GLOBAL APPSEC DC™
Non-Political Security Learnings from the Mueller Report
Arkadiy Tetelman (@arkadiyt)
Agenda
● Background
● Blue Team Learnings
● Personal Security Learnings
● Questions
About me
● Arkadiy Tetelman (@arkadiyt)
● Head of Security at Lob
● Previously appsec at Airbnb, Twitter
● Fun fact
Background
Background
● 2 years 8 months
● Employed:
○ ~22 attorneys & paralegals
○ ~9 support staff
● Worked alongside:
○ ~40 FBI staff (agents, analysts, accountants, etc)
Background
● Volume 1: Russian interference in 2016 election
○ II. “Active Measures” social media campaign
○ III. Hacking/dumping campaign
● Volume 2: Administration obstruction of justice
Blue Team Learnings
Timeline
Mr. Delavan ... said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
* https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
Phished accounts
● numerous email accounts of Clinton Campaign employees and volunteers
● junior volunteers assigned to the Clinton Campaign's advance team
● informal Clinton Campaign advisors
● a DNC employee
● 118 GRU officers stole tens of thousands of emails
Recommendations
● Password manager / hardware (U2F, WebAuthn) 2fa tokens
● Ingest & alert on DNS
● Scan incoming emails
● Ingest mail audit log events
● Phishing exercises?
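The "Ingest & alert on DNS" recommendation, worked through as an added example (this is not code from the talk): resolver query logs are scanned for names that impersonate domains the organisation actually uses, which is the kind of lookalike a spearphishing link resolves to. The log format, the trusted-domain list and the client addresses are constructed for the demo; the registrable-domain helper is a two-label simplification (assumption: no Public Suffix List, so `co.uk`-style suffixes are not handled).

```python
"""Lookalike-domain alerting over DNS query logs (added example, not from the talk)."""
import re
from dataclasses import dataclass

# Constructed allow-list: domains the organisation legitimately uses.
TRUSTED_DOMAINS = ("google.com", "dropbox.com", "example-campaign.org")

# Constructed query-log line format: "<timestamp> client <ip> query: <name> <rrtype>"
QUERY_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) (\S+)$")


@dataclass
class Alert:
    client: str
    name: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name: str) -> str:
    """Last two labels of a name. Assumption: no Public Suffix List handling."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_name(name: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return a reason string if `name` looks like an impersonation of a trusted domain, else None."""
    name = name.rstrip(".").lower()
    reg = registrable(name)
    trusted_regs = sorted({registrable(t) for t in trusted})
    if reg in trusted_regs:
        return None  # the real domain, or a legitimate subdomain of it
    sld = reg.split(".")[0]
    for t_reg in trusted_regs:
        t_sld = t_reg.split(".")[0]
        # 1. Trusted domain embedded as a subdomain of something else: dropbox.com.evil.net
        if f".{t_reg}." in f".{name}.":
            return f"{reg} embeds trusted domain {t_reg} as a subdomain"
        # 2. Trusted name used as a hyphenated token in the registrable label: accounts-google.com
        if t_sld in sld.split("-") and sld != t_sld:
            return f"{reg} uses trusted name '{t_sld}' as a token"
        # 3. Close misspelling or homoglyph swap: g00gle.com. Short names only get distance 1
        #    so that three-letter brands do not match half the internet.
        allowed = max_distance if len(t_sld) >= 6 else 1
        if levenshtein(sld, t_sld) <= allowed:
            return f"{reg} is within edit distance {allowed} of {t_reg}"
    return None


def scan_log(text: str) -> list:
    """Parse query-log lines and return an Alert for every lookalike name seen."""
    alerts = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        _ts, client, qname, _rrtype = m.groups()
        reason = check_name(qname)
        if reason:
            alerts.append(Alert(client, qname.rstrip(".").lower(), reason))
    return alerts


# Constructed sample log: two benign lookups, three lookalikes, one unrelated domain.
SAMPLE_LOG = """\
2019-09-12T10:02:11Z client 10.0.0.15 query: accounts.google.com A
2019-09-12T10:02:14Z client 10.0.0.15 query: www.dropbox.com A
2019-09-12T10:03:40Z client 10.0.0.22 query: accounts-google.com A
2019-09-12T10:04:02Z client 10.0.0.22 query: g00gle.com A
2019-09-12T10:05:17Z client 10.0.0.31 query: dropbox.com.login-verify.net A
2019-09-12T10:05:55Z client 10.0.0.31 query: github.com A
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT {alert.client} -> {alert.name}: {alert.reason}")
```

In production the same `check_name` would run against a resolver log feed (or passive DNS) rather than a string, and the trusted list would include every SaaS domain staff actually log in to; the useful signal is a lookalike resolved by an internal client, which is exactly the moment a phishing link is being clicked and a login page is still a step away.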
Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.
* Report Volume 1, p38
Democratic Party
Recommendations
● “just” don’t allow 3rd party access into your network
The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network.
* Report Volume 1, p38
Recommendations
● “just” don’t allow 3rd party access into your network
● segregate access, practice least privilege, add monitoring
Installed tools
● X-Agent:
○ Log keystrokes, take screenshots, gather filesystem/OS info, etc
● X-Tunnel:
○ Create an encrypted tunnel for large-scale data transfers
● Mimikatz
● rar.exe
Stolen data
● keylog sessions containing passwords, internal communications, banking information, sensitive PII
● internal strategy documents, fundraising data, opposition research, emails from work inboxes
● exfiltrated > 70GB in election documents
Structure of GRU
● 26165
○ spearphishing
○ building malware
○ mining bitcoin
● 74455
○ assisted with release & promotion of stolen materials
○ “Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.” (Report Volume 1, p37)
Exfiltration
Recommendations
● alert on mimikatz
● endpoint monitoring
● network segregation
● IDS?
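The "alert on mimikatz" and "endpoint monitoring" recommendations, worked through as an added example (not code from the talk): three endpoint detections over process-create, process-access and file-create telemetry, covering the two tools the deck lists on the DCCC/DNC hosts (Mimikatz and rar.exe). The events are constructed in a simplified Sysmon-like JSON shape (event IDs 1, 10 and 11 are real Sysmon IDs; the field names follow Sysmon but the hostnames, paths and the LSASS allow-list are made up for the demo). Note that the credential-dumping binary is renamed in the sample, which is why the LSASS access rule matters alongside the command-line rule.

```python
"""Endpoint alerting for credential dumping and archive staging (added example, not from the talk)."""
from dataclasses import dataclass

# Processes that legitimately open LSASS in this (constructed) environment; tune per fleet.
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\program files\\edr\\sensor.exe",
}

# Substrings that identify Mimikatz in an image path or command line, whatever the binary is named.
MIMIKATZ_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::", "privilege::debug")

# Windows access-right bit requested by tools that read credential material out of LSASS memory.
PROCESS_VM_READ = 0x0010

# Archivers and output extensions worth flagging when run outside a software-deployment context.
ARCHIVER_BINARIES = {"rar.exe", "winrar.exe", "7z.exe"}
ARCHIVE_EXTENSIONS = (".rar", ".7z", ".zip")


@dataclass
class Alert:
    host: str
    category: str
    detail: str


def detect(event: dict):
    """Return an Alert for one Sysmon-style event, or None if it is benign."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")
    if eid == 1:  # process create: look for Mimikatz module names in the command line
        haystack = (event.get("Image", "") + " " + event.get("CommandLine", "")).lower()
        hit = next((m for m in MIMIKATZ_MARKERS if m in haystack), None)
        if hit:
            return Alert(host, "credential-dumping tool", f"marker '{hit}' in: {event.get('CommandLine')}")
    elif eid == 10:  # process access: non-allowlisted process reading LSASS memory
        source = event.get("SourceImage", "").lower()
        target = event.get("TargetImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and source not in LSASS_ACCESS_ALLOWLIST and granted & PROCESS_VM_READ:
            return Alert(host, "LSASS memory read", f"{source} opened lsass.exe with access 0x{granted:x}")
    elif eid == 11:  # file create: an archiver writing an archive is a common exfil staging step
        image = event.get("Image", "").lower()
        target = event.get("TargetFilename", "").lower()
        if image.rsplit("\\", 1)[-1] in ARCHIVER_BINARIES and target.endswith(ARCHIVE_EXTENSIONS):
            return Alert(host, "archive staging", f"{image} wrote {target}")
    return None


def scan(events) -> list:
    """Run detect() over an iterable of events and keep the hits."""
    return [a for a in (detect(e) for e in events) if a]


# Constructed sample telemetry from one workstation; hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-17", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mk.exe",
     "CommandLine": "mk.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 1, "Computer": "WS-17", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 10, "Computer": "WS-17", "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mk.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS-17", "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Computer": "WS-17", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rar.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\docs-2019-08.rar"},
    {"EventID": 11, "Computer": "WS-17", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\jdoe\\Documents\\memo.docx"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT [{alert.host}] {alert.category}: {alert.detail}")
```

The LSASS rule is the one that survives a renamed or recompiled tool, at the cost of needing a per-environment allow-list (AV, EDR and some backup agents legitimately open LSASS); the archive rule is noisy on its own and is best correlated with the other two on the same host within a short window, which is the "endpoint monitoring + network segregation" combination the slide is pointing at.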
Blue Team Conclusions
● attack vectors: spearphishing, lateral movement via overprivileged permissions & mimikatz
● defense in depth: 2fa, endpoint monitoring, least privilege, etc
● few organizations can defend against a nation state
Background
● Volume 1: Russian interference in 2016 election
○ II. “Active Measures” social media campaign
○ III. Hacking/dumping campaign
● Volume 2: Administration obstruction of justice
Personal Security Learnings
Sources
● Twitter DMs, Facebook messages, LinkedIn messages & emails
Sources
● Text messages
● Call records
Sources
● Internet search histories
Sources
● Company financial records
● US State Department visa records
● Hotel / flight / CBP records
Sources
* Report Volume 1, p13
Michael Cohen
● Credit: Marcy Wheeler (@emptywheel)
● 7/18/2017: warrant on Michael Cohen’s Google activity from 1/1/2016 - 7/18/2017
● 8/8/2017: warrant on Michael Cohen’s iCloud account
● 11/13/2017: warrant on business email hosted by 1&1
Michael Cohen
● Credit: Marcy Wheeler (@emptywheel)
● 11/7/2017 & 1/4/2018: pen-registers for real time communications info
● 2/8/2018: Mueller handed off Cohen investigations to SDNY
● 4/8/2018: SDNY got warrant for stingray to figure out what room in hotel
Michael Cohen
● Credit: Marcy Wheeler (@emptywheel)
● 4/9/2018: SDNY got warrant for that hotel room, Cohen’s home/office/hotel raided
What Didn’t Work
Personal Security Conclusions
● be cognizant about what data you share
● e2e encryption works
○ expiring messages protect against physical device access
GLOBAL APPSEC DC™
Rate this Session
SCAN THE QR CODE TO COMPLETE THE SURVEY
Thank You!
OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc.
Non-Political Security Learnings from the Mueller Report
Arkadiy Tetelman (@arkadiyt)