When Cyberattacks Get Physical

The events of January 6th, 2021 have had some profound consequences both political and social.  From our perspective in the cybersecurity community, regardless of our politics, the event put a razor focus on how physical security can influence what we do and how we do it.  All the firewalls, secure VPN tunnels, multi-factor authentication, and a host of other security tools are considerably less effective when an attacker gains physical access to a device.  Which is what happened when a crowd of protestors stormed the US capitol in an effort to disrupt the certification of 2020’s presidential election.

This is the kind of physical attack that is in the disaster recovery and business continuity plans the Security Operations team has in place, but they rarely get used.  While we frequently have to exercise our “Lost or Stolen Laptop” plan, or the equivalent version for external storage, and sometimes have to deal with a physical intrusion, the wholesale breach of a facility is something most information security teams have never had to face.

Loose on The Inside

In the capitol attack, the intruders had largely unfettered access to several parts of the building and were able to make off with at least some laptops and external devices like drives and memory sticks.  What is not publicly known is what else the intruders might have done during the attack.

For a lot of attacks, physical access makes the job dramatically easier.  I don’t need to crack remote access and bypass firewalls, multi-factor authentication, and the rest, when I can sit down at an unlocked keyboard and go to town.  The same goes for keystroke monitoring when I can plug a tiny USB device in line with your keyboard, or network monitoring when I can physically tap your ethernet cables.  If I can gain physical access to your machine, the chances are good I can copy files onto an external device with little effort or, if I have the opportunity, I can take your laptop with me.  A desktop might take a little longer and be physically more difficult, but if there’s time I can yank the drive which is much easier to abscond with than even a compact desktop.

But Wait, There’s More

That’s just the tip of the iceberg.  Most office spaces have multiple places where an attacker could tap into the network and gain physical access.  There are also the phone systems, video conferencing systems, and various IoT devices that have become so commonplace as to be ubiquitous.  That’s not even counting placing old-school conventional bugs in people’s offices.  Whether any of the capitol intruders did anything to compromise the networks or connected devices, or plant bugs, is hard to say.  But they could have.  And that’s the assumption the capitol’s security operations team will have to go on.

The question is: what will they do about it?  While an Ellen Ripley quote from Aliens comes to mind, it’s unlikely they’ll go quite to that extreme with their IT infrastructure.  They almost certainly started with an assessment of what could have happened.  Where did they lose control of physical access?  That will tell them what devices, systems, or network taps could have been accessed and compromised.  What devices were known to be lost?  That will let them hunt them down as needed and possibly recover them.  They will have swept for bugs and checked every device for possible physical compromise.  At least we hope they will have.

It’s Like Ripley Said

To be sure, every device really should be scrubbed down and restored from a clean slate.  As Ripley said, it’s the only way to be sure.  But even then, any device that was uncontrolled should remain suspect.  There are multiple infections that can persist after a clean OS install.  While, again, we don’t have evidence that a compromise like that happened, we can’t prove the negative.

Now, what else could they do?  And, to a parallel point, what can your organization do to help guard against a similar attack?

Compromised Hosts Phone Home?

Any equipment that was compromised in the attack will likely retain some signature of the attack.  For example, it will “phone home” in some way, or become a landing point for a remote attacker.  Fortunately for us, those behaviors have a distinct fingerprint that a security analytics platform like ours can ferret out from the data it receives.  That same platform can identify unusual user behaviors from any account that may have been compromised during the breach, such as unusual logins or outbound traffic to unexpected sites.

These same capabilities benefit any organization that faces internal, or external, threats.  Whether an attack originates inside or outside, and whether or not it’s accompanied by a physical attack, behavior analytics can help identify potential issues in the aftermath.  Especially when scrubbing every system down to bare metal and starting over isn’t a practical option.