Audits, Attacks and False Positives

Written by Reflare Research Team | Aug 24, 2018 2:16:00 PM

Recently, several security companies detected phishing pages using the name of a core DNC system. These pages attempted to trick users into providing their login credentials by spoofing the legitimate login page for a Democratic Congressional Campaign Committee (DCCC) application built on the Democratic Election Committee (DNC) infrastructure.

First Published 24th August 2018

Whether it's a pregnancy test or data reporting, false positives can cause monumental problems.


On August 22nd 2018, several newspapers reported that phishing pages related to a core DNC system had been discovered by security vendor Lookout during routine scans. Phishing pages imitate important elements of official web applications such as login screens and are usually used in combination with phishing emails.

For example, an email may prompt the user to “reset his/her password by clicking this link”. When the link is clicked, the user is sent to the phishing page instead of the legitimate web application. If user credentials are entered, they become known to the attackers.

It quickly became clear, however, that while the phishing site was indeed real and used for attacks, said attacks were part of an awareness program carried out by volunteer group DigiDems at the request of the Michigan Democratic Party.

How to distinguish between audits and attacks?

Performing managed phishing attacks as part of regular auditing and staff training has become a very common strategy in organizational information security. Without the hands-on experience such a simulated attack provides, it can be hard to give staff the awareness required to avoid a real attack. As with most information security auditing activities, the only differentiator between a real attack and an audit is the consent of the attacked organization.

Staff members are usually purposefully left in the dark so as not to affect the audit results and to provide as much educational value as possible. Unfortunately, this also means that false positive attack alerts like the one issued by the DNC can happen from time to time.

How can such false alarms be avoided?

The only way to avoid false alerts is to centrally manage information security. However, since a certain degree of decentralized flexibility is beneficial for incident response purposes, there will always be a tradeoff between two archetypes when it comes to information security: a perfectly central, well-organized but slow and inflexible organization, and a perfectly decentralized, chaotic but flexible and quick one.
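One practical form of that central management, tying together the point above and the earlier observation that consent is the only differentiator between an audit and an attack, is a register of authorized phishing exercises that the detection team consults when an alert comes in. The following is an added example, not code from Reflare or from any of the organizations mentioned; the exercise owner, domain names and dates are constructed placeholders, and the verdicts are a triage hint to be confirmed with the registered owner, not a reason to drop the alert.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AuthorizedSimulation:
    """One entry in a central register of consented phishing exercises."""
    owner: str            # team that commissioned the exercise
    domains: frozenset    # lookalike domains the exercise may use
    start: datetime       # authorization window (UTC)
    end: datetime

def _host_matches(host: str, domain: str) -> bool:
    """Exact match or a subdomain of an authorized domain."""
    return host == domain or host.endswith("." + domain)

def classify_alert(url: str, seen_at: datetime, register) -> tuple:
    """Return (verdict, owner). Anything not covered by a current
    authorization is treated as a real attack and escalated."""
    host = urlsplit(url).hostname
    if not host:
        return ("escalate", None)
    host = host.lower().rstrip(".")
    for sim in register:
        if any(_host_matches(host, d) for d in sim.domains):
            if sim.start <= seen_at <= sim.end:
                return ("authorized-simulation", sim.owner)
            # Known exercise domain seen outside its window: do not
            # assume consent, someone else may have registered it since.
            return ("escalate-expired-authorization", sim.owner)
    return ("escalate", None)

# Constructed register: hypothetical exercise, placeholder domain.
REGISTER = (
    AuthorizedSimulation(
        owner="state-party-volunteers",
        domains=frozenset({"login-example-portal.test"}),
        start=datetime(2018, 8, 20, tzinfo=timezone.utc),
        end=datetime(2018, 8, 31, tzinfo=timezone.utc),
    ),
)

if __name__ == "__main__":
    seen = datetime(2018, 8, 22, 9, 0, tzinfo=timezone.utc)
    for u in ("https://sso.login-example-portal.test/reset",
              "https://evil-example.test/reset"):
        print(u, classify_alert(u, seen, REGISTER))
```

A lookalike domain that is in the register but outside its authorization window is deliberately still escalated, since a lapsed exercise domain is exactly what a real attacker could pick up.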

More importantly, a false alarm is not necessarily bad. This incident gave the DNC a chance to verify that their detection and incident response teams were working as intended. The fact that the harmless nature of the page was discovered within hours further indicates a sufficient level of coordination. While the consequences of the incident can only be evaluated by the DNC itself, from an outside perspective there doesn’t seem to be any inherent immediate need to adjust their current policy.

Summary

While media coverage of the incident was extensive in the wake of the high-profile 2016 DNC hacks, the incident itself is surprisingly common. Auditing and educational activities regularly raise false alarms. As long as such alarms are correctly identified in a timely manner, they can be seen as a test of the overall security strategy of an organization.