Malicious cyber actors are often opportunistic, targeting the low-hanging fruit of networks with visible vulnerabilities and valuable assets. In the private sector, would-be attackers will often simply move on to an easier target if an organisation appears to have good security and cyber hygiene. But, because government agencies have data or other assets that malicious cyber actors want, they will often go to great lengths to get it.
Due to the sensitivity of the information government holds and the persistence of many of those who are targeting it, government organisations don’t have the luxury of operating subpar cybersecurity without putting citizens’ data and potential essential services at unacceptable levels of risk.
Malicious actors are also aware that government security teams are increasingly asked to ‘do more with less’ and that many agencies may face shrinking budgets and resources. National, provincial and local government agencies are also connected to a wide array of contractors and third-party partners that can be targeted to steal user credentials and gain access to government networks.
The nation state cyber actors who target government networks are typically well organised and sophisticated, but according to a recent report from FortiGuard Labs on the evolving threat landscape, cyber criminals also are becoming more organised and sophisticated. Advanced persistent threat (APT) activity can now come from nation-states, from proxy actors working on their behalf, or from criminal groups or syndicates. All of these threat actors look to exploit government organisations’ fragmented network perimeters, siloed networking and security teams and ageing legacy digital infrastructure that was stressed in supporting the pivot to remote work as well as broad technology changes such as 5G communications and edge computing.
It is critical for government agencies to have a full spectrum of security capabilities, but they should pay special attention in addressing these three key threats.
1. Continued growth in the digital attack surface
Malicious cyber actors are exploring and discovering new areas for exploitation as organisations adopt new technologies and operating patterns. As agencies continue to expand their network infrastructure to accommodate work-from-anywhere (WFA), remote learning and new cloud services, the remote environment provides ample opportunity for malicious actors to find a vulnerability and gain a foothold. Instead of targeting only the traditional core network of an organisation, threat actors are exploiting emerging edge and ‘anywhere’ environments across the extended network, including assets that may be deployed in multiple clouds with differing security policies and capabilities in each.
Government agencies should focus on implementing zero-trust principles and architectures as soon as possible. Zero trust network access (ZTNA) is critical for moving beyond the outmoded ‘moat and castle’ model of network defence or the relatively simple measures of multifactor authentication and VPN connections that many government organisations used to secure their networks during the rise of remote work.
Zero Trust needs to be applied at a more nuanced level – by application – since access should not be evaluated and granted on a ‘one and done’ basis when a user logs on. This affords better protection to the organisation’s data and supports a ‘work from anywhere’ operating posture where the new normal may include users, data and devices connecting in increasingly innovative and non-traditional patterns.
In addition, software-defined networking is becoming increasingly common and secure software-defined wide area networking (SD-WAN) is becoming increasingly important because of the organisational flexibility, cost savings and better user experience it offers. Secure SD-WAN can both offer organisations these benefits and provide powerful and dynamic capabilities for segmenting networks and access to data to restrict an intruder’s freedom of lateral movement and keep breaches restricted to a smaller portion of the network.
2. Increase in OT attacks
The General Services Administration has stated it wants to have smart energy technology deployed by 2025 in all of the 10 000 buildings it manages for the US Federal Government. The increasing popularity of green building technology and the rise of building automation (‘smart buildings’) is going to increase the need to secure operational technology (OT) in government organisations’ digital environment. The convergence of IT and OT networks has enabled some attacks to compromise IT networks through OT devices and systems in the office environment – and even through Internet-of-Things (IoT) devices deployed in remote users’ home networks.
Since networks are becoming increasingly interconnected, virtually any point of access can be targeted to attempt to gain entry to the IT network. Traditionally, attacks on OT systems were the domain of more specialised threat actors, but such capabilities are increasingly being included in attack kits available for purchase on the Dark Web, making them available to a much broader set of attackers and lowering the skill and expertise needed to launch such attacks. Many OT and IOT devices lack strong security and cannot be upgraded or patched, forcing organisations to be nimble and adopt methods such as virtual patching of such headless devices.
Given the sophisticated and often clandestine nature of the attacks directed against them, government agencies should consider the use of deception technology to help an organisation discover intruders and impede their movement. Using a layer of digital decoys and honeypots, deception technology helps conceal sensitive and critical assets behind a fabricated surface, which confuses and redirects attackers while revealing their presence on the network. Studies also suggest that, if an agency deploys deception technology, it doesn’t need to use it everywhere to reap the benefit – much as a home security sign both deters intrusion and affects how any would-be burglar proceeds if they do proceed to try to break in.
3. Increased use of AI by malicious actors
The rise in deep fake technology should be of growing concern to both public and private sector organisations. It uses artificial intelligence (AI) to mimic human activities and can be used to enhance social engineering attacks. The bar to creating deep fakes is getting lower and it’s easy to find content generation tools on code repositories like GitHub that generate output that is good enough to fool even AI experts. Phishing continues to be a serious problem to government, with many employees continuing to work remotely and rely on email to conduct business. Look for malicious actors to not only steal a user’s identity and address book, but also the contents of their email inbox and outbox.
It is now possible to use such data to automatically generate phishing content that mirrors the writing style and syntax of a sender and tailors the content of each phishing email to topics they have already discussed with the target. Detecting phishing will no longer be a matter of looking for obvious indicators like bank scam subjects or awkward English usage.
Advanced technologies like endpoint detection and response (EDR) can help by identifying malicious threats based on behaviour, either of any executable code associated with that email (by running it in a virtualised sandbox), or based on malicious characteristics fed to the EDR engine from other sources of cyber threat intelligence. The speed of attacks is increasing and EDR coupled with actionable and integrated threat intelligence can help agencies defend against threats in real-time.
Agencies should look to leverage the power of AI and machine learning (ML) to act as a force multiplier to speed threat prevention, detection and response. The sheer size and complexity of the digital attack surface is often considered one of the greatest challenges to effective network defence. This approach of AI-fuelled automation turns it into a net advantage by making it into a unified collection platform that can sense potential malicious activity, assess its significance and both respond to it at the point of attack and pre-emptively inoculate the rest of the network. These capabilities can be deployed pervasively across the network to determine a baseline for normal behaviour so any changes can be responded to and sophisticated threats disabled before they can execute their payloads.
The need for complete protection
Government agencies provide essential services and have valuable data which citizens and partners rely on to secure on their behalf. Government networks are targeted by both persistent and sophisticated actors and by criminals looking for low-hanging fruit and easy gain. It’s critical for government networks to both do the basics in terms of cybersecurity and vulnerability management and to embrace Zero Trust security principles and employ powerful and versatile tools such as EDR and deception technology.
Threat actors and their attack methods are getting faster and more sophisticated, but by pursuing an integrated and automated approach to visibility and control, governments can better secure their assets. The challenge is that the location for these assets and the users and devices who need them is changing and agencies must provide connectivity and security for on premise computing, in the data centre, in the cloud, or at the edge.
Smart planning, doing the cybersecurity basics and leveraging the increasing convergence of networking and security are keys to ensuring that organisations can operate efficiently and securely.
The FortiGuard Labs report is available via the short link www.securitysa.com/*fort2
© Technews Publishing (Pty) Ltd. | All Rights Reserved.