Mandiant Director of Government Solutions Tim Wellsmore argues that public-private partnerships are vital for helping government agencies achieve truly proactive cyber defence, and the intelligence that underpins it.
By Tim Wellsmore
In Australia, Prime Minister Scott Morrison recently warned that Australian networks, including all levels of government, face intensifying cyber attacks from a “sophisticated state-based actor.”
While the government did not outline motivations for the attacks, and the tactics, techniques and procedures (TTPs) appear to be widely known, the decision to issue a statement was itself a stark warning that the cyber threat landscape is evolving in ways that make passive cyber defence increasingly untenable.
In both the public and commercial sectors, cyber threats continue to grow more complex as adversaries succeed in exploiting gaps in cyber defences to achieve their objectives. Yet organisations’ cyber defence missions frequently aren’t evolving in tandem with those threats. This is a problem, because proactive defence is by far the best approach an organisation can take. Key to it are an intelligence-led framework, the ability to understand and communicate the broader context of cyber threats, and offensive capabilities directed at the organisation’s own systems that can be used, consensually and legally, for security validation. That menu can look a little full, however, when a public sector agency is juggling tight budgets, scarce resources and a risk aversion grounded in the extremely high stakes at play.
Public-private partnership (PPP) offers unique support for reconciling these issues and ensuring government agencies achieve proactive defence against cyber threats that are rapidly evolving and proliferating. But realising the full potential of PPP depends on understanding why the evolving threat landscape uniquely impacts the public sector and how to build proactive defence on intelligence-led foundations.
Espionage is not the only concern for government
Historically, government agencies have focused primarily on espionage, and that remains a vital priority. However, we’re also seeing financially motivated cybercrime threats spread at the level of individual agencies and accumulate into something significant at the national level.
Even where their TTPs overlap, cybercrime is distinct from espionage and requires a different defence and response. It is also a threat that grows more serious each year, particularly ransomware: US figures indicate that governments saw a staggering 150 per cent increase in reported attacks compared with 2018.
Based on FireEye’s insights and those of others, ransomware attacks have jumped in frequency and evolved further in sophistication, especially during COVID-19. Unfortunately, this is most likely because the model succeeds in monetising the victim environment, which makes it hard to imagine a near future in which the threat diminishes. Ransomware operators are adopting more business-like payment structures and more sophisticated methodology, including a shift to post-compromise deployment (gaining access first and detonating the ransomware only once the environment has been mapped), double ransoms, and deliberate, targeted lateral movement inside networks to determine which systems would cause the most pain if taken offline.
The financial risk is significant, but so are the risks to sensitive data and public trust. Government agencies therefore cannot afford to underestimate cybercrime when assessing their threat profiles, yet many do.
With the emergence of dual espionage and cybercrime operations, malicious actors are themselves leveraging a kind of PPP, to devastating effect. High-profile examples include APT41, a China-based actor that carries out both state-sponsored espionage and financially motivated operations, and APT38, a North Korean state-sponsored group associated with the activity publicly tracked as Lazarus, which has undertaken both financially motivated and espionage activity. Sometimes these entities even perform financially motivated activity outside the control or awareness of their state sponsor, making predictions about their behaviour and methodology harder.
Effectively detecting and responding to alerts involving these groups requires a broad understanding of their backgrounds and, importantly, continuing intelligence on their global campaigns as they unfold.
For instance, identifying activity from APT41 tells a security team to keep a dual focus: on its crown jewels from an espionage perspective, and on defending against financially motivated cybercrime. Even details such as where the group is based and which public holidays it is likely to observe can inform the response to an attack.
Proactive defence via PPP is the best answer to new adversaries and tactics
Proactive defence is the pre-emptive work to make infrastructure more resilient and an organisation more responsive to cyber threats, including the use of authorised offensive activity for testing purposes.
