Ransomware defense for local governments
- By Sameer Dixit
- Dec 19, 2019
Cyber attackers often focus on networks and systems that are vulnerable and lack the security resources to mount an effective defense. Recently, hackers have homed in on a new favorite target: government networks. The past few months have seen coordinated attacks on local city and county government offices across Texas and Florida and in Atlanta and New Orleans.
Local governments = prime targets
City and county networks are particularly vulnerable, due to limited budgets and finite cybersecurity resources. Governments simply don’t have the funds to invest in all of the available tools and services, and they may lack the security knowledge and skills to defend against attacks effectively. At the same time, government networks are a treasure trove of valuable personally identifiable information. They generally include information such as names, addresses, birth dates and phone numbers, and sometimes even yield driver’s license or Social Security numbers.
Even if attackers don’t locate juicy information on a local agency or municipal network, those networks are typically trusted by and connected to larger government networks at the state or federal level. If attackers can successfully compromise a system on the local network, they may be able to pivot to other networks. They may also be able to capture user names and passwords -- or obtain these credentials through social engineering -- and elevate local network privileges or log in to related networks.
The problem isn’t just that attackers are able to exploit vulnerabilities to access networks and data -- it’s that they are able to remain undetected for a considerable amount of time. Average dwell time for such attacks -- the time between initial compromise and detection -- is two to three months.
Flying under the radar for maximum effect
Dwell time is crucial. Early ransomware campaigns simply encrypted data on the compromised endpoint. But as long as current backups of crucial systems and sensitive data were available, everything could be restored without having to pay a ransom to decrypt files.
Attackers are aware of the prevailing wisdom advising regular backups. While there are certainly still ransomware variants in circulation that randomly compromise any vulnerable system they can find, attackers are increasingly infiltrating a network and taking their time before actually executing the ransomware. By flying under the radar and remaining undetected for as long as possible, attackers can spend their time conducting reconnaissance inside the network, finding online backups and cloud storage systems they can damage to maximize the attack's impact. By the time the ransomware attack is executed and the attacker’s presence is revealed, backups may have been corrupted or encrypted, and victims are left with little choice but to pay the ransom and hope they can recover their data.
What can municipal agencies and local government offices do to defend themselves? While there is no such thing as perfect cybersecurity, there are established best practices that will improve the overall security of agency infrastructure and speed recovery from an attack. More importantly, with the right tools and processes, agencies can detect suspicious or malicious activity faster, reducing dwell time and minimizing the damage resulting from a successful compromise.
For one thing, a solid disaster recovery plan is crucial. In the event of a security compromise (or even a technical malfunction or natural catastrophe), it’s important to be able to resume normal operations as quickly as possible. One of the most important elements of disaster recovery, especially given the pervasive threat of ransomware attacks, is to have current backups of critical applications and data, because some recent attacks have included steps to disrupt or eliminate backups. To make sure the backups themselves are not compromised, they should be encrypted. Recovery backups should be stored offline, in a location where they can’t be accessed or tampered with by attackers and from which IT staff can quickly restore an operational system on a new, bare-metal server.
In addition, although an effective strategy will help agencies recover after an attack, they also have to realize that they have been attacked. Organizations should perform periodic penetration testing, continuously scan and monitor their networks to detect suspicious or malicious activity in real time and exercise a vulnerability scanning or data breach emulation capability to identify weak spots in their security posture before they are exploited.
While some organizations engage third-party penetration testing services or conduct red-team exercises to expose holes in their cybersecurity, those efforts are generally sporadic and infrequent. And cyber attacks don’t adhere to a timeline. It’s important to be able to automate the process and conduct data breach emulation continuously.
Back to basics
Municipal agencies and local governments are prime targets for cyber attacks, but most don’t have huge IT security teams or massive budgets. It would be impractical to try to do everything, so it’s prudent to ensure that the fundamentals are covered -- the basic tactics that will help defend against or detect most cyber attacks.
The combination of a solid backup and disaster recovery plan with an effective vulnerability scanning and data breach emulation strategy will go a long way toward both preventing attacks and recovering from successful attacks.
With the addition of a continuous scanning and monitoring capability to detect suspicious or malicious activity quickly, agencies can be confident that their defenses are up.
Sameer Dixit is vice president, security consulting, at Spirent Communications.