How can government agencies prevent cyberattacks?
James Thorpe
Share this content
While working in the public sector and private sector have many differences, one characteristic is similar: cybersecurity and threats. Both sectors feel the pain of not having a sufficient community of trained and available security staff to hire, both are constant targets of phishing and related social engineering attacks and both are trying to balance the three-pronged attacks of the pandemic, the relocation of employees to work-from-home status and increased risks from attacks on cloud assets.
The current pandemic is having a major impact on all levels of government. Aside from the financial impact the pandemic is having on the private sector, government IT professionals are facing the following challenges:
- Workers are being required to work from home
- IT and security staff must provide WFH employees with new equipment, which has major implications for IT budgets
- Users are connecting to government networks from untrusted and often compromised home networks
- Users are employing personal equipment and IoT devices to connect to government networks and clouds that might not be secured to the governmental agency’s security standards
However, governments have other concerns as well. Government operations potentially can impact much larger groups of people than a corporate attack. Depending on the government entity targeted, the effect could impact critical infrastructure at all levels. The COVID-19 effect of draining critical financial resources to fund purchases of hardware and software for newly displaced employees, plus expenses for significant increases of cloud services and, in some cases, a forced digital transformation from on-premises data centre to cloud-based assets, is putting a strain on both financial and staffing resources.
From the citizenry perspective, the pandemic has opened the proverbial Pandora’s box of fake “official” websites devoted to COVID-19, misinformation from websites purporting to be the Centers for Disease Control and Prevention and other government and medical facilities that actually are watering holes for malware and ransomware attacks on hospitals delivered in emails purporting to be information about COVID-19.
A joint advisory group from US and UK security agencies was formed to protect the intelligence communities from becoming victims of attacks, particularly from advanced persistent threats from groups targeting individuals and organisations with malware. In March 2020, Infoblox observed a malicious spam (malspam) email campaign that used a fraudulent Coronavirus alert from the World Health Organization (WHO) to deliver Trickbot banking malware. We also observed a series of campaigns using COVID-19 or Coronavirus-themed spam emails to distribute the Agent Tesla information stealer (infostealer).
What can government agencies do to defend themselves against such attacks?
While public and private sectors have some differences when it comes to issues such as disclosure and confidentiality, the basis is the same. At the core is user education. Helping government employees understand good cybersecurity hygiene is essential. With the vast majority of office-based government employees working at home, agencies need to focus on the basics of identity management; implementing zero trust in order to protect networks from untrusted users, devices, applications and network connections; and ensuring that data is protected from unauthorised egress and access.
For those governmental agencies without existing threat intelligence capabilities, now would be a good time to invest in a comprehensive program that includes a mix of traditional data feeds, specialised feeds focusing on specific requirements for a given agency, an open source intelligence (OSINT) feed and greater emphasis on understanding the threat intel an agency already is generating from its existing SIEM systems and related log systems.
Government agencies also should take advantage of several emerging technologies to further enhance their existing security policies. For example, security orchestration, automation and response (SOAR) enhances the speed and reliability of existing operations. For cloud-based operations, a cloud access security broker (CASB) is on-premises or cloud-based security policy enforcement placed between cloud server consumers and providers. It interjects enterprise security policies as cloud-based assets are accessed.
Continuous management and monitoring add another dimension to protecting government networks. As a key target of bad actors and nation-state cyberattackers, continuous monitoring is essential; any lapse can let attackers have access to a system, even if just momentarily.
So, how can government agencies protect themselves and their employees from potential losses? Generally, the best practices for corporations apply to government agencies as well.
Cybersecurity guidelines for government organisations
- Use advanced DNS protection to defend against the widest range of DNS-based attacks
- Use a DNS firewall that automates malware protection.
- Detect and prevent data exfiltration by utilising DNS-based analytics.
- Use a centralised, cloud-managed, provisioning, management and control solution, designed with the modern borderless enterprise in mind. This is what is needed to eliminate the management complexity and bottlenecks of the traditional branch office DDI (DDI is the integration of domain name system, dynamic host configuration protocol and IP address management into a unified service or solution).
- Deploy a virtual DDI appliance on a public or private cloud, which can enable you to deploy robust, manageable and cost-effective appliances.
- Have an Incident Response and Backup Plan. Test the plan on a consistent basis and adjust as necessary.
- Have a consistent security policy across all platforms. For example, if you are leveraging cloud services, ensure they are secured as you would on premises.
- Ensure you are actively monitoring and managing DNS within your organisation.
- Use comprehensive threat intelligence to proactively block malicious DNS threats.
- Monitor and manage the behaviour of DNS in your environment — black-lists are not enough, you need to ensure that the protocol is behaving as appropriate.
- Restrict use of DNS over TLS (DoT) and DNS over HTTPS (DoH) on assets and on the network.
- Know where your users (assets) are going from a DNS perspective, no matter where they are located (on premises, working remotely, etc.). Have a 360 degree view of all assets.
- Automate responses where possible to leverage your current infrastructure. There is no silver bullet when it comes to security, but you can solidify your posture by using defence in depth and automation.
By Wissam Saadeddine, Senior Manager – MENA at Infoblox