Stop Hackers in Their Tracks Through a Collective Defense
MARKET TRENDS REPORT


Introduction

By the time news broke in December 2020 of malicious code planted in a SolarWinds Orion platform update by Russian state-sponsored adversaries, the trojanized update had been delivered to as many as 18,000 organizations, and the attackers had followed up inside a smaller set of high-value targets, including nine federal agencies. Not only could the intruders read email at the U.S. Treasury and Commerce departments, they also gained access to networks at the Department of Homeland Security. When details of the backdoor, dubbed SUNBURST, came to light, the campaign was considered one of the most damaging nation-state cyberattacks in history.

It was tempting to regard the scale of SUNBURST as unusual. It was not. In March 2021 another potentially more damaging nation-state campaign emerged, attributed to a Chinese state-sponsored group and quickly joined by other groups exploiting the same flaws. The target was servers running Microsoft Exchange. At least 60,000 organizations, including government organizations, have surfaced as victims.

Clearly, attackers are becoming more aggressive and more capable. Some collaborate to cause the most damage; others, as the SolarWinds campaign revealed, compromise every organization in the path to their intended target, whether or not it was the real objective. That is why government agencies need to defend collaboratively, as a stronger combined force. It is no longer enough to rely on traditional cybersecurity approaches or to defend each agency in isolation. By sharing anonymized threat information in real time, government and private-sector organizations can work together to triage and act against active threat campaigns early in the intrusion cycle. This collective defense approach is the most effective way to stop aggressive attackers in their tracks.

To learn more about how public sector agencies can move toward true collective defense, GovLoop teamed with IronNet, a global cybersecurity leader helping agencies defend more effectively against growing cyberthreats.



By The Numbers

56% of state CISOs are not very confident in the security practices of their local governments.

73% of state CISOs reported only limited collaboration with local governments as part of their state's security program during the past year.

350% increase in unfilled cybersecurity jobs from 2013 to 2021, leaving a talent gap of 3.5 million.

65% of organizations have invested in artificial intelligence or machine learning in the past 12 months.

61% of organizations say they won't be able to identify critical threats without AI.

$945 billion in global cybercrime losses in 2020, almost double the monetary loss from cybercrime in 2018 ($500 billion).

“The U.S. government and industry … must arrive at a new social contract of shared responsibility to secure the nation in cyberspace. This ‘collective defense’ in cyberspace requires that the public and private sectors work from a place of truly shared situational awareness and that each leverages its unique comparative advantages for the common defense.” — U.S. Cyberspace Solarium Commission Report



The Best Defense Is a Collective Defense

The Challenge: Legacy Approaches Can't Keep Up

Agencies know the importance of quickly identifying and mitigating threats, but existing infrastructure and escalating trends have made it more difficult than ever to keep up.

Limitations of existing tools: As threat actors become more sophisticated, they find more creative ways to circumvent whatever defenses organizations put in place. Legacy tools get you part of the way there, by identifying a known threat so you can block it or take other action, but today it is increasingly important to analyze behaviors in real time. And while legacy tools are effective at their specific function, they often cannot work together in a security ecosystem to build a more comprehensive threat picture.

Lag time in detection, alert triage and response: Existing tools can also be overwhelmed by the volume of data that must be analyzed quickly, resulting in unacceptable lag times and too many false positives. Think of it like a TSA checkpoint: you place your bags on the conveyor belt and pass through the scanner. But that is just one checkpoint. The second consists of TSA agents who scrutinize passenger behavior for anything awry or anomalous. The two sets of observations are not correlated and analyzed until later, potentially well after a bad actor has reached the intended destination.

Limited ability to share and correlate threats in real time across the public and private sectors, and to gather intelligence on threats other agencies have seen: While agencies today have some ability to share and correlate threats, they often cannot do so in real time, or even near-real time. Instead, information sharing happens manually through reports, email, phone calls and instant messaging. By the time the dots are connected, it is often too late. It is also often virtually impossible to gather intelligence on threats that are not yet present in the agency's own environment but have cropped up at other agencies and may be headed its way.

The Solution: Identify Threats Before Damage Is Done

Stopping attacks before they become catastrophes requires a proactive approach, one that can correlate and analyze information from a multitude of sources in real time. That is collective defense: a collaborative approach that knits together an organization's existing cybersecurity tools with anonymized cyber anomalies from other sources, both public and private, and real-time analysis. This approach allows agencies to aggregate data, run higher-order analysis and identify attackers earlier in the attack cycle.

Incorporating behavioral analytics into the network infrastructure and cybersecurity process can go a long way toward identifying truly potent threats. Unlike signature-based analytic tools, which compare incoming information with a list of known indicators of compromise, behavioral analytics look more deeply into individual networks and detect anomalies that could not be identified otherwise. Behavioral analytics become even more powerful when combined with anonymized metadata from other organizations. For example, a behavior may appear benign when analyzed on its own, but when combined with information from other organizations that have observed the same behavior, it may now appear suspicious and warrant further investigation. To pinpoint the most relevant emerging threats even more specifically, add a third component: a team of threat hunters and security analysts tied into the same information-sharing hub from a cybersecurity operations center. "You might not see anything out of the ordinary if you look at your network traffic, but by looking at the behavior from different points of view, and with input from different organizations and analysts, you might reach a different, and more correct, conclusion," said Gareth Owen, Vice President, IronNet. "More important, a collective defense approach allows you to proactively remove the threat before real damage is done."



Best Practices for Cybersecurity

Realign your strategy to meet today's realities. While there is no doubt that every agency needs effective cybersecurity tools, those tools are far less effective without the right strategy around them. Cybersecurity should be treated as inherent to the agency's strategy rather than as just a technology tool or a compliance requirement. One resource that can help is the report of the U.S. Cyberspace Solarium Commission, a bipartisan commission chartered by Congress, which published its report in March 2020. It contains more than 80 recommendations to improve cybersecurity collaboration with the private sector, reform the government's structure and organization for cyberspace and reshape the cyber ecosystem. It recommends a new strategic approach called layered cyber deterrence that aims to reduce the probability and impact of cyberattacks of significant consequence.

Move beyond signature-based analytics to detect and mitigate unknown threats. Signature-based threat detection, which compares traffic with indicators of known threats, remains a valuable way of identifying and analyzing malicious network activity, but it is no longer enough on its own. Agencies looking to identify and analyze unknown threats in time to prevent damage are turning to behavior-based threat detection and analytics, which spot abnormal patterns in network traffic and catch the unidentified and more sophisticated attacks that evade traditional preventive techniques. Unknown threats include known malware modified or recompiled with minor changes, misuse of open communication protocols for malicious purposes, system access via stolen credentials, and data or IP loss through legitimate cloud services.
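The signature-versus-behavior distinction described here, together with the cross-organization correlation of anonymized anomalies described in the Solution section, as an added example. This is illustrative code written for this page, not IronNet's code and not IronDefense or IronDome logic. The flow records, the indicator list, the organization names, the per-community HMAC key used to pseudonymize reporting organizations, and the thresholds (six connections, 10% timing jitter) are all constructed or assumed for the demonstration. It shows a beaconing host that a signature check misses because its destination is not on any indicator list, a behavioral check that flags it from timing regularity alone, and a correlation step that escalates the alert once a second organization reports the same behavior.

```python
"""Signature vs. behavioral detection, then anonymized cross-organization
correlation. Added illustration; not IronNet's code. All flows and IOCs are
constructed, and the thresholds are illustrative."""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed indicator list standing in for a signature feed. The address the
# beaconing hosts below talk to is deliberately absent: an unknown threat.
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.250"}

MIN_CONNECTIONS = 6      # illustrative: fewer samples give meaningless timing stats
MAX_JITTER_RATIO = 0.10  # illustrative: stdev/mean of inter-connection gaps
SHARING_KEY = b"constructed-community-key"  # assumed per-community secret


def make_flows(host, dst_ip, dst_port, start, period, jitters):
    """Build constructed flow records (timestamp, src_host, dst_ip, dst_port)."""
    flows, t = [], start
    for j in jitters:
        flows.append((t, host, dst_ip, dst_port))
        t += period + j
    return flows


# Constructed traffic for three organizations. Two have a workstation calling
# the same external address every ~300 s; the third has only irregular traffic.
BEACON_JITTER = [0, 3, -2, 4, -1, 2, -3, 1]
ORG_FLOWS = {
    "state-agency-a": make_flows("ws-14", "192.0.2.44", 443, 1_700_000_000, 300, BEACON_JITTER)
    + [(1_700_000_010, "ws-14", "93.184.216.34", 443),
       (1_700_000_900, "ws-14", "93.184.216.34", 443),
       (1_700_002_100, "ws-14", "93.184.216.34", 443)],
    "county-court-b": make_flows("clerk-pc", "192.0.2.44", 443, 1_700_000_050, 300, BEACON_JITTER),
    "contractor-c": make_flows("build-01", "192.0.2.99", 22, 1_700_000_000, 120,
                               [0, 400, 15, 900, 5, 60, 2000, 30]),
}


def signature_alerts(flows):
    """Signature-based check: alert only when the destination is a known IOC."""
    return [(host, dst) for _, host, dst, _ in flows if dst in KNOWN_BAD_IPS]


def beacon_alerts(flows):
    """Behavioral check: flag (host, dst, port) tuples whose connection timing
    is suspiciously regular, whether or not the destination is a known IOC."""
    stamps_by_tuple = defaultdict(list)
    for ts, host, dst, port in flows:
        stamps_by_tuple[(host, dst, port)].append(ts)
    alerts = []
    for (host, dst, port), stamps in stamps_by_tuple.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        ratio = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if ratio <= MAX_JITTER_RATIO:
            alerts.append({"host": host, "dst_ip": dst, "dst_port": port,
                           "period_s": round(mean), "jitter_ratio": round(ratio, 3)})
    return alerts


def anonymize(org, alert):
    """Drop the organization name and internal host name before sharing; keep
    the external observable plus a keyed pseudonym so one organization's
    repeated reports are not counted as independent confirmations."""
    token = hmac.new(SHARING_KEY, org.encode(), hashlib.sha256).hexdigest()[:12]
    return {"org_token": token, "dst_ip": alert["dst_ip"],
            "dst_port": alert["dst_port"], "period_s": alert["period_s"]}


def correlate(shared_alerts):
    """Count distinct organizations reporting the same behavior. Seen by one
    organization it is worth investigating; seen by two or more it escalates."""
    orgs_by_dest = defaultdict(set)
    for a in shared_alerts:
        orgs_by_dest[(a["dst_ip"], a["dst_port"])].add(a["org_token"])
    return {dest: {"orgs": len(tokens), "severity": "high" if len(tokens) >= 2 else "medium"}
            for dest, tokens in orgs_by_dest.items()}


def run_pipeline(org_flows):
    """Per-organization detection, then anonymized sharing and correlation."""
    local, shared = {}, []
    for org, flows in org_flows.items():
        local[org] = {"signature": signature_alerts(flows), "behavioral": beacon_alerts(flows)}
        shared.extend(anonymize(org, a) for a in local[org]["behavioral"])
    return local, correlate(shared)


if __name__ == "__main__":
    local, community = run_pipeline(ORG_FLOWS)
    for org, result in local.items():
        print(org, "signature hits:", len(result["signature"]),
              "beacons:", [(a["dst_ip"], a["period_s"]) for a in result["behavioral"]])
    print("community view:", community)
```

Run as a script, the signature check reports zero hits for every organization, the behavioral check flags the 300-second beacon at the state agency and the county court, and the community view marks that destination as high severity because two distinct organizations reported it. The pseudonym is an HMAC rather than a plain hash so that a recipient cannot confirm a guessed organization name by hashing it; real sharing platforms may also strip the period or bucket timestamps, which this example omits.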

Address risks in the remote work environment. Many of the public sector employees who have been working remotely for the past year will probably continue to do so, at least part of the time. While this "new normal" offers benefits in employee satisfaction and productivity, it also challenges agencies to maintain security over time in environments they do not control. That means taking a fresh look at the unmanaged devices and home networks remote employees use to reach agency resources. One survey, for example, found that roughly 40% of public sector employees working remotely use personal laptops, tablets or smartphones to get their work done. Then there are the myriad other devices that may share the home network: printers, hard drives, keyboards, mice, gaming devices and even a spouse's work device. To address these issues, treat home networks as hostile public networks and consider supplying users with agency-configured devices that can be secured and managed centrally. It is also important to conduct cybersecurity training and simulations for all employees and to run tabletop exercises involving compromised credentials, ransomware, insider threats and other types of data breaches. With this approach, agencies can help ensure that the gaps are covered.



Case Study: Collective Defense Proves Its Value

Defense agencies wanted a way to ensure that their contractor and supplier partners could work together more safely. IronNet worked with contractors supporting the DoD mission to stand up a pilot: a private supply-chain IronDome supporting the Department of Defense. Built on IronNet's IronDefense network detection and response platform, the resulting solution lets the community collect, share and analyze anonymized threat information and receive advance warning of nation-state activity. The pilot surfaced several threats that other tools had not detected, including recently deployed attacker activity that the existing tools would not have been able to detect.

The approach is also effective at the state level. For one state court administration agency, a ransomware attack launched in the days surrounding the recent administration transfer prompted decision-makers to make changes. Goals included improving visibility into network behavior and identifying and investigating network behavioral anomalies that were not immediately recognized by existing defense-in-depth tools and strategies. To find its vulnerabilities, the agency deployed IronNet's network behavioral detection toolset, which showed evidence of nation-state activity, periodic beaconing and phishing, as well as holes in the existing network defenses that had allowed data exfiltration. As a result of these findings, the agency is committed to reviewing its log retention policy, creating a culture of testing updates from a security as well as a functionality perspective, and implementing behavioral network analytics to help find threats.

How IronNet Improves Threat Visibility

The IronNet Collective Defense platform combines network detection and response based on behavioral analytics (IronDefense) with collective threat intelligence through anonymized alert sharing (IronDome). This combination provides deep network insights, including early detection of unknown network threats, enhanced by the insights and experience of peers across the industry and beyond. Crowdsourcing knowledge in this way helps organizations identify new and novel threats, see things others might miss and find hidden threat actors. The approach is a force multiplier for analysts and threat hunters in the security operations center (SOC), helping them detect and prioritize threats. According to IronNet, 60% of a SOC team's alerts are already being worked by others in an IronDome. By improving a SOC's effectiveness in this way, analysts can take action more quickly, while cyber decision-makers gain the ability to make better use of existing resources, assess cyber risk on an ongoing basis and prioritize cyber projects and spending.

"The underlying concept of collective defense isn't new; agencies have been collaborating for some time," said Heather Young, Senior Director at IronNet. "The problem is that traditional collaboration is occurring too slowly to be useful, hence the need for real-time, anonymized threat-sharing to detect threats early in the intrusion cycle using analytics and correlations."

Learn more: https://www.ironnet.com/contact



Conclusion

For government agencies working hard to maintain strict cybersecurity boundaries, the concept of collective defense is especially relevant. The ability to crowdsource knowledge in an anonymized, real-time fashion helps agencies identify new and novel threats, see things others might miss and find hidden threat actors, while giving cyber decision-makers the ability to plan for current cyber risks and make better use of existing resources. Collective defense serves as an early warning system for all community members. Real-time feedback is essential for gaining the visibility and insight required to react immediately to active threats and adjust defenses to counter them. By banding together and working with peers, the public and private sectors can pool and optimize resources to achieve "defensive economies of scale" that let them keep up with and counteract cyber attackers.

ABOUT IRONNET

Founded in 2014 by General (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a high number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.

For more information, visit IronNet.com

ABOUT GOVLOOP

GovLoop's mission is to "connect government to improve government." We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.



1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop

