Audits, Attacks and False Positives
On August 22nd 2018, several newspapers reported that phishing pages related to a core DNC system had been discovered by security vendor Lookout during routine scans. Phishing pages imitate important elements of official web applications such as login screens and are usually used in combination with phishing emails.
For example, an email may prompt the user to “reset his/her password by clicking this link”. When the link is clicked, the user is sent to the phishing page instead of the legitimate web application. If user credentials are entered, they become known to the attackers.
It quickly became clear, however, that while the phishing site was indeed real and used for attacks, said attacks were part of an awareness program carried out by the volunteer group DigiDems at the request of the Michigan Democratic Party.
How to distinguish between audits and attacks?
Performing managed phishing attacks as part of regular auditing and staff training has become a very common strategy in organizational information security. Without the hands-on experience such a simulated attack provides, it can be hard to give staff the awareness required to avoid a real attack. As with most information security auditing activities, the only differentiator between a real attack and an audit is the consent of the attacked organization.
Staff members are usually purposefully left in the dark so as not to affect the audit results and to provide as much educational value as possible. Unfortunately this also means that false positive attack alerts such as the one issued by the DNC can happen from time to time.
How can such false alarms be avoided?
The only way to avoid false alerts is to centrally manage information security. However, since a certain degree of decentralized flexibility is beneficial for incident response purposes, there will always be a trade-off between the two archetypes of a perfectly central, well organized but slow and inflexible organization and a perfectly decentralized, chaotic but flexible and quick organization when it comes to information security.
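Central management in this context concretely means that every consented simulation is recorded before it starts, so that a detection team can check an alert against that record instead of treating every phishing page as hostile. The following is an added example of such a consent registry and the triage check that uses it; it is not code from the original post or from the DNC, DigiDems or Lookout. The registry entries, hostnames, contacts and dates are constructed, and the alert is assumed to arrive as a URL plus a UTC timestamp string. It goes slightly beyond the text by treating a registered host seen outside its authorized window as an incident rather than as a known simulation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class Simulation:
    """One consented phishing simulation, registered before it begins."""
    campaign_id: str
    authorized_by: str      # who consented on behalf of the organization (constructed)
    hosts: frozenset        # phishing-page hostnames the campaign will use
    starts: datetime        # UTC window in which the pages are expected to be live
    ends: datetime


# Constructed sample registry; every value below is invented for the example.
REGISTRY = [
    Simulation(
        campaign_id="AWARE-2018-08",
        authorized_by="awareness-lead@example.org",
        hosts=frozenset({"voter-db-login.example.net"}),
        starts=datetime(2018, 8, 20, tzinfo=timezone.utc),
        ends=datetime(2018, 8, 27, tzinfo=timezone.utc),
    ),
]


def parse_utc(timestamp: str) -> datetime:
    """Parse an alert timestamp such as '2018-08-22T14:05:00Z' as UTC."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_of(url: str) -> str:
    """Normalize an alerted URL or bare host to a lowercase hostname without port."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def host_matches(observed: str, registered: str) -> bool:
    # Exact host or a subdomain of the registered host; a lookalike such as
    # "voter-db-login-example.net" is deliberately not a match.
    return observed == registered or observed.endswith("." + registered)


def triage_phishing_alert(url: str, seen_at: str, registry=REGISTRY) -> dict:
    """
    Classify a reported phishing page against the consent registry.
    Only an exact in-window match is treated as an authorized simulation;
    everything else is escalated as a real incident.
    """
    host = host_of(url)
    when = parse_utc(seen_at)
    for sim in registry:
        if any(host_matches(host, h) for h in sim.hosts):
            if sim.starts <= when <= sim.ends:
                return {"verdict": "authorized_simulation", "campaign": sim.campaign_id,
                        "contact": sim.authorized_by, "host": host}
            # A known campaign host outside its window may be leftover or reused
            # infrastructure, so escalate but name the campaign for the responder.
            return {"verdict": "escalate", "reason": "outside_authorized_window",
                    "campaign": sim.campaign_id, "host": host}
    return {"verdict": "escalate", "reason": "no_matching_simulation", "host": host}


if __name__ == "__main__":
    print(triage_phishing_alert("https://Voter-DB-Login.example.net/reset?u=1",
                                "2018-08-22T14:05:00Z"))
    print(triage_phishing_alert("https://voter-db-login-example.net/", "2018-08-22T14:05:00Z"))
```

The default verdict is escalation: the registry only ever downgrades an alert when the host and the time window both match, so an incomplete or stale registry costs a false alarm, not a missed attack. The returned contact lets the responder confirm with the authorizing party within the hours the post mentions rather than days.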
More importantly, a false alarm is not necessarily bad. This incident gave the DNC a chance to verify that their detection and incident response teams were working as intended. The fact that the harmless nature of the page was discovered within hours further indicates a sufficient level of coordination. While the consequences of the incident can only be evaluated by the DNC itself, from an outside perspective there doesn’t seem to be any inherent immediate need to adjust their current policy.
Summary
While media coverage of the incident was extensive after the high-profile 2016 DNC hacks, the incident itself is surprisingly common. Auditing and educational activity regularly raises false alarms. As long as such alarms are correctly identified in a timely manner, they can be seen as a test of the overall security strategy of an organization.