From Hunted to Hunter: Building a Proactive Government Cybersecurity Strategy

Cybersecurity professionals can take a more proactive stand against malicious actors by using their tactics against them.

Cybersecurity professionals can take a more proactive stand against malicious actors by using their tactics against them. SHUTTERSTOCK


Connecting state and local government leaders

COMMENTARY | Thinking like the enemy can improve state and local officials’ cybersecurity defenses.

Cybersecurity used to solely focus on keeping bad actors out of the network. Now, it’s clear that it’s almost impossible to keep malicious actors out indefinitely. In all likelihood, someone is probably already inside your network as you read this.

The never-ending stream of news reports announcing a new city has been hit by a ransomware attack proves that sophisticated attackers are increasingly working to get over, under and around state and local government cyber defenses.

Until recently, implementing cybersecurity measures has largely been reactive. Most security officials assumed that bad actors would stick to the traditional playbook of breaking and entering through the virtual front door. Naturally, security officials developed solutions to block them on the way in, looking for known threat signatures and indicators of compromise. But today’s threats—especially from well-funded cybercriminals looking for the next big opportunity—are much harder to block if you only look for suspicious activity at the point of entry.

Now is the time to reassess how we defend networks by thinking like the adversary and taking a proactive defensive approach.

Reimagining Cybersecurity

Understanding the adversary’s methods of attack and associated behaviors is critical to progress beyond the decades of incremental change in cyber defenses. One framework that helps to do that is MITRE ATT&CK.

According to MITRE, a not-for-profit that manages federally funded research and development centers, "ATT&CK is an adversary behavior model that describes the actions an adversary may take to compromise and operate within a network." This framework gives threat hunters a common vocabulary to describe attacker tactics and provide the basis for teams to build their own hypotheses about the possible intrusion and search for threats.

Maturing your threat hunting program with ATT&CK requires you to focus on data collection early in the process. Successful threat hunting means searching all available data to determine what’s relevant, what’s benign and what’s a real cause for concern. This means collecting and analyzing anything and everything on local and remote networks such as applications, endpoints databases, platforms, cloud, API gateways, logs and firewall. In other words, you cannot find the needle in a haystack without the haystack.

Hunting at the Speed of Threats

The core of good defense is speed. Security is one of the few jobs in the world where we constantly fail, but that doesn’t make us failures. Incidents happen every day, like a laptop being compromised or a server attacked. But successful security teams are the ones that stop the incident before it becomes a breach.

The key to a speedy response is the ability to scope the incident completely and faster than the adversary that’s attempting to steal or damage your data. The increasing amount of data creates an additional challenge of increasing the time it takes to search. Indexing and searching need to happen in real time to account for new information pouring into the system, and all of an agency’s data must be included to make sure nothing is missed.

Fortunately, there are products that can meet these requirements, enabling security personnel to automate the process of enriching, filtering, analyzing and visualizing the information quickly and coherently. This allows IT operations and security teams to prioritize more strategic tasks and focus on bringing human intelligence into the threat hunting process. Recognizing where systems are vulnerable, as well as what “normal” looks like for a specific environment, helps threat hunters spot inconsistencies that could indicate a breach.

We’re In This Together

The adversaries and issues faced by government and commercial organizations are the same. The significant difference is the amount of security resources each is able to commit. A lack of budget has been the top issue cited by state government chief information security officers in the biannual NASCIO/Deloitte cybersecurity survey since it began, with the majority of states spending 1-2% of their IT budgets on cybersecurity. Contrast that with the 2020 State of the CIO report, which found private sector organizations spend an average of 16% of overall IT spend on security. 

The security community knows that state and local governments have limited resources. That’s why organizations like MITRE and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are at the forefront of helping to share resources, best practices and information about new threats and potential solutions. With experts from government, industry and academia, these groups provide a broad spectrum of insights, including how to develop a threat hunting strategy that fits an organization’s IT environment, budget and culture.

Cybersecurity is a technology issue, but it’s also a human one. When faced with new challenges, people often turn to new technology, but it’s security analysts who develop new ideas, threat intelligence and approaches to prevent bad actors from impacting the systems that are so important to keeping government functioning—no matter how elusive and clever they may be. It is important to pick the right cybersecurity technology for your defenses, but that investment needs to be a distant third behind the people running the products and the processes that define their work.

Mike Nichols is the Product Lead at Elastic Security.

NEXT STORY: USDA Makes New Move in Broad Effort to Bring Innovative Tech to America’s Farmers