Imagine you own a mansion full of priceless antiques, high-end appliances and expensive jewelry, on a highly trafficked street. While the majority of passersby simply want to get from point A to point B, you realize that a few less scrupulous onlookers might have malicious motivations. So, you put up a security gate and deadbolt your door each day.

But there’s a problem: Your gate isn’t tall enough and there’s a first-floor window with a broken lock. Worst of all? There’s a man who patiently waits every day for you to leave so he can stake out your property. Is it all that surprising when, eventually, you come home to discover you’ve been robbed?

Unfortunately, this is a scenario that federal IT teams increasingly face, tasked with securing stores of sensitive, valuable data, but with too few defenses standing between their networks and the hackers determined to penetrate them. And, just like the robber needs only an unlocked window, hackers need only one vulnerable endpoint to penetrate an entire network.

In February 2017 alone, an estimated 94.1 million new malware variants emerged, nearly tying October 2016’s record high. Likewise, recent years have seen multiple massive breaches of federal networks, each resulting in major risk and embarrassment to the agencies and to the citizens with whose data they’re entrusted. Meanwhile, the number of ill-intentioned passersby—and the sophistication of their methods—continues to rise.

Of course, the higher a target’s value, the more effort hackers will make to infiltrate their networks and deliver the intended payload. Consequently, no matter how intricate the firewall or how current the antivirus software, there’s always someone smart, resourceful and determined enough to clear the gate and find the open window. And there’s always a user who’s just vulnerable enough to leave that window open—and that window is typically attached to individual devices, or endpoints.

Hackers understand that individual endpoints are often the surest route to their larger target: the entire organization. Knowing this, today’s sophisticated hackers often embrace multi-phase attacks that begin by targeting end users until they find an “in.” From there, they can employ any number of tools and strategies to penetrate their target’s IT environment, culminating in the release of a payload—usually malware.

To catch a thief, you have to think like one—and hackers are no different. So, first, let’s look at two of the more popular tactics for hackers looking to penetrate a target’s network.

Spear Phishing

Usually just the first step in a multi-phase attack, spear phishing is essentially a more involved, focused form of phishing. This attack method generally targets organizational higher-ups: executive-level leaders whose emails other users are most likely to open, read and trust. It also heavily relies on human error and vulnerability.

Because of that human factor, defending against spear phishing is difficult. Hackers spend substantial time gathering intelligence on an organization, including individual users. Such information is readily available online, often through public social media profiles.

Using that information, spear phishers craft emails that appear to come from a known contact and that have an air of credibility, relevance and familiarity. They might even address the target—perhaps an agency leader—by name and include specific information about the victim and his organization. One way or another, the hacker tricks the recipient into divulging his login credentials, which he then uses to send emails to the entire organization, encouraging employees to click on a link.

And, because the email appears to come from a C-level leader, employees confidently click away. Consequently, those users unwittingly become a hacker’s entry point to the agency’s entire network.

Zero-Day Exploits

What does that mean? Zero-day attacks exploit vulnerabilities as yet unknown to product vendors or the public. Attackers often reserve the use of zero-day exploits for their highest-value targets, such as major corporations or government agencies.

Zero-day attacks can be delivered via email (e.g., a malicious attachment), “drive-by” download (e.g., a compromised website), or steganography (e.g., embedded in the metadata of visual files). While firewalls and antivirus software can sometimes detect and block the delivery of zero-day attacks, those hackers who are sophisticated enough to discover and weaponize zero-days are also usually smart enough to bypass traditional antivirus software and firewalls.

Even after discovery, zero-days pose a significant threat if systems and applications remain unpatched—and firewalls and antivirus are of little assistance. Take, for instance, Heartbleed—a serious vulnerability in OpenSSL cryptographic software that emerged in 2014. Unpatched, this bug leaves network vulnerable to significant data theft. Yet, as of January 2017, 200,000 systems still had not been patched.
Of course, zero-day and spear phishing attacks are simply steps of a larger campaign. After all, hackers don’t spend huge sums of time and energy to penetrate a network just for fun. Whether motivated by money, revenge or ideology, each step ultimately leads to payload—most often in the form of malware.

And this brings us to two of the more popular forms of malware hackers employ to achieve their ultimate goal.


There’s no question that ransomware has become the malware of choice, particularly for financially motivated hackers.

Ransomware saw exponential growth throughout 2016, arguably becoming the highest-profile exploit among cyber attackers and victims alike. Essentially a means of digital extortion, ransomware allows cyber criminals to steal and encrypt data until the victim pays a ransom—usually paid in the cryptocurrency Bitcoin to command-and-control servers anonymously hosted on the Tor network.

Through a zero-day exploit—particularly where appropriate endpoint security measures are lacking—all it takes is one careless or uneducated end user for hackers to successfully launch a ransomware attack. Lacking proper network segmentation, that ransomware can quickly spread network-wide. Meanwhile, without proper incident response and data backup, ransomware can significantly paralyze an organization, requiring high-volume computer reimagining—if not hundreds of thousands of dollars paid out to the attackers.


