Agencies across the federal government are moving to implement zero trust to protect the integrity of their IT systems amidst modernization programs and to adapt around vulnerabilities that emerged during the COVID-19 pandemic.
Speaking at the GovernmentCIO Media & Research Cyberscape: National Security forum, public sector cybersecurity experts discussed the evolving threat landscape and the growing embrace of zero trust as a means of staying ahead of malicious actors.
“If I’m a threat actor and I want to get the most bang for my buck, and I can gain network access into a software company — we've seen these attacks recently with SolarWinds — and I can reach an update server or an entity that I know is used across the whole of government or across the whole of the United States’ networks, I can use that as a jumping off point to attack a variety of organizations,” said Matthew Swenson, chief of the cyber crime unit at Homeland Security Investigations.
The potential damage of these kinds of attacks, especially across the remote work environment, has reinforced the need to prevent spillover breaches by using network segmentation and requiring additional verification to access discrete areas of an organization’s broader IT system. The Defense Digital Service has helped the Defense Department as a whole evolve toward implementing core zero trust methodology.
“It's been really interesting to see DOD move from traditional defense in depth to zero trust architecture, especially with the COVID pandemic forcing more people to work from home. In the case of the Sunburst malware attack, our kill chain used aggressive deny by default [access control lists]. So we're really focused on, as we evolve into zero trust initiatives, what happens to these sort of traditional [access control list] protections? Tightening those deny-by-default protections at all layers of the OSI model, and then specifically focusing on anomaly detection, has been one of the big recommendations that we've been providing,” said Lance Cleghorn, Digital Services Expert, Defense Digital Service.
This has even encompassed a tighter approach to email access security, particularly as a response to the growing sophistication of ransomware attacks.
“We put a lot of protective capabilities in place, especially around our email because that is probably the most specific vector that's being attacked these days with ransomware. We went very aggressive on what email we allow to come into our network,” said Mike Witt, associate CIO for cybersecurity and privacy at NASA.
The sheer potential cost and disruption to crucial services from ransomware is due in large part to how malicious actors have begun organizing breaches and payment demands more effectively, leading to a corresponding professionalization and consistency in these types of attacks.
“Ransomware actors, their methodologies, and the way that they function in an organized capacity is getting much more sophisticated. The vast majority of ransomware groups now essentially function like organized criminal networks. Some of the groups have as many as 80 or more actors all working in conjunction, and they become very specialized in their skill sets. So you have malware developers, money mules and people who gain network access, to people who function as help desk operators and negotiate payment,” Swenson said.
Zero trust measures have enabled agencies to prevent such crippling attacks on vital IT systems and to avert the worst possible outcomes of methodical, highly coordinated ransomware breaches.
“If you look at the most major ransomware attacks that have occurred, basic cyber hygiene could have prevented the vast majority of them. Killing their ability to move laterally, heavy network segmentation, network security monitoring, zero trust models, multi-factor authentication, all those types of things,” Swenson said.
Recognizing the shifts in both federal IT and the corresponding threat landscape, private sector security experts have begun updating their recommendations to federal partners to meet this more dispersed approach to network protection, and collaborating on how to most effectively codify and institute these measures across government as a whole.
“In addition to the threat landscape changing, our own network infrastructure has changed quite a bit as we've moved to the cloud, as well as an increasingly remote workforce,” said Gram Slingbaum, solutions engineer at CyberArk. “We adopt an assumed breach mentality. Basically we take into account that there are lots of identities out there, but we don't want to assume that these identities can be trusted. Instead, we have to place controls around them. These controls have meant that identity has become the new perimeter. So, while we used to treat our firewall as the edge of our network, now as soon as that user has to make themselves known, that is the new perimeter.”