What the NASA Cyberattack Teaches Us About Simple Technologies and Advanced Threats
Ward Cobleigh
Network Performance Management veteran, Continuous Threat Exposure Management advocate, and espouser of the Oxford comma, still trying to figure out what he wants to be when he grows up. Film at 11.
In June of 2019, the NASA Office of Inspector General released a report revealing that in April of 2018, a cyberattack occurred that resulted in the compromise of data related to Mars missions.
A hacker accessed the Jet Propulsion Laboratory (JPL) network in Pasadena, CA by targeting a Raspberry Pi device that was not authorized to be attached to the JPL network. Going undetected for 10 months, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations (ITAR) information related to the Mars Science Laboratory mission.
JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, in this case the Raspberry Pi was attached to the network without the required OCIO review and approval. It seems somewhat ironic that an organization that works with some of the most advanced technology in the world was foiled by a simple credit card-sized piece of consumer hardware.
Simple technology can have a powerful impact when used the wrong way.
This event illustrates one way that an attacker and security threat can go undetected – patience. It also emphasizes the need to capture information on connectivity and communication for any and all devices, not just a select few. Moving 500 megabytes over the course of 10 months certainly isn’t going to result in a device appearing on a Top-N report. But the fact is the same technology that has been used for over two decades to produce Top-N reports has the potential to tell you:
1) You have an unauthorized device on your network
2) Where it’s connected
3) Who it’s communicating with
What is that technology? Flow data. That’s right, our tried and true friend that has been around since Cisco introduced NetFlow in 1996. But wait, you may be saying, flow data is used for “counts and amounts” for my top conversations and protocols, not to provide in-depth details on connectivity and communication for insignificant amounts of traffic.
While that may have been true in the past, like many technologies, flow data has evolved as a data source and can now serve as the foundation for providing so much more including threat and security insight. For example, flow records can be augmented to include MAC Addresses and physical connectivity information.
With proper collection, storage, reporting, and visualization techniques, flow data can be used to show you every conversation that every device is having on your network, even if it is a tiny device generating a tiny amount of traffic.
The key is enriching this data set, not pruning and summarizing it until all forensic value is lost.
Simple technology can have a powerful impact when used the right way.
While your mission may not be Viking or Voyager, it should be visibility. If you’re just using flow data for Top-N reporting and hoping that will help you uncover suspicious or malicious behavior, that is Not A Solid Approach.
Senior Marketing Leader | Chartered Marketer | Helping B2B tech companies add creativity and customer centricity to brand and demand generation programs
5 年Great piece that explains why unedited, unpruned infrastructure information is so important and relevant for forensic validity and insight.