Dmitri Alperovitch says there are two types of organisations: "Those that know they've been hacked, and those that don't know right now, but have been hacked anyway." For the first few months of 2016, the Democratic National Committee (DNC) fell firmly into the second category. Working flat out to make Hillary Clinton the next president of the United States, its staff ignored warnings that they'd been hacked. But, by April 2016, they acknowledged something was wrong. That was when the DNC called Alperovitch and CrowdStrike, his Washington DC-based cybersecurity company.
CrowdStrike was born out of a frustration with the traditional way of dealing with hacks: occasionally updated anti-virus programmes looking for malicious software sent by bedroom hackers. Alperovitch, 36, who was born in Moscow and moved to the US in his teens, and his co-founder George Kurtz, 46, knew this system well - they worked on it at security giant McAfee. "The threat landscape was changing dramatically," Alperovitch says. "It was very hard at McAfee to do anything about it. So George and I got together and said there's a better way."
Up to 60 per cent of the hacks we read about don't use malware, Kurtz says. "They use credentials. They're social engineering." They're also carried out by state-sponsored groups specifically set up to engage in cyberwarfare with other countries. This new type of attack - bigger, bolder, but more secretive - goes undetected, often for hundreds of days, just as it did for the DNC.
When CrowdStrike came to the DNC, it moved quickly. Using a system called Falcon, a two-megabyte agent installed on systems without the need for a reboot, it profiled every action that occurred at a programme level on the hundreds of machines owned by the DNC. One clue might be a programme behaving abnormally; it might be the unusual transfer of millions of documents. "We're not looking at any personal data, any documents or emails," explains Alperovitch. "We're just looking at what is being executed."
Every action at a system level on the DNC's computers was recorded and checked against CrowdStrike's bank of prior intelligence (the company processes 28 billion computer events a day). "Almost immediately, Falcon started lighting up with a number of indications of breaches of the DNC network," Alperovitch says.
One question had been answered: there was definitely someone rummaging around the DNC servers. But who? CrowdStrike checked its records, seeing whether the methods used for the hack matched any it already had on file. They did. Two groups, working independently, were secreting away information, including private correspondence, email databases and, reportedly, opposition research files on Donald Trump. "We realised that these actors were very well known to us," Alperovitch says. The identification rested on a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. "They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government."
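The tells described above (a connection to infrastructure already on file, an abnormally large transfer, and activity that clusters in one time zone's working hours) can be checked mechanically against the kind of process-level telemetry the article describes. The following is an added example, not CrowdStrike's or Falcon's code; the events, process names and IP addresses are constructed, and the 09:00 to 18:00 working-hours window and the UTC+3 / UTC-4 offsets are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed endpoint telemetry: one record per process-level action, UTC timestamps.
EVENTS = [
    {"ts": "2016-04-20T05:45:00Z", "proc": "svcupd.exe", "action": "net_connect", "dst": "203.0.113.7"},
    {"ts": "2016-04-20T06:30:00Z", "proc": "svcupd.exe", "action": "file_read", "count": 40000},
    {"ts": "2016-04-20T07:15:00Z", "proc": "svcupd.exe", "action": "file_read", "count": 35000},
    {"ts": "2016-04-20T08:00:00Z", "proc": "outlook.exe", "action": "file_read", "count": 12},
    {"ts": "2016-04-20T12:00:00Z", "proc": "svcupd.exe", "action": "net_connect", "dst": "203.0.113.7"},
    {"ts": "2016-04-20T14:30:00Z", "proc": "chrome.exe", "action": "net_connect", "dst": "198.51.100.20"},
]

# Constructed placeholder intel list (RFC 5737 documentation range), standing in for
# "an IP address associated with the hackers".
KNOWN_BAD_IPS = {"203.0.113.7"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def infrastructure_hits(events, bad_ips):
    """Tell 1: outbound connections to destinations already on the intel list."""
    return [e for e in events if e["action"] == "net_connect" and e.get("dst") in bad_ips]


def bulk_readers(events, threshold):
    """Tell 2: processes whose file reads in the window exceed a volume threshold."""
    totals = Counter()
    for e in events:
        if e["action"] == "file_read":
            totals[e["proc"]] += e["count"]
    return {proc: n for proc, n in totals.items() if n >= threshold}


def working_hours_share(events, proc, utc_offset_hours, start=9, end=18):
    """Tell 3: share of one process's activity that falls in working hours for a
    candidate operator time zone. Compare offsets: a high share in one zone and a
    low share in the victim's own zone is one weak, corroborating signal, not proof."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = [parse_ts(e["ts"]).astimezone(tz).hour for e in events if e["proc"] == proc]
    if not hours:
        return 0.0
    return sum(1 for h in hours if start <= h < end) / len(hours)


if __name__ == "__main__":
    print(len(infrastructure_hits(EVENTS, KNOWN_BAD_IPS)), "connections to known infrastructure")
    print(bulk_readers(EVENTS, 10000), "bulk readers")
    print(working_hours_share(EVENTS, "svcupd.exe", 3), "share in UTC+3 working hours")
    print(working_hours_share(EVENTS, "svcupd.exe", -4), "share in UTC-4 working hours")
```

In the constructed data the suspicious process connects twice to the listed address, reads 75,000 files, and does three quarters of its work inside UTC+3 office hours but none inside UTC-4 office hours.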
Both groups had long rap sheets. COZY BEAR - which had been inside the DNC's system since the summer of 2015 - had previously hacked the White House and the US State Department. FANCY BEAR - which had breached the network separately in April 2016 - had hacked victims across the world, including the German Bundestag. The vulnerabilities were quickly closed, but the damage had already been done.
On June 14, 2016, the DNC went public, admitting it had fallen victim to an enormous hack. The announcement became front-page news around the world, suggesting Russian state interference in another country's election. Commentators called it the start of a new cybersecurity cold war - but for Alperovitch, it was just another attack, one of 300 his firm stops every week. "The DNC was interesting in that it allowed us to come out publicly and talk about the breach," he says. "But it happens all the time."
Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King’s Place by booking your tickets today.
This article was originally published by WIRED UK