How Macron's Team May Have Changed Cybersecurity Forever

Up until today I could only look up to Russia for conducting advanced information operations in cyber security. Now, I can look up to French President Emmanuel Macron and the security professionals behind him and admire them. Finally, someone uses cyber deception to beat attackers at their own game. I am not alone, and Cymmetria’s ideas have been vindicated yet again.

Just before the campaigning ban was imposed in France ahead of the upcoming presidential elections, someone dumped nine gigabytes of emails and documents supposedly obtained from Mr. Macron’s presidential campaign organization.

With the lessons learned from Hillary Clinton's presidential campaign still fresh, Mr. Macron took immediate control over his campaign's messaging, issuing a statement about the hacking just before the media blackout hit, and saying the that many of the documents dumped and reposted on Wikileaks were fake

Wikileaks in their own statement doubted Macron’s ability to go over the documents so fast, but it didn’t matter. That narrative controlled the short news cycle. Mr. Macron cast doubt on the reports and showed leadership, actually providing reporters data which they could use to write their stories. That by itself is a lesson for the future.

If all Mr. Macron did was throw doubt on the validity of the leaks, that’s already a powerful win. Wikileaks themselves cast a doubt on the source, saying in a tweet that several of the files have Cyrillic meta data, “by design, incompetence, or Slavic employee”.

There were few such marked documents, all from a limited time period. Regardless — they served their purpose in timelines to assist Mr. Macron in his crisis response.

French President Emmanuel Macron

The doubt cast on the origins of a few documents stopped Mr. Macron’s opponents in their tracks. Attention to obviously fake documents on French social media stopped supporters of Mr. Macron’s opponent, Marine Le Pen, from making use of “all these damning emails”.

Creating fake documents that look real, at scale is hard. This case shows we don’t necessarily need to. The next time a threat actor attempts this, they may have to sift through all the data first. Cyber deception increases the cost of the attacker, shifting the economics of cyber security and thus changing the asymmetry between attacker and defender.

This analysis however misses one critical aspect: this might have happened by design.

The Daily Beast reported that part of the strategy applied by Mr. Macron’s team against hacking efforts was planting bogus information on landing pages sent via phishing attacks.

“You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out,” said Mounir Mahjoubi, the head of Mr. Macron’s digital team, according to the The Daily Beast report.

The technique described is similar to one used by some banks who counter phishing attacks by seeding phishing sites with fake credentials they could monitor for access.

Mr. Mahjoubi, who I want to make sure and meet one day, claims to have fed hackers false data in a “counteroffensive”. Maybe he has, maybe he hasn’t. By plan, or by luck, Mr. Macron’s team scored a big media win.

Mr. Macron’s team could have potentially planted false Cyrillic flags in the documents. Assuming that the campaign organization was indeed hacked, and that his team indeed planted false flags in leaked documents, it’s awesome.

The obvious fakes in the data dump were enough to achieve the strategic goal of reducing the data dump’s success.

My takeaways?

Cyber security has been on the defensive for a very long time. Finally seeing people think like I do and take control of the battle ground, not just sitting and waiting for the adversaries to bypass our static defences, but using the attackers’ very predictable methodologies against them is very exciting.

If things happened this way by design, this may be the first public and soon to be famous counterintelligence attempt against a cyber propaganda campaign, meant to affect a nation’s politics and policies.

There is nothing worse as a cyber security professional than going to work every morning knowing you’re going to lose. It’s a defeatist industry. Seeing a live and public example of successful resistance, which is complex and interesting, show that not only can we win, but it is as interesting, if not more so, than the attacking side.

This article was first published on Medium.

Gadi Evron is the founder and CEO of the cyber security startup Cymmetria. Before founding Cymmetria, Mr. Evron, a veteran of Unit 8200, served as vice president of cyber security strategy at Kaspersky Labs.