If ransomware attacks are predominately financially motivated, Trojans are a favorite for more mission-oriented hackers looking to spy, steal data or access your network. That’s not to say that Trojans are never employed for financial gain—they are, as evidenced by a wave of bitcoin mining attacks earlier this year.

A Trojan horse is a type of malware that appears like a piece of legitimate software. Users are tricked into opening and executing it—often through phishing or social engineering campaigns—thus enabling cyber criminals to access your system. This kind of malware comes in multiple forms, including:

Backdoors, which allows attackers to create a backdoor in order to access and control the user’s computer or device and steal data or even install more malware.

• Downloaders, which enable attackers to download additional content—including malware—to the infected computer.

• Infostealers, which—as the name suggests—allow hackers to steal data.

• Remote Access Trojans, which are designed to give attackers full control of the machine.

• Distributed Denial of Service (DDoS) Trojans, which take down a network by flooding it with traffic.

What makes Trojans particularly challenging is how difficult they are to detect. Because Trojans can be executed without disrupting other software, machines can be infected for a good while before users or IT pros realize there’s been a breach. And, of course, the longer the time to detection, the more damage can be done.

The Devil You Don’t Know

Of course, these are just a small sample of potential threats—hackers have innumerable routes to their end goal. Meanwhile, given their extremely targeted nature, many of today’s threats render traditional security measures (e.g., firewalls, antivirus) significantly less effective. Polymorphic code (i.e., malicious software that constantly mutates) further hinders detection. Then, of course, there are the individual users and their endpoint devices, each one a potential window of opportunity for hackers.

How do you fight a hacker you don’t know, wielding malware you can’t see, aimed at any of numerous endpoints, manned by users over whom you have limited control? Fortunately, new technologies are emerging—for instance, threat intelligence, machine learning, and behavioral analytics—designed to fill the gaps left by firewalls and antivirus software. With endpoints continuously and increasingly under attack, agencies need an endpoint solution that not only detects modern threats, but that can respond to and defend against those threats that get through.

Pete Burke, CISSP, is a security and borderless networks consultant at Force 3.

Be the Hero Your Endpoints Deserve.

Are you prepared to protect your endpoints against modern malware? Let Force 3 and Cisco help.

Related Blog Posts

See All Blogs

Network Security in a Remote World

Five Tips to Help Federal Technology Teams Keep Their Networks Secure with a Remote Workforce With the Office of Management and Budget’s (OMB) mandate for federal agencies to implement policies and procedures to slow the spread of the COVID-19 virus,…

Protecting Federal Agencies from Phishing and Ransomware Attacks

As we spend an increasingly large percentage of our time online, we’ve become aware of the malicious tactics used to trick us into downloading malware or betraying our credentials. However, when we’re not paying attention, serious trouble can take us…

Using the CDM Program to Keep Up with Compliance in the Digital Age

As the Homeland Security Department’s Continuous Diagnostics and Mitigation program enters its seventh year, its positive impact on federal agencies' cybersecurity is clear. Since implementation, Homeland Security has been able to field and navigate over 35,000 security incidents, and fiscal…

4 Security Lessons Federal IT Pros Can Teach the Private Sector

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an…

NextGov: Security Doesn’t Have to Be a Sticking Point in Cloud Migration

Despite the innovations and efficiencies that come with cloud migration, only about 20 percent of federal agencies have migrated their applications and data to the cloud. Why such a low adoption rate? One reason is the challenge of securing data.…

Fifth Domain: How Agencies Can Protect Legacy IT As They Modernize

Cybersecurity threats grow more sophisticated every year. And while the federal government has pushed forward with efforts to modernize IT, some legacy systems pose unique challenges. Often, these systems remain static even as the landscape around them continues to change.…

What You Need to Know about Data Privacy

Data privacy is the crossroads of confidentiality and integrity. When data is shared, either voluntarily or involuntarily, there’s an expectation that the collected information will be kept confidential. In general, data privacy is really about identity—social security numbers, credit card…

Cyberattacks and the DHS Directive – It’s Time for your Agency to Improve Your Authentication Protocols

By now CIOs across the federal government have seen Emergency Directive 19-1 issued by the Department of Homeland Security, which was issued in response to cyberattacks on DNS infrastructure for several executive branch agency domains. In these attacks, outsiders compromised…

NextGov: The Boldest Predictions for Federal Technology in 2019

Everyone is talking about artificial intelligence right now—it’s the buzz of the industry. But not many people fully understand what AI and machine learning can do. Jason Parry, our VP of Client Solutions, shares his prediction on the impact artificial…

Covering Your Blind Spots

Visibility and security are paramount to a network because you can’t have one without the other. As technology develops, and our reliance on internet connectivity grows, new road blocks appear that make visibility harder to achieve. How can CSOs adapt…

Keeping Your Agency Secure in the Cloud

Like it or not, no government is permanently safe from cyberthreats. The agencies that protect their citizen data the longest are the ones that best assess the risks facing them daily. It’s a situation that doesn’t change after organizations adopt…

