Malicious cyber actors are often opportunistic, targeting the low-hanging fruit of networks with visible vulnerabilities and valuable assets. In the private sector, would-be attackers will often simply move on to an easier target if an organization appears to have good security and cyber hygiene.
But, because government agencies have data or other assets that malicious cyber actors want, they will often go to great lengths to get it. Due to the sensitivity of the information government holds and the persistence of many of those who are targeting it, government organizations don’t have the luxury of operating subpar cybersecurity without putting citizens’ data and potentially essential services at unacceptable levels of risk.
Malicious actors are also aware that government security teams are increasingly asked to “do more with less” and that many agencies may face shrinking budgets and resources. Federal, state, and local government agencies are also connected to a wide array of contractors and third-party partners that can be targeted to steal user credentials and gain access to government networks.
The nation-state cyber actors who target government networks are typically well organized and sophisticated, but according to a recent report from FortiGuard Labs on the evolving threat landscape, cybercriminals also are becoming more organized and sophisticated. Advanced persistent threat (APT) activity can now come from nation-states, from proxy actors working on their behalf, or from criminal groups or syndicates. All of these threat actors look to exploit government organizations’ fragmented network perimeters, siloed networking and security teams, and aging legacy digital infrastructure that was stressed in supporting the pivot to remote work as well as broad technology changes such as 5G communications and edge computing.
There is good news and progress. The US Department of Justice (DOJ) charged a NetWalker affiliate, but even though the attention that operations like this have garnered has forced a few ransomware operators to announce that they were ceasing operations altogether, ransomware and RaaS are not on the decline. Regardless, the DOJ has also stated that it remains dedicated to fighting cyber threats and prioritizing disruption of the cybercriminal ecosystem.
It is critical for government agencies to have a full spectrum of security capabilities to protect against any threat. However, this year, they should pay special attention to three key threat areas that malicious actors are ready to exploit.
Malicious cyber actors are exploring and discovering new areas for exploitation as organizations adopt new technologies and operating patterns. As agencies continue to expand their network infrastructure to accommodate work-from-anywhere (WFA), remote learning, and new cloud services, the remote environment provides ample opportunity for malicious actors to find a vulnerability and gain a foothold. Instead of targeting only the traditional core network of an organization, threat actors are exploiting emerging edge and “anywhere” environments across the extended network, including assets that may be deployed in multiple clouds with differing security policies and capabilities in each.
Government agencies should focus on implementing zero trust principles and architectures as soon as possible. Zero trust network access (ZTNA) is critical for moving beyond the outmoded ‘moat and castle’ model of network defense or the relatively simple measures of multifactor authentication and VPN connections that many government organizations used to secure their networks during the rise of remote work. Zero Trust must be applied at a more nuanced level—by application—since access should not be evaluated and granted on a ‘one and done’ basis when a user logs on. This affords better protection to the organization’s data and supports a ‘work from anywhere’ operating posture where the new normal may include users, data, and devices connecting in increasingly innovative and non-traditional patterns.
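As an added illustration of the per-application, per-request evaluation described above (example code, not Fortinet's), the policy engine below re-checks user, device posture and application sensitivity on every request, so a decision made at login does not carry over once the device's posture drifts. The posture attributes, sensitivity labels and thresholds are assumptions for the example.

```python
"""Per-request access evaluation for a zero trust model (added example).
Assumption: every request to an application is evaluated against the
current user, device posture and context, not a decision cached at login."""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class DevicePosture:
    managed: bool          # enrolled in device management (assumed attribute)
    disk_encrypted: bool
    patch_age_days: int    # days since last patch cycle (assumed attribute)


@dataclass
class Request:
    user: str
    mfa_verified: bool
    device: DevicePosture
    app: str
    app_sensitivity: str   # "low", "medium" or "high" (assumed labels)


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Called for every request, per application."""
    if not req.mfa_verified:
        return False, "mfa required"
    d = req.device
    if req.app_sensitivity == "high":
        if not (d.managed and d.disk_encrypted):
            return False, "high-sensitivity app requires managed, encrypted device"
        if d.patch_age_days > 30:   # assumed threshold
            return False, "device patch level too old"
    elif req.app_sensitivity == "medium":
        if not d.managed:
            return False, "medium-sensitivity app requires managed device"
    return True, "allowed"


def session_demo():
    """Same user, same session: posture drifts, so a later request is denied."""
    dev = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3)
    first = evaluate(Request("alice", True, dev, "hr-records", "high"))
    dev.patch_age_days = 45   # device falls behind on patches mid-session
    later = evaluate(Request("alice", True, dev, "hr-records", "high"))
    return first, later
```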
In addition, software defined networking is becoming increasingly common, and secure software defined wide area networking (SD-WAN) is becoming increasingly important because of the organizational flexibility, cost savings, and better user experience it offers. Secure SD-WAN can both offer organizations these benefits and provide powerful and dynamic capabilities for segmenting networks and access to data to restrict an intruder’s freedom of lateral movement and keep breaches restricted to a smaller portion of the network.
The General Services Administration has stated it wants to have smart energy technology deployed by 2025 in all of the 10,000 buildings it manages for the Federal Government. The increasing popularity of green building technology and the rise of building automation (‘smart buildings’) is going to increase the need to secure operational technology (OT) in government organizations’ digital environments. The convergence of IT and OT networks has enabled some attacks to compromise IT networks through OT devices and systems in the office environment—and even through Internet-of-Things (IoT) devices deployed in remote users’ home networks.
Since networks are becoming increasingly interconnected, virtually any point of access can be targeted to attempt to gain entry to the IT network. Traditionally, attacks on OT systems were the domain of more specialized threat actors, but such capabilities are increasingly being included in attack kits available for purchase on the Dark Web, making them available to a much broader set of attackers and lowering the skill and expertise needed to launch such attacks. Many OT and IoT devices lack strong security and cannot be upgraded or patched, forcing organizations to be nimble and adopt methods such as virtual patching of such headless devices.
Given the sophisticated and often clandestine nature of the attacks directed against them, government agencies should consider the use of deception technology to help an organization discover intruders and impede their movement. Using a layer of digital decoys and honeypots, deception technology helps conceal sensitive and critical assets behind a fabricated surface, which confuses and redirects attackers while revealing their presence on the network. Studies also suggest that, if an agency deploys deception technology, it doesn’t need to use it everywhere to reap the benefit, much as a home security sign both deters intrusion and affects how any would-be burglar proceeds if they do try to break in.
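The detection side of the deception layer just described, as an added example that is not part of the original post: decoy hosts and honeytoken accounts exist only to be touched, so any access to them in the logs is treated as a high-confidence alert, and alerts from the same source are grouped to reveal an intruder's path. The decoy inventory, log lines and log format are constructed for the example.

```python
"""Alerting on decoy and honeytoken activity (added example).
Assumption: the decoy inventory below is never used by legitimate workflows."""
import re

DECOY_HOSTS = {"fileshare-backup02", "scada-hmi-test"}   # assumed decoys
HONEYTOKEN_USERS = {"svc_backup_admin"}                  # assumed planted account

# Constructed authentication log in an assumed "ts user src dst result" format.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice 10.0.4.21 hr-app success
2024-03-01T09:14:40Z bob 10.0.4.33 fileshare-backup02 failure
2024-03-01T09:15:02Z svc_backup_admin 10.0.4.33 hr-app success
2024-03-01T09:20:11Z carol 10.0.5.10 mail success
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def decoy_alerts(log_text: str):
    """Return one alert per log line that touches a decoy host or honeytoken user."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue           # skip malformed lines rather than fail the scan
        ts, user, src, dst, result = m.groups()
        reasons = []
        if dst in DECOY_HOSTS:
            reasons.append(f"access to decoy host {dst} ({result})")
        if user in HONEYTOKEN_USERS:
            reasons.append(f"use of honeytoken account {user}")
        if reasons:
            alerts.append({"ts": ts, "src": src, "reasons": reasons})
    return alerts


def suspicious_sources(log_text: str):
    """Group decoy activity by source address to show an intruder's path."""
    by_src = {}
    for a in decoy_alerts(log_text):
        by_src.setdefault(a["src"], []).extend(a["reasons"])
    return by_src
```

In the constructed log, the same source first probes a decoy file share and then uses the planted account against a real application, which is exactly the sequence the decoy layer is meant to surface.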
The rise in deep fake technology should be of growing concern to both public and private sector organizations. It uses artificial intelligence (AI) to mimic human activities and can be used to enhance social engineering attacks. The bar to creating deep fakes is getting lower, and it's easy to find content generation tools on code repositories like GitHub that generate output that is good enough to fool even AI experts. Phishing continues to be a serious problem for government, with many employees continuing to work remotely and relying on email to conduct business. In the case of a phishing attack, malicious actors are not only looking to steal a user’s identity and address book, but also the contents of their email inbox and outbox.
It is now possible to use such data to automatically generate phishing content that mirrors the writing style and syntax of a sender and tailors the content of each phishing email to topics they have already discussed with the target. Detecting phishing will no longer be a matter of looking for obvious indicators like bank scam subjects or awkward English usage.
Advanced technologies like endpoint detection and response (EDR) can help by identifying malicious threats based on behavior, either of any executable code associated with that email (by running it in a virtualized sandbox) or based on malicious characteristics fed to the EDR engine from other sources of cyber threat intelligence. The speed of attacks is increasing, and EDR coupled with actionable and integrated threat intelligence can help agencies defend against threats in real-time.
Agencies should look to leverage the power of AI and machine learning (ML) to act as a force multiplier to speed threat prevention, detection, and response. The sheer size and complexity of the digital attack surface is often considered one of the greatest challenges to effective network defense. AI-fueled automation turns that attack surface into a net advantage by making it a unified collection platform that can sense potential malicious activity, assess its significance, and both respond to it at the point of attack and preemptively inoculate the rest of the network. These capabilities can be deployed pervasively across the network to establish a baseline for normal behavior, so that any deviation can be responded to and sophisticated threats disabled before they can execute their payloads.
Government agencies provide essential services and hold valuable data that citizens and partners rely on them to secure on their behalf. This is a primary reason why government networks are targeted both by persistent and sophisticated actors and by criminals looking for low-hanging fruit and easy gain.
It's critical for government networks to do the basics in terms of cybersecurity and vulnerability management. They must also embrace zero trust security principles and employ powerful and versatile tools such as EDR and deception technology. Threat actors and their attack methods are getting faster and more sophisticated, but by pursuing an integrated and automated approach to visibility and control, governments can better secure their assets.
The challenge is that the location of these assets, and of the users and devices that need them, is changing, and agencies must provide connectivity and security for on-premises computing, in the data center, in the cloud, and at the edge. Smart planning, doing the cybersecurity basics, and leveraging the increasing convergence of networking and security are keys to ensuring that organizations can operate efficiently and securely.