3 Major Threat Trends Federal Agencies Need to Know

The U.S. federal government includes over 430 departments, agencies and subagencies comprised of millions of employees and tens of millions of devices. And yet, in spite of these resources, it probably comes as no surprise that there is great disparity in the cybersecurity resources available. 

Because the scope of centralized management and control systems tend to be limited to specific agencies, and even specific solutions, cross-collaboration between agencies can quickly become a challenge. Not only does the lack of a single management solution reduce visibility, but the security profile of an interconnected cross-agency system is reduced to the risk profile of the weakest link in the overall cybersecurity chain. 

Trends to Watch 

Though the task of maintaining consistent federal cybersecurity can be daunting, efforts will be more successful if they are informed by a common set of data derived from current attack tactics. Agencies can know where to fortify their networks and which controls should be a priority in their modernization initiatives. 

Fortinet’s most recent Threat Landscape report found three significant trends that agencies should keep in mind. 

1. Threats tend to share public infrastructure. 

Around 60% of threats share at least one common public infrastructure element. In addition, when threats share infrastructure, they are likely to use those resources at the same stage of the kill chain. With this information, IT teams can proactively search for and block or monitor traffic headed to or from those common domains. Careful observation can also reveal threat patterns that can help agencies predict how similar attacks might function or how classes of threats may evolve. 

2. Ransomware is becoming more targeted.

For example, during the first quarter of 2019, threat actors deploying the LockerGoga ransomware used deep reconnaissance to pre-target victims and evade detection. In the second quarter, RobbinHood and Ryuk ransomware variants have expanded on this strategy by targeting specific municipalities. RobbinHood can also disable data encryption and prevent systems from disconnecting from shared drives, while Ryuk uses advanced evasion tactics, including destroying its encryption key and deleting shadow copies from infected systems to ensure that defenders are unaware of its presence. 

Federal IT teams should secure common ransomware entryways—like email—and teach employees how to spot and respond to phishing emails and other tactics. Agencies need to conduct regular data backups, scan them for malware, and store off-network. Data restoration drills should also be conducted to ensure that data restoration is efficient and accurate.

3. Attackers “live off the land.”

This tactic exploits pre-installed tools on targeted systems to install malware, escalate privilege, and deliver malicious payloads. This strategy makes attacks particularly difficult to identify because they look like legitimate traffic. PowerShell, which comes pre-installed on Windows machines, is commonly exploited for these types of attacks, as it can be executed from memory, is easily obfuscated, and is usually trusted—allowing it to bypass security efforts like whitelisting. However, while PowerShell is one of the highest-profile targets for this attack type, many other, similar tools are also being frequently compromised. 

This is an important trend for federal agencies to be aware of, particularly because they run so much legacy IT. Federal IT teams must know which tools are running within the network, including tools pre-installed on devices, as part of an application suite or embedded in operating systems. They then need to implement dynamic trust policies and intent-based segmentation so that when a previously trusted tool acts suspiciously, it is immediately identified and isolated to a quarantined network segment until it can be determined to be secure. 

Intelligence is the Key

With a wide range of headcounts, needs, and often siloed resources, cybersecurity can be a particularly difficult task for federal agencies. But it is also a crucial one that cannot be handled haphazardly; the privacy and safety of too many citizens and too much vital data is at stake. Agencies that can leverage up-to-date threat intelligence and convert it into actionable threat mitigation will be able to better develop policies, acquire tools, and develop the comprehensive and integrated strategies necessary to combat the latest threats.

Bob Fortna is president and board member of Fortinet Federal Inc.