Deborah Watson is the resident CISO at Proofpoint with over 20 years’ experience in security.
Cybercrime has become a profitable business model, as recent ransomware payments show, and criminals continue to perfect low-investment, high-return campaigns. While the majority of attacks start in email, the techniques, tools and procedures cybercriminals use are changing quickly. This rapid evolution makes it increasingly difficult for organization leaders to adapt to changes in the threat landscape in a timely manner.
One of the techniques we see on the rise is social engineering, where malicious actors gather information about the people within an organization to trick users into making security mistakes. Cybercriminals approach people-centric attacks with as much effort, time and resources as they devote to understanding vulnerabilities in enterprise networks. Some emails impersonate colleagues and suppliers, taking advantage of employees who strive to be supportive. Others use reconnaissance information to emulate standard user interfaces, resulting in credential theft.
In a threat environment where criminals strategically target people, federal agency leaders may make many assumptions about who represents the most significant risk within the organization. Those assumptions can be wrong when leaders do not have the complete picture of who is vulnerable, privileged and targeted. And while their ecosystem of security tools monitors network activity, cloud environments and endpoint devices, they may be missing an agency’s greatest security and compliance risk — its people.
Human error is still the most significant risk factor
Phishing and credential theft are two primary techniques that attackers use to gain access to an organization. Verizon’s 2021 Data Breach Investigations Report found that 94% of breaches start with attacks targeting people via email, which is now the number one threat vector.
Complicating the situation, attackers have moved beyond blatantly fraudulent emails, which places more of the burden on an employee with limited time to evaluate an email before opening an attachment or clicking on a URL. Poorly crafted emails still exist and are broadly distributed, but modern email security solutions generally catch those precisely because of their widespread distribution. Today’s attacks are often narrowly targeted and explicitly crafted to subvert traditional email filters, since sending fewer emails reduces the probability of detection.
While traditional cybersecurity threats have been modeled on a linear kill chain — where reconnaissance of system and software vulnerabilities leads to exploitation of those vulnerabilities and access to an organization’s assets — current attack patterns are anything but linear and have highlighted that our employees and those within our supply chain are softer targets.
Attackers do their homework, targeting people based on data readily available to them. Social networking accounts, for example, let them identify, by role and responsibility, which kinds of content a given person is most likely to click on in an email. Once a cybercriminal gains access to the system through a compromised credential or the use of ransomware, they can take their time gathering information about the organization and navigating to the part of the architecture where they can launch their exploits.
People-centric approach to security
Many organizations may make qualitative assumptions about how they are being targeted and attacked. One strategy organizations frequently take involves wrapping added security layers around people in the organization — such as executives or high-level finance resources — based on what they believe is true in the absence of intelligence data. However, that strategy can overlook individuals in a wide range of lower-level job functions that frequently offer criminals an easy opening.
A people-centric approach gives agencies the ability to apply risk-based controls because the tools look at data in three key areas:
- Which job functions within the organization are being targeted?
- Are these employees vulnerable to different types of attacks?
- What system and information access privileges do they have?
Instead of treating everybody in the organization the same way, agency security teams can create a more informed picture about their security risks and implement adaptive security controls based on current situational intelligence. Adaptive controls may include using zero-trust application access, browser isolation, step-up and risk-based authentication and targeted security training. Applying adaptive policies can also benefit user monitoring programs, support privacy requirements, minimize data collection and expedite investigations.
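As an added illustration of the three-factor view above (this is example code, not Proofpoint's or any vendor's scoring model), the script below ranks constructed user records by how targeted, vulnerable and privileged each person is, then assigns adaptive controls per user rather than applying one blanket policy. The weights, thresholds and sample users are assumptions chosen to show how a lower-level role can outrank an executive once real telemetry is considered.

```python
"""Added example: people-centric risk ranking with adaptive controls.
All records, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class UserRisk:
    user: str
    role: str
    attacks_30d: int       # targeted: malicious messages aimed at this user in 30 days
    sim_click_rate: float  # vulnerable: fraction of phishing simulations clicked (0..1)
    privilege: int         # privileged: 0 none, 1 sensitive data, 2 admin / payment approval


def score(u: UserRisk) -> float:
    """Combine the three factors into one 0..1 score (weights are an assumption)."""
    targeted = min(u.attacks_30d / 10, 1.0)   # saturate at 10 attacks per month
    vulnerable = u.sim_click_rate
    privileged = u.privilege / 2
    return round(0.4 * targeted + 0.35 * vulnerable + 0.25 * privileged, 3)


def adaptive_controls(u: UserRisk) -> list[str]:
    """Pick the adaptive controls the article names based on which factors are elevated."""
    controls = []
    if u.attacks_30d >= 5:
        controls.append("browser isolation for links in email")
    if u.sim_click_rate >= 0.2:
        controls.append("targeted security awareness training")
    if u.privilege >= 1 and (u.attacks_30d >= 5 or u.sim_click_rate >= 0.2):
        controls.append("step-up authentication on sensitive applications")
    return controls


def rank(users: list[UserRisk]) -> list[UserRisk]:
    """Highest people-centric risk first."""
    return sorted(users, key=score, reverse=True)


# Constructed sample: the executive everyone assumes is the top target,
# an accounts-payable clerk who is heavily targeted and clicks, and an intern.
SAMPLE = [
    UserRisk("cfo", "executive", attacks_30d=2, sim_click_rate=0.0, privilege=2),
    UserRisk("ap-clerk", "accounts payable", attacks_30d=9, sim_click_rate=0.3, privilege=1),
    UserRisk("intern", "marketing", attacks_30d=1, sim_click_rate=0.4, privilege=0),
]

if __name__ == "__main__":
    for u in rank(SAMPLE):
        print(f"{u.user:10} {score(u):.3f} {adaptive_controls(u)}")
```

In the constructed data the accounts-payable clerk outranks the CFO and receives all three adaptive controls, while the CFO, who is rarely targeted and never clicks, receives none.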
Using a platform approach to manage adaptive controls consolidates and correlates policies and intelligence, and simplifies reporting. The result is increased situational awareness without additional staffing. The workforce efficiency gains allow agency personnel to focus on additional initiatives like those highlighted by the recent White House Executive Order, such as continuous monitoring and compliance.
The growing risk of security threats
Cybercriminals are also getting more organized and functioning more like businesses. In addition to malicious groups creating shared infrastructure, they share information and leverage credential dumps obtained from other security breaches to exploit known visibility gaps. Consequently, agencies need to increase information sharing, control standardization and implement modern security solutions to reduce the risks from the increasing intensity of more targeted attacks.
We work with a global network of customers every day to detect and block advanced threats and compliance risks in more than 2.2 billion emails and 22 million cloud accounts. We see how organizations are getting attacked and which countermeasures are proving most effective. For instance, in the public sector, we can identify which agencies, departments and roles are more targeted than others.
Healthcare organizations, for example, have been increasingly targeted by ransomware attacks both during and following the COVID-19 pandemic response. The aim of those attacks is not so much to disrupt patient care but to extract payment. However, the far-reaching nature of these attacks suggests that criminals could prevent health organizations from providing critical patient care and safety.
Financial institutions and federal regulatory agencies also saw a spike in activity from cybercriminals. Because many of these institutions still use legacy communication systems for transactions, they lost some security visibility and oversight as employees shifted to remote working conditions.
Not surprisingly, cybercriminals saw tremendous opportunities to social engineer account takeovers and infiltrate an entire ecosystem of public and private sector entities that often work closely together.
Another risk factor we see is the number of agencies with underutilized security tools and those who do not take advantage of the complete set of available features. The more security leaders can adapt their security strategies to incorporate a people-centric perspective, the more effective they will become in utilizing the protective controls required to address today’s attacks.
And by working with Proofpoint — with more than a decade’s experience building a global intelligence platform (Proofpoint Nexus), spanning threat protection, information protection and compliance — agencies are equipped to become more secure and protect their people even when they make mistakes.
Learn more about how Proofpoint can help protect federal agencies, and their people, against malicious attackers.