Securing the city's critical IT infrastructure
Municipal governments keep cities running. They are responsible for a variety of services, from maintaining community water systems and issuing construction permits to building neighborhood parks, ensuring public safety and promoting local arts and culture programs. Naturally, technology plays a big part in running a modern American municipality — especially the one with nearly three-quarters of a million residents.
Our customer, a major U.S. city government, has a dedicated team responsible for securing the critical IT infrastructure, complete with a security operations center (SOC) and a fusion center — part of the National Network of Fusion Centers designed to promote collaboration across local and federal agencies to respond to criminal and terrorist activity.
Local threats demand global investigations
Phishing is the number one concern for the city government’s security team. Despite stringent security measures, regular user education workshops and an exhaustive list of blocked IPs, bad actors routinely seem to find ways to penetrate the city-run IT infrastructure, which also includes a network of public K-12 schools. A benign-looking link pointing to a page that appears to belong to a sister school would instead redirect unsuspecting school administrators to a phishing site, where they would give up their credentials before realizing that they were dealing with a spoofed URL.
The city’s SOC team, which includes a dedicated threat hunter, needed a way to investigate these phishing incidents to better understand which individuals or organizations are behind the attacks, what their intentions are and how to better protect the city’s IT infrastructure and data from future exploits. Ideally, the SOC team wanted to be able to “detonate” every phishing email and link to examine each redirect, observe how the phishing kit was downloaded, evaluate the scripts used for execution and follow the information that’s being collected. The SOC team also needed to take a closer look at spoofed and compromised websites and alert the sites’ legitimate owners of potential breaches.
But the city government’s extensive IP-blocking policies severely limited the researcher’s ability to access suspicious sites. A DIY solution of simply connecting to a dedicated remote machine to conduct threat research proved slow and ineffective — wiping the machine clean after each “detonation” required IT time and resources and didn’t provide a truly anonymous environment that analysts needed to get to the root of the problem. Often, investigators’ results pointed to perpetrators beyond the U.S. borders. This required a global, integrated approach to research, with the ability to preserve the chain of custody for all collected evidence, full anonymity, proper documentation for findings and close collaboration with other agencies at the local and federal level.
The city’s SOC team needed a way to investigate persistent phishing incidents, without incurring additional infrastructure costs or violating the policy around blocked IP addresses.-
A Swiss Army knife for secure investigations
“Silo for Research is like a Swiss Army knife for all our research,” says a cybersecurity threat intelligence analyst at the City Government. “Both the SOC and the fusion center use it every day, for all our investigations.” With Silo for Research, the city government’s team was finally able to conduct complete, detailed investigations, collecting enough evidence to share with site owners and even law enforcement. Authentic8’s cloud browser and cloud storage solutions allow the organization to interact with malicious content without putting their infrastructure at risk.
By keeping toxic content isolated, investigators are now free to examine exactly how malware scripts work, where they come from, where they hide and what triggers them. This type of analysis helps the city government better understand the nature of threats and determine what additional blocks and other protections must be put in place to prevent future incidents.
In addition to open web investigations, the city government has added Silo for Research: Dark Web to their tool chest to examine suspicious activity related to them on the dark web. Analysts look for items for sale that may jeopardize the integrity of city government operations or their reputation, and even track leads related to fusion center’s mission to combat terrorism and human trafficking. With Silo for Research, all dark web access remains anonymous and secure, and it never reveals the researcher’s identity or their affiliation with the city government.
When manual collections are not possible or practical, Silo for Research’s added Collector feature helps the Agency keep up with threat researchers and other information sources from around the world. Rather than perform routine, recurring collections by visiting each site individually, the city government’s team can now automate them, even scheduling collections at regionally appropriate times – maintaining full online anonymity while gathering the most relevant content even outside of regular work hours
“Silo for Research is like a Swiss Army knife for all our research. Both the SOC and the fusion center use it every day, for all our investigations.”- City's cybersecurity threat intelligence analyst
Simply blocking content is not enough
With a growing list of blocked IPs (over 17 million) and a full portfolio of leading security solutions, including adaptive intelligence like FireEye and behavioral risk detectors like Forcepoint (formerly Websense), the city government is doing their best to stay on top of threats and keep their operations, infrastructure and data secure. But flagging and blocking suspicious content is often not enough. “You don’t know what the endgame is if you don’t go beyond the first step and investigate the phishing attempt,” says the cybersecurity threat intelligence analyst. “Silo lets us piece together the full story and take the steps necessary to block the infrastructure that’s behind the one phishing IP address and even find the people responsible for the attack. Silo helps us answer the question: When did it start to go bad, and who is behind it.”
The fusion center investigators often refer to themselves as “detectives”, as their job involves going even deeper while researching bad actors’ motives and associations. Silo’s anonymity and ability to spoof devices, platforms, locations and IP addresses to make the investigators appear as if they are coming from anywhere in the world, are especially important to the integrity and effectiveness of their missions.
The main charter of the city government is to provide public services for the city’s residents. Silo for Research helps them stay ahead of any potential threats to their IT infrastructure to keep all their day-to-day functions running smoothly. It’s also a way to give the city’s people confidence in the safety and integrity of the government’s operations.