
Privileged Identities: Cybercriminals’ Keys to Government Organizations

By: Ryan Witt, Vice President, Industry Solutions, Proofpoint


Cybersecurity continues to be a top priority for state and local governments, and with good reason. Incidents caused by malware, phishing, and ransomware continue to grow in state and local governments, and major public sector breaches are reported with regularity. These agencies are up against foreign nation-state actors with the resources to sustain a constant level of threat.

The global increase in cyberattacks has been enabled by attackers shifting their tactics and focus to identity-based attacks; 84% of organizations reported falling victim to an identity-related breach last year. Threat actors have realized that it is more effective, faster, and cheaper to steal valid credentials and log in than to hack through technical controls.

Privileged identities are the keys to the kingdom, and attackers use them to reach the crown jewels. Many organizations now embrace resilience strategies, accepting that an incident is inevitable: "It's not a matter of if, but when." This shifts the defender's mindset away from the impossible task of protecting everything within the agency. In recent years a new industry approach to cyber defense has emerged: instead of protecting everything, defenders aim to neutralize attackers' tactics, techniques, and procedures (TTPs) in advance.

The first call to action is for government agency security teams to evaluate the detective tools already in place. Doing so will reveal fragmented implementations and siloed tools that do not share relevant information with one another. Where no tool or platform exists to detect those TTPs, that gap is the first one to fill.

Email remains the key entry point

Threat actors understand that people hold access to an organization's most critical data, and that most employees can be tricked relatively easily into taking an action via email that puts the security of a government organization in jeopardy.


Email-based attacks continue to dominate the threat landscape globally.  A 2023 IDC survey showed that the most significant source of initial compromise for ransomware incidents in governments was an employee opening a malicious attachment in a phishing email (28% of respondents) or clicking on a malicious URL in a phishing email (18% of respondents). 


Many of today's attacks, ransomware included, rely on such compromised identities. According to another recent IDC report, more than half (56%) of state and local government organizations in the U.S. reported a ransomware attack in 2022.


The second call to action follows directly: email security is critical. By implementing proper email gateway rules, advanced threat analysis, email authentication (SPF, DKIM and DMARC, with DMARC set to an enforcing policy rather than monitor-only), and visibility into cloud applications, organizations can block the majority of targeted attacks before they reach employees. Legislatures should consider legislation requiring government organizations to deploy email security products that meet at least a 99% threat block rate.
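Publishing SPF and DMARC records is not the same as enforcing them: a DMARC policy of p=none, a partial pct, or an SPF record ending in +all or ~all leaves spoofed mail deliverable. The following Python is an added example, not code from the article or from Proofpoint; it evaluates a domain's email-authentication posture. The domain names and TXT records are constructed and served from an in-memory table (an assumption) so it runs without touching DNS; swap RECORDS for a real resolver lookup to use it against your own domains.

```python
"""Assess a domain's published email-authentication posture (SPF + DMARC).

Added example; not code from the article. The TXT records below are
constructed for illustration and looked up from an in-memory dict, so
nothing touches DNS. Replace txt() with a real resolver to use it.
"""
import re

# Constructed sample records (assumption: these are not real domains' records).
RECORDS = {
    "agency.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example; pct=100"],
    "county.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.county.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county.example"],
    "city.example": ["v=spf1 +all"],
}


def txt(name):
    """Stand-in for a DNS TXT lookup (returns constructed records)."""
    return RECORDS.get(name, [])


def parse_spf(records):
    """Return (present, all_qualifier); qualifier is '+', '-', '~', '?' or None."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", r)
            return True, ((m.group(1) or "+") if m else None)
    return False, None


def parse_dmarc(records):
    """Return the DMARC tag dict, or None when no v=DMARC1 record exists."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess(domain):
    """List the weaknesses that let a spoofed message from `domain` be delivered."""
    findings = []
    spf_present, qual = parse_spf(txt(domain))
    if not spf_present:
        findings.append("SPF: no record; anyone can send as this domain")
    elif qual == "+":
        findings.append("SPF: '+all' authorises every sender; equivalent to no SPF")
    elif qual == "~":
        findings.append("SPF: softfail '~all'; DMARC must do the enforcing")
    elif qual is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")

    dmarc = parse_dmarc(txt("_dmarc." + domain))
    if dmarc is None:
        findings.append("DMARC: no record; spoofed mail is never rejected")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only; spoofs are still delivered")
        elif pct < 100:
            findings.append(f"DMARC: pct={pct} applies {policy} to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address; aggregate reports are lost")
    return findings


if __name__ == "__main__":
    for d in ("agency.example", "county.example", "city.example"):
        print(d, assess(d) or ["enforcing"])
```

The check deliberately treats p=none as a finding even though the record is syntactically valid: monitor mode is a migration step, and many public sector domains stay parked there for years.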

When defending against today's pervasive identity-based attacks, an effective threat protection strategy has to cover the entire attack chain rather than only the initial lure, because your people and their identities face threats at every stage of it.

Breaking the attack chain

Attackers will continue to rely on the same technique: targeting employees with an email to gain a foothold in an organization, then moving laterally and doing as much damage as they can. They depend on this technique because, put simply, it works, and it will continue to work unless organizations consider how to break the links in the attack chain.

When we look at opportunities for government agencies to break the attack chain, the first step is to stop the initial compromise. This is where a robust email security strategy is crucial. Whether through Business Email Compromise (BEC), cloud account takeover, or cybercriminals using a trusted third party to compromise a government organization through its supplier, a single email can lead to compromise. After that initial compromise, attackers hold a valid account in your environment, which gives them access to mailboxes and the ability to steal information or launch ransomware attacks.

Worryingly, compromised accounts can go undetected for a long time, because a valid login leaves no malware to find and few of the indicators of compromise that traditional tools look for. And despite the deployment of privileged access management (PAM) and multifactor authentication (MFA), these attacks are still on the rise: MFA is routinely bypassed by adversary-in-the-middle phishing kits that relay the one-time code, by push-notification fatigue, and by theft of already-authenticated session tokens. If undetected, organizations face an even bigger problem, privilege escalation and lateral movement within their networks.

The third call to action is for organizations to implement technology that identifies and responds to compromised users and removes what attackers need to complete their crime: privileged account access. An identity threat detection and response (ITDR) approach helps organizations remediate privileged identity risks and understand the potential ramifications of a compromise, such as access to critical data and intellectual property.
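Because a stolen session or relayed MFA code produces a sign-in that looks legitimate, detecting account takeover means correlating the sign-in itself with what the attacker does next: creating inbox rules to hide replies, registering a new MFA method, or bulk-downloading mail. The Python below is an added example, not the article's or any ITDR product's logic. The sign-in and audit events, their field names, and the per-user country baseline are all constructed (an assumption); map your identity provider's real audit fields onto these keys before using it.

```python
"""Flag likely account takeovers from sign-in and post-login audit events.

Added example, not the article's or any vendor's code. Events and the
30-day location baseline are constructed inline (assumption); the field
names are a simplified stand-in for real IdP / mailbox audit records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: note the second jdoe sign-in passes MFA yet comes from a
# new country on a scripted user agent, the footprint of a relayed session.
EVENTS = [
    {"ts": "2024-03-04T08:01:00", "user": "jdoe", "kind": "signin",
     "country": "US", "ua": "Chrome/Windows", "mfa": True},
    {"ts": "2024-03-04T08:43:00", "user": "jdoe", "kind": "signin",
     "country": "NG", "ua": "Python-requests", "mfa": True},
    {"ts": "2024-03-04T08:47:00", "user": "jdoe", "kind": "inbox_rule",
     "action": "delete_incoming"},
    {"ts": "2024-03-04T08:49:00", "user": "jdoe", "kind": "mfa_method_added",
     "method": "phone"},
    {"ts": "2024-03-04T09:10:00", "user": "asmith", "kind": "signin",
     "country": "US", "ua": "Chrome/macOS", "mfa": True},
    {"ts": "2024-03-04T09:12:00", "user": "asmith", "kind": "inbox_rule",
     "action": "move_to_folder"},
]

# Constructed baseline: countries each user has signed in from in the last 30 days.
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}

# Post-login actions that establish persistence or conceal the intrusion.
POST_LOGIN_RISK = {"inbox_rule", "mfa_method_added", "mass_download"}
WINDOW = timedelta(minutes=30)        # risky action this soon after a suspicious login
TRAVEL_WINDOW = timedelta(hours=1)    # two countries within this gap is impossible travel


def detect(events, baseline, window=WINDOW):
    """Return (user, time, verdict, detail) tuples, in event order."""
    alerts = []
    suspicious = defaultdict(list)    # user -> times of suspicious sign-ins
    last_signin = {}                  # user -> (time, country)
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        u = e["user"]
        if e["kind"] == "signin":
            reasons = []
            if e["country"] not in baseline.get(u, set()):
                reasons.append(f"new country {e['country']}")
            prev = last_signin.get(u)
            if prev and prev[1] != e["country"] and t - prev[0] < TRAVEL_WINDOW:
                reasons.append(f"impossible travel {prev[1]}->{e['country']}")
            last_signin[u] = (t, e["country"])
            if reasons:
                suspicious[u].append(t)
                alerts.append((u, t, "suspicious sign-in",
                               "; ".join(reasons) + f" via {e['ua']}"))
        elif e["kind"] in POST_LOGIN_RISK:
            # The same action by a user with no suspicious sign-in is routine and ignored.
            if any(timedelta(0) <= t - s <= window for s in suspicious[u]):
                alerts.append((u, t, "account takeover", e["kind"]))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE):
        print(*a)
```

The MFA flag on the suspicious sign-in is intentionally not used as a reason to trust it; in a relayed-session attack the factor was satisfied by the victim, so only context (location, client, what happens next) separates the attacker from the user.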

If you want to stop attackers from escalating their attacks, you need proactive measures to protect your government organization against identity-based threats, backed by comprehensive security controls. The controls in an ITDR solution give you tools to help you:

  • Block targeted phishing and malware attacks 

  • Detect and respond to account takeovers with speed 

  • Identify and halt lateral movement 

  • Prevent privilege escalations 

  • Fortify defenses against data exfiltration attempts 

ITDR solutions help proactively defend against threats at their earliest stages. They do this by scanning each endpoint and identity repository to deliver bottom-up (endpoint) and top-down (directory) views into risks from unmanaged, misconfigured, and exposed identities, such as credentials cached on workstations, stale or over-privileged accounts, and permissive access control entries. This gives security teams the visibility they need to remove the attack paths through Active Directory that attackers use to deploy ransomware and steal data. ITDR solutions are a critical tool for breaking the attack chain; they can help you stop attacks before they become devastating incidents.
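An attack path is simply a chain of relationships an attacker can traverse: group membership, local admin rights on a host, a privileged session cached on that host, and an access control entry that lets one principal take over another. The Python below is an added example, not Proofpoint's or any product's code: it models a small directory as a graph, finds the shortest path from a compromised user to Domain Admins, and then identifies the choke-point edges whose removal alone cuts every path. The principals, hosts and edges are constructed (an assumption), as are the relation names, which follow the usual Active Directory abuse primitives.

```python
"""Enumerate and cut attack paths to a privileged group in a directory model.

Added example; not the article's or any ITDR product's code. The directory
graph is constructed inline (assumption); in practice it is collected from
LDAP, local group enumeration and session data. Relations follow common AD
abuse primitives: MemberOf, AdminTo (local admin), HasSession (logged-on
credential), GenericAll (full control over the target object).
"""
from collections import deque

# Constructed graph: (source, relation, target). Two routes reach WS01, but only
# one route leads from WS01 onward, which is what choke_points() exposes.
EDGES = [
    ("jdoe",               "MemberOf",   "HelpDesk"),
    ("jdoe",               "MemberOf",   "Workstation-Admins"),
    ("HelpDesk",           "AdminTo",    "WS01"),
    ("Workstation-Admins", "AdminTo",    "WS01"),
    ("WS01",               "HasSession", "svc_backup"),
    ("svc_backup",         "GenericAll", "Tier0-Ops"),
    ("Tier0-Ops",          "MemberOf",   "Domain Admins"),
    ("asmith",             "MemberOf",   "Finance"),
    ("Finance",            "AdminTo",    "FS01"),
]


def build(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges, start, target):
    """BFS over traversable relations; returns [(src, rel, dst), ...] or None."""
    graph = build(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def choke_points(edges, start, target):
    """Edges whose individual removal disconnects start from target.

    These are the fixes that pay off first: removing one of them breaks
    every path, whereas removing a redundant edge changes nothing.
    """
    if shortest_path(edges, start, target) is None:
        return []
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(remaining, start, target) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    for step in shortest_path(EDGES, "jdoe", "Domain Admins") or []:
        print(" -> ".join(step))
    print("choke points:", choke_points(EDGES, "jdoe", "Domain Admins"))
```

In the constructed graph the cheapest fix is not to strip jdoe's help-desk rights (a second group grants the same access) but to stop svc_backup's credential from sitting on a help-desk-managed workstation, or to remove its GenericAll over the Tier 0 group. Real directories have thousands of edges, but the same single-edge cut analysis is how attack-path tools rank remediations.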

Security is a shared responsibility, so the last call to action is to implement a training and awareness program that evaluates employees' knowledge and at the same time rewards those who understand the threats. We must empower people at all levels within government agencies to understand security and the risky behaviors that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. Make sure your program and training platform are built from the perspective of the user, evolve as the threats evolve, and stay relevant to employees' work and personal lives.

© 2024 by Florida Technology Council.
