State-sponsored cyberattacks against Federal Agencies are here to stay. There are simply too many ways to attack computing infrastructure, it’s inexpensive compared to conventional warfare, and it’s possible for nations to deny any involvement in an attack.
Cyberattacks on one nation by another can have many purposes. They might attempt to damage infrastructure, or to gather or expose secret information, or test an adversary’s readiness, for example. Probably among the first of the widespread malware was Stuxnet, thought to be developed by the United States and Israel to attack the programmable logic controllers operating Iran’s nuclear capabilities. Stuxnet is also dangerous in that it can attack manufacturing systems of many different types.
And of course, nations also use cyberattacks to spread misinformation. It can be one way to spread discontent and conduct psychological warfare. Last, they could get personal data on citizens that can be sold on the open market. Despite this wide variety of motivations, many state-sponsored attacks are financial in nature, according to the 2021 Verizon Data Breach Investigations Report. In fact, all of these purposes are common.
Nation cyber attackers can be directly employed by the state, perhaps by the military or spy agency, or they could be independent groups secretly funded and supported by the state. The latter approach may be more difficult to detect by the agency or group being attacked.
What Can a Federal Agency Do?
Governments have specific tools for combating nation-state attacks, some of which are not available to private enterprises. For example, the Federal government can recall its ambassador from a foreign country, eject another country’s diplomats, restrict their movements within the country, or freeze and seize bank accounts.
All of those can be powerful retaliatory weapons, although they tend to be available equally to both sides in a state dispute. Still, it can help get bad actors physically away from the systems they are attacking, and it could make attacks expensive. Governments tend to hesitate using these weapons because the response from the other country can be so uncertain.
Educate Users to Recognize Attacks
Fortunately, more common approaches from industry and enterprises can also help minimize the attack surface. One important approach is to educate computer users and keep them informed on cybersecurity trends, such as knowing what an attack might look like and reporting it quickly. Users can also be taught to recognize and appropriately respond to social engineering incidents, so they don’t fall for trickery.
This also means that regular communications between IT staff and internal computer users is essential. Both groups have to be comfortable talking to one another about cybersecurity on a regular basis, and freely exchange information.
Using Tools and Automation
State-sponsored attackers usually have a lot of talent and resources at their disposal, making it important for agencies to use automation in response. But automation by itself isn’t enough. Agencies often have lean staffing, and need to be able to make their cyber investigations as efficient as possible.
Agencies can also use proactive threat hunting, or actively looking for attackers who have already breached the network. Using proactive threat hunting is a fast way of determining if someone has already breached your network, before they lock you out or start stealing data.
Gurucul provides risk-based analytics to help quickly find and identify attacks, no matter where they might come from. This also includes insider threats, so that malicious employees can be caught based on the risk their activities indicate.
User and Entity Behavior Analytics (UEBA) is one approach used for insider threats. Federal agencies can monitor individual behaviors, both on the network and otherwise in the agency. For example, in the 1980s Aldrich Ames, then a CIA agent, began selling highly classified information to the Soviets for hard cash. Despite evidence that he was living well above his means, it took several years and incalculable damage to arrest him. UEBA can be one possible automated way of identifying personal characteristics that can be indicative of a bad actor.
The Gurucul Risk Analytics platform comes with over 2500 machine learning (ML) models, which have the ability to “learn” normal activities and better recognize potential breaches and threats. By using algorithms to better spot risk, Gurucul can help SOC analysts figure out where real threats may be coming from.
Taking Charge of Agency Cybersecurity
Federal Agencies are hit by cyberattacks on a regular basis, sometimes for ransomware purposes but also for state-sponsored reasons. According to security consultancy PurpleSec, the largest proportion of breaches are in government agencies. Federal agencies have a big responsibility for protecting their networks, both to protect confidential data and to prevent the loss of use of systems. Knowing what to do to look for and remediate a breach is an important step in that direction.