While talking with a few federal security analysts at the recent GFIRST Conference, I was reminded of just how challenging the job of information security really is at the government level today. Most anyone who follows security knows that state and federal agencies have been repeatedly targeted in the recent rash of network breaches. However, the thing that really stands out to me is that these agencies are in actuality engaged in a battle on at least two fronts, each with unique adversaries who use very different techniques and have very different goals. On the one hand you have decentralized, opportunistic attacks driven by political motivations, such as those of the hacking group Anonymous, and on the other you have very well organized and targeted attacks supported by nation-states and organized crime. Both of these classes of threat are very real, but they take very different approaches to breaching the network. Let's take a look at both of these scenarios in turn.
Anonymous and the many groups similar to them are, at their heart, politically motivated and as such are more than happy to have their battles in public. As a case in point, the recent AntiSec campaign has seemingly deviated away from whistle-blowing activities to simply attempting to embarrass the government by publishing email exchanges, login credentials, internal documents, and personal information of government employees and actively serving personnel. The targets of the attacks have been equally opportunistic, spanning federal, state and local government, all levels of law enforcement, and the U.S. military.
In terms of technique, many of the breaches have been relatively straightforward, relying on SQL injection and targeting known vulnerabilities in exposed websites and resources. The challenge for this type of attack is not the innovation of the attacker per se, but rather the enormity of the attack surface. The next-generation firewall can help reduce the attack surface and enforce policies based on application and user that can significantly reduce the exposure.
While keeping up with Anonymous-style attacks could be a full-time job on its own, the government is also engaged with a very different type of adversary. In this case the key operators are nation-states and organized crime, who are far more targeted, organized and stealthy in their approach. These attacks represent even more risk simply due to the strategic nature of the information being targeted.
Targeted attacks typically begin with a spear-phishing campaign focusing on carefully selected and researched individuals. The targeted user is compromised with malware (often by a drive-by download), and the infected machine can then be used to expand the operation deeper into the network and into more secure areas. These attacks have all the hallmarks of today's most sophisticated attacks, such as customized malware, advanced command-and-control infrastructures, and heavy reliance on evasion techniques that allow the attack to hide from traditional security solutions. (You can learn more about the lifecycle of these attacks in our recent Threat Review.)
For these attacks, full visibility and control of traffic at the application level is an absolute prerequisite. Targeted attacks excel at circumventing security controls throughout the lifecycle of the attack, and security staff must regain control in each of these steps:
While these are hopefully helpful examples, the common thread across all of them is the need to have full visibility across all types of applications and users. Attackers of all types thrive on their ability to find and exploit our assumptions, whether it's an evasive botnet hiding traffic on a non-standard port, or simply a user who is unprotected by IPS when outside the office. The real key is the need for full, consistent visibility and control of all our traffic.
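The two controls discussed above, application-and-user policy enforcement and spotting an application running on a port it should not use, can be illustrated with a small detection script. This is an added example, not code from the original post or from any firewall product; the log format, the expected-port table, the user groups and the policy table are all constructed assumptions standing in for what a firewall's application identification would produce.

```python
"""Flag application/port mismatches and enforce a user+application policy.
Added example: the record format, EXPECTED_PORTS, GROUPS and POLICY are
constructed assumptions, not any vendor's real schema."""
import ipaddress
from collections import namedtuple

# Constructed sample log: user, source IP, destination IP, destination port,
# and the application the firewall identified from the traffic itself.
SAMPLE_LOG = """\
alice,10.1.1.5,203.0.113.10,443,ssl
bob,10.1.1.9,198.51.100.7,443,ssh
carol,10.1.1.12,192.0.2.33,8080,irc
alice,10.1.1.5,203.0.113.44,80,web-browsing
dave,10.1.1.20,203.0.113.10,53,dns
eve,10.1.1.21,198.51.100.9,53,http-tunnel
"""

# Ports each identified application is expected to use (assumed table).
EXPECTED_PORTS = {
    "ssl": {443}, "web-browsing": {80, 8080}, "ssh": {22},
    "dns": {53}, "irc": {6667, 6697},
}

# Positive allow-list keyed on user group and application (assumed).
# Anything not listed is a violation, so unknown apps such as a tunnel fail.
GROUPS = {"alice": "staff", "bob": "admins", "carol": "staff",
          "dave": "staff", "eve": "staff"}
POLICY = {
    "staff": {"web-browsing", "ssl", "dns"},
    "admins": {"web-browsing", "ssl", "dns", "ssh"},
}

Record = namedtuple("Record", "user src dst dport app")

def parse(log_text):
    """Turn the CSV-style sample into Record tuples, validating the IPs."""
    records = []
    for line in log_text.strip().splitlines():
        user, src, dst, dport, app = line.split(",")
        for addr in (src, dst):
            ipaddress.ip_address(addr)  # raises ValueError on garbage
        records.append(Record(user, src, dst, int(dport), app))
    return records

def port_mismatches(records):
    """Known applications seen on a port they are not expected to use."""
    return [r for r in records
            if r.app in EXPECTED_PORTS and r.dport not in EXPECTED_PORTS[r.app]]

def policy_violations(records):
    """Connections whose (group, application) pair is not explicitly allowed."""
    return [r for r in records
            if r.app not in POLICY.get(GROUPS.get(r.user), set())]
```

Note that the tunnel on port 53 is caught only by the positive policy check, not by the port table: an unknown application on a well-known port is exactly the case that port-based filtering alone misses.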