By Richard Bejtlich, Principal Security Strategist, Corelight
Elections have two critical components. The first is the conduct of the election as visible to the participants. The second is the hidden aspect, that which is not visible to the participants.
Voters have seen how computers have become more important to the election process, whether for collecting individual votes, tallying totals, transmitting results, or displaying outcomes. What they have not seen is how these processes take place.
It’s impossible to address all network security monitoring components of the election process in several hundred words, but the overarching role of the network is worthy of an assessment.
Any election infrastructure that transmits information from one computer to another is using a network, unless some sort of human or mechanical interface physically moves digital storage media between them.
The creation of any network is likely to result in that network being connected to the global Internet. This concept undoubtedly bears some sort of formally named “law” promulgated by network scientists, but for now it is important to accept that even networks not designed for connection to the Internet usually end up linked to it. This means that every election network, whether designed for Internet access or not, likely ends up within the global reach of every other Internet-connected actor, whether in a nearby town or across the globe.
In such a circumstance, it becomes necessary to know how the network is being used. Even for simple troubleshooting, without the presence of threat actors, network and security administrators should be asking and learning how their networked resources are performing. Once they acknowledge the interest of threat actors, it becomes a necessity to monitor the network.
However, it is critical to realize that it is insufficient to simply deploy some sort of security appliance on the network that blocks what it considers to be suspicious or malicious traffic. It’s also not sufficient to deploy the same or another security appliance that generates alerts when it detects suspicious or malicious activity. These are both helpful, but it is also important — and perhaps primarily so — to install a passive system that conducts an audit of the traffic it sees, silently recording the use of the network in a format that allows later inspection and validation to assure voters and administrators that the network performed as expected, and was, or was not, abused by threat actors.
In this capacity, a network-based solution can work in concert with other sources of security data, such as infrastructure and application logs, and endpoint system logs and security software. Because the network itself is the lowest common denominator in any networked environment, it is the last best hope to detect suspicious or malicious activity. Anything that uses the network can be seen, and potentially evaluated for misuse, based on how it interacts with the network. This applies to mobile devices that connect to WiFi, or operational technology, or anything else that communicates with the Internet.
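One way to make the "audit trail" idea above concrete, as an added example that is not code from the original post or from Corelight: a passive record of connections (here, constructed records in the JSON form of a Zeek-style conn.log, which is an assumption about the collector) is checked after the fact against a hypothetical baseline of which election-system hosts are expected to talk to which external services, and anything outside that baseline is surfaced for an analyst to validate.

```python
"""Audit a passive connection record against an expected-communication
baseline for election-system hosts. Added example; field names follow
Zeek's conn.log JSON output (an assumption), and all data is constructed."""
import ipaddress
import json

# Hypothetical baseline: the subnet holding election systems and the
# external destinations those systems are expected to reach.
ELECTION_NETS = [ipaddress.ip_network("10.50.0.0/16")]
ALLOWED_EXTERNAL = {
    ("203.0.113.10", 443),   # hypothetical results-upload service
    ("198.51.100.5", 123),   # hypothetical NTP server
}

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
{"ts":1588800000.1,"uid":"C1","id.orig_h":"10.50.1.20","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1588800001.3,"uid":"C2","id.orig_h":"10.50.1.20","id.orig_p":51001,"id.resp_h":"198.51.100.5","id.resp_p":123,"proto":"udp","service":"ntp","conn_state":"SF"}
{"ts":1588800002.7,"uid":"C3","id.orig_h":"10.50.1.21","id.orig_p":51002,"id.resp_h":"192.0.2.77","id.resp_p":8443,"proto":"tcp","service":"-","conn_state":"S0"}
{"ts":1588800003.2,"uid":"C4","id.orig_h":"10.50.1.21","id.orig_p":51003,"id.resp_h":"10.50.2.9","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
"""

def is_election_host(addr):
    """True if the address falls inside an election-system subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ELECTION_NETS)

def audit(log_text):
    """Return connections originated by an election system that reach an
    external destination not in the baseline. Internal-only traffic and
    baseline destinations are expected; everything else needs a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, dst, dport = rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]
        if not is_election_host(src) or is_election_host(dst):
            continue  # not from an election system, or stays internal
        if (dst, dport) not in ALLOWED_EXTERNAL:
            findings.append((rec["uid"], src, dst, dport, rec["conn_state"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("unexpected external connection:", finding)
```

The one record flagged here is the connection attempt to 192.0.2.77:8443 (a half-open S0 state with no identified service), which is exactly the kind of entry an analyst would pull for validation; the SMB traffic stays internal and the two baseline destinations pass.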
If one waits until the month or week of the election to install this monitoring infrastructure, it will be too late. Threat actors are likely already probing election networks for weaknesses. With six months left before the election, now is the time to ensure election networks are properly instrumented with network security monitoring solutions. This time window allows analysts to collect data, investigate it for signs of compromise or tampering, and introduce improvements and safeguards to frustrate the intruders when they attempt additional intrusion campaigns. These remaining six months will give red teams chances to demonstrate what sort of vulnerabilities the election networks still possess, and whether blue teams can identify and respond to real intruders as well as to red team campaigns. Finally, once the election happens, the necessary network security monitoring processes, tools, and personnel will be tested and ready.
Even if the personnel or processes are lacking, deploying the proper instrumentation will provide outside election officials or consultancies with the data they need to conduct spot checks or in-depth analysis of worrisome situations. Just as we want elections themselves to have an audit trail in the event of recount, we also want an “audit trail” for network access to election systems — and this applies to whatever hybrid method of voting occurs.
Only by having the proper data provided by network security monitoring systems will voters and election officials gain the information needed to validate trustworthiness and develop confidence in the election process.
This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Richard Bejtlich. Read the original post at: https://corelight.blog/2020/05/07/instrument-election-infrastructure/