When it comes to cybersecurity, the federal government is putting out fires every day — and it can be exhausting. Like most organizations, the government has traditionally defended the network perimeter with tools like firewalls and antivirus software. Unfortunately, it has become clear that adversaries have long since broken through those barriers using modern techniques such as social engineering, phishing, drive-by downloads, identity theft and impersonation.
By Todd Helfrich, Vice President of Federal, Attivo Networks
Protecting any enterprise against today’s cybercriminals — let alone nation-state threats — is a challenging task, given the volume, variety, and age of many government systems. With the rise of third-party breaches, the government now needs to ensure its vendors and suppliers can protect their own systems. Attivo Networks works closely with the government to help them implement innovative cybersecurity technology and steers best practices and policy conversations in a more secure direction.
Collaborating with Experts to Better Secure the Government and Its Partners
It is important for cybersecurity organizations to be more than just manufacturers supplying technology to the government. Attivo Networks has built collaborative relationships with government agencies to help deliver stronger, more tailored solutions. This is essential in areas of critical infrastructure, intelligence, defense, and others that have specific needs that can only be addressed by a partner with a thorough understanding of the particular challenges they face and gaps they need to fill.
Information sharing has also become a priority within the government, and the recent executive order on cybersecurity emphasized the need to share threat information. Today’s technology is better than ever at collecting adversary intelligence, especially when an adversary is tricked into interacting with decoy assets while safely cordoned off from the rest of the network. Studying indicators of compromise (IoCs) and the related tactics, techniques, and procedures (TTPs) and sharing that information effectively can help defenders detect and defend against specific attack tactics, even if those tactics have not yet been used against them.
Active cyber defense enables enterprises to curate relevant internal threat intelligence that accelerates persistent hunt operations. Effective cyber threat intelligence sharing means the intelligence shared must be both timely and relevant. Within the government, classified indicators often don’t receive a “tear-line” in a timely fashion or receive the same aggregated data available through open-source and commercial unclassified sources. Improving cyber threat intelligence means collaborating on analysis and applying risk scores and decay windows to IoCs.
With many third-party breaches in the news, trust in third-party partners is increasingly critical for the government. This is increasingly relevant as attackers often breach vendors of widely used technology to infiltrate the software development life cycle, rather than target the government head-on. This happened with SolarWinds, which resulted in a major breach with extensive reach across government and the corporate world. Attivo has worked closely with the government to identify appropriate solutions capable of identifying attackers that have breached perimeter defenses or arrived via third-party compromise, including, and especially, increased identity detection and response capabilities.
Working Closely with Regulatory and Advisory Bodies
Organizations like MITRE and the National Institute of Standards and Technology (NIST) issue cybersecurity guidance for modern enterprises, including the government. It’s created awareness around Active Defense measures, with MITRE releasing MITRE Shield to complement its long-running MITRE ATT&CK framework. MITRE Shield highlights active defense tactics such as deception and concealment technology to trick attackers into interacting with decoy network objects while hiding real assets from view.
MITRE has now taken things one step further with the recent release of MITRE Engage beta, additional guidance centered around denial, deception, and adversary engagement, and they are far from the only ones. NIST has updated special publication 800-160, doubling down on deception capabilities as an essential way to mitigate today’s most pressing threats, and the National Security Agency (NSA) recently released guidance of its own. These initiatives affirm the value of cyber deception technology, lending further credence to the need for stronger active defense tools.
The frameworks provided by organizations like MITRE and NIST can also provide the basis for meaningful government regulations. The Colonial Pipeline hack was an eye-opener, highlighting that not enough focus has been on securing industrial control systems (ICSs) and other large-scale assets. Attivo has spent years improving the technology used to monitor programmable logic controllers (PLCs) to help secure ICS devices and has worked with the government to use that expertise to support policies that create a stronger security baseline for those systems. The White House released a memo last month intended to emphasize the importance of securing ICS assets, bringing them more in line with industry best practices. Whether an organization secures enterprise IT, ICS/SCADA, or cloud infrastructure, active cyber defense helps drive adversary activity to decoy systems and away from production assets. When it comes to critical infrastructure, adequate security measures help limit physical impacts on human safety.
Making Innovation a Priority
Attivo has worked closely with the Department of Defense (DoD) and other government entities over the years, many of which have specific cybersecurity needs and benefit from outside perspectives, expertise, and technology. By providing direct support, Attivo learned about the specific challenges facing each agency while working together to secure their systems better and educate their users. Attivo has conducted defense exercises with DoD to educate its personnel on executing denial and deception techniques while also gaining a stronger understanding of the specific environment being protected. Emulating adversary attacks has highlighted the value of quickly detecting the adversary and extrapolating valuable intelligence supporting ‘defend forward’ operations.
The COVID-19 pandemic also spurred the adoption of cybersecurity technologies to enable a remote workforce within the government and its partners. Cloud adoption significantly increased but has resulted in situations where users have access to cloud applications and resources they do not need, creating vulnerabilities. Problems like overprovisioning, group policies, orphaned credentials, and others have all become major issues. Attivo has worked with these groups to emphasize identity protection, focusing on discovering identities and entitlements and using them within the network and cloud environments. Looking across last year’s cyberattacks, nearly every compromise harnessed a legitimate credential and exploited the openness of Active Directory to accomplish the attacker’s objective. Working with the government to better understand the issues it faces has helped Attivo Networks prioritize innovative new solutions to address these unique problems.
Strong Relationships Benefit All Involved
The government is a sprawling entity, and securing it is a challenge. The need to protect against third-party breaches creates a further challenge, especially given the number of partners and suppliers the government works with across its many departments and agencies. Attivo has found that collaborating directly with the government to advise on specific technology solutions and potential regulatory measures can greatly benefit both sides.
Close partnerships have helped Attivo better understand the government’s specific needs and challenges while allowing the government to better understand the solutions available to it. The government remains a vulnerable target, but it can now take concrete steps to address many of the critical challenges it faces.
About the Author
Todd Helfrich, Vice President of Federal at Attivo Networks, has 20+ years of experience on the front lines of cybersecurity and has advanced a wide range of cybersecurity resiliency initiatives across the industry that protect commercial and federal government enterprises. In his current role, he is responsible for all federal government-related activities and the leadership of a team that supports industry mission partners across the government. His focus is on strategies for deploying active cyber defense capabilities and empowering cyber defenders through adversary management. He advises innovation technology providers and currently supports the AFCEA Cyber Committee, which is a volunteer group of public and private sector information technology and security experts that enable collaboration between government and industry. His work crosses all branches of the federal government and helps to influence government policy, requirements development, and technology adoption.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
