Cyberattacks such as phishing, ransomware and malware have increased at an alarming rate this year, with agencies experiencing over 6.5 million attacks a day — a significant increase from 150,000 daily attacks before the pandemic. Awareness of the problem increased dramatically with the highly publicized SolarWinds Orion supply chain attack, in which multiple agencies were impacted.
Adversaries are targeting agencies. The Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released an alert in October to warn of the rise in ransomware targeting healthcare systems. The Treasury Department’s Office of Foreign Assets Control has also issued an advisory around the risks associated with ransomware payments. The list continues.
In our recent “2020 State of Encrypted Attacks” report, the Zscaler ThreatLabZ team found a close connection between the surge in ransomware and the continuing pandemic. There has been a 500 percent increase since March 2020 in ransomware attacks delivered over SSL/Transport Layer Security (TLS) channels specifically, and the public sector is one of the five sectors most often targeted with ransomware attacks.
The research shows that 80 percent of all traffic uses SSL/TLS encryption by default. While agencies know encrypting traffic with SSL and TLS is the standard way to protect data in transit, cybercriminals are now sneaking past security tools that do not fully inspect encrypted traffic and embedding malware inside that traffic.
As the percentage of encrypted traffic continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. Ransomware attacks delivered over SSL-encrypted channels are the next evolution of this highly destructive attack vector because this makes the attacks harder to detect.
REGISTER: Sign up for free to hear cybersecurity expert Theresa Payton discuss today’s pressing IT security challenges.
Encryption and Inspection to Maintain Operations and Security
SSL inspection is the only effective way to block the malicious files delivered, because security engines cannot block what they can’t see. The problem is that legacy security tools like next-generation firewalls often cannot provide the performance and capacity needed to inspect SSL traffic at scale. This leads organizations, including government agencies, to sometimes sacrifice security by allowing encrypted traffic to pass uninspected in order to keep operations and workflows moving.
Further, agencies must create separate policies for how specific types of data are inspected. As federal employees work from anywhere and data is spread through multiple locations across various cloud environments and data centers, these policies must be replicated across locations, leading many agencies to skip this practice altogether. How can agencies decrypt, inspect and re-encrypt all traffic while maintaining operations for users on and off the network? Agency IT leaders should look to deploy the following tools.
- Cloud-Based Proxy Architecture to Decrypt, Detect and Prevent Threats in SSL Traffic: With a cloud-based proxy architecture, agencies can monitor encrypted traffic for threats and breaches in a timely and cost-effective manner. In addition, with machine learning, agencies are able to proactively scan for threats in real time to stop potential attacks in their tracks and secure their infrastructure.
- Sandbox Approach to Quarantine Unknown Attacks: Adversaries are constantly advancing and exploiting vulnerabilities in new ways. Specifically, ransomware attacks have become more sophisticated, targeting individual agencies and exposing them to new malware. To combat this, agencies need to adopt a cloud-based platform approach that uses artificial intelligence to isolate and eliminate the threat. Traditional sandboxing approaches are no longer reliable, as the first unknown file will always be missed, allowing files to reach the target before being properly analyzed. AI allows agencies to analyze inbound files before delivery, reducing potential threats within the agency.
- Secure Access Service Edge for Secure User Access: Agencies should adopt a secure access service edge (SASE) framework so federal employees can continue to work from anywhere, and to ensure access to applications and a secure IT environment. SASE flips the security model to focus on securing the user/device rather than the network. By moving essential security functions to the cloud, SASE ensures optimal bandwidth, comprehensive security and a consistent experience, no matter where the user or data is located.
- Zero Trust to Reduce the Attack Surface: Agencies are turning to a zero-trust model to ensure secure access for all intended users. Zero trust means that before users can gain access to applications, IT administrators must first verify and authorize each user. This trust must be continually reassessed as it starts to decompose over time.
Traditional firewalls publish applications on the internet, where they are easily accessible by bad actors. This approach also provides poor visibility and security for IT teams to manage the environment.
Instead, with a zero-trust model, applications are never exposed to the internet, and users are not placed on the network. Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data — reducing the attack surface and giving IT teams some peace of mind as they monitor their environments.
Protecting Traffic at Rest and in Transit from Start to Finish
Decrypting, inspecting and re-encrypting traffic must be a top priority for all agencies going forward. No agency is immune to security threats, but agencies can take a threat-based approach to security and adopt a defense-in-depth strategy that can scale as needed to support SSL inspection from start to finish.
Think of it as if you were boarding a plane and you found out that no one was securely checking all the bags. Would you feel safe on that plane accepting that risk? SSL is the baggage, and agencies need to be checking all packets coming and going.
A cloud-native, proxy-based security platform meets the bandwidth and security demands of agencies’ traffic by elastically scaling computing resources and providing consistent policy enforcement across multiple locations.
Attackers are getting smarter and more cunning with every attack, as we can see with the current Sunburst backdoor issue. The only way to protect is defense in depth. Make sure your partners are nimble and can react immediately to leverage countermeasures to enhance coverage wherever required across the multiple layers of your security platform.
EXPLORE: Read our roundtable discussion on how federal agencies are approaching zero trust.