Security Experts:

Feedback Friday: Hackers Infiltrate White House Network - Industry Reactions

Welcome back to Feedback Friday! An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

Feedback Friday: White House Network Breached

The incident came to light earlier this week when an official said they had identified "activity of concern" on the unclassified network of the Executive Office of the President (EOP) while assessing recent threats. The official said the attackers didn't cause any damage, but some White House users were temporarily disconnected from the network while the breach was dealt with.

Experts have pointed out that while the attackers breached an unclassified network, it doesn't necessarily mean that they haven't gained access to some useful data, even if it's not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.

And the Feedback Begins...

Amit Yoran, President at RSA:

"The breach underscores the constant siege of attacks on our government and businesses. Fortunately -- by definition -- information with grave or serious impact to national security is classified and would not be found on an unclassified network. That said, there is most likely information on unclassified networks that the White House would not like public or for 3rd party consumption.


As for the profile of the adversary, the White House uses the latest security technologies making them a very challenging target to breach. Top secret clearances are required for access to networks and personnel are continuously and rigorously vetted. As such -- and acknowledging that until a thorough investigation is completed, speculation can be dangerous -- a standard botnet or phishing malware is a less likely scenario than a focused adversary with time and expertise in developing customized exploits, malware and campaigns."

Mark Orlando, director of cyber operations at Foreground Security. Orlando previously worked at the EOP where he led a contract team responsible for building and managing the EOP Security Operations Center under the Office of Administration:

"Sophisticated attackers constantly alter their approach so as to evade detection and they will eventually succeed. The best a defender can do in this case is to identify and respond to the attack as quickly and effectively as possible.

 

It isn’t at all unusual for an attack like this one to be discovered only after a malicious email has been identified, analyzed, and distilled into indicators of compromise (subject lines, source addresses, file names, and related data elements) used to hunt for related messages or attacks that were initially missed. White House defenders routinely exchange this kind of data with analysts across the Federal Government to facilitate those retrospective investigations. That may have been how this compromise was discovered and that doesn't amount to a 'miss'.


While the media points to outages or delays in major services like email at the White House, this is also not an unusual side effect of proper containment and eradication of a threat like this one- especially if there are remote users involved. Incidents exactly like this one occur all over the Federal government and increasingly in the private sector as well; the only thing different about this attack that makes it more newsworthy than those other incidents is that it occurred at EOP."

Tom Kellermann, Trend Micro chief cybersecurity officer and former commissioner on The Commission on Cyber Security for the 44th Presidency:

"Geopolitical tensions are now manifested through cyberattacks. The enemies of the state conduct tremendous reconnaissance on their targets granting them situational awareness as to our defenses in real time. This reality allows for elite patriotic hackers to bypass our defenses."

Irene Abezgauz, VP Product Management, Quotium:

"Security, cyber or physical, relies heavily on risk management. With a large operation, it is difficult to secure everything on the same level, priority is often given to the more sensitive networks. In the case of the White House hack, the breached network was unclassified, meaning it probably has slightly different security measures than classified networks.


Government systems are prime targets for hackers. Even if the breached network is unclassified and no sensitive information was exposed, all government network breaches draw attention. In public opinion, attackers gaining access to government computer systems, no matter whether classified or not, reflects badly on the ability of the US to defend itself, especially when foreign nationals are suspected. In addition, availability and integrity must be maintained in systems that involve any kind of government decision making, more than in most other systems.


The bottom line is that high profile targets must maintain a high level of security on all networks. Hackers, private and state-funded, are continuously attempting attacks on these systems. Such attacks must be blocked in order to protect data within as well as assure the public of the ability of the government to protect its cyber systems."

John Dickson, Principal at the Denim Group:

"Although initial reports emphasize the unclassified nature of the system and networks, security experts know that successful attacks against certain unclassified systems can, in fact, still be gravely serious. Given the fact this concerns perhaps the most high-visibility target in the world - the White House - and you potentially have a genuinely difficult situation.


On one hand, you have the issue of public confidence in our institutions of government. 'If the attackers can compromise the White House, what else can the possibly get into?' is a perfectly valid question from citizens who may not recognize the distinction between unclassified and classified systems. Also, sensitive information that is unclassified may traverse these systems and give attackers more context to allow them to put together a larger picture of what’s happening at the White House. Military folks call refer to this term as Operational Security, or OPSEC, and this is always a worry for those protecting the President, the White House, and the operations of the Executive Branch of government.


From a defensive standpoint, when you face a sophisticated attacker with substantial resources you have be constantly vigilant and assume certain systems will fail. It’s far too early to editorialize on theories of 'what might have happened' at the White House, but we always recommend a defense in depth approach to application and system design that 'fails open,' so that if an attacker compromises one type of defense, it doesn’t compromise the entire ecosystem."

Ian Amit, Vice President at ZeroFOX:

“Much of the conversation surrounding the recent White House hack centers on the nature of the compromised network. The network is 'unclassified,' leading many people to believe the affected information is non-critical or innocuous. It’s important to note however that enough unclassified information, when aggregated and correlated, quickly becomes classified. Isolated data points might not mean much by themselves, but enough time spent passively listening to unclassified chatter can reveal some very sensitive intelligence.


