First responder networks are common targets of cyberattacks. Over the years, the U.S. Department of Homeland Security, the FBI and the National Counterterrorism Center, through their Joint Counterterrorism Assessment Team (JCAT), have documented in depth the numerous ongoing risks to 911 phone systems, mobile sensor and robotics networks and public safety cameras.
The overall problem could become more challenging as the Internet of Things (IoT) turns into an area of interest for police/fire departments and ambulance services, connecting billions more vulnerable endpoints to IP networks.
Identifying Ransomware in First Responder Networks
What specifically can go wrong?
Consider the rising threat of ransomware, which had a breakout year in 2017 and was flagged in the “First Responder’s Toolbox” report from the JCAT. Sophisticated attacks such as WannaCry, NotPetya and Bad Rabbit rewrote the ransomware playbook by exploiting the Microsoft Windows Server Message Block (SMB) protocol, password harvesters and drive-by downloads to spread rapidly across thousands of machines.
For the city of Sparks, Nevada, ransomware was one of several major cybersecurity issues putting pressure on its public services networks in recent years:
- A ransomware attack on the city police department was identified before it got out of control. However, the laborious process of performing various backup operations to stave off a crisis strained the internal IT team’s limited resources and caused concern about the response to any future incidents.
- Spear-phishing campaigns, enhanced by information gleaned from social media, also overwhelmed the team. While only one percent of all corporate emails are related to phishing, the sheer volume of email communications means that someone can expect to receive at least one risky email per day.
In both cases, the threats slipped past existing perimeter defenses such as the standard firewalls, email and web gateways that were deployed in the City of Sparks. When these solutions failed to stop an attack, they shifted the burden to IT personnel who were juggling other responsibilities and had little time for oversight of security platforms. There was no time left for synthesizing the insights from both the automated systems and human analysts to stop additional attacks. For additional context on these challenges, see the original case study:
First responders need secure and reliable networks so that they can focus on important tasks.
Can cities such as Sparks just build their own Security Operations Centers (SOCs) with Security Information and Event Management (SIEM) capabilities for catching ransomware and phishing attacks early and often? It’s a lot easier said than done.
“A SIEM solution is often expensive to build and time-consuming to maintain.”
For starters, the costs can be considerable. Procuring, deploying and maintaining the necessary SIEM infrastructure is often expensive as well as time-consuming, and soldiering on with an older SIEM is not a good option either. Moreover, someone would still need to manage it, no matter how extensive its artificial intelligence (AI) capabilities. You still need a human in the loop to fine-tune the policies, reduce false positives and increase the rate of threat detection. The urgency of using hybrid AI was discussed at length by our own Brian NeSmith in an interview with ISMG.
Most IT departments, municipal and otherwise, are not in a position to devote full-time employees to such tasks. The Spiceworks 2018 State of IT survey found that only 45 percent of respondents planned to increase staffing next year, compared to 48 percent that expected no change and 5 percent forecasting a decrease. Cybersecurity expertise in particular was also widely perceived to be in short supply in 2017.
The Alternative: Hybrid AI Delivered by SOC-as-a-service
Accordingly, Sparks sought help from an experienced Security Operations Center (SOC)-as-a-service vendor and eventually opted for Arctic Wolf, which delivered numerous benefits, including:
- No need to buy hardware or software – a cloud-based SIEM was included in the service.
- Substantial savings compared to an in-house SIEM/SOC deployment.
- Access to Arctic Wolf's security engineers as extended members of the IT staff.
- 10X better threat detection, with 5X fewer false positives, thanks to hybrid AI.
Hybrid AI refers to human-assisted machine learning, especially in cybersecurity contexts; learn more about it in our in-depth white paper on the topic. Also take a look at our press release, as well as the case study linked above, for additional details on how Arctic Wolf’s SOC-as-a-Service saved the day for Sparks.