This report by DHS, linking Russian civilian and military services to recent compromises of services and endpoints related to the 2016 United States election, is an interesting read.
It outlines two threat actors, APT28 and APT29, running spear-phishing campaigns whose URLs lead to the initial droppers. From there, the compromised systems no longer belong to the United States.
What is interesting about the report are the tactics used by both threat actors. Spear-phishing is particularly effective because of the amount of data available about any given individual, both from social media and from previous breaches, which removes much of the friction from the detailed reconnaissance needed to craft a convincing spear-phish email.
The problem is that just about any living human being can be fooled by a well-crafted spear-phish, built from the most detailed elements of our personal lives and written to create urgency, so we click click click on that link.
The DHS report lists the ‘Top Seven Mitigation Strategies’: stuff we security folks all recommend, such as patching, whitelisting, least privilege and input validation on web forms. Good advice, but not a lot new there.
There are TWO BIG mitigation strategies they are missing. The first addresses the true weakness: the human. Human training as a mitigation strategy. Every government employee should undergo both social engineering and security awareness training as a mandatory part of employment.
The second mitigation step is . . . (and forgive me if this seems old-fashioned and impractical, but) don’t allow HTML embedding in emails; or, if that is too restrictive, don’t allow HTML embedding in EXTERNAL emails. Why is that needed? Because the HTML is where the spear-phish link hides. I am a security guy who GETS that business needs to be done, and security cannot stand in the way of business, but I believe the Government could run just fine using non-HTML formatted emails. How do I know? Because we’ve done it for over 200 years.
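One way to enforce that second step at a mail gateway, as an added example that is not from this post or from the DHS report: mail from senders outside the organisation is rebuilt with a text/plain body (the HTML alternative is dropped, or reduced to its visible text when no plain part was offered), while internal mail passes untouched. It uses only the Python standard library; INTERNAL_DOMAINS, the example.gov domain and the sample lure are assumptions constructed for the demonstration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

INTERNAL_DOMAINS = {"example.gov"}  # assumption: the organisation's own mail domains

class _TextOnly(HTMLParser):  # fallback for HTML-only mail: visible text only, no tags or link targets
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def is_external(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def to_plain_text(msg):  # rebuild msg with a text/plain body; attachments carried over, HTML dropped
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        text = plain.get_content()
    else:  # sender offered no text/plain alternative: reduce the HTML part to its text
        html_part = msg.get_body(preferencelist=("html",))
        parser = _TextOnly()
        parser.feed(html_part.get_content() if html_part else "")
        text = "".join(parser.chunks)
    out = EmailMessage()
    for name, value in msg.items():  # keep routing headers, not the old MIME structure
        if name.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            out[name] = value
    out.set_content(text)
    for att in msg.iter_attachments():  # attachments pass through unchanged (scan them separately)
        out.add_attachment(att.get_payload(decode=True), maintype=att.get_content_maintype(),
                           subtype=att.get_content_subtype(), filename=att.get_filename())
    return out

def filter_message(raw):  # gateway rule: external senders get text/plain, internal mail is untouched
    msg = message_from_string(raw, policy=policy.default)
    return to_plain_text(msg) if is_external(msg) else msg

def sample_message(sender, with_plain=True):  # constructed lure, not a real message
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "analyst@example.gov", "Password reset required"
    html = '<p>Your password expires today. <a href="http://example.net/reset">Reset now</a></p>'
    if with_plain:  # the normal case; with_plain=False yields an HTML-only lure
        m.set_content("Your password expires today. Reset now\n")
    m.add_alternative(html, subtype="html")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="policy.pdf")
    return m.as_string()
```

The rewritten message keeps its From, To and Subject headers and its attachments, so only the clickable HTML layer is lost.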
Take those two mitigation steps, plus some that were touched on in the report (web application firewalls, validation and error checking), and the APTs would have a harder time getting in. They would have to knock on more doors, which in turn makes more noise and raises the chance of detecting APT activity.
Let’s keep our Government Secure.