Making IT happen
By Keren Cummins
Federal intelligence teams have been monitoring “external cybersecurity” for decades. Whether attempting to find chatter about vulnerabilities on the dark web or uncovering plans to attack an agency network, the external attack surface is a well understood battleground with well understood threat actors. So, what has changed in “external cybersecurity” in the context of today’s threat environment, and why should every government agency be prioritizing it as part of their security strategy?
At ZeroFox we like to think of “external cybersecurity” as referring to a new attack surface formed by “gray space.” As opposed to red space (adversary infrastructure) or blue space (organizational infrastructure), gray space is the internet infrastructure, applications, platforms, and forums that are typically managed by third parties.
Why do we call this a “new” attack surface? With the push to e-commerce and the digitization of business, threat actors can now be anyone – from radicalized individuals seeking retribution for a court decision to crime groups from third-world countries seeking the next best way to scam others for profit. These threat actors may use obfuscated or impersonating social profiles, code-sharing sites, gaming channels, news comment sites, and other widely accessed third party systems for their attacks. This new attack surface even shows up in the physical realm as online impersonations, doxing, SWATTING and cyber stalking executed by threat actors (or groups) who oppose a victim’s role or position in government and who intend to do them physical harm.
What makes this new attack surface unique in a public sector environment is that the target needing protection isn’t necessarily the agency’s assets and people. In many cases, an agency has to defend the public from someone leveraging the agency’s assets and people to cause harm. On this new attack surface, what and who you have to protect has shifted. The threat actor, and the intended victim, could be literally anyone.
Traditionally, threat intelligence has mostly been about the red space – threat actors and TTPs (Tactics, Techniques, and Procedures). When you shift the focus to protecting external assets and reputation in the gray space, an agency has to gain a clear picture of its own digital footprint and what assets it needs to protect. This means understanding:
It’s not only about discovering where the agency’s assets show up, but where people are pretending to be the agency, its programs and personnel, or making threats against them. This type of threat intelligence requires a whole new set of tools — and a new mindset.
We sometimes hear CISOs say they either don’t have the responsibility to look outside their perimeter, or that they are aware of threats outside their perimeter but don’t have the authority to act on them. Why do CISO’s make that assumption, even when there’s a clear-cut case where someone is impersonating the agency and defrauding innocent people? The following statements represent the traditional mindset…
|“We can’t violate—or give the appearance of violating—first amendment rights to the free speech of our constituents.”||When in fact: There is no circumstance under which someone’s right to free speech includes impersonating someone else.|
|“We don’t have law enforcement authority, so we don’t have the power to take down false information.”||When in fact: The power to take down false information lies with the social networks themselves, and all reputable social networks operate by a set of rules that govern how they handle customer information (“Terms of Service”). Most networks’ Terms of Service don’t permit impersonations, and the networks will honor requests to remove impersonations when they are properly notified.|
|“Information on third party platforms is not considered a high-value asset under NIST 800-53 guidance.”||When in fact: Agencies currently have a wide variety of high value assets running on 3rd party networks in the cloud. An agency’s Facebook or Twitter profile is no different, if takeover of that asset for malicious purposes could cause damage to the agency’s mission or reputation.|
|“If we were supposed to do this, someone would have told us to do it.”||When in fact: All federal agencies are required to comply with the NIST Cybersecurity Framework—the first two tenets of which are “Identify” [risk] and “Protect”.|
|“Government agencies petition social networks to take down harmful information—to no avail.”||When in fact: There is a fine line between parody and impersonation. All governments have an abundance|
of critics, and even haters, that post critical or even threatening information, most of which will remain in the public domain. However, there is a distinction when someone represents themselves as a government official or entity. Impersonation is not tolerated by most networks.
|“But, Zero Trust Architecture is what I am mandated to focus on right now.”||When in fact: You need Zero Trust externally as well as internally. NIST SP 800-53, Revision 5, requires you to protect your external assets. Because the majority of data breaches begin with threat actors reusing compromised credentials or other data that can be acquired externally, it is vitally important to continuously monitor outside the agency perimeter.|
Whereas a security team with an internal security focus uses a high degree of technical sophistication to protect a logical asset (i.e. database or network) from compromise, they are not trained to protect an agency’s reputation from being used to defraud the American public. Fraud is often a specialty area for those with a Law Enforcement perspective, while reputation would typically land in the Public Affairs domain. So, who is best suited to manage an agency’s external cybersecurity program?
Having an effective external cybersecurity program requires cross-organization collaboration that includes: those who understand threat vectors, both logical and physical; those who understand social media and business platforms, how they are used and misused; and people who understand the value of an agency’s brand and the importance of protecting it from compromise.
Many agencies are already breaking new ground in this arena, with carefully defined collaborations spanning cybersecurity, physical security, and public affairs; or by defining entirely new roles, like the US Army’s Director of Digital Persona Protection.
Effectively executing an external cybersecurity program requires tools that fill in visibility gaps and enhance existing processes. Fortunately, many tools exist to monitor the gray space. While adding multiple solutions to your security stack may not be in the plans – or in the budget – with ZeroFox’s AI-powered external cybersecurity platform and full-spectrum intelligence services, federal agencies can monitor, disrupt, and respond to threats all across the gray space using a single platform. The following capabilities unique to the ZeroFox solution are especially critical for public sector organizations:
External Cybersecurity provides the orchestration of machine intelligence AND human intelligence to expose and disrupt threats beyond the agency perimeter. Finding a solution that provides both – to scale – is where the U.S. Public Sector will make real progress.
Once the question of responsibility and authority is settled, an infrastructure for collaboration across the various areas of expertise can be established, and with the right solution in hand, agency personnel become empowered to protect outside the agency perimeter. In fact, they quickly get excited about external cybersecurity. Being able to detect when someone is pretending to be an agency administrator, secretary, or commissioner and is communicating something clearly fraudulent about the agency; identifying when an agency contractor is storing code where it is exposed to public view; discovering conversations on extremist websites that include highly detailed sitemaps days before a protest – these are the threats that can now be successfully addressed and acted upon.
External Cybersecurity is a new space requiring a new mindset, team, and tools. Understanding external cybersecurity means engaging in a dynamic process that evolves to address external threats as rapidly as new social networks and new TTPs emerge. ZeroFox continuously adapts to the expanding social and digital threat environment and our managed service business model means that existing customers are constantly seeing the benefit of that continuous improvement. Threat actors are not standing still; align with a partner who can deliver protection at the pace of change.
Learn how to prioritize your agency’s External Cybersecurity strategy by downloading our latest Guide for U.S. Public Sector, The External Cybersecurity Guide — Protecting U.S. Public Sector from Cyber Attacks in the Gray Space Outside the Perimeter.