What Don't You Know? Uncover and Manage Unknown Cyber Threats

How a Tennessee intercounty agency finds and stops risky activity on its network, and how any local government can apply managed threat detection. [PM Magazine, November 2019]

ARTICLE | Nov 5, 2019

The cyber threat environment is dynamic and evolving. New vulnerabilities emerge daily, and attacks are becoming more sophisticated. It’s nearly impossible to effectively manage the threat environment alone, particularly when attacks now fly under the radar of traditional detection technologies.

Scarce resources, and the public’s prioritization of spending on more frontline city services, can compel local government leaders to seek internal support more readily. On matters of cybersecurity, however, the increasing complexities and rapid evolution of technology may mean that the most effective tools and knowledgeable staff to fight cyberattacks simply aren’t available. The following steps can help your organization build a robust cybersecurity culture, while laying the foundation for a more sustainable IT infrastructure.

We Don’t Know What We Don’t Know

Local government entities of all sizes are challenged by under-resourced IT teams working in an environment of constant threat. When asked what kept him up at night, Mike Caffrey, an IT executive for East Tennessee Governments said, “We don’t know what we don’t know.”

“Detecting cyber threats is a full-time job, and we just didn’t have the resources to dedicate to it,” Caffrey added. “The task is time consuming. There is a huge amount of data that needs to be sifted through. Plus, attacks don’t always happen during normal business hours.”

In-House vs. Outsourcing

To alleviate that burden, Caffrey’s team has implemented a managed threat detection and response (MDR) service that can keep watch on his network 24/7. This follows an interesting industry trend. Recent articles in GovTech [1] and CompTIA [2] have made sound cases for why local governments might be better off outsourcing some or all of their IT operations, including cybersecurity.

In GovTech’s interview with Teri Takai, the executive director of the Center for Digital Government and former chief information officer of the Department of Defense, Takai points out some pain points similar to Caffrey’s for local governments struggling to keep up with cyber threats:

• Lack of resources,

• Aging technology,

• New technology that doesn’t integrate with existing systems,

• Lack of size and scale to appropriately meet evolving challenges, and

• Lack of executive understanding and appropriate funding/support.

As Takai noted, “There is no ‘one-time spend’ that makes a jurisdiction 100 percent secure.” Neither can a jurisdiction expect to handle cybersecurity threats on its own. This can be a tough sell, particularly when sharing resources. However, there are successful emerging models of cyberthreat management that particularly involve collaborations, partnerships, and economies of scale.

Partnership and MDR Options

Opportunities exist among federal, state, and local governments—as well as between traditionally siloed departments such as IT and public safety—to join forces and share technology and expertise. Jurisdictions can connect with a shared technology partner, particularly in tech infrastructure and threat monitoring and detection.

Utilizing an MDR service, as Caffrey did in Tennessee, is another avenue to economically detect malicious behavior and safeguard data. It allows organizations to benefit from cybersecurity domain expertise without the need to invest in training, development, or headcount, as outlined in a recent blog post, “Why Your Business Should Consider Managed Threat Detection.” [3]

MDR Identifies Risks

With the service Caffrey implemented, security experts analyze event logs from the Tennessee Intercounty Agency’s network, including endpoint activity, to uncover suspicious behavior. Any potential compromise is investigated and confirmed by the analyst, and the information security team is notified immediately.

In the first few days of operation, analysts uncovered a variety of network behaviors that presented significant risk to the agency. Noteworthy risks that had been previously undetected included:

1. Tech Support Scams

Analysis of firewall logs uncovered many instances of users visiting malicious websites containing “tech support scams.” Users are often redirected to these sites during normal browsing and enter the malicious site unknowingly. These fake sites encourage users to provide personal data, install programs giving hackers control of their system and network, or, worse, allow them to install a remote access tool (RAT) that gives them access to the system.

2. Fraudulent Programs

The new system also found a fraudulent Adobe Flash player installed on the agency’s network. A common online scam tricks the person browsing into downloading a fake version of a popular software. While it appears legitimate, the fraudulent program tries to infect the victim with malware or collect personal information.

3. BitTorrent (BT)

Traffic that pointed to peer-to-peer file sharing known as BitTorrenting (BT) was also identified. BT is a common protocol for transferring large files and is often used to download illegal and/or copyrighted material. This poses a risk to local governments because if an illegal file is successfully downloaded, the agency could be held liable.

4. Potentially Unwanted Program (PUP)

Analysts found multiple instances of PUPs. These programs are not necessarily malicious, but their unintended use may compromise the privacy of the user, weaken network security, or degrade system performance.

5. Advanced Persistent Adware (APA)

When reviewing the agency’s endpoint activity, analysts found an APA installed on one of their devices. According to Booz Allen Hamilton, an APA “leverages advanced techniques, typically only seen in attacks attributed to Nation-State-level Advanced Persistent Threats (APTs), to evade detection, maintain persistence, and connect to a Command and Control (C2) server to facilitate the second stage of the attack.” If left undetected, this activity posed a significant threat to the agency.
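To show what the log analysis behind the first three findings above looks like in practice, here is an added Python example (not the agency’s tooling and not Tyler Detect’s code) that triages constructed firewall log lines into the tech-support-scam, fake-installer, and BitTorrent categories. The log format, the scam-domain blocklist, the vendor host list, and the BT port range are assumptions made for the example; a real analyst would substitute current threat intelligence.

```python
import re

# Constructed firewall log lines in a syslog-style key=value format; not the agency's real logs.
FIREWALL_LOG = """\
2019-10-01T09:12:04 src=10.20.5.17 dst=203.0.113.40 dport=443 proto=tcp url=https://secure-windows-alert.example/support
2019-10-01T09:13:11 src=10.20.5.17 dst=198.51.100.7 dport=80 proto=tcp url=http://cdn.example.net/dl/flashplayer_update.exe
2019-10-01T09:14:02 src=10.20.5.42 dst=192.0.2.55 dport=6881 proto=tcp url=-
2019-10-01T09:14:03 src=10.20.5.42 dst=192.0.2.56 dport=6889 proto=udp url=-
2019-10-01T09:15:30 src=10.20.5.9 dst=192.0.2.34 dport=443 proto=tcp url=https://get.adobe.com/flashplayer/download/flashplayer.exe
2019-10-01T09:16:00 src=10.20.5.9 dst=192.0.2.10 dport=443 proto=tcp url=https://intranet.example.gov/
"""

# Hypothetical blocklist standing in for the threat intelligence an MDR analyst would consult.
SCAM_DOMAINS = {"secure-windows-alert.example"}
# Hosts from which an installer for the named product is expected to be served (illustrative assumption).
VENDOR_HOSTS = {"flashplayer": {"get.adobe.com", "www.adobe.com"}}
BT_PORTS = range(6881, 6890)  # classic BitTorrent client listening-port range (assumption)

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) url=(?P<url>\S+)")

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else None

def classify(rec):
    """Map one parsed record to a risk category from the article, or None if nothing matched."""
    host = host_of(rec["url"])
    if host in SCAM_DOMAINS:
        return "tech_support_scam"
    if host and re.search(r"\.(exe|msi|dmg)$", rec["url"], re.I):
        name = rec["url"].rsplit("/", 1)[-1].lower()
        for product, hosts in VENDOR_HOSTS.items():
            if product in name and host not in hosts:
                return "fake_installer"  # brand-named installer served from a non-vendor host
    if rec["url"] == "-" and int(rec["dport"]) in BT_PORTS:
        return "bittorrent"  # bare connection to a BT client port with no web URL
    return None

def triage(log_text):
    """Return (category, source host, evidence) findings for an analyst to confirm."""
    findings = []
    for m in LINE_RE.finditer(log_text):  # unparseable lines are skipped, not mis-classified
        rec = m.groupdict()
        cat = classify(rec)
        if cat:
            findings.append((cat, rec["src"], rec["url"] if rec["url"] != "-" else rec["dst"]))
    return findings
```

The legitimate Flash download from the vendor host and the intranet visit produce no finding, which is the false-positive filtering Caffrey credits the service with.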

Newfound Security and ROI

The investment in the MDR service paid off immediately for the Tennessee intercounty agency. With trusted analysts alerting Caffrey to any system vulnerabilities, his network is secure, and his team’s time is freed up for other strategic priorities. “It’s much less expensive than hiring full-time employees to find threats,” Caffrey said. “And it’s saving my team time because we don’t have to chase down false positives anymore.”

Culture Is Key

Another important—and budget-friendly—action is to cultivate an organization-wide cybersecurity culture, one in which every department is involved in the ongoing effort. Creating this culture means developing cybersecurity awareness throughout your entire organization, which will lead to organizational practices that support the secure execution of your business strategy.

As Takai noted in the GovTech piece, “The ability of smaller organizations to address the threats without collaboration, shared resources, and support of the technology partners is a thing of the past.” All of us with tight budgets should consider partnerships, resource sharing, and managed threat detection options to stay ahead of cyberthreats and avoid potentially devastating loss.

ENDNOTES AND RESOURCES

[1] https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-local-governments-can-address-cybersecurity.html

[2] https://www.comptia.org/about-us/newsroom/blog/comptia-blog/2019/06/27/ten-reasons-why-local-governments-should-outsource-all-it-operations

[3] https://www.tylertech.com/resources/blog-articles/why-your-business-should-consider-managed-threat-detection

RON BERNIER, CISSP, MCSE, is director and chief architect of Tyler Detect, Tyler Technologies’ managed threat detection service (ron.bernier@tylertech.com).