The alternative, passive defence, in which security teams simply wait and try to block attacks as they arrive, exposes agencies and the government to serious and systemic risk. For some organisations, compliance requirements and best-practice standards inform the bulk of their security strategy, leaving them exposed to adversaries who adapted long ago beyond the defences of typically slow-moving compliance requirements and generic standards.
Usually this isn’t a product of apathy. Even among those trying to take a more proactive approach, government entities tend to have tight budgets and visibility that is often limited to threats within a single country rather than the wider global context. And while it might be tempting to assume they can benefit from inter-agency intelligence sharing, many lack access to, or the controls required to handle, critical yet sensitive information, because of the necessarily classified environments of most central intelligence agencies. Lastly, public sector organisations usually don’t have the resources to build their own intelligence operations.
As a result, PPP is vital for helping government agencies achieve truly proactive defence – and intelligence is one of the main reasons why. The right partner can draw on a broader, more global pool of intelligence to help agencies understand the most relevant cyber threats and how they fit into their wider risk portfolio.
Combining research with intelligence gathered from victim environments, a private partner can also apply an exhaustive understanding of adversaries and their TTPs to conduct agreed-upon red-team activities against the organisation’s own systems. No platform available today can automate these activities, drawing intelligence from the frontline and continually testing against the latest attacks, without putting the organisation’s network at risk. In our experience, this is one of the most effective measures for security validation, in the same way that a rugby team is better prepared by playing actual matches than by studying techniques in isolation.
Drawing on outside expertise when necessary can be a cost-effective way to augment in-house capabilities, but proactive defence depends on a true partnership rather than a traditional client-vendor relationship. Part of that is working together to build solid, intelligence-led foundations.
Building a cyber threat intelligence framework through PPP
Cyber threat intelligence frameworks are just as important to the scaffolding of an agency’s security as its cyber defence framework, and faulty scaffolding can lead to collapse down the line.
These frameworks are built by working to understand the organisation: its unique needs, its likely threats, its defence requirements and its critical internal stakeholders. They need to integrate across the organisation and beyond the traditional IT purview, empowering defenders to communicate effectively with executives and decision-makers about cyber risk in its wider context. Threat intelligence combines information about active and emerging threats into a holistic picture of an organisation’s threat profile. Threat intelligence frameworks must in turn be integrated into operational frameworks, so that technology stack decisions are informed by intelligence and guidance directly relevant to the agency.
Private vendors offer a unique opportunity to build these frameworks with more far-reaching, comprehensive and timely visibility, together with an outside perspective that nonetheless understands the unique challenges of the public sector. This should happen not in isolation from the government’s cyber security leads but, ideally, in direct partnership with them.
It’s crucial to remember that the third “P” stands for “partnership.” Australia’s still-recovering economy, industries, privacy and national security all depend on our ability to beat cyber adversaries in the partnership game.
When bringing in a private vendor, agencies should expect the vendor partner to need a deeper knowledge of those underlying frameworks and a more holistic view of how the organisation works across functions. From the other side, vendors need to work flexibly with agencies, aligning with central cyber centres through on-demand or other support models. Each party needs to seek out partnerships that make sense for the organisation and the cyber defence mission at hand, with expectations and parameters set clearly by both sides. Trusted relationships are critical. This is not a customer/vendor transaction; it needs to be a partnership, and that is rare.
Cyber threats have become a truly global, adversarial sport, and their scale and sophistication have reached alarming proportions. With increasingly sophisticated business models and the emergence of dual espionage and cybercrime groups, it’s clear that our adversaries are bridging public-private gaps to strengthen and refine their operations. We have to be better at it than they are. It’s not impossible. By working together to create the right intelligence-led models, and by helping one another learn and grow within ongoing partnerships, public and private organisations can collaboratively achieve a proactive defence that evolves alongside the ever-changing threat landscape.
(Ed. Tim Wellsmore is Head of Mandiant government programs across Asia Pacific and Japan, and says his role helps Australia manage national efforts on financially motivated cyber security threats and related cyber intelligence collection.)