The OPM hack is just one in a series of federal and state network intrusions and data breaches. Other high-profile incidents occurred at the Internal Revenue Service, the State Department, and even the White House. These attacks have occurred despite the $4.5 billion National Cybersecurity and Protection System (NCPS) program and the Department of Homeland Security’s (DHS) Einstein—the multibillion-dollar intrusion detection and prevention system that stands guard over much of the Federal Government’s Internet traffic.
Einstein is an active attack prevention system that resides at the government’s Internet gateways and is designed to analyze traffic flow and perform signature-based detection using rules derived from DHS traffic analysis and data shared by the National Security Agency. In recent years it was acknowledged that intrusion detection alone was not enough, and the Comprehensive National Cybersecurity Initiative (CNCI) introduced the requirement for a government-wide intrusion prevention system, with the goal of stopping cyber-attacks before they reached agency networks.
Additional programs have also been established to share information that stops attackers who follow known attack profiles. The “DHS-provided information” is threat profile information created by DHS’ US-CERT from analysis of existing attacks and threats. US-CERT analysts look into suspicious traffic and, after scrubbing personally identifiable information, share it with the NSA. When threats are identified, the traffic data is used to create rules for the Einstein system’s sensors, which in turn trigger alerts and traffic blocking.
Despite the billions of dollars invested in cybersecurity, the solutions in place appear incapable of catching the tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks. These attacks are sophisticated and customized, so they are not easily identified by known signatures, and once executed they tend to look like normal network traffic, making them extremely difficult to detect.
In short, these systems work well at stopping known attacks that have been seen before. They fail, however, to protect against “zero-day” attacks that disguise themselves as normal traffic, and they don’t detect intrusions that have entered the network through HTTPS or other means of getting past perimeter security systems.
Common Criteria is an internationally recognized standard that defines a framework for evaluating the security of IT products. US government organizations, many international government entities, and many global Fortune 500 corporations require Common Criteria certification to aid in the evaluation of IT products for their infrastructures.
The stakes are high for all forms of government: federal, state, and local governments and educational institutions are all exposed. Foreign intelligence services have a goldmine of information about federal employees at every level of the government that could be leveraged for additional highly targeted cyber attacks and other espionage. State governments are an attractive target for cyber-criminals who look to take advantage of antiquated tax systems and capitalize on the sale of government personnel and financial data.
Today, government agencies are not required to disclose breaches, though over time this may change, and they could be held to the same standards as financial, healthcare, and other organizations that handle personal information.
Whether it is driven by the failure of today’s security solutions to prevent and quickly detect breaches, or by future regulation, we expect it is only a matter of time before the government looks seriously at a modern approach to network security: one designed to detect intrusions that have bypassed perimeter security solutions and are mounting their attack inside the network. With modern high-interaction threat detection systems, agencies will detect intrusions inside their network in real time and receive the threat intelligence needed to understand an attacker’s intent and methods and to promptly shut down attacks.
Attivo takes a modern approach to network security and operates on the premise that attackers will get inside the network. Attivo has created advanced network security solutions that use deception-based threat detection techniques to help government organizations dramatically increase the speed at which threats inside the network are uncovered, understand an attacker’s intent, and establish a defense against future attacks.
The Attivo BOTsink® Solution’s active deception techniques lure attackers into engaging with the BOTsink Solution instead of company servers or POS devices. Highly interactive decoys are 100% customizable to a retailer’s environment for additional authenticity. Signatures and big data analytics are not required to detect intrusions, and there are no false positives (noisy alerts), since an alert is generated only by real engagement. A full suite of forensics is provided via the Attivo threat intelligence dashboard and IOC reports, giving preventative systems the tools to shut down current and future attack attempts.
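To make the contrast between the two detection models concrete (signature rules that only catch what has been seen before, versus decoys that alert on any engagement because no legitimate workflow touches them), here is an added illustration in Python. It is not Attivo code and does not reflect how BOTsink works internally; the log format, hostnames, the single signature rule and the decoy host list are all constructed for this example.

```python
"""Signature matching vs. decoy-engagement detection over constructed log lines.

Added illustration for this article, not Attivo or BOTsink code. The log
format, hostnames, signature rule and decoy list are assumptions made up here.
"""
import re
from dataclasses import dataclass

# Constructed connection-log lines in a made-up format:
#   <src_ip> <dst_host> <dst_port> <request line or payload snippet>
SAMPLE_LOG = """\
10.0.1.15 hr-fileshare.gov.example 445 SMB2 TREE_CONNECT payroll
10.0.1.15 www.agency.example 443 GET /index.html
10.0.2.7 www.agency.example 443 GET /cgi-bin/status?id=1%27%20OR%201%3D1
10.0.3.9 decoy-fs-03.gov.example 445 SMB2 TREE_CONNECT finance
10.0.1.15 decoy-db-01.gov.example 1433 TDS login attempt user=sa
10.0.4.4 www.agency.example 443 GET /about.html
"""

# Perimeter-IDS style rules: they can only describe patterns already known.
SIGNATURES = {
    "sqli-or-1=1": re.compile(r"(%27|')\s*(%20|\s)*OR(%20|\s)+1(%3D|=)1", re.I),
}

# Decoy hosts (assumed names). Nothing legitimate ever connects to them, so a
# connection is evidence of engagement rather than a pattern match.
DECOY_HOSTS = {"decoy-fs-03.gov.example", "decoy-db-01.gov.example"}


@dataclass(frozen=True)
class Alert:
    detector: str   # "signature" or "decoy"
    src_ip: str
    dst_host: str
    detail: str


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, host, port, payload = line.split(" ", 3)
        events.append({"src": src, "host": host, "port": port, "payload": payload})
    return events


def signature_alerts(events):
    """Alert only when a payload matches a known signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["payload"]):
                alerts.append(Alert("signature", ev["src"], ev["host"], name))
    return alerts


def decoy_alerts(events):
    """Alert on any connection to a decoy, regardless of what the payload looks like."""
    alerts = []
    for ev in events:
        if ev["host"] in DECOY_HOSTS:
            detail = f"port {ev['port']}: {ev['payload']}"
            alerts.append(Alert("decoy", ev["src"], ev["host"], detail))
    return alerts


def triage(text):
    """Run both detectors and report which sources only the decoys exposed."""
    events = parse_log(text)
    sig = signature_alerts(events)
    dec = decoy_alerts(events)
    seen_by_signatures = {a.src_ip for a in sig}
    # Hosts whose traffic looked normal to the signature rules but which
    # engaged a decoy: the gap the article describes for perimeter tooling.
    decoy_only = sorted({a.src_ip for a in dec} - seen_by_signatures)
    return {"signature": sig, "decoy": dec, "decoy_only_sources": decoy_only}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for alert in result["signature"] + result["decoy"]:
        print(alert)
    print("sources exposed only by decoys:", result["decoy_only_sources"])
```

Running the block on the constructed log shows the signature rule firing once, on the obvious SQL injection probe, while the two decoy connections come from hosts whose other traffic is indistinguishable from normal browsing and file-share use. The decoy alerts carry no pattern at all; the only condition is that a decoy was touched, which is why the approach produces no alerts on legitimate traffic in this data set.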
The Attivo active deception techniques are authentic and proven to detect threats aimed at exfiltrating client records and valuable business information stored in data centers, shared with other government departments, and associated with Internet/web presence, HTTPS, and phishing attacks.