Implications of the Alleged State Department Breach

The US State Department was reportedly hit by another cyber attack, although it has not been officially confirmed. Whether or not the attack occurred, it is a simple fact that government agencies and private organizations are under constant siege, and that the security professionals tasked with protecting against attacks need to remain vigilant. 

Attacks will happen. What matters most is how quickly the threat is detected and how quickly it is neutralized. 

What We Know about the State Department Attack

Details about the attack are scarce. For that matter, the State Department hasn’t even officially confirmed that the attack occurred. 

Fox News reporter Jacqui Heinrich revealed on Twitter that the State Department had been hit by a cyber attack. Citing anonymous sources, she reported that the mission to evacuate Americans and allies from Afghanistan has not been affected, but there are few, if any, details available beyond that.

A Reuters story shared a statement from a State Department spokesperson stating, “The Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” 

Defending Government Agencies Against Cyber Attacks

The default assumption might be that this attack is cyber espionage or executed by a nation-state adversary as part of the ongoing Cyber Cold War. It’s generally a bad idea to make assumptions, though. The State Department and its networks are huge. 

Presumably, they get attacked daily by hacktivists, run-of-the-mill malware and ransomware, as well as more adept nation-state sponsored attackers. Without more information, it is premature to make assumptions. 

Admittedly, many U.S. government agencies have a larger bullseye on their back than an average business, so defending against cyber attacks is challenging. It is not significantly different from being a security professional at any large, cyber mature organization, though—just for less money. 

It's a tough job made more difficult by more oversight than in most equivalent private-sector positions. It's high stress: largely uneventful-but-critical operations punctuated by high-adrenaline incidents. The tradeoffs and impacts may be different, but the job looks like the same job in large banks, the defense industrial base or any critical infrastructure provider too.

Implications for EDR and XDR

There's no shame in being attacked, and disclosing it properly is laudable. There's a world of difference between an infrastructure compromise, where a nation-state, rogue group or hacktivist commits a material breach, and an attack that actually causes damage. 

The State Department isn’t likely to disclose any further details given the current chaos on the ground in Afghanistan and other lingering tensions with Russia over the Colonial Pipeline and JBS ransomware attacks. Additionally, following news of Chinese APTs and a host of cybercriminal gangs exploiting Microsoft Exchange Servers, security teams will be on high alert for unusual cyber-related activity against the U.S. government and other allies.

This is the reason for the recent mandate issued by a White House Executive Order that all U.S. government agencies implement endpoint detection and response (EDR, MDR or XDR) capabilities as soon as possible. Not having a means of finding attacks as they move slowly, subtly and stealthily through networks isn’t an option anymore. 

This class of tool isn’t the be-all and end-all, but it’s at the top of the solution options when combined with advanced prevention solutions for eliminating most threats and building in resilience by ensuring that the blast radius of malware payloads is minimized.

The most significant take-away, though, is that it’s not about who we hire or what we buy; it’s about how we adapt and improve every day. The job is the job. The tasks vary, the tools and budgets vary, the frequency and caliber of attacks vary, but in the end Defenders are always Defenders.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.