Avoiding data extortion: A guide for federal agencies

Keeping backup data untouched guarantees that it's always recoverable and a ransom will never have to be paid, no matter what.

Government data is under attack. The intel held in federal agencies’ databases keeps our society up and running and often includes sensitive personal information about citizens and government initiatives. Just as healthcare has become a favorite target amongst cybercriminals for its valuable and extensive data and the technical skills gap in its workforce, a similar pattern is emerging in the public sector. Here, hackers encrypt, or otherwise withhold, sensitive data to extort victims within the public sector for profit, including critical infrastructure, cities and municipalities, and federal agencies.

The latest stats report a surge in distributed denial-of-service attacks against the government sector in Q4 2023, increasing 163% from Q3 and 4,025% from the previous year. Criminals are increasingly attacking cities and municipalities, such as the headline-driving attacks on Oakland and Dallas last year. Fulton County in Georgia was attacked in January by hackers who threatened to release stolen data unless a ransom was paid. To make matters worse, the Phobos ransomware-as-a-service operation has been targeting “entities including municipal and county governments, emergency services, education, public healthcare and critical infrastructure to successfully ransom several million in U.S. dollars,” according to several government intelligence agencies.

Municipalities are not the only ones at risk. Federal government agencies are not immune, and in fact are increasingly becoming targets themselves. The most notable example is likely the SolarWinds cyberattack of 2020, which trojanized software widely used in the federal government to breach the agency information systems it was installed on. More recently, just last year, vulnerabilities in MOVEit, a widely used file transfer software, led to several federal government agencies being breached in a widespread hacking campaign by the notorious Clop ransomware gang.

While the situation may seem dire, hope is not lost if people join together to recognize this threat and tailor solutions to fit the unique challenges of federal technology. By focusing on preparation, agencies can avoid having to pay exorbitant ransoms on the back of taxpayer dollars and disincentivize ransomware attacks throughout the public sector.

Playing catch up

Federal agencies face unique challenges when it comes to protecting their data. Access to budgets and lengthy timetables can be major barriers to obtaining the technology solutions needed to effectively protect the IT infrastructure. On top of that, the data management role is rapidly evolving. Five years ago, data management was just about storage or server administration, but now it includes security on top of that. A main reason for this is that as the way people work has evolved, so too have the solutions that need to be employed to protect that workspace. For example, when employees started accessing work intel on their personal devices, IT teams implemented cloud access security brokers to monitor and protect data at the edge of the distributed IT architecture. Each of these layers has accumulated a different type of solution that employees have to buy, understand and train on. It’s a lot for teams to keep up with.

The game is changing so fast, and threat actors in 2024 are moving so quickly, that it becomes difficult for federal tech teams to move at the speed required to keep up. It can also become a hindrance to wait on the bureaucracy of accessing budgets to buy and implement a new solution to keep up with the evolving landscape.

To avoid falling into a cycle of just being reactive to the latest threat, it becomes much more practical and effective to focus on preparing for what has become practically inevitable. Let’s discuss ways agencies can prepare for the event of a cyberattack ahead of time, ensuring they’re not struggling to play catch up on the day one hits.

Fighting back

The key is to always operate as if the organization is on the cusp of an attack. That might sound extreme to some, but the truth is that it’s no longer safe to assume that a cyberattack won’t hit an organization just because of its size, location, etc. While most agencies are equipped with the best protection and detection tools, the nature of today’s threat landscape means that oftentimes, they are still hit by ransomware without knowing it. Cybercriminals are consistently coming up with new tactics and leveraging artificial intelligence so that by the time a new attack method is identified, it’s too late for the impacted organizations.

Some feel that the only cyber threat to government agencies comes from nation state actors or cyberespionage, but even departments that are not primary targets for these types of attacks can become victims. Cybercriminals are casting their nets far and wide with their attacks, hoping to find any door they can exploit to enter a network.

Most IT professionals have heard of the zero trust security framework, which requires every user on the network to be authenticated at every request before being granted access. Without these precautions, threat actors can impersonate a user or service and use those elevated privileges to move around the architecture and steal information that they then hold for ransom. Zero trust helps to prevent this exposure by taking a “trust no one” approach to security: it assumes that any account could be compromised and adds extra measures to ensure everyone is who they say they are.

Despite becoming a more mainstream model across cybersecurity teams, zero trust still hasn’t made its way into backup strategy – leaving organizations’ data vulnerable. IT teams tend to separate data storage/backup from cybersecurity strategy, but the two need to be completely intertwined. Zero trust data resilience is a new model that applies the zero trust approach to data storage by segmenting backups in an immutable environment. Immutability is a storage-level control that ensures data cannot be modified or destroyed once it has been uploaded to the backup environment. Doing so removes the ability of a threat actor to delete or alter backup data, even if they’re already moving about the main network. This creates a zero-access barrier around the backup data and keeps it away from the rest of the infrastructure, separating the data so it can’t be stolen or encrypted.
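The immutability property described above, as an added illustration that is not Object First's product or any vendor's API (every name below is a constructed assumption): a write-once backup vault that refuses overwrites and deletes until a retention period ends, regardless of the caller's role, and that checks a stored hash on restore.

```python
"""Toy model of an immutable (WORM) backup vault with a retention lock.

Added illustration, not the article's or any vendor's code. It shows the
behaviour the article describes: once a backup lands in the vault it cannot
be modified or deleted before its retention period ends, even by a caller
holding an administrative role (e.g. stolen admin credentials), and restores
are verified against the hash recorded at write time.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

RETENTION_DAYS = 30          # constructed policy value
DAY = 24 * 3600


class ImmutabilityViolation(PermissionError):
    """Raised when an overwrite or delete would break the retention lock."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    data: bytes
    sha256: str
    locked_until: float      # epoch seconds; no change allowed before this


@dataclass
class ImmutableVault:
    """WORM store: write once, read many, delete only after retention expires."""
    clock: Callable[[], float] = time.time   # injectable so tests can advance time
    _objects: Dict[str, BackupObject] = field(default_factory=dict)

    def put(self, name: str, data: bytes) -> BackupObject:
        if name in self._objects:
            # Overwrites are refused outright; new data must use a new name.
            raise ImmutabilityViolation(f"{name!r} already exists and is locked")
        digest = hashlib.sha256(data).hexdigest()
        obj = BackupObject(name, data, digest, self.clock() + RETENTION_DAYS * DAY)
        self._objects[name] = obj
        return obj

    def delete(self, name: str, role: str) -> None:
        # The caller's role is deliberately not consulted for the lock check:
        # immutability is a property of the storage, not of the caller's privilege.
        obj = self._objects[name]
        if self.clock() < obj.locked_until:
            raise ImmutabilityViolation(f"{name!r} retained; role={role} cannot delete")
        del self._objects[name]

    def restore(self, name: str) -> bytes:
        obj = self._objects[name]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise ValueError(f"integrity check failed for {name!r}")
        return obj.data

    def names(self) -> List[str]:
        return sorted(self._objects)
```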

Keeping backup data untouched guarantees that it’s always recoverable and a ransom will never have to be paid, no matter what. It keeps cybercriminals from ever completely crippling the agency and will become an essential part of national security as we continue to face advanced threats from the cyber realm.

Sterling Wilson is product strategist at Object First.

Copyright © 2024 Federal News Network. All rights reserved.