms. Sternstein notes. “If somebody uses a particular, very sophisticated technique to get into one government agency, you want to understand that as best as possible — because the fifth stage might be the only thing that’s detectable,” said Graham, now Senior Vice President of Cyber Technologies and Analytics for [cyber] security provider Darktrace. It might be the phase when the attackers, for instance, steal files or copy data.
“That intelligence about the hackers’ hallmarks should then be circulated internally within the government, so other agencies can make sure they aren’t also under attack,” he said.
“The Social Security Administration, a virtual CandyLand for hackers,” Ms. Sternstein notes, “buys into the honeypot method. In October, the agency began conducting market research on vendors who can produce one that, among other things, automatically alerts staff to trouble and controls connections in a way undiscernible to the hackers. At some point, the agency may need to notify the public, which requires another cost-benefit analysis.”
Comparing busting hackers to taking out a narcotics ring, Tim Ryan, Managing Director with [cyber] security consultancy Kroll’s cyber investigations practice, said: “Every day that cartel exists, it is selling and producing more drugs. When do you say, ‘We’re done. The wiretaps are coming down. We’re going to arrest people’?” “We don’t want to just successfully prosecute very bad crimes,” he added. “We want to prevent as much crime as possible.”
“But, immediately disclosing a compromise could show the hackers your hand,” Ms. Sternstein argues.
If the agencies “just came out one day and said, ‘We have been breached,’ then the adversary is going to cease and desist all operations,” Graham said. “And if they’re in there, and they have the ability to either destroy or remove all their tools, they are going to, and so all of that evidence, and all of that understanding — just goes out the window.”
Another use of the honeypot: prime the breached system with bogus government files. “You want to consume his or her time,” Ryan said. “There’s only 24 hours in a day. If you tie up your adversary with a lot of meaningless stuff, that’s a way of neutralizing the adversary.” For example, the U.S. government could turn the tables on a foreign adversary who tries cyber spying during trade talks. “Feed them false information that benefits us during the trade negotiation,” Ryan said. “You are using your computer system as a double agent.”
When Does The Public Find Out?
“After fessing up about a hack that occurred months before, how do you explain that time lapse to the public?” Ms. Sternstein asks.
“At the very end of the incident, we kind of want to be honest with ourselves and ask, ‘Why did it take us so long to notify, and was it justifiable?’” Graham said. “There should be some level of transparency that kind of holds people accountable, that says there are bona fide reasons for doing this.” White House officials would not comment on their recent breach, Ms. Sternstein noted, but said that, in general, “many factors are weighed before going public about a hacking attack.”
“For example, if law enforcement officials advise that notification could tip off the adversary and cause them to hide deeper in the system, then we often hold off until we can prevent that from happening,” a senior administration official who requested anonymity told Nextgov.
“It seems like agencies are just hanging the ‘Nothing to See Here’ sign, but what’s happening internally can take six months to really understand,” Graham said.
It Is Important To Identify The Perpetrator Of The Hack, And Sometimes To Understand What They’re Going After
Attribution in cyberspace is often difficult, and tracing the origin of a hack isn’t necessarily good enough information on its own. Is the hack from a teenager in a basement? A cyber militia or patriot? A cyber thief? A cyber thief working on behalf of someone else, such as a corporation, individual, or nation-state? What are they really after, are they covering their tracks, is this a false-flag operation made to look as though someone else, or some other country, is responsible when they really aren’t, and so on. So there is no easy, black-and-white way to handle a breach, nor to decide when to pull the plug and show your cards, so to speak. When to notify the public is also a judgment call, and not an easy one, especially in cases where the adversary is using sophisticated cyber tradecraft and/or a nation-state is suspected of being behind the breach. These often aren’t easy calls to make (when to publicly disclose), and we all know what 20/20 hindsight means. V/R, RCP