- Villainy loves company. Cybercriminals are as keen on trends as anyone else. They tend to move from one opportunity to the next in clusters, targeting previously exploited vulnerabilities and technologies to quickly maximize opportunity. One example is open web platforms used by consumers and businesses to build web presences. They continue to be targeted — including their associated third-party plug-ins — reinforcing the point that it is critical to apply patches immediately and to fully understand the constantly evolving world of exploits to stay ahead of the curve.
- Dual-purpose threats are being exploited. Attack methods often continue to develop even after gaining an initial foothold in a targeted network. To accomplish this while avoiding discovery, threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out their cyberattacks. This “living off the land” (LotL) tactic allows hackers to hide their activities in legitimate processes and makes them harder to detect. These tools also make attack attribution much harder. Smart defenders will limit access to sanctioned administrative tools and log their use in their environments.
How Agencies Can Combat This Threat Environment
These tactics can help state and local governments respond to this complex threat landscape.
- Scan, patch, repeat: Quickly respond to threat intelligence on new vulnerabilities, especially those in newer technologies that provide access to wide swathes of users (like CMS platforms). While attackers who move earliest on a new exploit will reach the most victims, don’t be fooled into thinking you are safe after the initial tide of attacks begins to taper off. Attackers will continue to scan for those vulnerabilities long after the patches have been released, even years later, to identify and exploit unprotected devices and systems.
- Defeat ransomware: Understand what ransomware attacks are targeting: geography, industry and vulnerabilities. Next, prioritize patching and continue to engage in end-user training to spot things like malformed URLs and phishing attacks. Finally, establish backup, storage and recovery activities, including storing backups off the network and scanning backups to detect hidden malware.
- Keep privilege escalation in check: Pre-installed tools like PowerShell and others can be exploited to escalate privilege and hide malicious code and attacks. Intent-based segmentation — which uses business logic to segment the network, devices, users and apps — can prevent lateral movement of LotL attacks.
- Get good intel on threats: Organizations need threat intelligence that enables them to detect and analyze threats now, and also to use that analysis to predict potential evolutionary points for malware. This means looking for threat intelligence sources that are not only broad and deep, but that also use artificial intelligence and machine learning capabilities to model future states. This external intelligence then needs to be combined with local data, such as data collected from sensors or extracted using sandbox technology, to detect and stop these “new” threats, even as they evolve.
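The two LotL recommendations above, restricting dual-use tools to sanctioned accounts and logging their use, can be turned into a simple review of process-creation logs. The following is an added example written for this article, not code from the original, and it assumes a hypothetical allowlist of admin accounts and a constructed set of Windows Security 4688 events normalised to key=value records:

```python
import base64
import re

# Constructed sample of Windows Security 4688 (process creation) events as key=value
# records, roughly as a SIEM would normalise them. Made-up data, not real telemetry.
SAMPLE_EVENTS = [
    'EventID=4688 User=CORP\\svc_patch Process=powershell.exe CommandLine="powershell.exe -NoProfile -File C:\\Scripts\\patch.ps1"',
    'EventID=4688 User=CORP\\jdoe Process=powershell.exe CommandLine="powershell.exe -w hidden -nop -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="',
    'EventID=4688 User=CORP\\jdoe Process=notepad.exe CommandLine="notepad.exe report.txt"',
    'EventID=4688 User=CORP\\svc_patch Process=powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -Command Get-Service"',
]
# Hypothetical allowlist of accounts sanctioned to run administrative tooling.
SANCTIONED_ADMINS = {"CORP\\svc_patch", "CORP\\admin.ops"}
# Pre-installed dual-use tools whose every launch should be logged and reviewed.
DUAL_USE_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "certutil.exe", "mshta.exe"}
# Switches that hide a PowerShell session or its code from casual inspection.
SUSPICIOUS = [
    (re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+\S+", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass"),
]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, quoted values may contain spaces

def parse_event(line: str) -> dict:
    """Split one key=value record into a field dictionary."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def decode_encoded_command(cmdline: str):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE) for analyst review."""
    m = re.search(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte length
        return None

def triage(lines: list) -> list:
    """Flag each dual-use tool launch by an unsanctioned account or with an obscuring switch."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688" or ev.get("Process", "").lower() not in DUAL_USE_TOOLS:
            continue
        cmd = ev.get("CommandLine", "")
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        if ev.get("User") not in SANCTIONED_ADMINS:
            reasons.append("unsanctioned account")
        if reasons:
            findings.append({"user": ev.get("User"), "reasons": reasons, "decoded": decode_encoded_command(cmd)})
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the hidden, encoded session from the non-admin account and the policy-bypass launch by the service account, while the routine patch script passes; the decoded payload is attached so an analyst can see what actually ran.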
The Cybersecurity Effort Is a Nonstop Battle
Recent high-profile attacks against state agencies, and even entire municipalities, underscore the importance of leveraging up-to-date information and technology to defeat the growing volume and sophistication of cybercrime.
CIOs in state and local government will serve their stakeholders well by tracking the latest cybercrime trends and carrying out the action items noted above.