The hacker reportedly compromised the email account of a DOJ employee and then, posing as that employee, persuaded DOJ tech support to provide a token code to access the DOJ web portal. Sure, this social engineering scheme should not have worked (and will not be repeated, we hope). However, experience shows that someone else will come up with a new and even more compelling social engineering scheme to abuse tech support at an agency. These bad actors are simply the newest form of conmen.
Modern conmen aren’t the slick smiling guys who schmooze old ladies out of their retirement savings. Today’s confidence tricksters are more likely to appear as “Microsoft tech support” and “The IRS” for the average person sitting at home. And at federal agencies, the conmen are the helpless employees calling tech support because they forgot their password or token code. Remember the high profile Pentagon breaches that occurred because of well-crafted phishing emails? Again, conmen.
Security experts are trying to fight a war of wits with technology and losing.
Why is this happening? Because the left hand isn’t talking to the right hand. Often the agency’s network team runs some security tools, the tech support team runs patching, and AV is separate. The security team might, but only might, own the firewall. Maybe. Yes, at least they own the SIEM, but do you think every system that should send syslogs does? Don’t bet on it.
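The syslog question above is one an agency can actually answer rather than bet on. The following is an added example (not code from the original post or from any vendor): it compares an asset inventory of systems that are expected to forward logs against the hostnames seen in a SIEM's recent syslog intake and reports which sources are missing or stale. The inventory, the RFC 3164 sample lines and the reference time are all constructed for the example.

```python
"""Log-source coverage check (added example, constructed data).

Which systems that should be sending syslog to the SIEM have not been heard
from recently?  "Never seen" and "stale" are reported separately, because a
source that stopped sending is a different problem from one never wired up.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: host -> role.  Every one of these is expected
# to forward syslog to the SIEM.
EXPECTED_SOURCES = {
    "fw-edge-01": "firewall",
    "nac-core-01": "NAC",
    "av-mgr-01": "antivirus console",
    "patch-srv-01": "patch server",
    "dc-01": "domain controller",
}

# Constructed sample of what the SIEM has ingested (RFC 3164-style lines).
# Only the timestamp and hostname fields matter for this check.
SIEM_SAMPLE_LINES = [
    "<134>Jun 10 08:01:02 fw-edge-01 kernel: accept tcp 10.0.1.5 -> 10.0.2.9:443",
    "<165>Jun 10 08:03:17 dc-01 lsass: logon success user=jdoe",
    "<134>Jun 10 08:04:40 fw-edge-01 kernel: drop tcp 203.0.113.7 -> 10.0.2.9:22",
    "<163>Jun 08 22:15:00 av-mgr-01 scanner: definitions updated",
    "this line is not syslog and must be skipped, not crash the check",
]

# Constructed "now" for the demonstration; a real run would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)

# <PRI>Mon DD HH:MM:SS hostname ...   (RFC 3164 header; the year is not carried)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def parse_syslog_line(line, year):
    """Return (hostname, UTC timestamp) for an RFC 3164 line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return m["host"], ts.replace(tzinfo=timezone.utc)


def last_seen(lines, year):
    """Map each hostname to the newest timestamp it logged."""
    seen = {}
    for line in lines:
        parsed = parse_syslog_line(line, year)
        if parsed is None:
            continue  # unparseable line: ignore, do not abort the whole audit
        host, ts = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_gaps(expected, lines, now, max_age=timedelta(hours=24)):
    """Return {host: reason} for inventoried sources that are absent or older than max_age."""
    seen = last_seen(lines, now.year)
    gaps = {}
    for host, role in expected.items():
        if host not in seen:
            gaps[host] = f"{role}: never seen"
        elif now - seen[host] > max_age:
            gaps[host] = f"{role}: stale, last seen {seen[host]:%Y-%m-%d %H:%M}Z"
    return gaps


if __name__ == "__main__":
    for host, reason in sorted(coverage_gaps(EXPECTED_SOURCES, SIEM_SAMPLE_LINES, REFERENCE_NOW).items()):
        print(f"{host:14s} {reason}")
```

Run against the constructed sample, the firewall and domain controller are current, the antivirus console is stale, and the NAC and patch server have never sent a line; the last two are exactly the silent gaps the post warns about, and a scheduled run of a check like this turns "don't bet on it" into a daily list of work items.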
When dealing with conmen, the only way to catch them is communication. Anyone who has read “Winnie the Pooh’s New Clothes” remembers that the Sly Fox could con everyone because they were too afraid of looking “un-wise” to talk to each other. Sound familiar?
Even if you could wave a magic wand and put all the security infrastructure in the hands of the SOC, it wouldn’t solve the biggest problem: the need to synchronize all the security tools and data into one integrated, automated infrastructure. A SIEM as the only integration point is concerning. Logs from various security tools ending up in one repository that an agency can query or write correlation rules against does not equal an integrated and automated security infrastructure.
You need threats identified locally as they occur and shared across heterogeneous resources. The SDN controls need to be told to quarantine an endpoint when the malware analysis returns a conviction. The NAC needs to be told what to look for when a device re-enters the environment from the outside. (Did you see the Tripwire airport WiFi report?!)
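To make the distinction concrete, here is an added example (not code from the post, and not any vendor's API) of the flow just described: a malware verdict is published once to a small response bus, which both records it for the SIEM and pushes it to a stand-in SDN controller (quarantine the endpoint) and a stand-in NAC (watch for the indicator when a device reconnects). The `SdnController`, `Nac` and `ResponseBus` classes, the hash values and the endpoint addresses are all hypothetical and constructed for the example; the point is the wiring, not the vendor calls.

```python
"""Sharing a local verdict across tools (added example; stand-in components).

Contrast: the SIEM log below is append-only evidence.  The SDN and NAC
stand-ins receive the same event as an *instruction*, which is what makes
the response automated rather than something an analyst must notice later.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    """Result of a malware analysis for a sample observed on an endpoint."""
    sha256: str      # hash of the analysed sample (constructed values in the demo)
    endpoint: str    # device that fetched or ran it (constructed addresses in the demo)
    result: str      # "malicious", "clean" or "undetermined"


class SdnController:
    """Hypothetical SDN controller: records which endpoints were isolated."""
    def __init__(self):
        self.quarantined = set()

    def quarantine(self, endpoint):
        self.quarantined.add(endpoint)


class Nac:
    """Hypothetical NAC: keeps indicators to check when a device re-enters the network."""
    def __init__(self):
        self.watchlist = set()
        self.audit = []          # (endpoint, decision) for every reconnect

    def add_indicator(self, sha256):
        self.watchlist.add(sha256)

    def on_reconnect(self, endpoint, observed_hashes):
        """Posture check at admission: any watched hash present -> remediation VLAN."""
        decision = "remediation-vlan" if self.watchlist & set(observed_hashes) else "allow"
        self.audit.append((endpoint, decision))
        return decision


class ResponseBus:
    """Fan a verdict out to every consumer; dedupe so replayed events do not re-fire actions."""
    def __init__(self, sdn, nac, siem_log):
        self.sdn, self.nac, self.siem_log = sdn, nac, siem_log
        self._seen = set()

    def publish(self, v):
        # The SIEM always gets the record, even for duplicates: it is the evidence store.
        self.siem_log.append(f"verdict sha256={v.sha256} endpoint={v.endpoint} result={v.result}")
        key = (v.sha256, v.endpoint)
        if key in self._seen:
            return "duplicate"
        self._seen.add(key)
        if v.result == "malicious":
            self.sdn.quarantine(v.endpoint)      # cut the host off now
            self.nac.add_indicator(v.sha256)     # and remember the sample for re-entry checks
            return "quarantined"
        if v.result == "undetermined":
            # Not enough evidence to isolate a host automatically; hand to an analyst.
            return "escalate"
        return "no-action"


def run_demo():
    """Drive the flow with constructed events and return the resulting state."""
    sdn, nac, siem_log = SdnController(), Nac(), []
    bus = ResponseBus(sdn, nac, siem_log)
    bad, unknown = "a" * 64, "b" * 64          # constructed sample hashes
    outcomes = [
        bus.publish(Verdict(bad, "10.0.5.23", "malicious")),
        bus.publish(Verdict(bad, "10.0.5.23", "malicious")),    # replayed event
        bus.publish(Verdict(unknown, "10.0.5.40", "undetermined")),
    ]
    # A laptop comes back from outside carrying the convicted sample; another is clean.
    decisions = [
        nac.on_reconnect("10.0.7.8", [bad, "c" * 64]),
        nac.on_reconnect("10.0.7.9", ["d" * 64]),
    ]
    return outcomes, decisions, sorted(sdn.quarantined), len(siem_log)


if __name__ == "__main__":
    print(run_demo())
```

Three design points are worth noticing: the SIEM receives every event, including the replay, because its job is evidence; the enforcement points receive each event once, because re-firing a quarantine on a replayed message is noise at best; and an undetermined verdict is escalated rather than acted on, so an automated loop cannot isolate a host on a guess.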
This system solidarity is critical, and it requires that products from companies like Palo Alto, ForeScout, VMware and others are implemented to work together. The industry is doing some work on this, but not enough. Federal agencies need to take advantage of the integrations that are available and also demand more cooperation from vendors.