Blog
2024 Presidential Election Security
Turn the Network into a Defensive Advantage
ExtraHop
August 28, 2024
All eyes are on the 2024 Presidential Election in the United States, and it’s not just American citizens who are interested in the results of this year’s contest. As we’ve previously noted, several nation-states are seeking to influence the outcome of the 2024 election, and U.S. election infrastructure, including networked voting and tallying machines, is at risk. Rob Mathieson, an engineering director at ExtraHop who works closely with public sector organizations, says multiple phases of the elections process are vulnerable to tampering by threat actors.
Those vulnerabilities begin far before Election Day. Adversaries infiltrate election infrastructure in advance, typically targeting emails, data stores, and online registration processes. Once the election begins, threat actors shift their focus to the ballot casting and vote tallying machines, as well as the transmission processes to and from the vote tallying process. Networked machines are vulnerable to compromise just like any other endpoint and vote tallies can be tampered with during transmission just like any other data in flight. The attempts to influence the outcome don’t end once all the votes are in. Adversaries may also deface public-facing government websites to display incorrect results and cause chaos and confusion.
During a recent webinar on election security, Mathieson explained a methodology threat actors use to break into systems and how defenders can counter them every step of the way using the power of network visibility to maintain free and fair elections.
The Six Phases of a Cyberattack
According to the NSA’s Office of Tailored Access Operations (TAO), there are six phases to a cyberattack. As Mathieson explains, adversaries rely on particular vulnerabilities during each of these phases, and count on the fact that security teams are generally understaffed and usually underfunded in order to slip past organizational defenses. But, Mathieson counters, it’s possible to turn what adversaries perceive as weaknesses into advantages. Here’s how:
Reconnaissance
During this phase, adversaries are in no rush—reconnaissance can take days or even months to complete. They’re looking to gather information about organizations’ environments and defenses without them noticing. One perceived weakness adversaries will attempt to exploit is the fact that many firewalls and intrusion detection systems (IDSs) are tuned to ignore and automatically deny activity deemed “noisy.” Logging all these denials can quickly bog down SIEM tools, and adversaries are counting on security teams not having the time to look through all the alerts.
But with the right security tools, you can turn this weakness into a weapon. If you know what to look for, there’s no such thing as too much data. Solutions that leverage machine learning for security detections can rapidly identify malicious traffic that other tools miss.
Initial Exploit
Compared to the recon phase, the initial exploit is over in a flash. This is when adversaries gain access to an organization’s network, either through social engineering or by exploiting a software or endpoint vulnerability. Bring-your-own-device (BYOD) policies and IoT devices are extremely common in many organizations, and they often don’t require special permissions to connect to organizational networks. Endpoint detection and response (EDR) solutions can be extremely useful for monitoring endpoints, but many IoT devices can’t support an agent, and installing endpoint agents on employees’ personal devices introduces unacceptable privacy concerns.
As a result, adversaries expect organizations to have poor visibility into their IoT and BYOD endpoints, granting them free rein to exploit these devices. But monitoring the network reveals everything these devices do, even if they can’t support endpoint agents.
Persistence
In this stage, adversaries install malware that enables persistent access to an organization’s environment. This malware is often exceptionally difficult to notice and remove, especially if it’s embedded in firmware, like routers. Particularly pernicious strains of malware can even remain in place after reboots, patching, and other efforts at remediation.
However, adversaries aren’t counting on organizations to baseline their typical network activity or to inspect their standard protocols for deviation. Persistence malware is designed to hide itself on unmanaged devices or in encrypted traffic, but interacting with the network always leaves a trace, if you know where to look.
Tool Installation
Once threat actors have established persistence, they need to use tools to accomplish their objectives. Although the name of this phase implies adversaries are bringing their own tools, Mathieson says that living off the land (LOTL) techniques are far more common. He recounts his own experience during red team exercises, “I never installed tools because I never had to. Everything I needed was already on the box.” Adversaries take advantage of legitimate tools that are already in place, like Powershell, virtual desktop infrastructure, and remote access tools. This makes it difficult for security teams to determine whether a user or process is acting normally or abnormally.
