Want to Stop a Cyberattack? Try a Fake Phishing Scam to Train Your Employees

There’s never been a better time to be a cyberspy attacking the government — or a busier time for anyone whose job is to keep them at bay.

The past two years have included some of the worst data breaches in the country’s history, including hacks at the intelligence community and across several civilian agencies.

As cyberthreats expand and the United States becomes a more tempting target, federal IT workers find themselves in the crosshairs.

“All you need to become a legitimate threat is an internet-connected device, a search engine to access online training, and malicious intent to present a threat to others,” said Gregory Touhill, who was appointed the United States’ first federal CISO in September.

Few agencies are more familiar with this predicament than the Department of Homeland Security. With a network of 250,000 employees and 350,000 users spread across 17 agencies, DHS is a virtual bull’s-eye for the bad guys.

Jeff Eisensmith, the CISO at DHS, says attackers come in all shapes and sizes and with varying levels of finesse. The spectrum runs from political activists and script kiddies (those who hack using existing scripts rather than writing their own) to organized criminals and nation-state saboteurs with the means to launch sophisticated, persistent attacks.

Photo credit: Jonathan Timmes 

In response, DHS deploys a “defense in depth,” following the guidelines contained in the Cybersecurity National Action Plan (CNAP) released by the White House in February 2016.

This means, on top of all other security measures, department employees receive a federally compliant Personal Identity Verification card to access secure facilities and log in to DHS networks. Protection software scans each email message three times to eliminate potential threats, and then sandboxes and examines suspicious attachments for malicious code. Intrusion detection systems filter the flow of network packets looking for anomalies, harden endpoints, and encrypt data on mobile machines. Any new device attempting to connect is quarantined and examined before a security officer will allow it to log on to a network.

DHS also relies on “red team” exercises with the National Protection and Programs Directorate, probing for weaknesses and applying patches before potential enemies exploit them.

“You can’t just rely on one layer,” Eisensmith says. “Everything has to work as a synchronous machine.” But the human element remains the weakest link in building an impenetrable defense.

Going on Phishing Expeditions to Target Users

Eisensmith says the biggest threat to DHS is spear phishing: targeting specific individuals with cleverly crafted emails designed to steal their access credentials.

“With the breach of OPM, credit card and healthcare records, there’s a large amount of information available about us for an attacker to use,” he says. “It would not be difficult to craft a spear phishing attack that’s hard to detect.”

DHS’s solution is to create a savvier workforce. Several times each year, the agencies send faux phishing emails to their employees. Feds who click the links in the emails are pushed to a website where they’re taught how to distinguish between a legitimate message and a malicious one. Employees who continue to be duped receive additional training and may lose some of their access privileges, Eisensmith says.

The system appears to be working. The number of successful spear phishing attacks has declined in the past year, he says — in part because DHS has kept more of them out of employee inboxes and in part because users are better at recognizing them.

“You’ve got to work with the users and help them understand,” he says. “You don’t want to paralyze them into a state of fear, but you want them to develop a healthy sense of paranoia so they think things through before they act.”

Tomorrow’s Cyberattacks, Yesterday’s Technology

Agencies face an additional level of difficulty in fighting cyberthreats because of complex federal procurement processes and lengthy vendor approval procedures, says Avivah Litan, vice president and distinguished analyst for Gartner Research. That makes it harder to deploy the latest and greatest technology.

As a result, defense and intelligence agencies tend to be ahead of their civilian counterparts, she says, largely because they have more money to devote to the cause. And while cyberdefense gets more expensive every year, the cost curve is moving in the opposite direction for attackers, Touhill says.

“The cost to attack networks has decreased over the years, while the cost to defend them has increased,” he says.

Worse, many agencies are saddled with aging, highly vulnerable IT ­systems. Maintaining these legacy machines is expected to consume nearly 80 percent of the federal government’s $82 billion technology budget in this year's budget.

In April, the White House formally proposed a $3.1 billion IT Modernization Fund to replace older systems with more secure modern hardware; at publication time, Congress had yet to approve the spending measure.

"We have too many antiquated computer systems that are increasingly expensive to maintain and difficult to defend,” says Touhill, who resigned in January before the new administration took over. “The time to modernize is now, and the IT Modernization Fund provides the way forward.”

Since the massive OPM breach, which exposed the personal data of some 22 million current and former federal employees, the government has taken repeated steps to shore up its defenses — from kicking off the continuous monitoring of potential attacks to improving how agencies coordinate their response to cyberincidents. But much work remains.

How to Guard Against Phishing Attacks 

Government CISOs are especially conscious of phishing and distributed denial of service attacks, which have created significant security concerns in recent years.

Phishing attacks are growing more sophisticated and complex, Touhill says. To combat that trend, agencies are holding more regular training exercises to respond to the breaches. Some agencies also are segmenting their systems so that even if attackers gain entry to one part of a network, they won’t be able to access all of the information the organization stores.

As an extra precaution, agencies are conducting regular training for administrators to help identify vulnerabilities.

However, Touhill says early notification from employees that something on federal networks may be awry — essentially, the digital equivalent of “if you see something, say something” — is an important indication from users that an attack may be imminent.

“We all need to be focused on the goal of supporting an open and transparent government that protects the people’s information while preserving privacy, civil rights and civil liberties,” Touhill says. “We can only achieve that if we harden the workforce, treat information as an asset, do the right things the right way, continuously innovate and invest wisely, and make informed cyber-risk decisions at the right level.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.