Cybersecurity remains a top focus for the Trump administration, and the Department of Homeland Security will soon unveil a new national cybersecurity strategy. Yet it’s clear that agencies are bedeviled by a series of IT security threats, according to a recent report from Cisco Systems.
The report, Cisco’s 2018 Annual Cybersecurity Report: Impacts on Government, which the networking vendor released a few weeks ago, makes plain that government is under assault from encrypted malicious traffic, that the cloud services that agencies are being urged to adopt can be weaponized against them, and that email security remains a key challenge.
To counter these threats, agencies need to ensure that they are building cybersecurity features and tools into their networks and systems as they deploy them, and not after the fact, says Will Ash, Cisco Systems’ senior director of security for the U.S. public sector. “We strongly believe it’s about baking it in at the front end,” he says. “That’s core to our strategy.”
Top Concerns: Encrypted Traffic, Cloud Threats and Phishing
Although the report calls out seven specific threats, Ash says there are three that really stand out when it comes to the federal IT security landscape.
The first is the rise in encrypted malicious web traffic. Cisco threat researchers report that 50 percent of global web traffic was encrypted as of October. As that volume grows, the report says, “adversaries appear to be widening their embrace of encryption as a tool for concealing their activity.” Cisco says its threat researchers “observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period” and that its analysis of more than 400,000 malicious binaries found that about 70 percent had used at least some encryption as of October.
“It’s interesting, as with most advancements in digital technology, encryption is a means to be more secure, and that’s why it’s being embraced, but with the [malicious] actors innovating the way they do, it’s also given them a powerful tool to commit their acts,” Ash says.
Encryption is meant to enhance security, Cisco notes, but it also allows attackers to conceal command-and-control (C2) activity, “affording them more time to operate and inflict damage,” the report says.
Cloud services also pose a threat. Cloud service providers and cloud advocates within agencies have promoted the security features of public cloud services, and initiatives such as the Federal Risk and Authorization Management Program have been set up to authorize and monitor the security of federal cloud services, but those services can still pose a threat, Cisco says.
“Attackers are taking advantage of the fact that security teams are having difficulty defending, evolving, and expanding government cloud and IoT environments. One reason is often the lack of clarity around who exactly is responsible for protecting those environments,” the report says. “To meet this challenge, public sector agencies may need to apply a combination of best practices, advanced security technologies like machine learning, and even some experimental methodologies, depending on the cloud services they use and how threats in this space evolve.”
When threat actors use legitimate services for C2 activities, “malware network traffic becomes nearly impossible for government agencies to identify because it mimics the behavior of their legitimate network traffic,” the report says. Using legitimate cloud-based services for C2 appeals to malicious actors because it is easy to register new accounts on these services, set up a web page on the publicly accessible internet, adapt and transform resources on the fly, and reduce overhead, which improves the return on their attacks.
Phishing and email attacks also remain a huge problem for feds, Cisco says. Ash says such attacks are still the “largest single” vector for attacks because they get right to the endpoint and user. DHS has mandated that agencies adopt an email security protocol known as DMARC, or Domain-based Message Authentication, Reporting and Conformance.
Ash says agencies need “powerful and comprehensive email security and defense” strategies that include technologies that can understand, monitor and block suspicious email traffic, and conduct remediation at the endpoint. Such solutions, he advises, should be able to communicate with an agency’s network architecture.
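As an added example (not from the Cisco report or this article), here is a small Python check of the kind a defender would run over a domain's published DMARC TXT record to confirm it parses and to see what enforcement it sets; the sample records and domain names are constructed placeholders.

```python
# Minimal DMARC TXT record parser and enforcement check. This is an
# illustrative example, not code from Cisco or DHS; sample records below
# are constructed.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()  # keys normalized to lower case
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, its strength rank, and findings a defender cares about."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("missing or invalid p= tag")
        rank = -1
    else:
        rank = POLICY_RANK[policy]
        if rank < POLICY_RANK["reject"]:
            findings.append(f"policy is p={policy}; spoofed mail is not rejected")
    pct = tags.get("pct", "100")  # DMARC default is 100 percent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return {"policy": policy or None, "rank": rank, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records: one fully enforcing, one monitor-only.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
                "v=DMARC1; p=none; pct=50"):
        print(rec, "->", assess_dmarc(rec))
```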
How Federal Networks Can Be More Resilient
The Cisco report outlines specific steps agencies can take to address the different threat vectors. In general, Ash says, agencies should invest in infrastructure to make their networks more intelligent and resilient. Those include investments that “actually have the cybersecurity hooks, [application programming interfaces] and functionality built in,” he says.
Agencies should consider adopting machine learning and advanced data analytics to analyze network traffic, identify patterns and act on issues “before they become problematic,” Ash says. Such automated tools can also help agencies facing shortfalls in cybersecurity talent. “The most important part is the visibility that can see everything,” Ash says.
Overall, Ash advises agencies to ensure that their network components can be integrated so that they can get that insight into their network traffic and potential threats.