Question

Select a recent, within ten years, cybersecurity case in which security broke down, or were security was breached.   Target, Equifax, Home Depot, Sony, the OPM are common topics, and one may chose one of these, but I would prefer if one found a less common, but equally challenging case to evaluate.

Answer 1

In June 2013, Edward Snowden, who was working for United States government as an employee of the NSA contractor Booz Allen Hamilton, revealed thousands of classified NSA documents that eventually appeared in The Guardian and The Washington Post. Snowden was a System Administrator in NSA with official authority to access thousands of classified documents. Nevertheless, the scope and number of the documents disclosed by him suggested Snowden had wider access than would be consistent with his authority in NSA. Furthermore, he even breached the security of the sites under allied federal agencies and even the agencies of allied countries and made classified documents from those sites open to public. He probably breached the websites by stealing crednetials. Nonetheless, there is no direct evidence of how he had done it.

Stealing credentials from NSA and other federal agency websites are easier said than done. Particularly NSA follows a high end security protocol that is impossible to breach for anyone even with highest level of security access.  National Security Agency (NSA) of United States of America is always obsessive with log-watching its site access at different security levels and NSA also uses extensive psychometric analysis to predict any discrepancies in its contractual employees' behavioral pattaren. Furthermore, US federal agencies pioneered the idea that only hardware can be trusted, so they designed in the last decade a version of Linux Operating System that is called Security-Enhanced Linux (SELinux). This specially designed Operating System reduces the role of the systems administrator from the unlimited "root" superuser of standard linux/unix to a much more nuanced set of permissions that did not allow disabling logging (or modifying the logs), altering certain key system files and configuration settings, and so forth. Thus any attempt to access credentials stored by his users should have been logged, and on audit of those logs, an explanation would need to be forthcoming or that user will face punitive actions. This also implies that the security manager will know in triplicate exactly which files Snowden had accessed, where he had copied them to, and where that copy was supposed to be now for each and every file he accessed.

Snowden could have breached the system only in the following ways --

1. By fabricating the digital certificates or other types of cryptographic keys such as those used for SSH access. Such self-signed certificates are common part of the cybercriminals toolkit to enable the exfiltration of data.
2. Snowden reportedly obtained usernames and passwords from dozens of colleagues. When logging in with his colleagues credentials, he would also have access to their SSH keys and digital certificates. Since unlike passwords that are frequently required to be changed, SSH keys and digital certificates have much longer life span. Snowden could also have taken “fabricated” SSH keys and establish them as trusted against the colleagues credentials.

Using military Kill Chain analysis model, we can following interpretation about this cybersecurity breach case:

1. Researching the target—Snowden used his valid access (such as CAC with keys and certificates and SSH keys for system administration) to determine what information was available and where it was stored—even if he didn’t immediately have full access to that information.
2. Initial intrusion—Snowden gained unauthorized access to other administrative SSH keys and inserted his own to gain trusted status to information he was not authorized to access. He also took care not to set off alarms and covered his tracks.
3. Exfiltration—To get data off the NSAnet, he could not simply save it to a flash drive. Instead data needed to be moved across networks and under the radar to evade detection. Just like common cybercriminals, Snowden used Command and Control servers to receive encrypted data sessions. These sessions were authenticated with self-signed certificates.