Why Network Detection and Response (NDR) Solutions are Critical to the Future of Federal Agencies’ Cybersecurity

Executive Order 14028, “Improving the Nation’s Cybersecurity,” signed by President Biden, shows the US federal government’s growing focus on cybersecurity.

The 2021 Executive Order requires U.S. federal government departments and agencies to focus on their cybersecurity framework and address the risks of malicious cyber campaigns.

This increased focus comes as internal audits of federal agencies’ security have indicated that number of federal agencies’ cybersecurity programs are not adequately or fully protecting them against modern cyber threats.

Like businesses and nongovernmental organizations, federal agencies face a rapidly evolving cyber threat landscape that requires an equally fast-evolving cyber security framework.  In the current environment, signature-based detection is limited, especially when it comes to detecting zero-day threats and malicious activity that has never been seen before. Known hackers can even take actions to disguise themselves, like changing their techniques or processes, to avoid detection from an NCPS. (hsgas.senate.gov report, page 11)

To protect themselves against these evolving threats, government agencies can benefit greatly from security solutions that can detect intrusions in time for government security teams to respond and manage the harm that they could do to the organization. Since most cyberattacks occur over the network, network visibility is essential to government agencies’ ability to protect against evolving threats. This makes an advanced network detection and response (NDR) solution an essential component of government agencies’ cybersecurity defenses. Individual agencies should implement the NDR while a broader replacement for NCPS is considered.

Federal Agencies Face Increasing Cyber Threats

US government agencies are one of the biggest targets of advanced persistent threats (APTs). These threat actors have significant resources and expertise dedicated to the development and use of various tactics to infiltrate and cause damage to target organizations.

Federal agencies face various cyber threats from these advanced threat actors. Some of the most sophisticated and dangerous attacks these organizations face include ransomware infections, fileless and in-memory malware attacks, and the exploitation of unpatched zero-day vulnerabilities.

Ransomware and RaaS

Ransomware has emerged as one of the greatest threats faced by most organizations, including federal government agencies.  In fact, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has launched the Stop Ransomware project specifically to provide coordinated prevention and response to ransomware attacks across the entire US government. In February 2022, CISA reported that 14 of 16 critical infrastructure sectors have been targeted by sophisticated ransomware attacks.

With the emergence of Ransomware as a Service (RaaS) business model, the ransomware threat has grown significantly.  With RaaS, ransomware developers put their malware in the hands of other cyber threat actors for a split of the profits.

The ability to identify the malware before it gains access to an organization’s systems or to detect attempted data exfiltration is essential to minimizing the cost incurred by a ransomware attack.

Fileless Malware and In-Memory Attacks

Many traditional antimalware systems are file focused. The typical antivirus scans each file on the computer, looking for a match to its library of signatures. If it finds a file matching the signature, it quarantines and potentially deletes it from the disk.

Fileless and in-memory malware are designed to evade detection by these solutions by avoiding writing malicious code to a file on disk. Instead, the malware operates entirely within running applications.

With fileless malware attacks growing significantly year-over-year in 2021, the percentage of attacks that traditional antivirus solutions can detect is shrinking quickly. Threat detection techniques based on identifying anomalous behavior or network traffic are essential to detecting these types of attacks.

Exploits

New zero-day vulnerabilities and exploits pose a growing threat to federal agencies and their security. These exploits can bypass security solutions that depend on signatures to detect known attacks and are blind to novel threats until new indicators of compromise (IoCs) are released.

New vulnerabilities such as Log4j have caused a scramble to patch vulnerable systems, and cyber threat actors often move quickly to exploit vulnerable organizations after a new vulnerability is discovered and disclosed.  In fact, half of new vulnerabilities are under active exploitation within a week.

In recent years, the rate at which zero-day vulnerabilities are discovered and exploited has increased significantly – with more than twice as many zero days exploited in 2021 as in 2020. Without the ability to identify and block attempted exploitation of these novel threats, federal agencies are continuously playing catchup after the latest vulnerability is discovered.

