Security Experts:

Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit

Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit

In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.

But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago. 

One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used. 

But there is also an increasing triangulation of methods that go far beyond compromising IT systems. They include much more sophisticated social engineering and phishing techniques brought about by the availability of rich data from the market-profiling capabilities of today’s social media platforms. They also include the use of stolen information not just for monetary gain, but to deceive and to advance a greater objective. They include actual “boots on the ground,” real actors behind spoofed accounts.  

The motivations for this range from simple theft to information warfare. Take the emerging picture we’re seeing of Russian influence on elections in the United States and elsewhere. There is a clear body of evidence that, despite the progress made by official U.S. investigations into the election meddling on the part of Internet Research Agency that occurred between 2014–2016 and beyond, the activity hasn’t stopped. In fact, it may have intensified. 

What’s interesting about this ongoing attack from a security standpoint is its sheer scale and comprehensiveness. Take a look at some of the tools and tactics involved, as described in the recent indictment of 13 Russian nationals involved in the scheme: 

• The group first conducted careful research into the influence of certain politically affiliated groups on social media platforms like Facebook, Twitter, Instagram and others. 

• They obtained travel visas to enter the U.S. and, while here, set up an extensive operation with a monthly budget of more than $1 million, with dozens of employees working in shifts. 

• They developed hundreds of fake email accounts, social media accounts and group pages and managed to build a substantial following — reaching hundreds of thousands, if not millions, of Americans. They also kept deep metrics of the activity, reach and influence of these accounts, continually refining messages and tactics just like any good marketing agency would. 

• They bought social media advertising and used their accounts to drive interest in and attendance at rallies and protests. 

• They stole and used American citizens’ dates of birth and Social Security numbers to obtain driver’s licenses and other identification documents.

• Using those documents, they posed as Americans, not only to promote a political agenda, but also to obtain cloud server space and set up VPNs in the U.S. that were connected directly to the parent organization in St. Petersburg. This use of VPNs kept the direct involvement of the Russian parent organization hidden. 

Ultimately, these efforts were undertaken not to enrich the organization, but to sow mistrust and discord in American democracy — both in elections and in the institutions that support them, such as the free press and the independent judiciary. 

Perhaps most alarming is a theme that anyone in the cybersecurity industry will be familiar with: Despite identifying, outing and filing indictments against this particular group, the overall effort to disrupt the U.S. political process remains. In early August, Director of National Intelligence Dan Coats held a press briefing at the White House during which he pointed out a continued and “pervasive messaging campaign by Russia to try to weaken and divide the United States.” 

What does all of this mean for security pros? Well, as citizens we should take a page from the security trainings we give to users. Be skeptical. Be aware. Question things that are out of the ordinary. And whatever you do, don’t click on that. 

But as an industry, we need to understand that attack vectors are evolving in ways we never would have imagined a few years ago. Now almost any business, whether it’s a property management firm, a cloud provider or a social media platform, needs understand all of the potential ways their services could be used, even as malicious actors continually evolve their tactics. As entire industries go digital, there will be ramifications we haven’t anticipated, simply because we are navigating uncharted territory. 

It goes to show that the industry must diversify and expand its talent base beyond technical skills to include real industry, geopolitical and other expertise. Yes, technical hacks to gain entry into sensitive systems are still an important part of the equation, but today they are just one tool in a much larger toolkit. 

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.