Failure of Intrusion Detection Systems

On 4 June 2015, the White House announced that the Office of Personnel Management (OPM) had been the subject of a massive cyber attack. The breach, which resulted in the theft of sensitive personal information of over 4 million federal employees, has exposed deep flaws in the US government’s cyber defenses. Experts report that it took the Department of Homeland Security’s Cyber Emergency Response Team (US-CERT) nearly five months to detect the intrusion. The incident has left cybersecurity experts questioning the reliability of the intrusion detection systems (IDS) currently in place. It also calls into question the effectiveness of the more than $3 billion that has been invested in federal network security.

What Went Wrong

The US government currently employs two major cyber defense programs, Continuous Diagnostics and Mitigation (CDM) and EINSTEIN. CDM is a vulnerability management system that focuses on endpoint security and identity management. CDM monitors the network infrastructure, searching for system vulnerabilities so that IT professionals can patch them. EINSTEIN, on the other hand, is an intrusion detection and prevention system that identifies attackers by screening Internet traffic.

EINSTEIN is only able to detect threats that have been previously identified. This limitation allowed hackers, widely believed to be based in China, to infiltrate OPM’s network after they initially gained entry via a “zero day” exploit. Having breached the network undetected, the attackers were then able to operate with impunity. Experts argue this breach reveals the US government’s over-reliance on perimeter defense systems. Adding to OPM’s vulnerability was a lack of data encryption and of multi-factor authentication for external users accessing the system.

In response to the breach, OPM has improved its network security by deploying anti-malware technology and restricting remote access for network administrators. White House officials have also decided to accelerate the timeline for implementing EINSTEIN 3 Accelerated and will deploy it to all federal agencies as soon as next year. EINSTEIN 3A, which is still being tested as a pilot program, is unique in that it incorporates supplemental signatures developed by the National Security Agency and uses real-time deep packet inspection (DPI).

Some experts are still wary of this system. They warn that even this enhanced version would not necessarily have prevented hackers from penetrating OPM’s network defenses. This is because EINSTEIN 3A suffers from the same basic flaw as its predecessor: it, too, can only search for previously identified threats.
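The limitation described in the two preceding paragraphs, as an added illustration that is not part of the original article: a signature matcher that only knows previously identified indicators, run beside a baseline-deviation check, over constructed outbound-connection records. Every host name, address (RFC 5737 documentation ranges), indicator and baseline figure below is made up for the example.

```python
"""Why signature-only detection misses novel activity (added example).

Two detectors run over the same constructed flow records: a signature matcher
that fires only on destinations already on a known-bad list, and a behavioural
check that flags a host sending far more data than its baseline to a
destination never seen before. The novel transfer is caught only by the latter.
"""

# Constructed sample records: (host, destination, bytes_out). Not real data.
FLOWS = [
    ("ws-17", "203.0.113.9", 1_200),
    ("ws-17", "203.0.113.9", 900),
    ("ws-17", "198.51.100.44", 55_000_000),  # novel destination, large transfer
    ("ws-22", "192.0.2.77", 2_000),          # matches the hypothetical indicator
    ("ws-22", "203.0.113.9", 1_500),
]

KNOWN_BAD = {"192.0.2.77"}      # the only indicator the signature set knows (hypothetical)
KNOWN_DESTS = {"203.0.113.9"}   # destinations observed during the baseline period
BASELINE_BYTES = {"ws-17": 1_000, "ws-22": 1_800}  # typical bytes per flow, per host


def signature_alerts(flows, known_bad=KNOWN_BAD):
    """Flag only flows whose destination matches a previously identified indicator."""
    return [(host, dest) for host, dest, _ in flows if dest in known_bad]


def behavioural_alerts(flows, known_dests=KNOWN_DESTS, baseline=BASELINE_BYTES, factor=50):
    """Flag flows to a never-seen destination that move more than `factor` times
    the host's baseline volume. A host with no baseline is always flagged for review."""
    alerts = []
    for host, dest, nbytes in flows:
        if dest not in known_dests and nbytes > factor * baseline.get(host, 0):
            alerts.append((host, dest))
    return alerts


def missed_by_signatures(flows):
    """Behavioural alerts that the signature matcher would never have raised."""
    seen = set(signature_alerts(flows))
    return [a for a in behavioural_alerts(flows) if a not in seen]


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("behavioural:", behavioural_alerts(FLOWS))
    print("missed by signatures:", missed_by_signatures(FLOWS))
```

The behavioural check is deliberately crude (a fixed multiple of a per-host baseline); in practice the baseline would be learned per host and per time window, and the threshold tuned against false positives.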

Lessons for Industry IDS Practices

The OPM breach has unsettling implications for US enterprises. Government cybersecurity practices, upon which many private businesses model their own network defenses, are proving to be outdated and ineffective. The failure to protect the personal data of millions of federal employees also has civil society groups and corporations wary about what could happen to their private data if the Senate passes the Protecting Cyber Networks Act. The information-sharing bill would expand legal protections for private businesses to share threat patterns in cyberspace with the federal government. Many fear such collaboration could leave private businesses exposed to the same sorts of attacks being launched against the government.

In response to the breach, cybersecurity experts say that good cybersecurity practice is not just about protecting the system but also about protecting the data. To limit the damage once an attacker has breached a system, companies should establish a second line of defense, such as data encryption. Furthermore, US entities still need a stronger emphasis on detecting and responding to intrusions, rather than focusing too heavily on cyber hygiene and CDM. Intruders will inevitably return to accomplish their mission, so the focus of cyber defense should be on finding the intruders on the network, removing them, and conducting counter-intrusion campaigns.