The OPM Breach and Why You Should Fire Your Cyber Janitor
- In June of 2015 the United States Office of Personnel Management (OPM) announced they had been the target of what became one of the largest breaches of government data in history.
- When the dust settled, it was determined that over 20 million people were affected.
- The data stolen from individuals was Social Security numbers, names, addresses, relatives, and even fingerprints.
The 120-page SF-86 form asks for very sensitive data about you, your family members, neighbors, foreign contacts, and even your psychological history. This data is then entered into a database controlled by the OPM. It was this very database that was hacked by what the United States assumes was China.
The attackers used both social engineering and malware to target employees at the OPM. The targeted malware was then able to obtain credentials to access the OPM records database. There were many post-mortem discussions suggesting that the firewall or other intrusion detection devices were not adequate. There were even discussions about how the OPM database lacked the proper encryption to prevent this breach from taking place.
However, those discussions are simply shortsighted and wrong.
These theories are quickly debunked when dealing with malware created by a nation state. First, in most cases malware is not stopped at the perimeter firewall. Malware is commonly sent via email inside what appears to be a normal office productivity document.
Clever, targeted malware will even make the end user believe it is a real email with an attachment directed at them. Why wouldn’t they click it and open it? Once opened, the malware creates a backdoor for the attackers to be on the inside of the network. At this point you’re thinking, why wouldn’t software on the user’s computer detect that this document has malicious code executing inside of it? Well, herein lies the problem with traditional detection-based solutions.
Detection is based on something that is already known. Essentially, several cybersecurity products that live on the end user’s computer make millions of dollars by updating databases of known malware. Once a user has been hit with some new type of malware, these companies are quick to update their database with the information to stop it thereafter. But what if you were that first person? What if you were Patient Zero? After infection, an AV solution that is the equivalent of a cyber janitor must be brought in. These tools simply clean up after the mess has happened.
And of course, it’s better to stop an event before it even occurs.
Welcome to the OPM breach. They were Patient Zero for this malware. There was not a single detection-based company around that could have stopped that malware. Why? Because it was custom created and targeted for that attack. This is the way most nation-state attacks work. They fully understand the current detection-based solutions and write something that won’t be detected by them.
So maybe now you’re thinking, I have heard of this really cool thing called Next-Gen AV (anti-virus). These Next-Gen AV solutions are not based on databases of known malware. They are based on looking for abnormal events happening on the end user’s computer. Essentially, they know what products like Microsoft Word are supposed to do. As soon as such a product acts “out of character”, they step in and stop the attack. Sounds like the answer to the problem, right?
Not exactly. Sophisticated attackers (especially unfriendly foreign governments with lots of money for R&D) are always finding a way around this artificial “intelligence” of Next-Gen AV. Of course, as soon as these covert attempts are detected by these companies, they are quick to update their product to stop it. Again, there had to be a Patient Zero, and no agency wants to testify in front of Congress because it was Patient Zero for yet another sophisticated attack.
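To make the two detection models above concrete, here is an added example (not code from the original post or from Bromium) that puts a hash-based "known malware" check beside a behavioural "is Word acting out of character" check, both run over constructed endpoint events; the hash database, the winword.exe baseline and the sample events are all invented for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed "known malware" database: hashes of attachments someone was already hit by.
KNOWN_BAD_HASHES = {hashlib.sha256(b"attachment-seen-last-month").hexdigest()}

# Constructed baseline of what winword.exe is "supposed to do": children it normally spawns.
EXPECTED_CHILDREN = {"winword.exe": {"splwow64.exe", "msoia.exe"}}


@dataclass(frozen=True)
class Event:
    attachment: bytes        # content of the opened document (constructed)
    parent: str              # process that opened it
    child: Optional[str]     # process it spawned, if any


def signature_hit(attachment: bytes) -> bool:
    """Detection-based AV: only a hash already in the database is flagged."""
    return hashlib.sha256(attachment).hexdigest() in KNOWN_BAD_HASHES


def behaviour_hit(event: Event) -> bool:
    """Next-Gen AV style: flag a parent that acts out of character for its baseline."""
    expected = EXPECTED_CHILDREN.get(event.parent.lower())
    if expected is None or event.child is None:
        return False  # no baseline for this parent, or no child process: nothing to compare
    return event.child.lower() not in expected


def verdict(event: Event) -> str:
    if signature_hit(event.attachment):
        return "blocked-by-signature"
    if behaviour_hit(event):
        return "blocked-by-behaviour"
    return "allowed"


# Constructed sample events: a previously seen sample, a Patient Zero sample, and one
# whose observable behaviour stays inside the baseline.
EVENTS = {
    "known": Event(b"attachment-seen-last-month", "winword.exe", "powershell.exe"),
    "patient_zero": Event(b"attachment-seen-last-month-v2", "winword.exe", "powershell.exe"),
    "stays_in_baseline": Event(b"attachment-seen-last-month-v3", "winword.exe", "splwow64.exe"),
}


def run_all() -> Dict[str, str]:
    return {name: verdict(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:18} -> {result}")
```

The Patient Zero sample passes the signature check because its hash has never been seen, and the third sample passes both checks because a baseline can only flag behaviour it already knows to be abnormal.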
So what is the solution? How can malware be truly stopped before it ever attacks? How can anyone fully stop something if it is very sophisticated and bypasses all detection methods?
The answer is you don’t stop it: let the malware run and execute.
Let it fully play out and do what it wants to do. Sounds exactly opposite of what anyone would want, right? Well, not exactly. There is a way this can be done: each time a document from an untrusted source is sent to a user’s computer, it is executed in a completely isolated way that has zero impact on the actual computer. In this case, detection is completely taken out of the picture, and anything from an untrusted source is placed into isolation to run and be executed.
This is exactly what Bromium provides. We leverage extensions built into the hardware CPU to run any untrusted task in an isolated virtual machine (VM). This hardware-isolated VM has zero access to the host operating system or the other VMs running on the host. Even better, this is all seamless to the end user.
By isolating untrusted content, the host machine will never be infected by any potential virus, malware, or ransomware. From the user’s perspective, each of these tasks looks identical to opening it with natively installed software.
Had the OPM employed Bromium Secure Platform on all of their endpoints, the breach never would have happened. The attachment with the malware sent to the OPM employee would have simply opened in a hardware-isolated VM separate from the host operating system with zero access to the OPM network. This means that 20 million people would not have had their sensitive information stolen by a foreign country. This also means that the postmortem security solution that the OPM brought in to clean up the breach would never have been needed.
And the cyber janitor could have been fired.