
Government IT leaders should consider improving their security with tools designed to go beyond signature-based detection to spot unknown but potentially malicious behaviour

We live in a world of escalating digital threats to government IT systems. The public sector recorded more global incidents and data breaches than any other over the past year, according to a recent Verizon study.

That’s why it’s heartening to see the launch of the new GovAssure scheme, which mandates stringent annual cybersecurity audits of all government departments, based on a National Cyber Security Centre (NCSC) framework.

Now the hard work starts. As government IT and security leads begin to work through the strict requirements of the Cyber Assessment Framework (CAF), they’ll find network detection and response (NDR) increasingly critical to these compliance efforts.

What is GovAssure and how can it protect governments?

GovAssure is the government’s response to surging threat levels in the public sector. It’s not hard to see why the sector is such an attractive target. Government entities hold a vast range of lucrative citizen data which could be used to carry out follow-on identity fraud.

Government services are also a big target for extortionists looking to hold departments hostage with disruptive ransomware. And there’s plenty of classified information in there for foreign powers to go after to gain a geopolitical advantage.

Contrary to popular belief, most attacks are financially motivated (68%)* rather than nation-state attempts at espionage (30%). That means external, organised crime gangs are the biggest threat to government security.

However, internal actors account for nearly a third (30%) of breaches, and collaboration between external parties and government employees or partners accounts for 16% of data breaches. When the cause of insider risk is malicious intent rather than negligence, it can be challenging to spot because staff may be using legitimate access rights and going to great lengths to achieve their goals without being noticed.


Phishing and social engineering are still among threat actors’ most popular attack techniques. They target distracted and/or poorly trained employees to harvest government logins and/or personal information.

Credentials are gathered in an estimated third of government breaches, while personal info is taken in nearly two-fifths (38%). Arguably the shift to hybrid working has created more risk here, as staff admit to being more distracted when working from home (WFH), and personal devices and home networks may be less well protected than their corporate counterparts.

The growing cyber-attack surface

Several other threat vectors are frequently probed by malicious actors, including software vulnerabilities. New Freedom of Information data reveals a worrying number of government assets are now using outdated software that vendors no longer support.

Connected Internet of Things (IoT) devices are an increasingly popular target, especially those with unpatched firmware or factory default/easy-to-guess passwords. Such devices can be targeted to gain a foothold in government networks and/or to sabotage smart city services.

Finally, the government has a significant supply chain risk management challenge. Third-party suppliers and partners are critical to efficiently delivering government services.

But they also expand the attack surface and introduce additional risk, especially if third parties aren’t properly and continuously vetted for security risks. Take the recent ransomware breach at Capita, an outsourcing giant with billions of pounds of government contracts.

Although investigations are still ongoing, as many as 90 of the firm’s clients have already reported data breaches due to the attack.


What the Cyber Assessment Framework demands

In this context, GovAssure is a long overdue attempt to enhance government resilience to cyber risk. In fact, Government Chief Security Officer, Vincent Devine, describes it as a “transformative change” in its approach to cyber that will deliver better visibility of the challenges, set clear expectations for departments and empower security pros to strengthen the investment case.

Yet delivering assurance will not be easy. The CAF lists 14 cybersecurity and resilience principles, plus guidance on using and applying them. These range from risk and asset management to data, supply chain and system security, network resilience, security monitoring and much more. One thing is clear: visibility into network activity is a foundational capability on which CAF compliance programmes can be built.

How Network Detection and Response tools can help

NDR (Network Detection and Response) tools provide that visibility, which enables teams to map assets more accurately, ensure the integrity of data exchanges with third parties, monitor compliance, and detect threats before they have a chance to impact the organisation.

Although the CAF primarily focuses on finding known threats, government IT leaders should consider going further, with NDR tooling designed to go beyond signature-based detection to spot unknown but potentially malicious behaviour.

Such tools might use machine learning algorithms to learn what regular activity looks like to better spot the signs of compromise. If they do, IT leaders should avoid purchasing black box tools that don’t allow for flexible querying or provide results without showing their rationale.

Black box tools add opacity and create assurance and compliance headaches, because a detection whose rationale is hidden cannot be verified by an auditor or tuned by the team that owns it. Open-source tools based on Zeek may offer a better and more reasonably priced alternative.
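As an added illustration of the behaviour-based detection the previous paragraphs describe (this is not code from the article, from Corelight or from the Zeek project), the following Python script builds a per-host baseline from a constructed Zeek-style conn.log subset and then flags three kinds of deviation in a later window, attaching the evidence to each finding so the rationale is visible rather than a bare score: first contact with a destination, per-connection sent-bytes far above the host’s baseline, and repeated connections to one destination at near-constant intervals. The log records, hosts, thresholds and rule names are all constructed assumptions, not real data or a real product’s detection logic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Subset of Zeek conn.log fields, in the column order used by the constructed samples below.
FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes")

# Constructed sample data (not real captures). BASELINE_LOG stands in for a period of
# known-good traffic; WINDOW_LOG is the period under review.
BASELINE_LOG = """\
#fields\tts\torig_h\tresp_h\tresp_p\tproto\torig_bytes\tresp_bytes
1700000000.0\t10.0.0.5\t10.0.0.2\t53\tudp\t60\t120
1700000010.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t512\t4096
1700000300.0\t10.0.0.5\t10.0.0.2\t53\tudp\t70\t130
1700000420.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t640\t5120
1700001000.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t700\t8192
1700003500.0\t10.0.0.5\t10.0.0.2\t53\tudp\t65\t110
1700004000.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t580\t3000
"""

WINDOW_LOG = """\
#fields\tts\torig_h\tresp_h\tresp_p\tproto\torig_bytes\tresp_bytes
1700100000.0\t10.0.0.5\t10.0.0.2\t53\tudp\t60\t120
1700100005.0\t10.0.0.5\t198.51.100.7\t443\ttcp\t300\t200
1700100065.0\t10.0.0.5\t198.51.100.7\t443\ttcp\t300\t200
1700100125.0\t10.0.0.5\t198.51.100.7\t443\ttcp\t300\t200
1700100185.0\t10.0.0.5\t198.51.100.7\t443\ttcp\t300\t200
1700100245.0\t10.0.0.5\t198.51.100.7\t443\ttcp\t300\t200
1700100400.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t50000000\t1500
"""


def parse_conn_log(text):
    """Parse the tab-separated subset; Zeek's '#'-prefixed header/meta lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        records.append(rec)
    return records


def build_baseline(records):
    """Per source host: the (destination, port) pairs seen and the mean/stdev of
    bytes sent per connection. This is 'what regular activity looks like' in its
    simplest statistical form."""
    dests, sent = defaultdict(set), defaultdict(list)
    for r in records:
        dests[r["orig_h"]].add((r["resp_h"], r["resp_p"]))
        sent[r["orig_h"]].append(r["orig_bytes"])
    return {h: {"dests": dests[h], "mean": mean(sent[h]), "stdev": pstdev(sent[h])}
            for h in dests}


def detect(baseline, window, z=3.0, min_beacons=4, max_jitter=0.1):
    """Return findings; each carries the evidence behind it so an analyst or an
    auditor can check the rationale instead of trusting an opaque verdict."""
    findings, seen_new, by_pair = [], set(), defaultdict(list)
    for r in window:
        host, pair = r["orig_h"], (r["resp_h"], r["resp_p"])
        model = baseline.get(host)
        if model is None:
            findings.append({"rule": "unknown_host", "host": host,
                             "evidence": "no baseline exists for this source host"})
            continue
        if pair not in model["dests"] and (host, pair) not in seen_new:
            seen_new.add((host, pair))
            findings.append({"rule": "new_destination", "host": host,
                             "evidence": f"first contact with {pair[0]}:{pair[1]}"})
        # Floor the spread so a baseline of identical sizes (stdev 0) still yields a usable threshold.
        sigma = max(model["stdev"], 0.1 * model["mean"])
        threshold = model["mean"] + z * sigma
        if r["orig_bytes"] > threshold:
            findings.append({"rule": "volume_anomaly", "host": host,
                             "evidence": f"sent {r['orig_bytes']} bytes to {pair[0]}:{pair[1]}, "
                                         f"baseline threshold {threshold:.0f}"})
        by_pair[(host, r["resp_h"])].append(r["ts"])
    # Beaconing: repeated connections to one destination at near-constant intervals.
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if jitter <= max_jitter:
            findings.append({"rule": "beaconing", "host": host,
                             "evidence": f"{len(stamps)} connections to {dst} every "
                                         f"~{mean(gaps):.0f}s (jitter {jitter:.2f})"})
    return findings


def run():
    """Build the baseline from BASELINE_LOG and review WINDOW_LOG against it."""
    return detect(build_baseline(parse_conn_log(BASELINE_LOG)), parse_conn_log(WINDOW_LOG))


if __name__ == "__main__":
    for f in run():
        print(f"{f['rule']:16} {f['host']:10} {f['evidence']}")
```

On the constructed window the script reports one new_destination finding, one volume_anomaly finding and one beaconing finding, all for 10.0.0.5, each with the numbers that triggered it. The same structure (baseline, explicit thresholds, evidence on every finding) is what lets a team answer the CAF’s monitoring questions and an auditor’s follow-ups; production tooling would add per-port and per-time-of-day baselines and far more data, but the explainability requirement does not change.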

Ultimately, there are plenty of challenges for departments looking to drive GovAssure programmes. Limited budgets, in-house skills, complex cyber threats, and a growing compliance burden will all take their toll. But by reaching out to private sector security experts, there is a way forward.

For many, that journey will begin with NDR to safeguard sensitive information and critical infrastructure.


*Source of statistics: Verizon

This piece was written and provided by Ashley Nurcombe, Senior Systems Engineer – UK&I, Corelight.
