There is a virulent plague spreading across the globe, Homeland Security Secretary Alejandro Mayorkas warned earlier this year. But he wasn’t talking about COVID-19. Instead, he was referring to what he called “an epidemic that is spreading through cyberspace: ransomware.”
As Mayorkas pointed out: “Ransomware is not new. It has been around for years. What is new is the evolution of attackers’ methods … and the increased frequency of these attacks.”
Ransomware is enormously profitable: The attacks last year that were publicly acknowledged by their victims netted the perpetrators nearly $350 million—a three-fold-plus increase over the previous year—according to a Chainalysis analysis of cryptocurrency transactions linked to them. Accounting for unacknowledged attacks, that figure represented “the lower bound of the true total,” the company said.
Those ill-gotten gains have fueled increasingly adaptive and innovative malware. But they have also funded new extortion techniques that double the pressure on victims, such as exfiltrating data before encrypting it and then threatening to dump it publicly.
Worse, sophisticated cybercrime-as-a-service groups can be used as cutouts by nation-state intelligence services to mask their activities and avoid attribution, according to BlackBerry’s 2021 Threat Report.
There have been no successful ransomware attacks on federal agencies reported publicly to date, but Grayson Lenik, director of consulting and professional services at Trustwave Government Solutions, points out that it’s only a matter of time.
“Someone is going to be the first,” he says. “It’s probably inevitable. … These are determined, adaptive and skilled adversaries, and they only have to get lucky once. Defenders have to be successful 100 percent of the time.”
Defeating ransomware and other online attacks requires discipline. Because the system is only as secure as its weakest link, defending it demands the rigorous application of cyber best practices all across the network.
“Preparation is the key,” says Lenik. “Attacks are going to happen, someone is going to be unlucky and luck favors the prepared.” System administrators must have complete visibility of their network, comprehensive response plans, and the ability to proactively test their security.
“If you don’t test your network security, the adversary will test it for you. They’ll do it for free, but the cost doesn’t bear thinking about,” he adds.
Trustwave Government Solutions, a U.S.-based subsidiary of global cybersecurity firm Trustwave, can help federal agencies with both proactive and reactive security, says Lenik.
On the reactive end, incident response is all about speed: “Once you go into reaction mode, you’re tying together your forensics, your monitoring, pulling in your helpdesk and your Security Operations Center, to try to figure out what happened absolutely as fast as possible, and to plug that hole.”
TGS’s suite of managed security services, including Incident Response and Security Operations Center-as-a-service, can minimize time to resolution while maximizing response effectiveness. Gartner’s most recent Magic Quadrant report for managed security services places Trustwave in the sought-after Leaders quadrant.
Many federal agencies have reached a baseline of maturity, Lenik says. “We are focused on agencies that are ready to take their capability to the next level.” And that means moving left of boom: implementing proactive security measures to prevent successful attacks and to limit their consequences.
“Being proactive about security means you’re putting defense in place at multiple layers,” explains Lenik, “You’re training the users at their workstations and their laptops, you’re monitoring the network and the perimeter. You’re sandboxing your public, internet-facing infrastructure, because, if an adversary has a direct path, from those exposed systems that are going to be attacked—and at some point, attacked successfully—into your internal network? Well, that’s game over, isn’t it?”
And sandboxing or network segmentation are excellent examples of the kind of security controls that require rigorous discipline in implementation. “There are a million ways this can go wrong,” Lenik explains. A single stray connection can circumvent a border firewall. “Now you’ve taken those systems that were supposed to be easily replaceable, sacrificial, and you’ve made them a part of your internal network, not by choice, but by accident.”
Such errors are almost impossible to eliminate entirely, especially in organizations as large and complex as federal agencies, but they are relatively easy to detect using penetration testing and other proactive security measures. “These simple flaws are easy to detect with offensive testing,” says Lenik, “But they’re extremely detrimental to an organization.”
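The “single stray connection” Lenik describes is something a defender can look for in their own flow data before a pentester finds it. The following is an added example, not TGS or Trustwave tooling: it reads connection records of the kind a firewall or NetFlow collector exports, and flags every flow that crosses from the sacrificial, internet-facing zone into the internal network without an explicit allow-list entry. The zone ranges, the five-field record format, the allow-list and the sample flows are all constructed assumptions for illustration.

```python
"""Segmentation audit over a constructed connection log.

Added example (not Trustwave's or TGS's code). Given flow records in an
assumed "src,dst,dport,proto,bytes" format, report any DMZ -> internal
connection that is not on the explicit allow-list. A hit means an
internet-facing host has a path into the internal network that nobody
chose to give it.
"""
import ipaddress

# Assumed zones: public-facing (sacrificial) hosts vs. the internal network.
DMZ = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Assumed allow-list of the only DMZ -> internal paths that should exist:
# (source host, destination host, destination port, protocol).
ALLOWED = {
    ("203.0.113.10", "10.0.5.20", 5432, "tcp"),   # web tier -> database only
}

# Constructed sample flows (format and values are assumptions).
# Internal -> DMZ traffic (admins reaching the web tier) is expected and
# is not a segmentation violation; only the DMZ -> internal direction is.
SAMPLE_FLOWS = """\
203.0.113.10,10.0.5.20,5432,tcp,18233
203.0.113.10,198.51.100.7,443,tcp,5120
203.0.113.22,10.0.0.15,445,tcp,902
203.0.113.22,10.0.0.15,22,tcp,3044
10.0.7.3,203.0.113.10,443,tcp,2211
203.0.113.10,192.168.12.9,3389,tcp,640
"""


def in_zone(addr, zone):
    """True if the address falls inside any network of the zone."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in zone)


def parse_flows(text):
    """Yield (src, dst, dport, proto, bytes) tuples, skipping blanks/comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        yield (src, dst, int(dport), proto.lower(), int(nbytes))


def audit_segmentation(flow_text, allowed=ALLOWED):
    """Return (src, dst, dport, proto) for every DMZ -> internal flow that is
    not on the allow-list, in the order the flows were seen."""
    violations = []
    for src, dst, dport, proto, _ in parse_flows(flow_text):
        if in_zone(src, DMZ) and in_zone(dst, INTERNAL):
            key = (src, dst, dport, proto)
            if key not in allowed:
                violations.append(key)
    return violations


if __name__ == "__main__":
    for v in audit_segmentation(SAMPLE_FLOWS):
        print("stray DMZ->internal path: %s -> %s:%d/%s" % v)
```

Run against the sample, the audit reports the SMB and SSH sessions from the second DMZ host to an internal server and an RDP session from the web tier into a workstation range, while the allow-listed database connection and the outbound and inbound-to-DMZ flows pass. In practice the allow-list should be generated from the firewall policy rather than typed by hand, so that the audit tests the policy as deployed and not as remembered.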
TGS offers a full range of offensive security testing services. “We will take something like multifactor authentication and try to poke holes in the implementation. Are there flaws? Can we test the humans running it? Is there a business process problem?”
“Cybersecurity is about people, process and technology,” says Lenik, “We cover all three.”
• People: TGS workforce are U.S. citizens with the clearances, certifications and boots-on-the-ground experience needed for even the most sensitive, specialized work.
• Processes: TGS has experience setting up compliance processes for mandatory programs such as the DHS Continuous Diagnostics and Mitigation (CDM) program and the DoD Cybersecurity Maturity Model Certification (CMMC). TGS also provides 100 percent U.S.-based plug-and-play services such as incident response, threat hunting and SOC-as-a-service, and can help with IR planning.
• Technology: TGS offers full-stack managed security, including network and email gateways, intrusion detection and prevention systems and next-generation firewalls, through the Trustwave Fusion Platform, offered as a GovCloud-based service. FedRAMP authorization is in progress and is expected to complete in the last quarter of this year or the first quarter of next.
People, processes and technology is a good construct to keep security practitioners focused on the three facets of their job, acknowledges Lenik. But more than 20 years providing cybersecurity services to the U.S. government has taught TGS one thing: “In the end, it all comes down to people,” he says.
“Technology isn’t perfect and doesn’t implement itself. You can spend a million dollars on the best, most advanced technology in the world, but without the right people to set it up, configure it and run it, what you have is a million-dollar doorstop.”
“Processes can fall apart,” he adds, “I’ve seen it a hundred times. The security team implements some changes, introduces new controls and they inconvenience someone or some group of users and the changes get backed out, but no one tells the security team, and you are left with a big hole in your defenses.”
TGS’ people are the kind of professionals who won’t let that happen. Since its founding in 2005, Trustwave’s SpiderLabs (the name comes from SPDR: Secure, Protect, Defend and Respond) has been a byword for experience and excellence in cybersecurity consulting. In 2015, when Singapore’s Singtel took a controlling interest in Chicago-based Trustwave Inc., it spun TGS off as an independent U.S.-based subsidiary.
Today, TGS is a FOCI-mitigated entity with a Superior rating from the Defense Counterintelligence and Security Agency—the highest-level rating awarded to private sector companies. TGS has its own SpiderLabs team, combining the excellence of the global organization with the clearances and certifications required for even the most sensitive and specialized work for U.S. agencies.
“Our people are good at this work, because they came up doing it,” says Lenik, noting the company employs many former federal security professionals with unique and/or hard-to-find skillsets. “I’m sorry, but having a single certification does not make you a cybersecurity professional, it just doesn’t. Our people have real expertise.”
The TGS corporate culture is “a suit-and-tie environment, rather than a Hawaiian shirt and flip-flops environment. We find that former law enforcement, federal government and military personnel are very comfortable with that … and we like to recruit from that pool because they have the mindset and the necessary qualifications, but above all the skills,” he says.
“Our corporate culture is very patriotic. We are able to attract those people because we have those people, we have that commitment to public service in our corporate DNA.”
TGS’ SpiderLabs has nearly 200 such professionals on its books. That may not sound like many, but cybersecurity, like special operations, tends to be a small-team activity. Pentesting teams might be as small as one person or as large as a dozen; IR teams, two or more. “Cyber conflict is asymmetric,” notes Lenik. “We’ve built our teams to maximize their cutting-edge capabilities, not to maximize their numbers.”
“Staffing is probably the number one challenge in federal cybersecurity right now,” he observes, which makes it tough for agencies to build the kind of world-class team needed to defend against nation state hackers. “Agencies recruit these people, they train them, then they move up through the structure. When they leave, they’re leaving a senior post [open] and so you need that pipeline of people coming up through the organization to fill that gap.”
The problem is that competition for cleared, trained professionals from higher paying employers in the private sector has made that pipeline rather leaky, leaving agencies struggling to fill vacancies.
TGS offers federal agencies the flexibility they need to meet their security goals at a price they can afford.
“In the midst of that workforce crisis, the danger is that some specialist roles might fall through the cracks,” says Lenik, “We can provide the depth on the bench that our customers require to get through that hump.”
Above all, TGS can offer its customers flexibility. “When you hire some huge faceless corporation, you get a huge, faceless, canned service. We can be flexible, agile, responsive—we can push the envelope to get our customers what they need.”