So how much time was the hacker on the network? It’s difficult to tell. Security officials alerted on 'suspicious activity.' This phrase doesn’t give us much insight into how long the network was compromised. The hacker could have been active on the network for months without doing anything to sound the alarms. It’s one thing if a hacker is caught in the act of breaking in or stealing data. That kind of event information generally gives a clear indication of the attack timeline. Triggering on passive behavior makes this much more difficult.


With that said, it’s commendable that White House security officials are looking for behavioral cues rather than overt events to detect malicious activity. Soft indicators are much more difficult to detect and means the security officials are using some advanced tools to understand traffic on the network."

Anup Ghosh, CEO of Invincea:

"The disclosure of breach from the White House this week was remarkable for its differences from a similar disclosure in 2012. It's clear from recent press releases from security companies, that Russia is the New Black now. In fact, if you get hacked by the Chinese now, it's almost embarrassing because they are considered less sophisticated than the Russians. So now, every breach seems to be attributed to Russians, though largely without any evidence.


A little more than two years ago in October 2012, the White House acknowledged a breach of its unclassified networks in the White House Military Office (which also manages the President's nuclear 'football'). The talking points at the time were: 1. Chinese threat, 2. Non-sophisticated attack method (spear-phish), 3. Unclassified network, so no harm. This week, the talking points are: 1. Russian government threat, 2. Sophisticated attack method (spear-phish), and 3. Deep concern over breach of unclassified network. The similarities between the two breaches are remarkable, but the reaction couldn't be more different.


Before we indict the Russians for every breach now, it would be great to see some bar set for attribution to a particular group. It would also be great to not use "sophisticated" threat or Russians as a scape goat for not properly addressing spear-phishing threats with technology readily available off the shelf (and shipped with every Dell commercial device)."

Michael Sutton, VP of Security Reasearch for Zscaler:

"The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to 'unnamed sources', it's safe to assume that the general public only has visibility into the tip of the iceberg. White House officials admitted that this latest breach was discovered 'in the course of assessing recent threats', suggesting that following the trail of breadcrumbs for one attack led to another.


In September, there were reports of yet another successful attack, this one leveraging spear phishing and compromising a machine on an unclassified network and earlier this month, details of the Sandworm attacks emerged, which leveraged a then 0day Microsoft vulnerability to target NATO and EU government agencies. All of these recent attacks have been attributed to groups in Russia and it's likely that they're tied together. All Internet facing systems face constant attack, but the White House understandably presents a particularly attractive target.


While all G20 nations have advanced cyber warfare capabilities and conduct offensive operations, Russia and China have been particularly aggressive in recent years, often conducting bold campaigns that are sure to be uncovered at some point."

Zach Lanier, Senior Security Researcher at Duo Security:

"U.S. government and defense networks are often the target of attackers -- and the White House is without a doubt very high on that list, regardless of the breached network reportedly being 'unclassified'. Everyone from hacktivists to foreign intelligence agencies have sought after access to these networks and systems, so this intrusion isn't a huge surprise." 

Carl Wright, General Manager of North America for TrapX Security:

"When it comes to our military, government and its supporting national defense industrial complex, the American public's expectation is and should be significantly higher. The Senate Armed Services Committee (SASC) findings in September highlighted how nation-state actors were targeting contractors with relation to the federal government so it is to be expected that actual government bodies are also being targeted.


95 percent of the security market is signature based and thus will not detect a targeted zero-day. We must operate under the notion that networks are already compromised and focus defenses on monitoring lateral movements within data centers and private networks as that is how hackers escalate their attack and access. Unfortunately, existing security technologies focus from the outside in, trying to understand the entire world of cyber terrorists' behaviors which inundate security teams with alerts and false-positives.


These breaches demonstrate how traditional security tools alone don't do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture to thwart today's nation-states or crime syndicates whether foreign or domestic. With the United States President's intranet being compromised, it truly shows the poor state of our national cyber defense capabilities."

Nat Kausik, CEO at Bitglass:

"Organizations whose security models involve 'trusted devices' are naturally prone to breaches. Employees take their laptops on the go, get hacked at public WIFI networks, and come back to the office where the device is treated as trusted and allowed to connect to the network.


The compromised device enables the hacker to gain a broader and more permanent foothold inside the network. Government entities have long favored the 'trusted devices' model and are actually more prone to breaches than organizations that treat all user devices as suspect."

Greg Martin, CTO at ThreatStream:

"It's public knowledge that Russia has been very active in sponsored cyber espionage and attacks but have recently turned up the volume since both the Ukranian conflict and given the Snowden leaks which in my opinion have given Russian and China the open door to be even more bold in their offensive cyber programs.


Recent cyberattacks on retailers and financial institutions have been riddled with anti-US propaganda. This makes it increasingly difficult to pinpoint the backers as the activity is heavily blended threats between criminal actors, hack-tivist and state sponsored activity. As seen in the recent reports, Russia APT attacks have been prevalent in targeting U.S. interests including the financial sector.


ThreatStream believes organizations should accelerate their policy of sharing cyber threat information and look at how they currently leverage threat and adversary intelligence in their existing cyber defense strategies."

Until Next Friday...Happy Happy Halloween and have a Great Weekend!

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.