All nations rely on an extraordinarily large network of facilities, systems, information, people and processes to function, and it only continues to grow. The term ‘critical national infrastructure’ traditionally referred to sectors such as defense, emergency services, national utilities, telecommunications and food production – but technological advances have meant that a much greater portion of IT infrastructure has become ‘critical’. In short, successful cyber-attacks against any government agency can have disruptive and dangerous effects on our daily lives.
Safeguarding the public sector from cyber-attacks is a key responsibility of our country’s government in general, and the National Cyber Security Centre (NCSC) in particular. However, the National Audit Office (NAO) has warned that the government is failing with certain parts of its National Cyber Security Programme for the country’s national infrastructure, citing uncertainties around where efforts should be concentrated in order to maximize impact. The Cabinet Office was also berated for not producing a business case for its program before it was launched.
With this in mind, there are concerns that the public sector is not being safeguarded from cyber-attacks. State-sponsored cybercrime is nothing new – the government has been on high alert for cyber-attacks against its national infrastructure for years – but it is becoming clear that action needs to be taken at all levels of government to keep up with the threat.
Public sector predicaments
While any business may feel the fallout of a successful attack on critical infrastructure, state and local government organizations are leaving themselves especially vulnerable to threats that can bypass “outdated” and “ineffective” legacy prevention and detection tools.
While attackers have become worryingly good at breaching security defenses, with lateral movement often beginning within the first two hours of a compromise, security analysts often have more alerts than they can physically investigate. This leaves attackers with enough time to comfortably do the necessary reconnaissance and steal sensitive data without being detected.
Hunting down the threats
Rather than passively waiting for an adversary to potentially show themselves, state and local government must employ strong detection methods across the kill chain, while proactively hunting for threats that bypass prevention and detection tools.
While often misunderstood as a defense tactic, threat hunting is, ultimately, a proactive way to find advanced threats designed to evade traditional defenses, as well as automated detection tools.
Threat hunting is an underused tool within the government sector, which became clear when Fidelis interviewed state and local government representatives as part of its research into how security professionals perceive and use threat hunting. Fifty-four percent of respondents do not currently engage in the method and have no plans to do so, even though almost everyone (88 percent) believes the method is necessary. The most common reason cited was lack of time, followed by lack of skills, which is known to be a critical issue for the UK Government.
Last year, even the chair of the JCNSS, Dame Margaret Beckett MP, concluded that it found little to reassure [us] that the government has fully grasped the problem of the availability of skilled people in cybersecurity, but that it is now planning appropriately.
Skilling up
While a lack of skills and resources is a valid barrier to adopting threat hunting, it can be overcome. Many government agencies need to better understand the skillset of their existing team in order to equip, enable, and empower them as efficiently as possible.
Naturally, speeding up the workflow of security operations is critical for successful threat hunting, and boils down to having the right solutions in place that provide adequate context, search speeds, metadata and actionable evidence to minimize intruder dwell time.
Threat hunting requires experienced analysts with highly specialized skills. While they can be hard to find, and even harder to recruit, one way to circumvent the issue is to outsource parts of the security operations center (SOC), or indeed all of it, and tap into the talent of technology providers who can fine-tune and use high-level technology, 24/7. This can be a cost-effective way to allow internal security teams within government organizations to focus on their very important day jobs, while resting assured that threats will be identified and mitigated as quickly as possible after the point of compromise.
Leaning forward
In the end, there is no way to guarantee adversaries are caught quickly by security teams, and this goes for all sectors – not just government. What sets the public sector apart is how slow many of its organizations have been to update security infrastructures and protect themselves from ever-evolving threats. Therefore, all branches of the government need to adopt a ‘lean-forward’ approach, meaning that proactive threat detection methods such as threat hunting are considered. Only then might the UK Government be able to fully deliver on its promise to protect the country’s infrastructure and ultimately, the safety of its citizens.