Since every user behaves differently, there’s no standard to baseline all user activity against. Adversaries know this, and expect organizations to ignore administrative traffic. But with behavioral analysis powered by machine learning, anomalous activity becomes plain to see.
Lateral Movement
The trouble with detecting lateral movement is multifaceted. Firewalls don’t monitor East-West traffic, and the traditional solutions that do are typically expensive and can easily drown out useful information in a tidal wave of alerts.
But adversaries still need to control their tools while they expand their footprint, and they must interact with the network to do so. Fortunately for defenders, every action on the network leaves a trace that can always be detected.
Collect, Exfiltrate, Exploit
In the final stages of an attack, adversaries attempt to exfiltrate all the data they’ve collected so they can make use of it. The exfiltration of data is often difficult to detect because outbound traffic looks normal. Threat actors prefer DNS, HTTP, and VPN traffic to exfiltrate data for this reason. Furthermore, DNS and HTTP logs are massive and expensive to store and sort.
Defenders have an advantage, however. In order to move large amounts of data quickly, adversaries stage it ahead of time, which leaves evidence security teams can uncover. And modern network visibility solutions can sift through all the HTTP, DNS, SSL, and TLS traffic to highlight unusual spikes in outbound traffic and reveal nefarious activity.
How RevealX Gives Security Teams the Upper Hand
As Rob Joyce, former chief of the NSA TAO, put it in 2016 during his USENIX presentation, “one of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior going on, and somebody’s paying attention to it.” RevealX is that worst nightmare come to life, because it offers security teams an opportunity to identify and stop a cyberattack during each phase outlined above.
With automatic asset classification, RevealX provides security teams full visibility of every asset on the network. That includes the ability to classify vulnerability scanners, which can often trigger unnecessary alerts. This asset visibility combines with packet level visibility into network traffic to provide advanced detection of scanning and probing activity during the Reconnaissance phase.
RevealX also helps defenders stay ahead of the Initial Exploit through its advanced detections powered by cloud-scale machine learning that applies more than one million predictive models to alert on known and unknown abnormal activity. And integrations with CrowdStrike provide the latest threat intelligence and the ability to shut down managed endpoints through agents.
RevealX shines during the Persistence phase, as behavioral metrics and pattern analysis capabilities highlight deviations from observable baseline network activity for every device. Not to mention the incredible ability of the network performance monitoring (NPM) aspect of the platform to uncover unusual behavior without a detection. That’s because there’s no such thing as free RAM: attacker activity requires compute resources. With accurate baselines of network activity, it’s easy to spot sudden degradations in performance that may indicate persistence activity. Native decryption capabilities also provide unmatched insight into encrypted Kerberos traffic, which enables security teams to stop Golden Ticket attacks.
As Mathieson explains, attackers often use LOTL techniques during the Tool Installation phase. For instance, Kerberoasting attacks require nothing more than a Powershell script for an experienced attacker. RevealX can still detect this activity with detections for known command and control tools as well as the ability to analyze traffic to surface unusual behavior.
Complete network visibility makes Lateral Movement challenging for attackers. With packet-level visibility into every network conversation, abnormal user behavior or machine connections are obvious.
Should attackers make it to the Collect, Exfiltrate, Exploit phase, RevealX still provides opportunities to detect and stop them. On any network, there’s a wealth of outbound traffic flowing through protocols that are already allowed. Attackers use these protocols because they’re quick and they count on being able to hide their activity behind encryption so that it appears normal. But RevealX sees through these tactics with native fluency in more than 90 network, application, and database protocols and the ability to decrypt SSL and TLS 1.3 traffic at line rate speeds. RevealX also identifies commonly used ciphers, as well as unauthorized connections or bulk uploads to unusual external hosts. Full network visibility down to the packet level enables security teams to extract the data they need to successfully respond to cyberattacks.
Adversaries are counting on security teams to miss alerts and misconfigurations, but the network doesn’t lie. With NDR in place, organizations have multiple chances to spot and stop adversaries before they can achieve their goals.
Watch the full webinar to learn more about how to use the network to your defensive advantage.
Discover more