Building real cyber resiliency in government
- By Stephen Kovac
- Nov 30, 2020
Across the country, government teams are pushing through roadblocks and finding new ways to get the job done while working remotely. The challenge is that as “how” and “where” work happens evolves, cyber threats likewise adapt. Adversaries are exploiting vulnerabilities and finding new ways to attack government networks and data. These attacks include an alarming rise in ransomware, phishing, smishing and vishing, with agencies experiencing upwards of 6.5 million attacks a day, up from 150,000 daily attacks before the pandemic.
I recently moderated an ACT-IAC panel of experts from the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Education and the Federal Risk and Authorization Management Program to discuss how organizations can take a threat-based approach to cybersecurity, paving the way for expanded use of cloud services and resiliency for the future. Here are some takeaways from that discussion:
The state of the threat landscape
Today’s adversaries have a variety of attack motivations. Goals include gaining permanent residence on systems and networks, stealing government information and encrypting data to weaponize for a ransomware attack.
Traditionally, adversaries rely on vulnerabilities in a web browser or send email to carry out attacks, but the focus has shifted to targeting individuals and scanning cloud systems to look for misconfigurations. Botnets targeting individual workstations are leaving payloads behind waiting for unwitting users to click on the nefarious link.
New strategies include creating fake social networking profiles to gain trust and then coercing users to click harmful links. Smishing attacks, which leverage text or SMS messages to gather information, and vishing attacks that use phone or voice messages to encourage users to visit fake sites to capture their credentials are also rampant.
“As we look at our threatscape, it’s important for us to understand that [attacks are] evolving at a rapid pace … and we have to evolve and adapt faster than they do,” Education Department Chief Information Security Officer Steven Hernandez said. “We have a greater [resilience] in a few areas: technology, our people -- investing in them to ensure that they're the best that they can be -- and then building the coalitions so that we can outflank those threat vectors.”
The pillars of cyber resilience
While threats are constantly evolving, Branko Bokan, a cybersecurity specialist at CISA, said the tactics, techniques and procedures are actually the same -- the real change is in the distribution type and frequency of these attacks. “Regardless of how well we try to prevent cyberattacks, they will always happen, and we have to be ready and able to detect bad things when they happen, or as soon as possible after they happen,” he said.
Often, organizations think of cybersecurity as preventing/protecting networks against cyber threats – but that is just one element of the cybersecurity framework, as outlined by the National Institute of Standards and Technology.
NIST framework includes five functions, which match the pillars for cyber resiliency: identify, protect, prevent, respond and recover.
By dividing cybersecurity into these five stages, agencies can identify cyber actions adversaries might take. It can also help them create a coverage map of the threat landscape to see how their current capabilities can protect, detect and respond to each one of these actual threat actions – and identify where the gaps are.
Cloud for long-term resilience
As agencies take a threat-based approach to security, cloud is also playing a large role in resiliency plans. The Department of Education, for example, doesn’t own a data center, Hernandez said. “We are 100% reliant on cloud in almost all of our major mission workloads,” he said.
Cloud is ideal for agencies’ continuity of operations planning because of its elasticity, which allows them to expand resources and support more users as needed. Cloud also provides real-time visibility across the network, making it as secure as, if not more secure than, a traditional data center environment.
In addition, cloud provides a modern solution for patching across agencies’ many endpoints and secure access service edge (SASE)-based solutions. Rather than backhauling traffic through traditional on-prem software patch management solutions, multi-tenant clouds can offer agencies an important benefit. This cloud effect -- as we at Zscaler call it -- allows cloud service providers to immediately detect attacks and, within seconds, push hundreds of thousands of security updates a day to every user on any device, anywhere.
To assist agencies with patching roaming devices, CISA also released remote patching guidance to align with the updated Trusted Internet Connections guidance. TIC 3.0’s flexibility allows agencies to take advantage of much-needed remote work solutions, such as cloud-based, secure web gateways and zero trust architecture.
“We start to use these concepts together and give this roadmap for how you can apply these concepts to not only that old traditional TIC model … but it's flexible enough to apply the same concepts to new architectures and new possibilities,” said Sean Connelly, CISA’s TIC program manager and senior cyber security architect.
Sharing guidance, sharing information
Building resilience requires continuous refinement, evolution and the ability to gain situational awareness. Analysis tools to identify, protect, prevent, respond and recover to threats will be critical.
Agencies can also take advantage of government programs -- TIC 3.0, Einstein, and Continuous Diagnostics and Mitigation (CDM) to secure cloud connections, gain visibility and better identify and mitigate threats.
One of the many unspoken benefits of the new TIC 3.0 policy is that all providers stream telemetry data to the Einstein and CDM programs, providing a new, more innovative approach. For example, the current Einstein program may report on eight to 10 fields, where a cloud-based provider can deliver up to 10 times as many fields of log/threat data.
While these resources are federally focused, state, local and tribal governments -- and even industry -- can benefit from the strategies and guidance.
“Being able to get these folks together in common forums is a great way to make sure that we’re sharing information, because we all have common goals of protecting our missions,” Hernandez said. “But it's also interesting that we discover new things all the time.”
Stephen Kovac is vice president, global government and compliance at Zscaler.