Yes, Donald Trump, you can catch hackers not in the act
SAN FRANCISCO — Cybersecurity professionals respectfully disagree, President-elect Trump: You can catch hackers even when they're not in the act.
In tweets sent Monday morning discounting U.S. intelligence agencies' assertion that Russia was behind attempts to interfere with the U.S. presidential election, Trump said it was almost impossible to determine who was actually behind a hack unless they were caught in the act.
That's not a view embraced by the thousands who have made their job ferreting out hackers.
"Cyber criminals always leave evidence behind and forensic cybersecurity capabilities have advanced to the point where we can identify and analyze hacks faster than ever before,” said Barak Klinghofer, co-founder and chief product officer at Hexadite, a Boston-based company that does cyber-threat incident response.
No less an authority that Kevin Mitnick, a hacker who spent five years in prison for computer-related crimes, tweeted that Trump was wrong and that hackers can be caught after the act.
"Take it from someone who knows this fact very well," said Mitnick, who now has his own consulting company, Mitnick Security.
Some criminals are, indeed, caught in the act. Security firm CrowdStrike, which was hired by the Democratic National Committee to investigate a hack attack in May, says it watched the hackers while they were in the system.
The company was, “able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network," said the company’s chief technology officer Dmitri Alperovitch, CrowdStrike CTO.
One clue: Time off for Russian holidays
But hackers leave plenty of clues cyber security professionals can use to identify the perpetrators after the fact.
Knowing who’s behind an attack involves combining forensics, data and psychology, said Nick Rossmann, a senior production manager at FireEye iSIGHT Intelligence. FireEye is often brought in to do post-attack forensics in large breaches.
“Threat intelligence is an art form,” said Rossman.
Analysts look at what software the attackers are using, what platforms and what address they’re coming from.
“You look at what tools they’re using. Is it a certain kind of malware that requires skill to use? Was it custom-built to penetrate a specific network?” he said.
They also look at motivations, what information was stolen and who it might be useful to.
Finally, timing is often a clue. In an investigation of one hacking group, FireEye observed that all the activity took place during the work hours in St. Petersburg and Moscow, and the attackers also took Russian national holidays off.
Rossmann added that U.S. intelligence agencies are well-supplied with staffers who have the necessary knowledge and background to do these types of investigations.
“We hire people right from the government for a reason. They have the skills to do this,” Rossman said.
Trump disagrees with U.S. intelligence community
The CIA concluded in a secret assessment that Russia intervened in the 2016 election on behalf of Trump.
Trump's transition team responded t, "these are the same people that said Saddam Hussein had weapons of mass destruction."
Senate Majority Leader Mitch McConnell said Monday that two Senate committees will investigate the CIA's allegations.
Republican leaders join outrage at Russia, will investigate hacks
President Obama on Friday ordered the nation's intelligence agencies to conduct a full review of attempts by foreign hackers to influence U.S. elections.
The entire U.S. intelligence community, which includes 16 different agencies, as well as at least three private computer security companies, have independently investigated security breaches associated with the U.S. presidential election, concluding that the Russian government was behind the hacks.
In a joint statement from the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security released on October 7, U.S. intelligence agencies said they were "confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations."
The specific instances outlined in the statement included:
► Emails stolen from the Democratic National Committee.
► Emails from that hack given to WikiLeaks.
► Scanning and probing of state election-related systems.
On Sunday, Trump dismissed the link as "ridiculous," telling Fox News Sunday "I think it's just another excuse," adding "I don't believe it ... Every week it's another excuse."