Improving IT security by deception

Cybercriminals have access to a broad range of tools and techniques, but they tend to share one common goal – they’re looking to make the biggest possible profit with the least amount of effort, writes Jim Cook.


As a result, they’re on the hunt for targets with potentially lucrative data stores but whose defences are easy to breach. Unfortunately, local government councils all too often meet these criteria.

Frequently, the problems stem from a lack of IT resources. Local government authorities tend to store large volumes of personal and financial data. However, they often don’t have in place the resources needed to keep these stores secure. Compared with other levels of government and private enterprises, this makes them an attractive target.

The ransomware threat

One of the techniques criminals increasingly use against local governments is ransomware. This attack involves infecting core systems with malicious code that encrypts data, making it impossible to access. The criminal then demands a payment in exchange for the key needed to decrypt the stores.

The strategy is effective against local governments because of the vital support they provide to residents and businesses in their area. Any disruption to these services can have a significant knock-on effect, and so many victims opt to pay the ransom to recover their data.

Using advanced ransomware tactics or simply leveraging ransomware-as-a-service kits, criminals typically start their attack by convincing an employee to click on a web link, provide their credentials, or insert an infected USB drive into a PC to gain access to a system.

Once inside, they can then move laterally, looking for data stores and determining where the organisation stores the most valuable targets. This movement is a process that can continue undetected for weeks or even months.

Deception as protection

While deception is a technique that cybercriminals use to gain access to a target IT infrastructure, it’s also something that defenders can use. Organisations can create deceptive traps and misdirections that can lure attackers away from real assets and toward fakes, thereby delaying or even derailing a planned attack.

The deception solution achieves this by creating traps that appear to be the genuine files, systems, and credentials for which an attacker is likely to be searching. When a cybercriminal has infiltrated and interacts with any of these false assets, the solution triggers an alert and initiates the incident response process.

Defenders can also go one step further and layer in denial technologies that will further derail an attacker by hiding and denying access to real production data. Here, an attacker won’t be able to see or tamper with the data. However, their discovery actions will raise an alert and trigger the return of fake information that will divert any further activity to decoys.

At a basic level, having a deception and denial defence strategy buys the security team some time to respond and shut down an attack. At a more advanced level, such tactics can prevent an attacker from successfully compromising assets, moving laterally throughout a network, or escalating their privileges in search of potential targets.
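The alerting behaviour described above (any interaction with a planted decoy credential or file raises an alert, because no legitimate process should ever touch bait) can be illustrated with a small detection routine. This is an added example, not code from the article or from Attivo Networks; the decoy names, log format and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: these accounts and paths exist only as bait
# and are never used by real staff or real services.
DECOY_ACCOUNTS = {"svc_backup_old", "finance_admin2"}
DECOY_PATHS = {
    "/srv/finance/payroll_2019_backup.xlsx",
    "/srv/hr/staff_bank_details_export.csv",
}

# Assumed (constructed) log formats for authentication and file-access events.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")
FILE_RE = re.compile(r"^(?P<ts>\S+) file_access user=(?P<user>\S+) path=(?P<path>\S+)$")


@dataclass(frozen=True)
class Alert:
    kind: str    # "decoy_credential_use" or "decoy_file_access"
    user: str    # account named in the event
    detail: str  # source address or decoy path
    ts: str      # event timestamp as logged


def detect(lines):
    """Return an Alert for every event that references a decoy.

    Note that a *failed* logon with a decoy account still alerts: the attacker
    has discovered the bait, which is the point of discovery the article
    describes, regardless of whether the attempt succeeded.
    """
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert("decoy_credential_use", m["user"], m["src"], m["ts"]))
            continue
        m = FILE_RE.match(line)
        if m and m["path"] in DECOY_PATHS:
            alerts.append(Alert("decoy_file_access", m["user"], m["path"], m["ts"]))
    return alerts


# Constructed sample events: one decoy logon attempt, one decoy file read,
# and two ordinary events that must not alert.
SAMPLE_LOG = [
    "2024-03-04T02:13:07Z auth failure user=svc_backup_old src=10.20.30.44",
    "2024-03-04T02:13:09Z auth success user=jsmith src=10.20.30.12",
    "2024-03-04T02:14:31Z file_access user=jsmith path=/srv/finance/payroll_2019_backup.xlsx",
    "2024-03-04T02:15:02Z file_access user=jsmith path=/srv/finance/rates_2024.xlsx",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because decoys have no legitimate consumers, each alert is high-confidence and can feed the incident response process directly rather than being triaged alongside noisier signals.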

While the most common deceptive tactics use decoys that mimic real assets, the approach can apply to a range of different areas. For example, it’s possible to use an endpoint to create fake Active Directory responses designed to intercept and derail unauthorised queries. Notably, this runs from the endpoint without touching the production AD environment.

As a point for managing user authentication, Active Directory is a prized target for criminals seeking to escalate their attacks and access more of an IT infrastructure. After detecting unauthorised access, the system can even give the intruder fake data that will lead them directly into the deception environment for the security team to observe safely.

While the cybercriminal may eventually realise they have become a victim of deception, the main benefit is in receiving an alert on an attack at the point of discovery rather than exploitation. Of course, wasting a cybercriminal’s time and resources increases their costs and can also result in them disengaging and going in search of another target.

A cost-effective solution

Putting in place a deception and denial security strategy can be a cost-effective option for local government authorities with limited IT budgets. Deploying deceptive assets and denial technology on endpoints, as well as a fabric across the network, provides a robust and reliable early warning system.

Also, when they can engage with an attacker within a decoy environment, the IT team can extract valuable attack information, which is useful in helping to understand security gaps and notifying the team when cybercriminals are evading prevention mechanisms.

As local government authorities continue to battle challenges such as remote working imposed by COVID-19, a deception strategy can be a relatively straightforward way to improve security and avoid a potentially crippling ransomware attack. It’s another way to stay ahead in a continually evolving threat landscape.

*Jim Cook is ANZ Regional Director at deception software specialist Attivo Networks.
