Network and system endpoints, i.e., workstations and servers, are the most vulnerable network and system elements because they directly interface with the applications that we use. Those applications act as gateways into those endpoints and thus are used by cyberattackers to deliver the malware that will enable them to carry out their nefarious missions. This is especially true of ransomware, which targets files and data that are accessible on or from those endpoints. The cyberattacker’s goal is to gain access and control of as many endpoints as possible.
Most of the applications in the public safety and justice communities are based on common operating systems used around the world. So, with such a large footprint, the likelihood that cyberattackers will find an unsecured endpoint is very high. In addition, users often are fooled by very well-disguised emails and attachments that appear to be from a legitimate source, but instead are the work of cyberattackers. Read more about the threat in our post, "If You're Operating an IP-Based Network, Plan to be Attacked."
For example, the cyberattack that targeted SolarWinds’ Orion network-monitoring/remote-monitoring platform—which has been implemented by a great many organizations, including the White House, the Pentagon, the U.S. Department of Energy and many other government agencies and technology companies—was particularly clever. The perpetrators designed the malware to look like Orion software files with a signed certificate. When the user deployed what he or she thought was a legitimate update, the malware was distributed. The traffic looked exactly like Orion traffic, so there were no red flags; consequently, it was easy to overlook the breach, which is why it was so widely distributed.
When a cyberattacker gains access to a workstation or server, it represents the beginning, not the end, of the ordeal. Once inside, the cyberattacker will navigate laterally, sometimes unseen for months, to discover other exploits and unprotected files. Once found, those files are compromised in some way, to disrupt the organization’s operations or to steal sensitive information. In the case of a ransomware attack, the files are encrypted, and the victim is informed by the cyberattacker to pay a fee to decrypt them, which is how this type of attack got its name. Today ransomware is one of the most common attacks, in both the public and private sectors, because of its vast revenue-generating potential and high probability of success.
A huge problem for organizations today in the fight against cyberattacks is that the attackers and their tactics are evolving continuously, seemingly by the minute—a problem we explore monthly in our CyberChat video series. As a result, it is extremely difficult to keep pace with them from a cybersecurity perspective. Indeed, many types of malware have emerged that are completely undetectable by legacy antivirus programs and whitelisting tactics. One example is fileless malware, which is particularly insidious. Unlike most malicious software, fileless malware does not rely on computer files to carry out its attack, but rather uses legitimate programs—and thus leaves no footprint. The Ponemon Institute—an information technology research firm based in Traverse City, Mich.—estimates that fileless malware attacks are 10 times more likely to occur than a file-based attack, due to their stealth.
Because attack vectors mutate constantly, the legacy antivirus and whitelisting approaches cannot possibly keep up. So, what is a public-safety or justice agency to do?
Embrace the Concept of Managed Detection and Response
MCP’s recommendation is to embrace the concept of managed detection and response—which is what we did when we recently added an endpoint protection solution to our NetPulse Secure™ cybersecurity monitoring suite.
Unlike traditional signature-based antivirus offerings, MCP’s endpoint protection solution uses artificial intelligence (AI) and machine-learning (ML) models to detect zero-day malware, i.e., malicious software that cannot be detected and/or cannot be mitigated by legacy antivirus signatures. The solution is backed by MCP’s security operations center (SOC), which continuously monitors for threats 24 x 7 x 365 and alerts clients to suspicious activities.
In simple terms, the AI and ML models hunt for certain behaviors as opposed to specific files or signatures—unlike legacy antivirus software. When they find one that appears malicious, the SOC immediately responds by quarantining the affected network or system and/or removing the malware from the affected endpoint, effectively stopping the attack in its tracks.
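To make the distinction in the paragraph above concrete, here is an added illustration (not MCP’s product code, and not the logic of any real endpoint protection solution) run over a constructed stream of endpoint telemetry. A signature check looks only at a binary’s hash, so a rebuilt variant slips past it; two simple behavior rules, an office application spawning a script interpreter and one process renaming many files in a short window, flag the same activity regardless of what the binary hashes to, and the hosts they fire on become the candidates for quarantine. All hashes, hostnames, paths, thresholds and rule names are constructed for the example.

```python
import hashlib
from collections import defaultdict

def sha(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed "known bad" hash list, the way a signature-based product carries one.
KNOWN_BAD_SHA256 = {sha("dropper build 1")}

# Constructed behavior rule parameters (illustrative values, not a vendor's tuning).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MASS_RENAME_THRESHOLD = 10   # renames by one process ...
MASS_RENAME_WINDOW = 5.0     # ... within this many seconds

# Constructed telemetry: (time_s, host, event_kind, fields). The dropper here is a
# rebuilt variant, so its hash no longer matches the signature list above.
EVENTS = [
    (0.0, "ws01", "process_start", {"pid": 100, "ppid": 1,   "image": "winword.exe",    "sha256": sha("winword")}),
    (2.0, "ws01", "process_start", {"pid": 101, "ppid": 100, "image": "powershell.exe", "sha256": sha("powershell")}),
    (3.0, "ws01", "process_start", {"pid": 102, "ppid": 101, "image": "update.exe",     "sha256": sha("dropper build 2")}),
] + [
    (4.0 + i * 0.2, "ws01", "file_rename",
     {"pid": 102, "path": f"C:\\Users\\u\\Docs\\report{i}.docx",
      "new_path": f"C:\\Users\\u\\Docs\\report{i}.docx.locked"})
    for i in range(12)
]

def signature_hits(events):
    """Legacy approach: flag a process only if its binary hash is already known bad."""
    return {f["pid"] for _, _, kind, f in events
            if kind == "process_start" and f["sha256"] in KNOWN_BAD_SHA256}

def behavior_hits(events):
    """Behavior approach: flag what a process does, independent of its hash."""
    alerts = []
    image_of = {}                 # pid -> image name, for parent/child lookups
    renames = defaultdict(list)   # (host, pid) -> timestamps of file renames
    fired = set()                 # (rule, host, pid) already alerted, to alert once
    for t, host, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "process_start":
            image_of[f["pid"]] = f["image"]
            parent = image_of.get(f["ppid"], "")
            if f["image"] in INTERPRETERS and parent in OFFICE_APPS:
                key = ("office_spawns_interpreter", host, f["pid"])
                if key not in fired:
                    fired.add(key)
                    alerts.append({"rule": key[0], "host": host, "pid": f["pid"]})
        elif kind == "file_rename":
            stamps = renames[(host, f["pid"])]
            stamps.append(t)
            recent = [s for s in stamps if t - s <= MASS_RENAME_WINDOW]
            if len(recent) >= MASS_RENAME_THRESHOLD:
                key = ("mass_rename", host, f["pid"])
                if key not in fired:
                    fired.add(key)
                    alerts.append({"rule": key[0], "host": host, "pid": f["pid"]})
    return alerts

def isolation_targets(alerts):
    """Response step: the hosts whose alerts warrant network quarantine."""
    return {a["host"] for a in alerts}

if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))          # empty: variant hash unknown
    for a in behavior_hits(EVENTS):
        print("behavior alert:", a)
    print("isolate:", isolation_targets(behavior_hits(EVENTS)))
```

The point of the contrast is the first line of output: the signature set is empty because the variant was rebuilt, while both behavior rules fire on the same run. Real products add many more signals and weigh them statistically, but the two rules here are the kind of parent/child and file-activity patterns such models learn from.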
The new solution is designed specifically for mission-critical and public-sector networks—including servers, workstations, tablets and other devices—which are twice as likely to be infected with malware or ransomware as other networks.
As exciting as this development is, it is important to note that it is but one layer in a multilayer approach to cybersecurity. We would welcome the opportunity to discuss all of the ways that MCP’s lifecycle management services division can help you not only protect your mission-critical networks, but also keep them performing optimally. So, please reach out.
In the meantime, we urge you to participate in our second-annual Conference for Advancing Public Safety (CAPS), a two-day virtual conference that will be held June 15-16. During the conference we will present a session entitled “Cybersecurity and the Public Sector: What We’ve Learned,” from 11:00 a.m. - 12:00 p.m. Eastern on June 15. I guarantee that you will find it to be time well spent.
Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at MikeBeagles@MissionCriticalPartners.com.