Defending Digital Campaigns (DDC) recently had an opportunity to pose some questions to Mike Schmuhl and Matt Ashburn, two of the founders of LangleyCyber. LangleyCyber provides a comprehensive suite of cybersecurity solutions and services, including incident response, investigation and forensic services, and security assessments, among several others. LangleyCyber’s team is unique because it brings together individuals with vast experience in the US Government as well as those with high-level political experience.
We asked Mike and Matt some questions following a recent incident LangleyCyber responded to and mitigated.
DDC: You work with a variety of players in the campaign and political space. What do you see as some of the kinds of threats or vulnerabilities that most concern you leading into the 2022 election?
LC: Misconfiguration of existing networks and a lack of process and planning around cybersecurity are the biggest threats that concern us leading into the 2022 election. Most threats and vulnerabilities are focused on spear-phishing, that is, targeted phishing attacks against a dispersed workforce. Many in the campaign and political space have the tools but often lack the expertise to configure security policy settings properly. The high rate of turnover surrounding political campaigns creates necessary turmoil that can be exploited by vigilant attackers. New hires, volunteers, and other individuals associated with campaigns for short periods of time are the most vulnerable user base. Even small organizations should look to formalize their cybersecurity programs and implement robust Identity and Access Management controls.
DDC: Recently, LangleyCyber assisted a political organization that had their website compromised. Can you tell us a little about what happened and how you were able to remediate it?
LC: In July, an attacker of unknown motivation configured one of our clients’ websites to redirect to a URL hosted on Russia Today (RT), the Russian state-controlled television network. They targeted the political organization’s website through a dormant WordPress administrator account and cracked the password in a very short period. Without multifactor authentication (MFA) enabled, the attacker removed access for all other users, made configuration changes to the site’s title and tags using derogatory political language, and set up a simple HTTP 301 web redirect from the compromised site to a URL hosted on RT’s Russian-language website.
We remediated the situation by regaining control of the site, implementing a web application firewall (WAF) to prevent future attacks, and maturing vulnerability management and incident response planning to ensure the organization can face future threats.
DDC: What lessons should others take away from this incident about protecting a website?
LC: Basic cybersecurity best practices would’ve prevented this attack entirely. Tools such as Cloudflare are important, but just having them isn’t enough; they must be configured correctly to be useful.
Some specific lessons include:
Regularly auditing user accounts with administrative privileges, disabling unused/dormant accounts, and configuring access controls with least privilege
Using strong, complex passwords and enabling multifactor authentication (MFA)
Ensuring all software is updated on a regular basis with the latest security updates, including plugins and third-party libraries
Ensuring your organization has plans for vulnerability management, incident response, and continuous monitoring in place
DDC: Given the limited resources of campaigns and political organizations, what’s your advice for campaigns and organizations generally around responding to a cyber incident?
LC: Because resources are limited, the best advice is to establish contact with a reputable cybersecurity firm and create policies and procedures ahead of time. If you are calling once an incident has occurred, it’s too late. Cybersecurity should be taken seriously before a bad day occurs, not after. Additionally, utilize free resources and engage with experts to configure your system properly as well as to ensure you’re implementing cybersecurity best practices adhering to industry standards such as the DNC checklist, CISA guidance, NSA Top 10, etc.
DDC: Sometimes people say time is of the essence when a cyber incident takes place. Do you agree? If so, why?
LC: Yes, time is of the essence! When a cyber incident occurs, having policies and procedures in place so everyone knows their roles and responsibilities can be the difference between a minor, contained incident and a major breach. The faster an incident can be identified and dealt with, the better. It’s important that you use time efficiently, not developing relationships or creating a plan on the spot. The shorter and more contained an incident response is, the less likely there will be long-term harm to your organization.
For more information on how to protect your campaign or organization visit DDC’s Knowledge Base: www.defendcampaigns.org/resources
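The incident described in the interview turned on three things a routine check would have caught: a dormant administrator account without MFA, a changed site title, and a 301 redirect to a host the organization does not own. The script below is an added example illustrating those checks; it is not code from LangleyCyber, DDC, or WordPress. The user records, hostnames, and HTML are constructed for the example, and the last_login field is an assumption: WordPress core does not record last login, so in practice it would come from a login-tracking plugin or from the web server's access log for wp-login.php.

```python
"""Added example: audit WordPress accounts for dormancy and missing MFA, and
classify a monitoring probe of the site so an off-site redirect or a changed
title raises an alert. Not the tooling of the organizations in the interview."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

UTC = timezone.utc


@dataclass
class WPUser:
    login: str
    role: str
    registered: datetime
    last_login: Optional[datetime]   # None = never seen logging in (assumed plugin/log field)
    mfa_enabled: bool


def audit_users(users: Iterable[WPUser], now: datetime,
                max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Map each problematic login to its findings.
    'dormant'  : no login within max_idle_days (or never, and registered before the cutoff);
                 the lesson from the incident is to disable such accounts.
    'no_mfa'   : an administrator account without multifactor authentication."""
    cutoff = now - timedelta(days=max_idle_days)
    findings: Dict[str, List[str]] = {}
    for u in users:
        problems = []
        last_seen = u.last_login or u.registered
        if last_seen < cutoff:
            problems.append("dormant")
        if u.role == "administrator" and not u.mfa_enabled:
            problems.append("no_mfa")
        if problems:
            findings[u.login] = problems
    return findings


def classify_response(status: int, headers: Dict[str, str],
                      expected_hosts: Set[str]) -> str:
    """Classify one HTTP probe of the site's front page.
    expected_hosts holds the hostnames the site may legitimately redirect to
    (its own www/non-www variants, its CDN). Any other redirect target is the
    defacement pattern from the incident: a 301 to a site the org does not own."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        host = (urlsplit(hdrs.get("location", "")).hostname or "").lower()
        if host and host not in expected_hosts:
            return "ALERT: off-site redirect to " + host
        return "ok: on-site redirect"
    if status == 200:
        return "ok"
    return "warn: unexpected status %d" % status


def title_changed(html: str, expected_title: str) -> bool:
    """True when the <title> of the fetched page differs from the known-good one;
    the attacker in the incident rewrote the site title and tags."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    actual = m.group(1).strip() if m else ""
    return actual != expected_title


# Constructed sample data for the example run.
NOW = datetime(2022, 8, 1, tzinfo=UTC)
SAMPLE_USERS = [
    WPUser("editor_kim", "editor", datetime(2022, 5, 1, tzinfo=UTC),
           datetime(2022, 7, 30, tzinfo=UTC), False),
    WPUser("old_consultant", "administrator", datetime(2020, 3, 1, tzinfo=UTC),
           datetime(2021, 1, 15, tzinfo=UTC), False),     # dormant admin, no MFA
    WPUser("campaign_mgr", "administrator", datetime(2022, 1, 10, tzinfo=UTC),
           datetime(2022, 7, 31, tzinfo=UTC), True),
    WPUser("intern2021", "author", datetime(2021, 6, 1, tzinfo=UTC), None, False),
]
OWN_HOSTS = {"example-campaign.org", "www.example-campaign.org"}
PROBE_HEADERS = {"Location": "https://attacker.example/landing"}   # constructed
GOOD_TITLE = "Example Campaign"

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS, NOW))
    print(classify_response(301, PROBE_HEADERS, OWN_HOSTS))
    print(title_changed("<html><head><title>Defaced!</title></head></html>", GOOD_TITLE))
```

Run the audit on a schedule (for example from the same cron job that applies plugin updates) and treat any "dormant" finding on an administrator as a ticket to disable the account, not just a report line; the probe functions are meant to be fed by whatever uptime monitor the organization already has, with the redirect and title checks added to it.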