Disrupting Adversaries To Fulfill the National Cybersecurity Priorities


Biden’s National Cybersecurity Strategy calls for agencies to “Disrupt and Dismantle Threat Actors” as one of its five pillars moving forward. In my opinion, the disruption approach is exactly what’s needed in today’s threat environment. As ZeroFox CEO James Foster explains, “Prioritizing disruption of threat actors shifts our strategy from reactive to proactive, a subtle yet important change to how Americans view cybersecurity overall.”

He goes on to say, “As modern threat actors scale and automate their attack campaigns and become sophisticated enough to dance around traditional defensive security, chasing down detected threats can feel like running in circles.”

According to the Anti-Phishing Working Group, there has been an almost 75% increase in unique phishing websites detected in the last year.

Running in Circles

Running in circles is how I often hear federal CISOs, CIOs and other security leaders describe their progress in dealing with the burgeoning growth of frauds and scams that leverage and abuse the public’s trust in government. According to the FTC’s Consumer Sentinel Report, consumers reported almost 200K government imposter scams in 2022, totaling $511M in financial losses. This is likely just a portion of actual losses, given how many incidents go unreported.

Of those reported, the top five scams targeted the Social Security Administration, HHS/Medicare, US Customs and Border Protection, the Federal Trade Commission and the IRS. Similarly, in 2022 ZeroFox identified a 100 percent year-over-year increase in DoD impersonations compared with 2021, based on available DoD customer data, with a further 100 percent increase in impersonations in Q1 2023 compared with the first quarter of 2022.

For federal agencies, identifying and taking down hostile domains can be a complex process for the following reasons:

  • Although a malicious phishing domain might not have a valid or even relevant name, it often displays an official government logo, lending the appearance of authority and credibility. 
  • Many of these fraudulent sites are not hosted in the U.S. Some non-US registrars can be uncooperative or simply have no customer service orientation, and some of the less reputable providers just don’t play by any rules.
  • Identifying and removing malicious content is not a mechanical process. Automation has to be combined with human expertise and relationships to make it work. 

Since these imposter and impersonation attacks are mounted against citizens completely outside the agency perimeter and out of sight of most security tools, it’s essential to detect, block, and ultimately remove hostile sites.

A Proactive, Supersized Approach

ZeroFox’s proactive approach is based on the idea that a disruption can greatly reduce these numbers and protect citizens from the damaging impacts of financial and other types of fraud.

To that end, I was beyond excited to hear that ZeroFox just supersized our disruption capabilities, thanks to a new partnership. Last month, ZeroFox announced a partnership with Google Cloud Web Risk Submission API, a service that verifies unsafe URLs and shows warnings across 5 billion devices using browser, social media, and other technology integrations. ZeroFox detects and verifies malicious URLs on behalf of our customers and submits them to Google Cloud’s Web Risk Submission API. This integration provides almost instant protection to millions of users while ZeroFox works to complete the takedown process. This partnership will enable agencies to warn millions of Americans away from malicious sites and, as a result, will produce a measurable decline in losses.

This is good news in particular for federal agencies. Historically, the most powerful cyber solutions in the market have been operated at the enterprise, for the enterprise. They primarily protect an organization’s own assets, employees, perimeters, and direct partners. Federal agencies need to protect their own holdings, but they also have an obligation to protect citizens at large outside their domain. 

Those Most Capable of Taking Action

In the past, some agencies were also unsure about the propriety of taking action to remove content. CISOs often questioned their responsibility to look outside the agency perimeter, or, if they were aware of the threats, they questioned their authority to act on them. As a result, hostile content that defrauded citizens persisted until the protection of assets outside the perimeter could be more clearly defined. Now, as per the National Cybersecurity Strategy, disruption of fraud is not just necessary, it is required. As for who is responsible for protecting citizens, the Strategy states, “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes…” It does not get clearer than that.

Cyberattacks targeting an organization’s VIPs are on the rise. According to ZeroFox platform data, between 2021 and 2022, we saw a 26.2% increase of executive impersonations. 

How can agencies implement disruptive solutions that match the scale of modern threat actors? 

  1. Understand your online footprint by taking an inventory of your active and orphaned social accounts. 
  2. Establish a process for determining whether an account is real, inactive, or fake.
  3. Consider how attackers may be leveraging your online footprint against the public. 
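The three steps above, and the earlier point that impersonation sites mimic an agency's name while hiding behind look-alike spellings, come together in a small triage script. The following is an added example written for this post, not ZeroFox code: it takes a constructed inventory of social handles, marks the agency's own accounts as active or orphaned, and flags handles whose normalized spelling sits within a short edit distance of an official handle. The handles, records, substitution table and thresholds are all assumptions chosen for illustration.

```python
"""Triage an agency's social-account inventory: mark owned handles as active or
orphaned, and flag look-alike handles that impersonate them.

Added example for this post; it is not ZeroFox code. The inventory records,
official handles, substitution table and thresholds are constructed.
"""
from datetime import date
import unicodedata

# Constructed, deliberately small table of substitutions seen in look-alike
# handles. Multi-character keys come first so "rn" folds to "m" intact.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("@", "a"), ("$", "s")]

STALE_DAYS = 365      # an owned account with no post in a year counts as orphaned
LOOKALIKE_MAX = 1     # edit distance at or below this marks an impersonation


def normalize(handle: str) -> str:
    """Lower-case, strip accents and punctuation, and fold common substitutions."""
    s = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    s = s.lower().lstrip("@")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return "".join(ch for ch in s if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimic_score(candidate: str, target: str) -> int:
    """Smallest edit distance between the target and the whole candidate or any
    same-length window of it, so a suffix like '_refunds' cannot hide a match."""
    n = len(target)
    best = levenshtein(candidate, target)
    for i in range(max(0, len(candidate) - n) + 1):
        best = min(best, levenshtein(candidate[i:i + n], target))
    return best


def classify(record: dict, official: list, today: date) -> dict:
    """Annotate one record with a status and, for fakes, the handle it mimics."""
    raw = record["handle"].lower().lstrip("@")
    owned = {h.lower().lstrip("@") for h in official}
    result = {"handle": record["handle"], "status": None, "mimics": None}
    if raw in owned:
        # Step 1: an owned account is orphaned if nobody owns it or it went stale.
        stale = (today - record["last_post"]).days > STALE_DAYS
        result["status"] = "orphaned" if stale or not record.get("owner") else "active"
        return result
    # Steps 2 and 3: an unowned handle is a fake if it is near an official one.
    cand = normalize(record["handle"])
    score, target = min((mimic_score(cand, normalize(h)), h) for h in official)
    if score <= LOOKALIKE_MAX:
        result["status"], result["mimics"] = "lookalike", target
    else:
        result["status"] = "unrelated"
    return result


def triage(inventory: list, official: list, today: date) -> list:
    return [classify(r, official, today) for r in inventory]


# Constructed sample data: two agency handles and a few observed accounts.
OFFICIAL = ["@IRSnews", "@SocialSecurity"]
INVENTORY = [
    {"handle": "@IRSnews", "owner": "comms-team", "last_post": date(2023, 5, 1)},
    {"handle": "@SocialSecurity", "owner": None, "last_post": date(2021, 1, 15)},
    {"handle": "@1RSnews_refunds", "owner": None, "last_post": date(2023, 5, 30)},
    {"handle": "@soci@l.security", "owner": None, "last_post": date(2023, 5, 29)},
    {"handle": "@firstresponders", "owner": None, "last_post": date(2023, 5, 28)},
]


def run_sample() -> list:
    """Triage the constructed inventory as of a fixed date."""
    return triage(INVENTORY, OFFICIAL, date(2023, 6, 1))


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The window comparison is what catches handles that append a plausible suffix to a mimicked name; with very short official handles it will also over-match, so a real deployment would raise the length requirement or add a second signal (profile logo, link targets, account age) before queuing anything for takedown.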

Lastly, according to the Strategy, stopping malicious cyber actors from threatening the national security or public safety of the United States will depend on the government’s ability to rapidly “engage the private sector in disruption activities through scalable mechanisms.” Partnering with trusted providers that discover malicious content on hundreds of platforms, have dedicated teams and runbooks to mitigate that content, and can scale with a global network will accelerate the disruption of malicious actors from hours and days to minutes.
