With transition coming, what lessons can public and private sector organizations share on cybersecurity?
In the midst of receiving the results of the 2020 presidential election, we’re faced with a potential administration change. As such, we’re entering a period of transition that raises questions about the best way to protect our nation’s digital infrastructure from nefarious actors wishing to cause harm to our systems.
Comparing how the private sector operates with how the public sector does, the past few years have brought into sharp focus the benefits and drawbacks of each sector's approach to cybersecurity. Looking forward, we see the fates of both becoming more intertwined, as sophisticated and brazen cyberattacks deploy similar TTPs (tactics, techniques and procedures). After all, phishing and ransomware campaigns don’t care whether you have a .com, .gov or .org email address, and non-state eCrime actors are taking advantage of remote working conditions whether you work for a corporation, a city government or a federal agency. In fact, since March 2020, CrowdStrike has observed a 330% increase in cyber threat actors deploying malicious files using COVID themes. And in the six months from January to June, CrowdStrike’s threat hunting team, OverWatch, observed more hands-on-keyboard intrusions than were seen throughout all of 2019.
In recent weeks we have seen a diversification in tactics, including the China-based nation-state actor PIRATE PANDA using COVID-19-themed lure documents to launch attacks, as well as a 112% increase in distinct and sophisticated (hands on keyboard) intrusions compared to that of the entirety of 2019. Increasingly worrisome is the fact that eCrime actors are using more Ransomware-as-a-Service methods to catalyze the spread and velocity of attacks. Ransomware actors are even moving to extortion tactics, where they are stealing sensitive files and threatening to release them if they are not paid. Data-as-a-weapon, a tactic previously only used by a nation-state, is now being harnessed by the common eCriminal.
These threats aren’t abating, and currently, siloed and isolated threat abatement will not be enough in the face of sophisticated international operations. So what can these types of organizations learn from each other? Which existing organizational tendencies can be learned to instill better cybersecurity hygiene? And how can both public and private segments of the market take advantage of collaborative and real-time services like cloud-based protection in the face of adversaries?
In a world where ransomware actors are increasingly moving to more shameless tactics including extortion, the answer is sometimes a tough pill to swallow.
History matters: how public sector institutional memory protects us
When looking at private companies, especially those of an entrepreneurial bent, we observe a lack of institutional knowledge that public organizations often have in spades. On the whole, government and public sector organizations understand that an attack on one arm of the government will naturally impact another area of the government. As is the nature of complex bureaucracy, the cascading effect of communicating from umbrella organizations downward (for instance, a memo issued from the head of an agency down into sub-agencies) means that collective knowledge touches many. Additionally, beyond political appointees, established government agencies at all levels are built by workers who remain at their posts for many years and are trained by fellow public servants who brought their own tenured knowledge with them. So when a threat presents itself, the baseline evaluation of the environment may already be established by agency staffers with a wealth of experience to help make decisions, and years of work in the same environment provide much-needed context.
For private sector companies — smaller ones in particular — it can be a lot harder to benefit from security economies of scale, especially if the security solution tasked with protecting the company isn’t cloud-based. In major threat cases, history and context matter, a luxury that a brand-new company may not have. Companies lacking tenure may find it difficult to establish their own environmental baseline, leaving them at risk of not knowing what they don’t know. Smaller companies often have challenges of their own, as they may not understand that their managed security service provider (MSSP) leaves them responsible for investigating their own vulnerabilities. And with no history or investigation artifacts to draw upon, smaller and newer companies alike could be at risk of being unable to conduct a retroactive investigation in the event of a security incident.
But can they move? Why private sector entrepreneurial nimbleness can be crucial
On the flip side, smaller, more nimble private sector companies do have an advantage, as they are able to react and adapt their actions far more quickly than most government organizations. In the face of an attack, a private company can typically engage all of the key stakeholders and resources, without fear of political interference, in order to investigate, contain and remediate in a timely manner.
As such, these companies can learn from past attacks and anticipate future ones faster than most public sector organizations. A critical component fueling this advantage is the ability of private sector organizations to pull in external security partners far more quickly, without having to cut through tons of red tape. When internal security teams are augmented with external resources dedicated to proactive threat hunting, that is, operators who conduct hypothesis-driven investigations using real-time attack telemetry, the result is a force multiplier that provides the speed and agility required to get ahead of malicious actors.
As unfortunate as it is, public sector organizations are far too under-resourced and far too burdened with sifting through all the noise and alerts generated by their security apparatus, which is all the more reason why they need to invest in third-party threat hunting measures before a threat presents itself. Additionally, a third-party threat hunter is not easily constrained by organizational blind spots, allowing them to stay focused and see around corners that a slower-moving bureaucracy cannot. In the face of increasing threats, public sector organizations would be well served to pivot and react more nimbly, or at least to have the ability to rely on a third-party partner to do so for them.
When it comes to cybersecurity, we’re all in this together
Agencies and organizations in both sectors would do well to understand that battling increasingly sophisticated cyber threats is not a solo quest. It can be isolating and disheartening to endure an attack and its ramifications, but that is not a reason to shut off and pull away from your peers or pull all of your cybersecurity needs in-house. In fact, an attack is precisely the time to draw on the collective knowledge of a broader ecosystem of players, because a threat against one organization could be indicative of a more pervasive threat across an entire industry.
In the face of bad actors, now is the time to ensure that every organization invests in a cloud-native, always-on cybersecurity platform. Speed is the name of the game – for both the offense and the defense. And when you don’t have the resources or tooling to operate with speed, then lean on a partner with the depth and breadth of knowledge and experience to deploy the 1:10:60 rule: one minute to detect, ten minutes to investigate, and sixty minutes to remediate. The outcomes achieved by this benchmark can only be reached if you’re able to clearly see the entire picture, understanding the full context of how local attacks fit in against the broader global threat landscape.
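To make the 1:10:60 benchmark measurable, here is an added example (not from the post or from CrowdStrike's own tooling) that scores constructed incident timelines against it. It assumes each phase is measured between consecutive milestones in a hypothetical SOC export, and that a phase with no end milestone is still open rather than a breach.

```python
from datetime import datetime, timedelta
# 1:10:60 thresholds from the post: one minute to detect, ten to investigate, sixty to remediate.
THRESHOLDS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}
# Assumption for this example: each phase runs between two consecutive milestones.
PHASES = [("detect", "intrusion_start", "detected"),
          ("investigate", "detected", "investigated"),
          ("remediate", "investigated", "remediated")]
# Constructed sample timeline (hypothetical SOC export): incident id, milestone, UTC timestamp.
SAMPLE_EVENTS = """\
INC-001,intrusion_start,2020-11-10T14:00:00
INC-001,detected,2020-11-10T14:00:40
INC-001,investigated,2020-11-10T14:08:10
INC-001,remediated,2020-11-10T14:45:00
INC-002,intrusion_start,2020-11-11T02:15:00
INC-002,detected,2020-11-11T02:19:30
INC-002,investigated,2020-11-11T02:27:00
INC-002,remediated,2020-11-11T04:02:00
INC-003,intrusion_start,2020-11-12T09:00:00
INC-003,detected,2020-11-12T09:00:30
"""

def parse_events(text):
    """Group milestone timestamps by incident id."""
    incidents = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        inc, milestone, ts = line.split(",")
        incidents.setdefault(inc, {})[milestone] = datetime.fromisoformat(ts)
    return incidents

def score_incident(milestones):
    """Per-phase minutes, phases breaching 1:10:60, and phases still open (no end milestone yet)."""
    minutes, breached, open_phases = {}, [], []
    for phase, start, end in PHASES:
        if start not in milestones or end not in milestones:
            open_phases.append(phase)  # incident not finished; later phases cannot be scored
            break
        elapsed = milestones[end] - milestones[start]
        minutes[phase] = round(elapsed.total_seconds() / 60, 1)
        if elapsed > THRESHOLDS[phase]:
            breached.append(phase)
    return {"minutes": minutes, "breaches": breached, "open": open_phases}

def score_all(text):
    return {inc: score_incident(ms) for inc, ms in parse_events(text).items()}
```

Running `score_all(SAMPLE_EVENTS)` shows INC-001 meeting all three targets, INC-002 breaching both detection and remediation, and INC-003 still open in the investigation phase.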
True security in the face of cyberattacks is much more than IT hygiene and checking a compliance box. True security is proactive security – which can only be achieved if you are able to learn from threats against you and other organizations at the same time and in real-time. Proactive security requires additional support from external partners, and the ability to leverage capabilities that detect hands-on attack measures as the attack is happening. All the more reason to ensure that any program or partner you engage with to protect your systems is cloud-based, always-on, and learning from the greater threat landscape.
Because as we enter into this period of transition, we will all be better protected if we engage in collective efforts against cyberattacks.
James Yeager is vice president of public sector and healthcare for CrowdStrike