While these novel attacks cannot be detected using signature-based techniques, other approaches can identify these threats. For example, network traffic analysis that identifies command and control traffic between the malware and attacker-controlled servers can tip off a security team to an undetected malware infection.

How NDRs Can Help Solve Federal Security Challenges

As cyber threat actors expand and refine their tactics and techniques, detecting and mitigating attacks becomes much more difficult. Additionally, as government IT systems expand and evolve, protecting them against cyber threats becomes more challenging for security teams, especially as government agencies struggle to attract and retain scarce cybersecurity talent.

Managing the threat of ransomware, in-memory malware, zero-day exploits, and other cyber threats requires federal agencies to have tools that enable them to detect and respond to potential threats rapidly. Network detection and response (NDR) solutions are an essential component of a federal agency’s cybersecurity architecture and can be used with EDR to get a more complete solution, often with NDR solutions taking the lead in initial attack detection.

“While EDR can provide a more granular view into the processes running on the endpoint and in some cases more finely tuned response options, NDR is critical for maintaining consistent visibility across the entire network.” – ESG’s “NDR’s role in Supporting the Executive Order on Cybersecurity”

NDR solutions provide multiple features that can help an agency’s security operations center (SOC) to identify and respond to potential threats, including:

Network Visibility: Visibility into federal agencies’ networks is essential to detecting potential threats early within the cyber kill chain. NDR solutions can help to collect, aggregate, and analyze data about network traffic to help SOC analysts to identify and respond to potential threats.

AI/ML Threat Detection: Security analysts commonly face an overwhelming number of security alerts, making it difficult to differentiate between true threats to the organization and false-positive detections. Artificial intelligence (AI) and machine learning (ML) solutions can help analyze and triage alerts, reducing false-positive rates and enabling security personnel to focus their time and attention on true threats to the organization.

• Creating a holistic approach with Zero Trust: All federal agencies are required to move toward a Zero Trust architecture by 2024. Successful ZTA implementation requires robust and flexible tools that work quickly and can scale, like the BluVector platform. It’s important to remember that ZTA does not address threats already in a network, and that weaponized data can elude ZTA security. Having complete visibility – including network, device, user, file, and data visibility – is critical to ZTA.

Recommended Responses: During a cybersecurity incident, a prompt and complete response is essential to minimizing the cost and impact of the attack but can be difficult to achieve under tense circumstances. BluVector’s NDR solution can provide recommendations about how to handle certain types of incidents, enabling security analysts to quarantine or remediate the threat more efficiently.

Support for Automation: Security teams commonly struggle to meet expanding workloads as organizational infrastructure becomes more sprawling and complex and cyber threats grow more sophisticated. With the ability to automate repetitive tasks and responses to common threats, NDR solutions can help to ease the burden on overstressed personnel and enable them to focus their time and attention where it is most needed.

The advanced threat detection and response capabilities of an NDR solution can help security teams to identify these subtle threats and respond quickly and effectively to minimize the risk to sensitive government data and critical systems.

BluVector Leading the Way in a High Threat Era

US federal agencies continue to face significant cyber threats from skilled and well-resourced threat actors. These cyber threats use various techniques to gain access and cause damage to government systems, including the use of ransomware, in-memory malware, and the exploitation of novel vulnerabilities. Often, these attacks are specially designed to fly under the radar and avoid detection by widely used security solutions.

While these attacks may be designed to be subtle and difficult to detect on the endpoint, they still need to gain access to agency systems and perform command and control communications over the network. BluVector’s Advanced Threat Detection and Automated Threat Hunting solutions can monitor an agency’s network traffic and sort out genuine threats from the noise, while efficiently supporting SOC analysts’ ability to detect and respond to advanced cyber threats.

BluVector has worked closely with large government agencies since our inception and is here to support the journey toward a common federal cybersecurity strategy. For over a decade, our solutions have enabled government agencies to achieve essential visibility into their solutions while rapidly and accurately identifying threats using AI and ML. Learn more about BluVector’s government solutions and our over 99% threat detection rate.