2023 is shaping up to be a transformative year for security teams in the federal government. Regulations such as the Cybersecurity Maturity Model Certification (CMMC), which requires agencies to better authenticate remote access for employees and civilian contractors, are a step in the right direction. But these new security controls will likely require a rethink of how federal agencies secure an expanding threat surface.
As security teams refocus already-stretched IT resources on certifying against these new regulations in the next several months, they can't neglect basic cybersecurity foundations. This is especially critical given the proliferation of today's Highly Evasive Adaptive Threats (HEAT), which target web browsers and use techniques that evade multiple layers of detection in current security stacks, including firewalls, Secure Web Gateways (SWGs), sandbox analysis, URL reputation, and phishing detection. Attackers use HEAT attacks, often delivered through the web, to gain initial access to the network and ultimately download malware or compromise credentials, which in many cases leads to ransomware and other attacks.
As efforts continue around CMMC and other regulations, it will be equally important to proactively and automatically protect users from these web-based attacks by implementing basic, common sense protection capabilities. The peace of mind that comes with a strong security strategy will allow more resources to be directed toward these transformative re-architecture projects without putting the agency at increased risk.
Federal agencies remain a tempting target for web-based attacks
The combination of limited resources and an expanding threat surface, driven by digital transformation, hybrid work and a higher percentage of contractors, makes federal agencies extremely vulnerable to attack. Malicious actors will no doubt look to exploit federal agencies using highly sophisticated techniques designed to evade the traditional security tools those agencies rely on. Targeting the browser, where most work is done today, lets threat actors gain initial access to an end device and lie in wait before spreading through the network in search of more tempting targets.
We recently conducted a browser penetration test for a large federal agency and found that, despite its use of two well-respected next-generation security solutions from top vendors, malicious activity was running rampant across the network after attackers gained initial access through the browser. It's clear that relying on the detect-and-respond approach is not sufficient. Today's evasive threats move much faster than legacy security systems and can deliver their payload within seconds of the initial breach. Once a threat is detected, it's already too late. The damage has been done.
Adding a protective layer on top of the existing security stack
The only way to protect the organization from these threats is to layer prevention capabilities on top of the existing security stack. This additional layer stops events from happening in the first place, and if the browser is breached, you have the monitoring in place to cut it off quickly. Having your bases covered allows you to focus on other things, such as meeting CMMC requirements.
But not all protection is created equal. Three things to look for in a security solution that protects federal agencies from today’s HEAT attacks include:
1. Protection from the unknown
Threat intelligence is important, giving organizations up-to-date information about the latest threats and trends in the cybersecurity landscape. But threat intelligence is limited. As soon as a new security control is developed, attackers quickly find a way around it, so what works today won't necessarily work tomorrow, or even an hour from now. Federal cybersecurity teams need to protect users from unknown threats in addition to known ones. Traditional security technology like URL filtering is insufficient: our internal research shows that 30 to 50 percent of web-based threats originate from uncategorized websites and don't appear on allow lists or block lists.
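To make the "protection from the unknown" point concrete, here is an added example (not code from the original article or its author) of a toy web-category policy engine. It contrasts a block-list-only URL filter, which allows anything its category feed has never labeled, with a policy that treats "uncategorized" as its own risk class and routes such requests to an isolated session. The category feed, domains, URLs and the "isolate" outcome are all constructed for illustration and stand in for whatever a real gateway would do.

```python
"""Added example, not part of the original article: a toy web-category
policy engine showing why a block-list-only URL filter lets uncategorized
sites through, and what a policy that treats 'unknown' as a risk class looks
like. All domains, categories and URLs below are constructed."""
from urllib.parse import urlparse

# Constructed category feed, keyed by registrable domain (hypothetical values).
CATEGORY_FEED = {
    "example-news.test": "news",
    "example-bank.test": "finance",
    "known-phish.test": "phishing",
    "malware-host.test": "malware",
}

BLOCKED_CATEGORIES = {"phishing", "malware"}
TRUSTED_CATEGORIES = {"news", "finance", "business"}


def categorize(url: str) -> str:
    """Return the feed category for a URL's host, walking up parent domains
    (www.example-news.test -> example-news.test); 'uncategorized' if the
    feed has no label for it."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_FEED.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def legacy_decision(url: str) -> str:
    """Block-list-only policy: deny known-bad categories and allow everything
    else, including sites the feed has never seen."""
    return "deny" if categorize(url) in BLOCKED_CATEGORIES else "allow"


def unknown_aware_decision(url: str) -> str:
    """Policy that treats 'unknown' as its own risk class: deny known-bad,
    allow trusted categories, and send anything uncategorized to an
    isolated session (modeled here simply as the string 'isolate')."""
    cat = categorize(url)
    if cat in BLOCKED_CATEGORIES:
        return "deny"
    if cat in TRUSTED_CATEGORIES:
        return "allow"
    return "isolate"


# Constructed sample of web requests; the flag marks which ones were later
# confirmed malicious, to show how many each policy lets straight through.
SAMPLE_REQUESTS = [
    ("https://www.example-news.test/story", False),
    ("https://login.example-bank.test/", False),
    ("https://known-phish.test/login", True),
    ("https://cdn.malware-host.test/x", True),
    ("https://freshly-registered-1.test/invoice", True),  # not in any feed yet
    ("https://freshly-registered-2.test/update", True),   # not in any feed yet
    ("https://partner-portal.test/", False),              # benign but unlabeled
]


def missed_threats(policy) -> list:
    """URLs in the sample that were malicious but the policy allowed outright."""
    return [url for url, bad in SAMPLE_REQUESTS if bad and policy(url) == "allow"]


if __name__ == "__main__":
    for url, _ in SAMPLE_REQUESTS:
        print(f"{url:45} {categorize(url):14} "
              f"legacy={legacy_decision(url):7} "
              f"unknown-aware={unknown_aware_decision(url)}")
    print("missed by legacy policy:", missed_threats(legacy_decision))
    print("missed by unknown-aware policy:", missed_threats(unknown_aware_decision))
```

Run as a script, the table shows both freshly registered domains sailing past the legacy policy while the unknown-aware policy isolates them; the benign-but-unlabeled partner portal is also isolated rather than allowed, which is the trade-off the "doesn't impact productivity" criterion below is about.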
2. Scales across the web
The web is essential to getting work done today, and threats can emerge from compromised websites, SaaS platforms, cloud infrastructure and other web-based platforms. Social engineering can even weaponize users' social media, personal banking or other online services as an attack vector to gain access to their endpoint. Federal cybersecurity teams need a prevention tool that scales across all web traffic, including email, websites, SaaS platforms and private applications.
3. Doesn’t impact productivity
Government employees, especially remote workers, need unrestricted access to online resources. Accessibility or performance issues can hurt productivity and prevent work from getting done. Any prevention solution needs to preserve the native user experience: no new browsers to learn, no lag in performance, no pixelated content, and no disabled features like cut/paste and print. Your users need to be safe, but you can't cut them off from large swaths of the Internet. The web needs to act like… well, the web.
Getting back to basics
Federal agencies will have their hands full with the new CMMC regulations going into effect this year. It's imperative that security teams have a FedRAMP Authorized Partner who will eliminate the web as a source of risk, so you can focus your time and energy on handling this security stack re-architecture as seamlessly as possible. Preventing HEAT attacks from gaining initial access through the browser, with an automated, preventative approach, frees up the necessary resources.