In cybersecurity, knowing your adversaries’ techniques and tactics can help you better defend and prevent successful attacks. It’s an important part of your strategy. But when attribution becomes the focus of the story, we risk not examining how an attacker was successful. Looking at a breach from a “whodunit” point of view makes for better headlines and helps sell threat intelligence services. However, it fails to address how the compromise was possible and how to close those gaps.
In the case of the Office of Personnel Management breach, it is now reported that a privileged user account was compromised and then used to gain a greater foothold in the network and steal information from 18 million accounts. For me, that raises questions about the management of identity and access controls and failure to identify anomalies in user behavior. This is much more mundane than pondering which nation-state is behind an attack and what their motivation is.
Good cybersecurity is predicated upon people, process and technology. The best way to approach access control is to make sure each individual is given only the amount of access necessary to perform his or her job. Users should also understand that their account is tied to them, that all activity generated by that account is recorded, and that they should never let someone borrow their account credentials (think Edward Snowden).
Behavioral analytics should be used to spot anomalous activity. Alerts can be generated when an account is used outside of its normal parameters, such as the time of day the account is active or an unusually large amount of data being copied by a user. Streaming network analytics that examine entity behavior for variances are far more valuable than the most advanced signature- or pattern-matching intrusion detection system (think EINSTEIN 3).
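As an added illustration of the per-account baselining described above (example code, not from the original post; the account name, timestamps and byte counts are constructed), this builds a profile of a user's usual active hours and data volume and flags events that fall outside it:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access-log lines (not real data): "<ISO timestamp> <user> <bytes_copied>".
BASELINE_LOG = """
2015-04-01T09:12:00 jdoe 120000
2015-04-02T10:40:00 jdoe 95000
2015-04-03T14:05:00 jdoe 130000
2015-04-06T11:30:00 jdoe 110000
2015-04-07T16:50:00 jdoe 105000
""".strip().splitlines()
# Constructed events to score against that baseline.
NEW_EVENTS = """
2015-04-08T13:00:00 jdoe 118000
2015-04-08T02:45:00 jdoe 90000
2015-04-09T15:10:00 jdoe 4200000
""".strip().splitlines()

def parse(line):
    ts, user, nbytes = line.split()
    return datetime.fromisoformat(ts), user, int(nbytes)

def build_baseline(lines):
    """Per user: hours seen active, plus mean and stdev of bytes copied per session."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for line in lines:
        ts, user, nbytes = parse(line)
        hours[user].add(ts.hour)
        volumes[user].append(nbytes)
    return {u: {"hours": hours[u], "mean": mean(volumes[u]), "stdev": pstdev(volumes[u])}
            for u in hours}

def detect_anomalies(baseline, lines, hour_slack=1, z_limit=3.0):
    """Return (line, reason) pairs for activity outside the account's normal hours or volume."""
    alerts = []
    for line in lines:
        ts, user, nbytes = parse(line)
        profile = baseline.get(user)
        if profile is None:
            alerts.append((line, "no baseline for this account"))
            continue
        # Hours adjacent to observed ones count as normal, to avoid alerting on minor drift.
        normal = {h + d for h in profile["hours"] for d in range(-hour_slack, hour_slack + 1)}
        if ts.hour not in normal:
            alerts.append((line, f"active at hour {ts.hour}, outside baseline hours"))
        spread = profile["stdev"] or 1.0  # a stdev of 0 would otherwise divide by zero
        if (nbytes - profile["mean"]) / spread > z_limit:
            alerts.append((line, f"copied {nbytes} bytes vs baseline mean {profile['mean']:.0f}"))
    return alerts
```

The two thresholds (`hour_slack`, `z_limit`) are tuning knobs; a real deployment would also key the baseline on source host and data store, not only on the account.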
We have to know what is normal versus not normal on our networks. Until we do that, we will not know about an attack until after it happens.