Security

How to Defeat the Latest State and Local Government Cybercrime Trends

State and local agencies face threats ranging from ransomware to dual-purpose attacks, but they do have ways to fight back.

Anthony Giandomenico

Anthony Giandomenico, a senior security strategist/researcher and CTI lead at Fortinet, is an experienced information security executive, evangelist, entrepreneur and mentor with over 20 years of experience. In his current position at Fortinet, he is focused on delivering knowledge, tools and methodologies to properly demonstrate advanced threat concept and defense strategy using a practical approach to security.

The data-rich environments of state and local government networks make them ideal targets for attack. To illegally acquire that highly valuable data on individuals, financial transactions and critical infrastructure, cybercriminals are creating increasingly complex attacks.

To successfully combat these threats, CIOs need timely intel on the latest threats, combined with advanced tools and trained teams that are up to the task of preventing, detecting and responding to such attacks.

Below are insights from Fortinet’s “Q1 2019 Global Threat Landscape Report” that provide an analysis of some of the more popular and malicious trends that CIOs in the state and local arena need to understand if they are to properly protect their networks.

Key Cybersecurity Trends Affecting State and Local Agencies

Ransomware is still very much alive. Ransomware may not be as prevalent as in the recent past, as it has been replaced with more targeted attacks, but it is not out of the picture. Instead, multiple attacks from the first quarter of the year demonstrate it is now being customized for high-value targets to give the attacker privileged access to the network.
Attackers are keeping to the work week. After comparing web filtering volume for two cyber kill chain phases during weekdays and weekends, it became clear that precompromise activity is roughly three times more likely to occur during the work week, while post-compromise traffic shows less differentiation. This is primarily because exploitation activity often requires someone to take an action, such as clicking on a phishing email. In contrast, command and control activity does not have this requirement and can occur any time.
Let’s all share … infrastructure. The majority of threats leverage community-use infrastructure more than unique or dedicated infrastructure. Nearly 60 percent of threats shared at least one domain, indicating the majority of botnets leverage established infrastructure from the same set of public providers. IcedID a Trojan targeting the banking industry, is an example of this “why buy or build when you can borrow?” behavior. In addition, when threats share infrastructure, they tend to do so within the same stage in the kill chain; however, it is unusual for a single threat to leverage a domain for exploitation and then later leverage it again for its command and control traffic. Understanding which threats share infrastructure, and at what points in the attack chain this happens, enables organizations to look for specific traffic headed to or coming from a known destination, as well as to predict potential evolutionary points for malware or botnets in the future.

Nearly 60%

The percentage of threats shared at least one domain

Source: Fortinet’s “Q1 2019 Global Threat Landscape Report”

Villainy loves company. Cybercriminals are as keen on trends as anyone else. They tend to move from one opportunity to the next in clusters, targeting previously exploited vulnerabilities and technologies to quickly maximize opportunity. One example is open web platforms used by consumers and businesses to build web presences. They continue to be targeted — including their associated third-party plug-ins — reinforcing the point that it is critical to apply patches immediately and to fully understand the constantly evolving world of exploits to stay ahead of the curve.
Dual-purpose threats are being exploited. Attack methods often continue to develop even after gaining an initial foothold in a targeted network. To accomplish this while avoiding discovery, threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out their cyberattacks. This “living off the land” (LotL) tactic allows hackers to hide their activities in legitimate processes and makes them harder to detect. These tools also make attack attribution much harder. Smart defenders will limit access to sanctioned administrative tools and log their use in their environments.

How Agencies Can Combat This Threat Environment

These tactics can help state and local governments respond to this complex threat landscape.

Scan, patch, repeat: Quickly respond to threat intelligence on new vulnerabilities, especially those in newer technologies that provide access to wide swathes of users (like CMS platforms). While early adopters will be able to successfully target the most victims, don’t be fooled into thinking you are safe after the initial tide of attacks begins to taper off. Attackers will continue to scan for those vulnerabilities long after the patches have been released, even years later, to identify and exploit unprotected devices and systems.
Defeat ransomware: Understand what ransomware attacks are targeting: geography, industry and vulnerabilities. Next prioritize patching and continue to engage in end-user training to spot things like malformed URLs and phishing attacks. Finally, establish backup, storage and recovery activities, including storing backups off of the network and scanning backups to detect hidden malware.
Keep privileged escalation in check: Pre-installed tools like PowerShell and others can be exploited to escalate privilege and hide malicious code and attacks. Intent-based segmentation — which uses business logic to segment the network, devices, users and apps — can prevent lateral movement of LotL attacks.
Get good intel on threats: Organizations need threat intelligence that enables them to detect and analyze threats now, and also to use that analysis to predict potential evolutionary points for malware. This means looking for threat intelligence sources that are not only broad and deep, but that also use artificial intelligence and machine learning capabilities to model future states. This external intelligence then needs to be combined with local data, such as data collected from sensors or extracted using sandbox technology, to detect and stop these “new” threats, even as they evolve.

The Cybersecurity Effort Is a Nonstop Battle

Recent high-profile attacks against state agencies, and even entire municipalities, underscore the importance of leveraging up-to-date information and technology to defeat the growing volume and sophistication of cybercrime.

CIOs in state and local government will serve their stakeholders well by tracking the latest cybercrime trends and carrying out the action items noted above.

Chainarong Prasertthai/Getty Images