USPS Played Cat And Mouse With Cyber Attacker - InformationWeek
11/24/2014
10:20 AM

Postal Service takes restrained, methodical approach to cyberattack. Was this the right strategy?


When US Postal Service (USPS) officials received word about a major network intrusion earlier this year, one of the first instructions they were given was to take no immediate action.

In an effort to prevent the intruders from knowing they had been discovered, the postal service's Office of the Inspector General advised the USPS's corporate information security officer Charles McGann not to initiate any mitigation measures. That included such actions as network scanning, reimaging systems, resetting passwords, taking systems offline, or searching for IP addresses.

Instead, for several weeks investigators from the postal service, the US Computer Emergency Readiness Team (US-CERT), and the FBI worked quietly to determine the scope and nature of the intrusion before finally shutting it down almost two months later.

[What should you keep to yourself about a hack? Read NOAA Blames China In Hack, Breaks Disclosure Rules.]

Randy Miskanic, VP of the secure digital solutions group at the postal service, outlined details of the high-stakes cat-and-mouse game to a subcommittee of the House Committee on Oversight and Government Reform this week.

"From the technical perspective, experts within the Postal Service and from supporting agencies provided prudent warnings that short-term remediation efforts would be seriously compromised if the threat actor became aware that the intrusion had been discovered," Miskanic said in written testimony.

"If provided advance warning of network actions intended to expel and block the intruder from the Postal Service network, the adversary could take bolder steps to further infiltrate or sabotage systems," he added. The potential of greater damage or sabotage heavily influenced the postal service's decision to delay notification and public disclosure of the breach.


It's unclear if Miskanic's explanation will help assuage criticism that has been directed at the USPS over its handling of a breach that exposed data on some 800,000 employees and 2.9 million customers. But his testimony provides a glimpse into the struggles that organizations face dealing with an intrusion by a sophisticated adversary.

According to Miskanic, the US Postal Service first learned of a potential intrusion on Sept. 11, after being alerted to it by the Inspector General's office.

Over the next several days, members of the investigative team quietly installed monitoring devices and performed forensic imaging on the four servers that were initially believed to be the only affected systems. They later configured and installed what Miskanic described as the "technical architecture and tools" necessary to understand the full scope of the breach.

That effort revealed another 29 servers and three Postal Service user accounts that had been compromised. Because of the broadening scope of the incident, the Postal Service then decided to seek the help of the US Department of Defense's Cyber Crime Center.

It wasn't until October 7, nearly a month after being first alerted to the intrusion, that investigators found signs that a large encrypted data file had been copied from one of the compromised systems and transferred to an external system.
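The signal investigators eventually found, a large transfer from a compromised internal host to an external system, is one that network flow records can surface much earlier. The following is an added example written for this article, not code from USPS, US-CERT or any of the firms involved: it parses a few constructed flow records (timestamp, source, destination, bytes sent; not real USPS data), treats the internal address ranges as an assumed organisational policy, and flags any internal-to-external pair whose cumulative outbound volume crosses a threshold. The threshold and address ranges are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records for this example (not USPS data).
# Fields: timestamp, source host, destination host, bytes sent by source.
SAMPLE_FLOWS = """\
2014-10-06T22:14:03Z 10.20.5.41 10.20.5.10 18432
2014-10-06T22:15:11Z 10.20.5.41 10.20.9.77 1203
2014-10-06T23:02:45Z 10.20.5.41 203.0.113.25 734003200
2014-10-06T23:40:12Z 10.20.5.41 203.0.113.25 512000000
2014-10-07T01:12:09Z 10.20.7.13 198.51.100.9 40960
2014-10-07T02:30:00Z 10.20.5.50 10.20.5.10 90000
"""

# Assumed internal ranges; a real deployment would load the organisation's own
# address plan here rather than relying on generic RFC 1918 membership.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed alert threshold: 100 MiB from one internal host to one external host.
THRESHOLD_BYTES = 100 * 1024 * 1024


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse whitespace-separated flow lines into (ts, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        records.append((ts, src, dst, int(nbytes)))
    return records


def find_large_egress(records, threshold: int = THRESHOLD_BYTES):
    """Return {(src, dst): total_bytes} for internal->external pairs at or over threshold.

    Volume is summed per pair so that a transfer split into several sessions
    (as in the two constructed flows to 203.0.113.25) is still caught.
    """
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in records:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in find_large_egress(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} sent {total} bytes to external host {dst}")
```

Summing per source/destination pair rather than alerting on single flows matters because a large file is often moved in several sessions; the constructed data shows two separate flows that only cross the threshold together. In practice the output of a check like this is a lead for the kind of forensic work described above, not a conclusion on its own.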

It took another several days for investigators to determine that the file potentially contained personally identifiable information on all postal service employees, as well as recent retirees. Around this time, the postal service finally decided to bring in private sector experts in intrusion detection and remediation to assist in the effort to shut down the breach.

Around mid-October, postal service CIO James Cochrane decided to invoke the Mass Data Compromise Response Plan and set up a formal incident response center for coordinating investigation, mitigation, and incident communication activities. Also in mid-October, the FBI's cyber unit provided a Top Secret briefing to command center leadership, again emphasizing the sophisticated nature of the adversary and the need for operational secrecy, Miskanic said.

The FBI also warned that "implementing mitigation activities or communicating the threat to employees or the public at that point could result in the threat being further embedded into the Postal Service network," he said.

On November 7, Cochrane's organization finally activated a remediation plan, developed in conjunction with US-CERT and private firms, to remove the threat.

The operation required a "network brownout" that limited the US Postal Service's Internet connectivity, virtual private network (VPN) connections, and remote network access, Miskanic said. All email from non-postal accounts was blocked and workstation administrator rights were revoked during the brownout. To mitigate the risk of spear-phishing attacks, all access to personal email accounts such as Gmail and Yahoo was also blocked, and continues to be blocked, according to Miskanic.

"Direct database access is now enabled only to technology support staff, and a number of business applications have been retired," he noted, adding that the safeguards will be periodically reviewed and updated if needed.

Without knowing the exact causes, it is difficult to speculate on why the USPS's initial response was to allow the attack to continue, said John Pescatore, director of emerging security trends at the SANS Institute. "In order to be prepared to respond rapidly and effectively to an incident, you need to have some processes and controls in place," he said in an email to InformationWeek.

Pescatore also said organizations need to have a baseline, or a known good state, that they can revert to quickly in an emergency. "[It] sounds like some or all of that was missing with USPS, or they were depending on contractor services that couldn't start right away."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
H Kaur, User Rank: Apprentice
11/25/2014 | 10:26:17 AM
Re: USPS no longer offers tracking for International Registered mail...
Common misunderstanding. We are referring to INBOUND registered mail and other service classes shipped TO the USA, that were previously tracked by USPS.com from the time they entered the country, until they were delivered to their USA destination. As of November 17, 2014, that service is no longer functioning and appears to have been "retired".

There was an update to the BSN service on November 17, 2014, the exact date the service stopped functioning: https://www.usps.com/nationalpremieraccounts/bsn.htm

Without the ability to confirm delivery to the USA destination from abroad, small international businesses are taking a tremendous risk shipping to their USA customers. Customers can file an INR (Item Not Received) complaint and be refunded for a product they did in fact receive. Without "Proof of Delivery", eCommerce sites such as Amazon, Newegg, eBay and Etsy, to name a few, will likely take the buyer's side and withdraw the refund directly from the Seller's account.

Small businesses cannot afford DHL, which is about the only service offered other than their country's national post system.

Small overseas suppliers and small businesses depend on USA sales to keep them afloat. Approximately 60% of their sales (my guess, nothing official) are to US customers. This can turn into a nightmare for these smaller foreign businesses.
tjgkg, User Rank: Ninja
11/25/2014 | 9:51:38 AM
Re: USPS no longer offers tracking for International Registered mail...
International registered mail was not as comprehensive as the domestic service because of the other postal systems involved. You might be better shipping with FedEx or UPS or another USPS product. I've been doing this for years with ebay sales.
tjgkg, User Rank: Ninja
11/25/2014 | 9:49:55 AM
Smart Steps
An excellent article. Enjoyed reading it. It is good to see the government actually took the right steps to identify, plan and destroy this type of attack. Too often people are tempted to go in and clean up what they see, which is easily restored. These steps allowed law enforcement and IT experts to see how the hackers were functioning and respond in such a way that would destroy the operation. Well done.
H Kaur, User Rank: Apprentice
11/24/2014 | 3:35:42 PM
USPS no longer offers tracking for International Registered mail...
In light of the newly released information in this article, can the author further verify if the sudden suspension of INBOUND International Mail tracking, which began one week ago on November 17, after a system update at USPS, is one of the systems affected in this statement, "Direct database access is now enabled only to technology support staff, and a number of business applications have been retired..."?

Sometime after 6:00 PM (EST), on November 17, all tracking for inbound international mail went from the normal blue updates, which may read, "In Transit" or "Origin Post is Preparing Shipment", to an amber ALERT which is now reading, "USPS Tracking is unavailable for this product for (insert any country name)".

There are numerous Twitter posts from @USPShelp that are reading:

"Unfortunately, the USPS no longer offers tracking for International Registered mail."
"Unfortunately the USPS no longer tracks inbound international mail. Sorry."

This is a terrible blow to international sellers abroad and their customers in the USA. To suspend this system right before the busiest time of the year with absolutely no notice to customers is bordering on unforgivable.

Thank you.
