Your Industry, Jul 1 2015

Hacked off in the USA


Earlier in June, US officials released a statement that the Office of Personnel Management had suffered a breach. Data from 4m current and former federal employees across multiple government agencies may have been compromised.

Numerous reports and security analysts have accused China of being behind what is potentially the largest data breach in US history, but government officials have been hesitant to make that claim. Members of the US Senate Intelligence Committee acknowledged that the attack appeared to be state-sponsored, but stopped short of identifying a culprit.

It is difficult to properly attribute an attack, and this one could be the result of any number of groups or state-sponsored attackers. If China is the perpetrator, it does not take a security expert to see a pattern taking place here. Most of the attacks allegedly from China over the past few years have gone after the personal information of US citizens, and there is no sign that this trend will diminish. It is fair to assume at this point in the game that China may have more accurate information on US citizens than the US itself.

The OPM manages security clearances for various government organisations. During that process, employees must provide details about every aspect of their life, which is in turn stored and kept in the same systems that were breached. According to a list of frequently asked questions from the OPM, the compromised data may have included names, social security numbers, dates and places of birth and current and former addresses – all of which are difficult or impossible to change and carry the risk of being used for identity theft. Included in the hack was data dating all the way back to 1985, which leaves even people who have long since retired from federal positions at risk.

Organisational confidence takes a long time to build, but can be eroded much more quickly. Government breaches put these trusted public institutions in the same light as all the recent private company breaches such as those at Target and Home Depot. The big difference here is that the government has much more sensitive data about its citizens, and the citizens have no choice in sharing that data.

The OPM does not seem incompetent, but it did make some major mistakes. However, I would like to give credit where it is due and acknowledge its successes.

Incident response was there, but it was not quick enough.

From a security incident response perspective, the OPM did a lot of things right. Though we do not know the extent of its security measures, which is common when dealing with government entities, it admitted in a press release that this breach was identified after the office implemented new security tools and capabilities. Considering most breaches are discovered by outside organisations, this is a win. The office also announced the breach and offered identity theft protection services to anyone whose data was compromised. Of course, it did not make the announcement until more than a month after it discovered it, but it is the government after all.

Unfortunately, these measures are not enough. In order to stay effective and relevant, security teams need to detect threat actors before they get a chance to exfiltrate data. You cannot reliably prevent intrusions, especially when it comes to high-value targets such as government records, but you can detect the breach earlier in the attack continuum before the actual data is stolen.

Gaining entry to a network is only the first step an attacker has to take before he can actually steal the target data. After gaining access, he still has to explore the network, identify where the data is held, obtain the privileges needed to read it and then move it out of the network. At any point in this process the attacker can be identified and expelled from the network. If that happens before the final step, exfiltration, the attack was successfully mitigated and significant damage was avoided.

To achieve this capability, organisations have to leverage network telemetry, and leave the hackers no place to hide. If there is a blind spot on the network, especially in government networks, there is probably someone hiding there. The OPM may have the capability to detect these threats – that may be how it identified the intrusion in the first place – but if so, it was not utilised effectively and early enough.
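The stage-by-stage view above is exactly what network telemetry lets a defender act on. As an added example (not code from this article, from Lancope or from the OPM), the following Go program reads NetFlow-style records and raises alerts for two of those stages: one internal host sweeping many other internal hosts, which is reconnaissance and happens long before any data moves, and one internal host pushing an unusually large volume to a single external address, which is exfiltration. The internal address range, the two thresholds and the flow records are all constructed assumptions; on a real network they would be tuned against an observed baseline.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one summarised record of the kind a NetFlow/IPFIX collector exports:
// who talked to whom and how many bytes moved.
type Flow struct {
	Src, Dst string
	Bytes    int64
}

// Alert ties a host to the intrusion stage its traffic resembles.
type Alert struct{ Host, Stage, Detail string }

// Hypothetical internal range and thresholds; tune against your own baseline.
var _, internalNet, _ = net.ParseCIDR("10.0.0.0/8")

const (
	fanOutHosts = 5        // distinct internal hosts one source touches
	exfilBytes  = 50 << 20 // bytes from one host to one external destination
)

func isInternal(ip string) bool {
	addr := net.ParseIP(ip)
	return addr != nil && internalNet.Contains(addr)
}

// ParseFlows reads "src,dst,bytes" lines; malformed lines are skipped.
func ParseFlows(lines []string) []Flow {
	var flows []Flow
	for _, ln := range lines {
		f := strings.Split(strings.TrimSpace(ln), ",")
		if len(f) != 3 {
			continue
		}
		if n, err := strconv.ParseInt(f[2], 10, 64); err == nil {
			flows = append(flows, Flow{Src: f[0], Dst: f[1], Bytes: n})
		}
	}
	return flows
}

// Analyze runs two stage-specific detections: an internal host sweeping many
// other internal hosts (reconnaissance, before any data has moved) and an
// internal host pushing a large volume to one external address (exfiltration).
func Analyze(flows []Flow) []Alert {
	hostsSeen := map[string]map[string]bool{} // src -> distinct internal dsts
	outbound := map[string]int64{}            // "src|dst" -> bytes to external dst
	for _, f := range flows {
		switch {
		case !isInternal(f.Src): // inbound traffic is out of scope for these rules
		case !isInternal(f.Dst):
			outbound[f.Src+"|"+f.Dst] += f.Bytes
		default:
			if hostsSeen[f.Src] == nil {
				hostsSeen[f.Src] = map[string]bool{}
			}
			hostsSeen[f.Src][f.Dst] = true
		}
	}

	var alerts []Alert
	for src, dsts := range hostsSeen {
		if len(dsts) >= fanOutHosts {
			alerts = append(alerts, Alert{src, "reconnaissance",
				fmt.Sprintf("contacted %d distinct internal hosts", len(dsts))})
		}
	}
	for key, n := range outbound {
		if p := strings.SplitN(key, "|", 2); n >= exfilBytes {
			alerts = append(alerts, Alert{p[0], "exfiltration",
				fmt.Sprintf("sent %d bytes to external host %s", n, p[1])})
		}
	}
	// Map iteration order is random; sort so the report is stable.
	sort.Slice(alerts, func(i, j int) bool {
		return alerts[i].Host+alerts[i].Stage < alerts[j].Host+alerts[j].Stage
	})
	return alerts
}

// SampleFlows are constructed records, not real OPM traffic: 10.0.1.50 sweeps
// five file servers and later pushes 80 MiB to one external address, while
// 10.0.1.51 behaves normally.
var SampleFlows = []string{
	"10.0.1.50,10.0.2.10,1200",
	"10.0.1.50,10.0.2.11,1200",
	"10.0.1.50,10.0.2.12,1200",
	"10.0.1.50,10.0.2.13,1200",
	"10.0.1.50,10.0.2.14,1200",
	"10.0.1.50,203.0.113.7,41943040",
	"10.0.1.50,203.0.113.7,41943040",
	"10.0.1.51,10.0.2.10,5000",
	"10.0.1.51,198.51.100.20,5000",
}

func main() {
	for _, a := range Analyze(ParseFlows(SampleFlows)) {
		fmt.Printf("%-10s %-15s %s\n", a.Host, a.Stage, a.Detail)
	}
}
```

The reconnaissance rule is the one that matters for the argument: it fires on the sweep alone, before the 80 MiB ever leaves, which is the window in which an intruder can still be expelled at little cost. A blind spot, a segment whose flows are never exported, is simply a place where neither rule can see.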

The most critical security failure on the OPM’s part is a lack of adequate encryption. Modern ciphers are robust enough that nobody can break them in less than a lifetime without access to the key, and that holds even for state-sponsored attackers with extensive resources. Had the data been properly encrypted, with the keys held separately from it, the OPM could have emailed all of this data to Chinese intelligence agencies and they still would not have been able to do anything with it.

Failing to properly encrypt sensitive data is a bad habit most people and organisations have fallen into. There is no reason this should not be standard practice at all government institutions. In this case, the OPM was either not using encryption the way it should have or it was not protecting the keys used to decrypt the data well enough. It is especially egregious because the kind of data that was stolen was perhaps the most sensitive kind of data short of medical records.
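As an added illustration of the encryption and key-protection point above (example code, not anything from the article, from Lancope or from the OPM), the following Go program encrypts a personnel record with AES-256-GCM under a per-record data key and then wraps that data key under a key-encryption key (KEK) that is never stored with the data. The record identifier is bound to both ciphertexts as additional authenticated data, so a record cannot be silently swapped or modified. The KEK value, the record ID and the record contents are constructed for the example; in production the KEK would live in an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what the personnel database would store. The data key
// that encrypts the record is itself stored wrapped (encrypted) under a KEK
// that never lives in the database, so a dump of the table, backups included,
// yields nothing without the KEK.
type EncryptedRecord struct {
	ID         string // plaintext identifier, bound to both ciphertexts as AAD
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, authenticates aad alongside it, and
// prepends a fresh random nonce so the same key can be reused safely.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to key, nonce, ciphertext, tag or aad
// makes it fail rather than return garbage.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptRecord generates a per-record data key, encrypts the record with it,
// then wraps the data key under the KEK. The plaintext data key never persists.
func EncryptRecord(kek []byte, id string, plaintext []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK: unwrap the data key first, then the record.
func DecryptRecord(kek []byte, r EncryptedRecord) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	// Constructed values: a KEK that would really come from an HSM or KMS,
	// and a made-up record. Neither is real data.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "sf86-000001", []byte("name=J. Doe;ssn=000-00-0000"))
	if err != nil {
		panic(err)
	}
	// An attacker holding only the database dump (and guessing a key) gets an error.
	_, err = DecryptRecord(make([]byte, 32), rec)
	fmt.Println("wrong KEK:", err)
	pt, _ := DecryptRecord(kek, rec)
	fmt.Println("with the KEK:", string(pt))
}
```

Two caveats a practitioner would add. First, this protects against the theft of database files and backups; an attacker who has stolen valid credentials for an application that decrypts records on demand still sees plaintext through that application, so access control and monitoring of that path are part of the same control. Second, if the KEK sits in a configuration file on the same server as the data, the wrapping is decorative, which is precisely the key-protection failure the article raises.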

The kind of information stolen from many private enterprises often consists of passwords or financial information such as credit cards. While unfortunate, this information can be changed somewhat easily. But social security numbers, addresses, names and historical records are not easily changed and can be used to bring all sorts of harm to the victims, and this is exactly the type of information that was stolen from the OPM.

This attack once again exemplifies the need for more security resourcing in the federal government and the need for a different and more comprehensive approach to incident response as well as basic data loss prevention measures such as encryption.

The current methodologies led to this breach rather than preventing it. The OPM may be instituting good security solutions, as evidenced by its discovery of this incident, but it clearly is not happening quickly enough. Attacks are being detected much too late in the attack continuum. Effective security these days means detecting these threat actors as they operate and before they exfiltrate data, while taking measures to ensure your data is unusable in the wrong hands. You cannot win all the battles, but all of these headlines suggest we are still on the losing side.

In addition, organisations need to leverage telemetry. Find the hacker hiding on your network – they are there – and remove them in a way that they cannot get back in. Then repeat this process constantly. These types of incident detection and response approaches have been vastly under-funded in the past, but as these hacks increase, we will see a shift in focus. Until organisations get better at doing this, we can guarantee that China or whichever malicious group is behind these attacks will continue to have better data on US citizens than anyone in this country does and this information superiority is what scares me the most.

TK Keanini is chief technology officer of security intelligence firm Lancope

Key points

Earlier in June, US officials released a statement that the Office of Personnel Management had suffered a security breach.

The OPM manages security clearances for various government organisations.

The kind of information stolen from many private enterprises often consists of passwords or financial information such as credit cards.