Cyberthreats are fast-moving and ever-changing. It can be hard for busy justice professionals to keep up with the changes and determine which trends are the ones they should pay attention to.
That’s why Stacey Wright from the MS-ISAC is back to provide her Half Yearly Update!
Join this recorded webinar as Stacey shares the changing cyber threat environment that local and regional government law enforcement organizations should be aware of, including:
- Current and emerging malware and threat trends
- New tactics
- Active malicious cyber actors
- And what LEOs need to know to combat these perpetrators and protect their networks
Justice Clearinghouse Editors: As you know, we always have new members joining us here at JCH, and there are always new people joining the justice profession. Share with us, briefly, who MS-ISAC is?
Stacey Wright: Thank you, Chris! I certainly like being here and appreciate the opportunity to share my passion – cybersecurity – with you.
The MS-ISAC is the Multi-State Information Sharing and Analysis Center. We’re part of CIS (Center for Internet Security), a non-profit that houses us, the CIS Controls, and CIS Benchmarks.
The MS-ISAC is a really amazing organization. We’re one of the 24 Information Sharing and Analysis Centers (ISACs) that are authorized under PDD 61 from 1998. ISACs are charged with helping the critical infrastructure sectors to share relevant information and come together with a singular voice. This allows each sector to more effectively convey their needs and concerns to the federal government and the federal government to more easily send messages to each of the sectors. The MS-ISAC, in particular, is that voice for all U.S. state, local, tribal, and territorial (SLTT) governments. But the coolest part is probably that the U.S. Department of Homeland Security (DHS) has designated us to be the key cyber threat prevention, protection, response, and recovery agency for all the SLTT governments.
As that key resource, we’re actually able to provide an amazing list of cyber resources to our members at no-cost to them because DHS funds us. (That’s one of the things I like most about my job – I get to spend all day helping SLTT governments and never have to ask for payment!) We currently have over 2000 U.S. governments as members. My job is to look at what those governments are seeing and combine it with the information from our sensors (1.3 trillion log lines of data in January!), open source reporting, and reporting from other agencies to figure out the cyber trends and patterns affecting SLTT governments. Other people on the MS-ISAC team do everything from monitoring those sensors and making sure SLTT government websites are running up-to-date software, to providing free incident response and forensic services for any SLTT government, regardless of whether they are a member or not. Plus, we run poster contests for school children, publish tools for governments to use in training their employees, provide lots of webinars and presentations around the country, and so many other things I have trouble naming them all.
And yes, it’s all at no-cost to any SLTT government. If anyone wants to send us their domains and IP addresses, get forensic help, or join (you only have to sign an NDA) they can email us directly at SOC@msisac.org.
JCH: As you’ve shared with us in the past, cybercrime is always evolving. Can you give us a sneak peek into maybe a new trend or development you’ll be highlighting in this half-yearly update this time?
Stacey: We’ve definitely seen some changes over the past few months that I’ll be talking about. One of them is a growing trend among cyber threat actors to target a broad group of victims opportunistically and then single out a victim for further strategic targeting. This confluence of strategic and opportunistic targeting is a bit worrisome as it’s often associated with cyber extortion schemes. Another problem we’re seeing is the increase in cryptocurrency mining malware being placed on government systems. On the surface, this sounds fairly minor as it only uses extra system resources, but if they can put this mining software on your computer it means the computer is fully compromised, which is very concerning when it happens on servers that contain the personally identifiable information (PII) of employees. And yes, that happens. So I’ll be talking about both these trends as well as a few other newer trends that we’re tracking.
JCH: A lot of people assume that Cybersecurity is something that “the IT department just deals with”… that it’s more the IT department’s purview or domain. Why is this flawed thinking?
Stacey: Chris, I’d love to help correct that misconception! IT is information technology. These are the folks who keep your computers and network up and running. They care about security but availability – making everything work – is their primary job. Someone in your organization, possibly a Chief Information Security Officer (CISO) or someone else, cares about keeping your computers and network secure from threats. The problem is they can’t do it alone. Networks are like secured buildings. We’ve locked the windows, drawn the shades, put up cameras and motion sensors, and installed key card access on all the doors. That means the easiest way into a network is just like the easiest way into the secured building – by getting someone to help you walk in the front door.
The Business Email Compromise (BEC) scam is a perfect example of this. Otherwise known as the $5 billion dollar scam because it’s responsible for more than $5 billion dollars in losses, it starts with a simple email pretending to be from a senior executive and going to the finance or HR departments. That email asks for a wire transfer to be issued or for all employees’ W-2 information to be sent. Then the employee receiving the email follows the instructions. Unfortunately, those instructions send the wire transfer out of the country or the W-2 information to a malicious actor who uses the info to file fraudulent tax returns. Technological controls shouldn’t prevent an employee from doing their job, which is what this scam relies on and it’s widely successful because of this. So this is a perfect case of the best security being trained employees who not only know how to do their jobs but also how to do their jobs with security as a primary component of the job.
JCH: I think sometimes some justice professionals make the mistake of thinking that their job is to be on the lookout for and to pursue cybercriminals… Forgetting that government agencies, police departments, etc., can also be targets of attack. Can you share how often government agencies are attacked/targeted?
Stacey: I’ll definitely talk about some particular incidents on the webinar but yes, everyone is a target. I mentioned opportunistic crime before – simply browsing the Internet or opening an email can and has infected entire departments with malware. Ransomware is the most notorious of these because this malware encrypts all the files on the network. This isn’t about who the victim is, it’s simply a case where the cybercriminals are trying to target as many potential victims as possible. It’s all about economy of scale for them. And you can imagine how horrible it would be for a first responder or law enforcement agency to lose all access to their computers for days or weeks while the IT team rebuilds everything from scratch.
Think about it this way, if you park your car on a street and leave it unlocked, you’re more likely to have someone steal things from it. The guy walking down the street trying every car door handle doesn’t notice that it’s an unmarked cruiser, he just sees a car with an unlocked door and something valuable inside. Cybercriminals operate much the same way. Their attacks are frequently automated so they don’t know the person receiving the email works in a particular agency, they just have an email address to target and it’s one of millions of similar emails on the list.