How Threat Intelligence Helps Government Organizations Defend Against Cyberattacks

August 2, 2019 • The Recorded Future Team

From organized crime to state-sponsored hacking groups, government organizations face some of the most persistent and advanced cyber threats around.

The recent case of a Florida city government paying a ransom of roughly $600,000 is a prime example. Ransomware had encrypted the city's systems, holding its data hostage and forcing employees, including 911 dispatchers, to work from manual paper records until the ransom had been paid.

In this blog, we’ll take a look at the threat landscape for government organizations, and explore how these organizations can use threat intelligence to enhance their security profile.

Massive Attack Volume and Highly Focused Threats

Most government organizations hold large quantities of sensitive data, and many run operations spanning thousands of employees and endpoints. That makes them both a high-value target and a large attack surface to defend. So it shouldn't come as any surprise that the government sector is heavily targeted by cyberattacks. Our own research found publicly reported ransomware attacks on at least 170 U.S. state and local government systems since 2013, including more than 45 police and sheriff's offices.

Verizon's 2019 Data Breach Investigations Report counted 23,399 incidents in the public administration sector during its reporting year, more than all other industries put together, 330 of which led to confirmed data breaches. Part of that number reflects mandatory incident reporting, which obliges government organizations to disclose more than most sectors do, but the sheer volume is still staggering.

And it's not just the volume of attacks that causes problems. Verizon attributes 79% of government breaches involving external actors to state-affiliated groups, whose usual motive is cyberespionage. These groups can bring highly advanced tradecraft and substantial resources to bear, making them a formidable adversary for government organizations to defend against, and they are built to stay hidden. It's no surprise, then, that government sector data breaches are 2.5 times more likely than average to go undiscovered for a period of years.

Securing Taxpayers’ Data With Taxpayers’ Money

Security is a major consideration for government organizations — and they spend a lot of money on it — but it’s not the only consideration.

On top of stringent compliance requirements, a constant barrage of cyberattacks, and the need to protect large quantities of sensitive data, government organizations have one other important concern: retaining the trust and goodwill of the public. To do that, they must ensure their budgets (which are typically funded by taxpayers) are used wisely. Unsurprisingly, taxpayers don’t like to see their money being wasted. Government organizations must ensure that every penny invested has a clear and measurable return on investment. Functionally, this means government organizations are forced to make difficult decisions about how and where to invest their limited security resources.

This is a major function of threat intelligence. It helps government organizations identify their most pressing threats, so they can allocate resources accordingly while staying accountable to the public.

Threat Intelligence for Government Organizations

Protecting government organizations against a huge volume of attacks — many of which involve highly sophisticated attackers — is no easy feat. It requires a well-orchestrated security program, experienced personnel, and watertight processes. This is where threat intelligence comes in. It helps personnel throughout the security function make better, faster decisions about what to do and when to do it.

In particular, the following roles gain huge utility from threat intelligence:

  • CISOs: Security leaders can use threat intelligence to obtain critical insight into their organization’s threat landscape and accurately assess the risk posed by different groups and attack vectors. This enables them to conceptualize and build risk-based cyber programs that align security to the needs of the organization. It also helps them identify gaps in their existing security programs, make better hiring decisions, and determine how and where to invest security resources.
  • Security Operations: Large government organizations typically see hundreds of thousands, or even millions, of security alerts each day. Naturally, it takes a huge amount of time to cut out false positives and identify genuine threats. Threat intelligence can lead to massive improvements in SOC productivity. When independently tested, real-time threat intelligence from Recorded Future enabled SOC analysts to investigate SIEM indicators 10 times faster than could be done manually.
  • Incident Response: Responding accurately to cyber incidents isn’t a simple thing to do. Context is essential to enable rapid prioritization of the highest-risk incidents. Threat intelligence helps incident response teams identify their most pressing threats so they can be triaged and remediated promptly and effectively.
  • Vulnerability Management: Patching vulnerabilities can easily become a numbers game. But vulnerabilities don't all pose the same level of risk, and a severity score alone says nothing about whether anyone is actually exploiting the flaw. Government organizations in particular must be able to prioritize their patching efforts. Threat intelligence provides real-time context on vulnerabilities (most importantly, identifying those that are actively being exploited or have been included in exploit kits) so that vulnerability management professionals can ensure their time and resources are being applied in the right areas.
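The following script illustrates the prioritization described in the Vulnerability Management bullet: scanner findings are re-ranked by exploitation evidence from an intel feed rather than by severity score alone. It is an added example, not code from the original post or from Recorded Future. The scanner findings and the intel feed are constructed inline, the vulnerability IDs (VULN-A through VULN-E) are placeholders rather than real CVEs, and the tiering rules are an illustrative policy, not any vendor's risk model.

```python
"""Risk-based patch prioritization with threat-intelligence context.

Added example, not code from the original post or from Recorded Future.
The findings and the intel feed below are constructed; vulnerability IDs
are placeholders (VULN-A ...), not real CVEs, and the tiering rules are
an illustrative policy rather than any vendor's risk model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability as reported by an internal scanner (constructed)."""
    vuln_id: str
    cvss: float            # base severity score, 0.0 to 10.0
    affected_hosts: int    # how many of our assets are vulnerable
    internet_facing: bool  # reachable from outside the network


@dataclass(frozen=True)
class Intel:
    """Threat-intelligence context for one vulnerability (constructed feed)."""
    exploited_in_wild: bool = False
    in_exploit_kit: bool = False
    targeted_sectors: FrozenSet[str] = frozenset()


def tier(finding: Finding, intel: Intel, our_sector: str) -> int:
    """Assign a patch tier: 1 is most urgent, 4 least.

    Exploitation evidence from the intel feed dominates the raw CVSS
    score, so an exploited medium outranks an unexploited critical.
    """
    weaponised = intel.exploited_in_wild or intel.in_exploit_kit
    aimed_at_us = our_sector in intel.targeted_sectors
    if weaponised and (finding.internet_facing or aimed_at_us):
        return 1  # exploitable today and we are a plausible target
    if weaponised:
        return 2  # weaponised, but internal-only and not aimed at our sector
    if finding.cvss >= 9.0:
        return 3  # critical by score alone, no exploitation observed
    return 4


def prioritize(findings: List[Finding], feed: Dict[str, Intel],
               our_sector: str = "government") -> List[str]:
    """Return vulnerability IDs in patch order.

    Sort key: tier first, then whether the intel says our sector is being
    targeted, then CVSS, then blast radius (number of affected hosts).
    A vulnerability absent from the feed gets an empty Intel record.
    """
    def key(f: Finding):
        intel = feed.get(f.vuln_id, Intel())
        return (
            tier(f, intel, our_sector),
            0 if our_sector in intel.targeted_sectors else 1,
            -f.cvss,
            -f.affected_hosts,
        )
    return [f.vuln_id for f in sorted(findings, key=key)]


# Constructed scanner output for five placeholder vulnerabilities.
FINDINGS = [
    Finding("VULN-A", cvss=9.8, affected_hosts=40, internet_facing=False),
    Finding("VULN-B", cvss=7.5, affected_hosts=12, internet_facing=True),
    Finding("VULN-C", cvss=8.1, affected_hosts=200, internet_facing=False),
    Finding("VULN-D", cvss=5.3, affected_hosts=3, internet_facing=True),
    Finding("VULN-E", cvss=9.0, affected_hosts=5, internet_facing=True),
]

# Constructed intel feed. VULN-A and VULN-D have no entry: nothing reported.
FEED = {
    "VULN-B": Intel(exploited_in_wild=True,
                    targeted_sectors=frozenset({"government"})),
    "VULN-C": Intel(in_exploit_kit=True),
    "VULN-E": Intel(exploited_in_wild=True,
                    targeted_sectors=frozenset({"finance"})),
}


if __name__ == "__main__":
    for rank, vuln_id in enumerate(prioritize(FINDINGS, FEED), start=1):
        f = next(x for x in FINDINGS if x.vuln_id == vuln_id)
        t = tier(f, FEED.get(vuln_id, Intel()), "government")
        print(f"{rank}. {vuln_id}  tier={t}  cvss={f.cvss}  hosts={f.affected_hosts}")
```

Run as written, the script puts VULN-B (CVSS 7.5, exploited in the wild against government targets) first and the CVSS 9.8 VULN-A, for which no exploitation has been reported, fourth. Changing `our_sector` to `"finance"` moves VULN-E ahead of VULN-B, which is the point: the same scan data yields a different patch order depending on who the intel says is being targeted.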

Staying One Step Ahead

When your adversaries are state-sponsored hacking groups — as they often are for government organizations — a reactive approach to security is never going to work. By the time you know something has happened, it could be years down the line.

Threat intelligence helps government organizations build proactive security programs that enable them to rapidly block and respond to cyber threats. Perhaps even more importantly, it enables them to remain accountable to the public, and clearly demonstrate that limited security resources are being utilized in the best possible way. If your organization isn’t currently using threat intelligence, here’s an easy way to get started. Sign up for our free Cyber Daily newsletter, and you’ll receive the top cybersecurity intelligence direct to your inbox each morning. That includes:

  • Top targeted industries
  • Most active threat actors
  • Most exploited vulnerabilities
  • Trending malware
  • The latest suspicious IPs
  • And much more

Subscribe today and use this intelligence to keep your organization — and its sensitive data — safe from cyber threats.