Ask the Expert: How to Defend Against Advanced Threats

Presented by FireEye

State and local agencies are especially at risk from advanced, targeted attacks.

Imagine a cyber attacker going through everything from your agency’s organizational information to your personal social media presence. They’re looking for clues in this public information—from the websites you frequent, to the software you use and the topics that interest you the most.

What these criminals collect can then be used in a sophisticated attack aimed specifically at you and other individuals.

Increasingly, these sorts of advanced threats target state and local agencies, says Tony Cole, Vice President and Global Government Chief Technology Officer at FireEye. He says agencies can avoid these attacks by improving their cybersecurity with training and infrastructure.

But it’s not always easy to identify an advanced threat, and this type of attack can dupe even the best-trained staff. To better understand what’s at risk for agencies, Cole offered his insights into some common questions surrounding advanced and persistent threats.

What exactly is an advanced threat? How does it stand as a risk to state and local governments?

In the last 15 years or so, we’ve really seen attackers shift away from the older style of many different types of attacks looking for any vulnerable systems. This was through a number of delivery mechanisms; however, the primary point here is that the attacks were opportunistic and not typically targeted against specific individuals.

Today, attackers will go through and create a comprehensive picture of what a target looks like, pulling it all together into a picture of who they would want to compromise that would likely have access to the material they wish to steal. At that point, they develop an attack designed specifically for that individual—not the entire organization.

What’s the most common sort of breach or attack to a federal, state or local agency?

The most common today is spear-phishing email… We’re all possible victims. I’ve been in this industry a long time and am very experienced, and say I have a young child, and let’s also say that I’m the CIO of a very large state and local organization. I’m pretty up to speed on cybersecurity practices, but somebody sends me an email that’s spoofed from my local news agency where I happen to already subscribe to their newsletter so it looks real, and it says that there’s a fire at the daycare where my child goes daily. Think I’ll open it?

Human nature says the attacker typically succeeds. Most of us are going to click on that link to look at that story to see what’s going on and make sure our family is okay. We’re seeing significant levels of sophistication like this, where it’s well thought out by the attacker to play on our humanity to ensure their success in compromising our systems.
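The spoofed-newsletter scenario above is the kind of message a mail gateway or an analyst can test for sender spoofing with the same alignment check DMARC uses: the visible From: domain must match the domain that actually passed SPF (the envelope sender) or DKIM (the signing domain). The following is an added example written for this page; it is not code from the interview or FireEye's tooling. The two messages, all domains and the Authentication-Results values are constructed for the example, and the organizational-domain helper uses the last two labels of a hostname as an assumption in place of the Public Suffix List that a real DMARC implementation consults.

```python
"""Flag sender spoofing in a raw email with a DMARC-style alignment check:
the visible From: domain must align with the domain that passed SPF
(envelope sender) or DKIM (d= tag). Added example, not code from the
interview; the sample messages and domains below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a newsletter look-alike. The visible From: is the
# trusted newsletter domain, but the bounce address and DKIM signature
# belong to attacker-controlled infrastructure, and the link host merely
# starts with the trusted name.
SPOOFED = """\
Return-Path: <bounce@news-alerts-update.example>
Authentication-Results: mx.agency.example;
 spf=pass smtp.mailfrom=news-alerts-update.example;
 dkim=pass header.d=news-alerts-update.example
From: "Local News Alerts" <alerts@localnews.example>
To: cio@agency.example
Subject: Fire reported at Maple Street daycare

Full story: http://localnews.example.news-alerts-update.example/story
"""

# Constructed sample: the real newsletter, sent via the publisher's own host.
LEGIT = """\
Return-Path: <bounce@mail.localnews.example>
Authentication-Results: mx.agency.example;
 spf=pass smtp.mailfrom=mail.localnews.example;
 dkim=pass header.d=localnews.example
From: "Local News Alerts" <alerts@localnews.example>
To: cio@agency.example
Subject: Morning briefing

Today's headlines: https://www.localnews.example/briefing
"""


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption: real DMARC uses the Public Suffix List; two labels are
    enough for the sample domains used here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Extract (result, domain) for spf and dkim from an
    Authentication-Results header value (RFC 8601 syntax)."""
    value = " ".join(value.split())  # unfold the header
    results = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", value)
    if m:
        results["spf"] = (m.group(1), m.group(2))
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", value)
    if m:
        results["dkim"] = (m.group(1), m.group(2))
    return results


def spoof_verdict(raw: str) -> dict:
    """Return SPF/DKIM alignment results and a spoof flag for one message."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_res, spf_dom = auth.get("spf", ("none", ""))
    dkim_res, dkim_dom = auth.get("dkim", ("none", ""))
    spf_aligned = spf_res == "pass" and org_domain(spf_dom) == from_dom
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_dom) == from_dom
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "spoof_suspected": not (spf_aligned or dkim_aligned),
    }


def foreign_link_hosts(raw: str) -> list:
    """Hosts of links in the body whose organizational domain differs from
    the From: domain; catches the 'trusted name as a subdomain' trick."""
    msg = message_from_string(raw)
    from_dom = spoof_verdict(raw)["from_domain"]
    hosts = re.findall(r"https?://([\w.-]+)", msg.get_payload())
    return [h for h in hosts if org_domain(h) != from_dom]


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoof_verdict(raw), foreign_link_hosts(raw))
```

The check only catches a forged visible sender. An attacker who registers a look-alike domain and signs mail from it properly passes alignment, as does mail sent from a legitimately compromised publisher account, which is why the interview's point about user training still stands even where DMARC enforcement is in place.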

What, in your mind, is the government’s degree of cyber preparedness?

In reality, it’s a completely mixed bag across the board. Some government agencies are doing pretty well… other government agencies, not so much. It really depends on how much effort they put into this. I will tell you, if you look across the U.S., we’re probably doing better than a lot of governments outside of North America. However, there’s still a long way to go to minimize the effects of these attacks. We’ll never keep them out, but we can minimize the impact of these attacks by identifying the compromises very quickly, closing those newly identified holes in our enterprise, and immediately stopping the exfiltration of data.

What steps can state and local governments take to protect assets and improve their posture?

It’s critically important they understand that it’s an adversary that is doing the attacks. It’s not a malware problem, it’s not a vulnerability problem—there’s an adversary out there that’s been hired to break into the systems.

That means we need to be agile in our processes, we need to be agile in maintaining and constantly evolving our infrastructure. The days of building a security perimeter—making it hard and crunchy on the outside and thinking you can forget it now and look to your work—are long gone. So you need to be agile across the board because you’re continuously trying to counter attackers that are continuously looking for vulnerabilities in your network.

So is cybersecurity primarily about security training for individuals, or is it mainly about putting in place proper processes and a secure infrastructure?

It’s definitely all of the above. Users are how we get compromised today. Obviously that’s the reason we have the infrastructure—it’s for the users so they can do their mission.

But it’s everybody’s responsibility to be part of the solution and not the problem, so we need a continuous process to train these users on what proper processes are in maintaining a secure posture. That being said, users are one component of the required training; you still need a very agile process for your acquisition, so contracting staff needs to understand cybersecurity. There are also the processes everyone involved with a breach needs to understand. Do you have an incident response process? Do you test it frequently? Does everyone know who to call when something happens? How do you mitigate the problems in your system? How do you stop the exfiltration of data? What systems house critical data?

What would you recommend for agencies looking to improve their cybersecurity posture?

The first thing to do is just bring in some outside expertise. When you live inside an environment, you get so deep in it that sometimes you miss the forest through the trees. It’s a great idea to have an outside organization come in, do a compromise risk assessment and an architecture assessment to see where your gaps are, where your holes are. This field is so broad today, there’s no one single person who’s an expert across the board on everything. You’ve actually got to bring in expertise from a number of different areas to ensure everything is adequately covered.

Anything else?

I think one of the most critical pieces is for all of us to really understand that everyone is a target. Our own analysis has shown that everyone is a target, and even if you don’t think you have valuable data, quite often either you’ll have personally identifiable information or you’re potentially a stepping-stone off to another target because of the trusted relationships you have in place with other organizations. One other thing that happens quite frequently and is also very bad: you may become compromised to become part of the attacker’s infrastructure, and you don’t want to be part of any of that since your infrastructure may be used to attack other organizations.

Will being compliant protect my agency against APT threat actors?

No, compliance requirements do not evolve fast enough to prevent a well-resourced adversary that’s trying to get access to your network. An organization must focus on reducing its attack surface and leveraging emerging adaptive defense capabilities to keep pace with APT threat actors. In return, this risk-based focus will lead you towards compliance.

Is my organization safe from APT since we have fully deployed and frequently updated AV and IPS solutions?

No. APTs craft targeted campaigns that routinely bypass signature-based detection capabilities like AV and IPS technologies. Case after case has shown us these technologies do not stop these targeted attacks.

So, government executives are the primary targets of APT threat actors?

Key scientists, researchers, system administrators, etc., are primary targets of APT threat actors, and even roles such as administrative assistants are routinely targeted to get initial access and then move laterally to other accounts that may have access to sensitive data.

About FireEye

FireEye protects the most valuable assets in the world from those who have them in their sights. Our combination of technology, intelligence, and expertise combined with the most aggressive “boots on the ground” helps eliminate the impact of security breaches. We find and stop attackers at every stage of an incursion. With FireEye, you’ll detect attacks as they happen. You’ll understand the risk these attacks pose to your most valued assets. And you’ll have the resources to quickly respond and resolve security incidents. The FireEye Global Defense Community includes more than 2,200 customers across more than 60 countries, including more than 130 companies in the Fortune 500.

This content is made possible by FireEye; it is not written by and does not necessarily reflect the views of Nextgov's editorial staff.