GCN: Securing Data in the Cloud Requires Planning, Constant Vigilance

Government agencies know -- and have largely accepted the fact -- that moving to the cloud is inevitable. Where many start struggling is with the “how.”  How do they move legacy systems to the cloud? How do they choose the…

NextGov: It’s Time to Tackle the Problem of Unapproved Cloud Apps to Keep your Agency Secure

It’s a problem seen across all federal agencies: Employees are using cloud-based applications that aren’t approved or protected by IT teams. These apps range from sharing tools, such as cloud storage platforms, to social media sites or personal email accounts…

GCN: Why Blockchain Belongs in Government

Anyone with a finger on the pulse of the latest cybersecurity trends has probably noticed an increasing number of contributions to the blockchain conversation. The dialogue around blockchain, while loud, clear and growing, has been largely undirected for the past…

Federal Times: Can Industry Bridge the Government Cyber Skills Gap?

Federal agencies have until April 2019 to identify critical work roles and skill shortages in IT and cybersecurity as part of the Federal Cybersecurity Workforce Assessment Act. While this is a first step in determining a holistic approach to address…

CSO: Getting the Most out of Your Security Budget

There may be no more pressing need in today’s online world than quality cybersecurity, making it a top-line item for just about everyone. But even as the need builds, the salaries rise, and the expectations heighten, resources remain scarce. Security…

NextGov: The Time to Automate Security is Now

Cybersecurity threats are constantly evolving. Unfortunately, federal IT teams often find themselves low on resources, which means being proactive to combat them is a pipe dream. So how can leadership focus on strengthening their agency’s security posture when they spend…

CSO: Ways to Improve Your Security Team’s Response Time

When it comes to incident response, every second counts. The severity of breaches varies, but since damage done directly correlates to the time a malicious actor has access to your systems, it’s paramount that all threats are discovered and remediated…

3 Ways to Unleash the Power of Your Next-Generation Firewall

We more or less abandoned pagers more than 15 years ago. Fax machines have gone from ubiquity to near obsolescence. And floppy disks? Many of the most recent generation of tech users have never even held—let alone inserted—one. And yet,…

Cisco Live 2018: Vendor Opens Management Console to Partners

In this article for TechTarget, Force 3's VP of Client Solutions Jason Parry weighs in on the new opportunities arising from Cisco DNA Center. In Cisco's latest nod to software, the company has opened its Cisco DNA Center to developers,…

NextGov: How to Integrate TIC Security with the Federal Cloud-First Mandate

When the Trusted Internet Connections (TIC) initiative was first introduced more than a decade ago, the goal was to improve security in government IT systems by limiting the number of individual external network connections to the internet. Before implementing TIC security…

CSO: Security Metrics You Need for the Board

No one wants to show up to an important meeting empty-handed. But with so many analytics right at their fingertips, how can CSOs pick the right numbers to reflect their work? Here are three imperative security metrics to have in…

Preventing Ransomware Attacks the Right Way

Ransomware attacks continue to be a major threat with no sign of slowing down. Here are some lessons organizations can learn from federal agencies to better prevent them. While ransomware is hardly a new threat, it’s far from being obsolete.…

Anomaly Detection: Stop Threats Before They Hit Your Network

In today’s IT environment, endpoint monitoring is fairly standard procedure. Most organizations have at least some sort of system in place allowing them to collect network monitor firewalls and collect network usage data to for network anomaly detection. But, by…

5 Reasons Why Vulnerability Management Is No Longer Optional

For agencies determined to create the most effective network security strategy possible, vulnerability management is no longer optional—it’s a necessity.  If there’s anything we’ve learned in recent years, it’s that cyber threats just keep coming. Thwart one and a new…

Best Practices for Thwarting Insider Threats

Testing the excerpt override field.

Dark Reading: 3 Tips to Keep Cybersecurity Front & Center

In today’s environment, a focus on cybersecurity isn’t a luxury. It’s a necessity, and making sure that focus is achieved starts with the company’s culture. For IT departments — especially in large organizations — daily operations are complex, multifaceted, and…

IoT & The Intelligent Edge: Defending Outside The Firewall

The Internet of Things, though still evolving, has pushed its way into the workplace. The result? CSOs are working overtime to keep up. What’s the protocol for these connected devices, and how do they fit into the existing security infrastructure?…

GCN: The Hidden Challenges of Federal IT Modernization

In the next three years, an estimated $3 billion worth of federal IT equipment will reach end-of-life status, according to former U.S. Federal CIO Tony Scott. It’s an intimidating number, and one that indicates just how far-reaching the need is…

Stealthwatch vs. Insider Threats

In an evermore threatening cybersecurity landscape, how can organizations protect themselves from one of the greatest security risks of all: The Insider Threat. Did you know? 66% of cyber attacks in 2015 were carried out by insiders. 74% of organizations…

How can we help your agency achieve its mission?

Maximize your IT investments. Learn more about solutions and services from Force 3.