Threat actors are upping their game. Rather than acting as a lone attacker sitting behind a single computer, today’s threat actors operate like an enterprise.
State actors are well-resourced, and criminal groups are well-connected and form alliances. They change their tactics, techniques and procedures to achieve objectives. They use cryptocurrency to purchase tools and even utilize Software-as-a-Service (SaaS) models to leverage existing tools rather than spending the time and money on in-house development.
A threat actor may have multiple targets in the same sector, such as state and local health agencies, or focus on a specific agency. The point of an attack is often monetization, typically through the theft of sensitive data or ransomware. But attackers often have ideological or geopolitical motivations, meaning even entities with few resources can be heavily targeted.
And the threat landscape is always evolving.
A major target in the last few years has been third-party service providers, such as those that develop applications for their customers or require network access into customer environments. State-backed threat actors, like those from Russia and China, are also targeting state and local agencies, likely in retaliation for trade wars or simply to gather more intelligence.
In addition to their agility and sophisticated attack methods, threat actors have another significant advantage: speed.
An important threat concept to understand is breakout time. This is the window of time it takes for an adversary that gains a foothold on an endpoint to move laterally to other endpoints on a victim network or to escalate privileges. The average breakout time in 2017 was 1 hour and 58 minutes. It lengthened to an average of 4 hours 37 minutes in 2018, likely due to the use of better network security technologies and to more actors using tactics, techniques and procedures that required breaching multiple endpoints.
Still, network defenders have limited time to contain or remediate an intrusion before it becomes a major breach. The battle between threat actor and network defender comes down to survival of the fastest. This is a tough race for many state and local cyber teams working with constrained staffing and budgets.
CrowdStrike offers governments a cloud-native endpoint protection platform built to stop breaches. It recommends that agencies follow the 1-10-60 rule, which requires:
- Detecting intrusions in under one minute,
- Performing an investigation in under 10 minutes, and
- Containing or remediating the threat in under 60 minutes.
Agencies that meet this 1-10-60 benchmark are much more likely to prevent an attack from spreading from its initial entry point, or at least to minimize its impact.
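The breakout-time and 1-10-60 concepts above are easiest to operationalize as incident metrics. The following is an added example (not CrowdStrike's or GovLoop's code) that takes an incident timeline, measures each of the three phases against the 1-10-60 targets, and checks whether the total response beat the 2018 average breakout time quoted above; the `Incident` fields and sample timelines are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# 1-10-60 targets from the article: detect in 1 minute, investigate in 10,
# contain or remediate in 60.
THRESHOLDS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "contain": timedelta(minutes=60),
}
# The 2018 average breakout time quoted above; the race is lost once the
# end-to-end response takes longer than this.
AVG_BREAKOUT_2018 = timedelta(hours=4, minutes=37)

@dataclass
class Incident:                # hypothetical record layout
    name: str
    first_activity: datetime   # earliest adversary activity on the first host
    detected: datetime         # alert raised and confirmed as real
    investigated: datetime     # scope (hosts, accounts, persistence) understood
    contained: datetime        # affected hosts isolated or remediated

def phase_durations(inc):
    """Wall-clock time spent in each of the three 1-10-60 phases."""
    return {
        "detect": inc.detected - inc.first_activity,
        "investigate": inc.investigated - inc.detected,
        "contain": inc.contained - inc.investigated,
    }

def breached_phases(inc):
    """Phases whose duration exceeded the 1-10-60 target, in phase order."""
    return [p for p, d in phase_durations(inc).items() if d > THRESHOLDS[p]]

def beats_breakout(inc, breakout=AVG_BREAKOUT_2018):
    """True if containment finished before the adversary's typical breakout."""
    return inc.contained - inc.first_activity < breakout

def parse(name, *stamps):
    return Incident(name, *(datetime.fromisoformat(s) for s in stamps))

# Constructed sample timelines, not real incident data.
SAMPLE = [
    parse("A", "2024-03-01T09:00:00", "2024-03-01T09:00:45", "2024-03-01T09:08:00", "2024-03-01T09:50:00"),
    parse("B", "2024-03-02T13:00:00", "2024-03-02T13:03:00", "2024-03-02T13:09:00", "2024-03-02T14:30:00"),
    parse("C", "2024-03-03T08:00:00", "2024-03-03T12:00:00", "2024-03-03T12:30:00", "2024-03-03T13:15:00"),
]

def report(incidents=SAMPLE):
    """Per incident: which phases missed their target, and whether we beat breakout."""
    return {i.name: (breached_phases(i), beats_breakout(i)) for i in incidents}

if __name__ == "__main__":
    for name, (breached, won) in report().items():
        print(f"{name}: missed={breached or 'none'} beat_breakout={won}")
```

Incident C shows the case the article warns about: detection took four hours, so even a fast containment step could not bring the total response under the average breakout time.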
Because of the sophistication of today’s threat actors, network defenders need to flip all the switches to protect agency infrastructure. That means the enterprise must have robust protections in place. The failure to implement these protections can be costly in time, effort and dollars – and it can put citizen data and trust at risk.
This article is an excerpt from GovLoop Academy’s recent course, “The Need for Speed in Detecting and Responding to Cyberthreats,” created in partnership with CrowdStrike and DLT. Access the full course here.