Government agencies and other organizations need a comprehensive understanding of activity in their IT environments to better protect themselves against modern attackers, advised Mark Bowling, Chief Risk and Information Security Officer at ExtraHop.
Agencies focused on developing resilience in the face of cyberattacks need to not only track everything happening on their networks, but also to recognize the significance of that activity, said Bowling, speaking on April 11 at the CrowdStrike Government Summit in Washington, D.C.
“It’s not enough to have visibility,” he said. “You have to see your environment, but you also need the right level of expertise to understand what that activity means in your environment. You need to have both visibility and understanding to gain perspective on the attacker. Being perceptive to the attacker is key.”
Knowledge is the key to cyber resiliency, added Russell Marsh, Director of Cybersecurity Operations for the National Nuclear Security Administration. Agencies need to know what’s going on inside their networks, and they need tools or expertise to identify threats, he added.
Bowling urged representatives of agencies attending the summit to reach out to the broader community of cybersecurity professionals. He recommended that agencies become active in appropriate Information Sharing and Analysis Centers (ISACs) to ensure that their respective agencies are able to contribute to and understand the operational needs of the civilian organizations represented by the ISACs.
The U.S. government has a responsibility to be resilient against cyberattacks and to protect citizens and organizations operating in the country, he said.
Agencies are seeing attackers become increasingly organized, noted Jeff King, Deputy CIO at the U.S. Department of Treasury and acting CIO at the IRS. The agency has been fighting regular distributed denial-of-service attacks for six weeks, he said, taking valuable resources away from other cybersecurity duties.
He sees newer business models in the attacker world, with brokers selling access to breached organizations, and successful ransomware attackers selling the data to other groups.
CrowdStrike, an ExtraHop technology partner, is seeing many of the same issues. The CrowdStrike 2023 Global Threat Report found that adversaries are increasingly outsourcing their attacks to brokers who sell access to breached organizations.
The report saw a 112% increase in advertising by breach brokers between 2021 and 2022, noted George Kurtz, President, CEO, and Cofounder of the cybersecurity provider, during his event keynote, adding that attackers “leverage access brokers as a force multiplier.”
Kurtz warned that the cyberattack landscape is changing rapidly, with the average time between the point when attackers breach an IT system until they can move laterally across the network dropping significantly in the past year.
Cybersecurity can be more difficult for government agencies that are dealing with budget constraints, legacy IT systems, and uneven deployment of newer technologies, Kurtz said. He compared government digital modernization efforts to changing parts on an airplane when it’s in the air.
The 2023 threat report found that the time it took for attackers to begin moving laterally from the initial point of compromise decreased from 98 minutes in 2021 to 84 minutes in 2022.
The question for defenders is, “Are you faster this year by 14 minutes?” he said. “Can you get to 84 minutes?”
Many organizations take days, weeks, or even months to find attackers in their IT systems, he added. “When we think about the adversaries, they are actually looking at a watch; they are not looking at a calendar,” he said.