“Blue Leaker”: Law Enforcement targeted in recent breaches
- Andrés Buenahora
- Oct 26, 2020
- 4 min read
Updated: Nov 17, 2020
The recent release of a major collection of very sensitive law enforcement data has been widely reported. The trove of “roughly 270 gigabytes of data posted to the Denial of Secrets website has been referred to as ‘BlueLeaks’ and is just the latest in a long series of data breaches against government agencies that have revealed sensitive information to the public at large.”
This cache spans more than a decade of sensitive data and has been verified by the National Fusion Centers Association. Key data that was leaked includes “images of people under investigation, sensitive government and law enforcement reports, banking information, and Personally Identifiable Information (PII).” The motivation for breaching a significant government source and then publishing the findings varies widely. At times it is political, such as a person attempting to further a particular agenda. Other times the motivation is activism, a group of rival leaders attempting to shift the balance of power for political or economic gain, or a criminal organization pursuing its own agenda. Regardless of the specific motivation, it is the duty of information security professionals to limit the occurrence of such breaches and to reduce the damage as much as possible when they do occur.
Data released by Denial of Secrets was “acquired during a breach of a ‘Fusion Center’ operated by Netsential, a web development firm based in Houston, Texas. Fusion centers such as this serve as a clearinghouse to disseminate law enforcement and public safety information between partners.” A fusion center’s usual partners are law enforcement and public safety organizations at the federal, state, local, county, and tribal levels.
While the timing of this breach makes it especially “relevant (during this period of civil tension), it is only unusual in character. Breaches in both the Public and Private sectors that reveal personal, business, medical, and financial intellectual property data result from similar ploys. Attackers rely on comparable tools and techniques to breach any network perimeter.” Although the details of the breach have not been publicized, it has been confirmed that the leak was most likely caused by a “compromised user account that allowed the attackers to upload malware. That, in turn, led to the data exfiltration.”
This attack appears to have used fairly common tactics, and the techniques typically used to prevent them are equally common. The simplest and most logical first step is user education, which makes particular sense given the current work environment. Take this into consideration: “While much of the workforce has gone remote since the early months of 2020, how many organizations have updated their policies and process to adapt to this shift in attack surface? How many users can identify the common attacker techniques used to steal credentials or compromise home systems? When was the last time the workforce was tested against the kinds of real-world attack scenarios they’re likely to confront? What about user authentication? How many organizations are implementing multi-factor authentication for every user login?” Although there have been some attacks targeting MFA systems, MFA has proven significantly more effective than basic passwords alone. In fact, Google reported in 2018 that since the implementation of a hardware-based MFA scheme in early 2017, none of its 85,000 users had been phished or hacked.
It is difficult to ascertain from the leaked data whether “Multi-factor Authentication or improved education would have prevented this particular breach. It is possible that Netsential already had multi-factor authentication in place and the users had received recent training, leading the attackers to get in through some other vector, but these are still Best Practices and worth implementing.” The organization’s information security team and its Security Operations Center (SOC) play a vital role in mitigating a breach when it happens. Even when an attacker or phisher compromises a user or system in the environment, they still need to “identify their primary target, traverse laterally to it, and exfiltrate their target data from the network.”
Given the right tools and training, the SOC can often break the attack chain and prevent malicious actors from completing their mission. The challenge is in “identifying an attack early enough in the cycle to mitigate the effect. Unfortunately, this task has been made more complex by the shift to more remote workers and the ongoing moves to third-party and SaaS applications.” Even with the latest generation of tools in place, it can still be difficult for an organization to see into partner environments, SaaS applications, third-party vendors, contractors, and more, and equally difficult to confirm that they meet the same security standard.
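The chain the article describes (compromised account, malware upload, then exfiltration) can be turned into a SOC correlation rule. The following is an added example, not code from the article or from any party named in it; it runs over constructed portal audit events and uses hypothetical thresholds, and it flags a user only when all three stages occur within a short window.

```python
from datetime import datetime, timedelta

# Constructed audit events from a hypothetical hosted document portal (not real data):
# (timestamp, user, action, source IP, MFA used, file name, bytes transferred)
EVENTS = [
    ("2020-06-06T08:02:00", "jsmith",  "login",    "203.0.113.8",   True,  "",          0),
    ("2020-06-06T08:05:00", "jsmith",  "download", "203.0.113.8",   True,  "report.pdf", 2_400_000),
    ("2020-06-06T22:14:00", "agarcia", "login",    "198.51.100.77", False, "",          0),
    ("2020-06-06T22:20:00", "agarcia", "upload",   "198.51.100.77", False, "tools.php",  51_200),
    ("2020-06-06T22:41:00", "agarcia", "download", "198.51.100.77", False, "archive.zip", 9_000_000_000),
    ("2020-06-06T23:10:00", "agarcia", "download", "198.51.100.77", False, "archive2.zip", 4_000_000_000),
]
# Constructed per-user baseline of source IPs seen during normal use.
BASELINE = {"jsmith": {"203.0.113.8"}, "agarcia": {"192.0.2.10"}}
# File types a document portal should never accept as uploads (hypothetical policy list).
RISKY_EXT = (".php", ".aspx", ".jsp", ".exe", ".ps1", ".sh")

def detect_chains(events, baseline, window=timedelta(hours=2), egress_limit=1_000_000_000):
    """Return {user: [stage, ...]} for every user whose events form the full chain:
    suspicious login -> script upload -> bulk download, all inside `window`."""
    alerts, state = {}, {}
    for ts, user, action, ip, mfa, name, size in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login":
            # A login without MFA, or from an IP the user has never used, opens a watch window.
            suspicious = (not mfa) or ip not in baseline.get(user, set())
            state[user] = {"start": t, "stages": ["suspicious login"], "egress": 0} if suspicious else None
            continue
        s = state.get(user)
        if not s or t - s["start"] > window:
            continue  # no suspicious login on record, or the window has expired
        if action == "upload" and name.lower().endswith(RISKY_EXT):
            s["stages"].append(f"script upload ({name})")
        elif action == "download" and len(s["stages"]) >= 2:
            # Only count egress after a script upload has been seen in the same window.
            s["egress"] += size
            if s["egress"] > egress_limit and len(s["stages"]) == 2:
                s["stages"].append(f"bulk download ({s['egress']} bytes)")
                alerts[user] = list(s["stages"])
    return alerts

if __name__ == "__main__":
    for user, stages in detect_chains(EVENTS, BASELINE).items():
        print(f"ALERT {user}: " + " -> ".join(stages))
```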
Bear in mind that, while difficult, this is far from impossible. By deploying the “most effective tools, educating users, and requiring partner organizations to follow the same best practices, it is possible to manage risk in our rapidly evolving environments.” We may never reach perfect security, but by taking the right steps we can keep raising the bar and reduce both the number and the severity of security incidents going forward.