Why Identity is at the Core of a Federal Zero Trust Strategy


What’s the Fuss with Zero Trust?

In practice, the zero trust security model means never trusting, always verifying users’ identities in an effort to combat fraud, and only granting access once it is confirmed that users are who they say they are through authentication methods. At its core, identity is a key component of zero trust. And with increasing cyber threats putting organizations at risk, ensuring only authorized users gain access to networks is critical for the private and public sector alike.

Government agencies continue to be a significant target for threat actors, as evidenced in an escalation of sophisticated, high-impact ransomware incidents against critical infrastructure organizations. As part of our 2022 Annual Identity Exposure Report, SpyCloud researchers wanted to learn how government agencies fared in data breaches in 2021, since stolen credentials add powerful ammunition to ransomware attacks. We found 611 breaches containing .gov email addresses, which accounts for 81% of the total breach sources recaptured by SpyCloud.

These compromised credentials give threat actors a potential foothold inside of those agencies – and this risk is compounded given the high password reuse rate of 60% among .gov users with more than one password in our database, where at least one of those passwords was collected in 2021.

With identity being the crux of zero trust, the sheer amount of data exposed on the darknet from .gov email addresses is enough to make the case for implementing this type of initiative across federal government agencies.

Implementing Zero Trust for the U.S. Government

Governments appear to be ahead of their private sector peers when it comes to implementing zero trust, with 72% of government organizations already using a zero trust model, compared to 56% of companies. In the U.S., zero trust is a cybersecurity initiative championed from the top levels of government.

To strengthen national cybersecurity and “reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns,” the White House issued a memo in January 2022 outlining the U.S. Federal Government’s move to a zero trust strategy. The memo states that:

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”

As part of the U.S. Government’s implementation of a zero trust strategy, agencies are required to meet certain cybersecurity standards in which they verify anything and everything attempting to access agency networks by the end of 2024.

According to a Government Accountability Office report, the U.S. Department of Defense (DoD) has reported over 12,000 cyber incidents since 2015, effectively making the case for the federal zero trust strategy across the government. The DoD launched its zero trust strategy in November of 2022, with the intent to:

  • Limit the ability of threat actors to gain access and evade detection inside the agency’s systems,
  • Prevent identity theft, and
  • Enforce multi-factor authentication (MFA).

As more government agencies begin to implement zero trust, keeping bad actors out of their networks is a key focus of a successful strategy, and authentication controls such as MFA and credential security are a major component of that implementation.

Identity Recommendations To Enhance Zero Trust Strategy

Key tenets of the government’s zero trust strategy include MFA and secure password policies. However, we would argue that even more emphasis should be put on these authentication methods, as they aren’t foolproof.

While enforcing MFA does add another critical layer of security, it is also a preventive measure that adversaries are able to bypass. To increase MFA’s effectiveness, agencies must prepare for the threat of malware. Web session cookies are just one type of authentication information that malware siphons, and with this information, cybercriminals and advanced persistent threats alike can gain access to mission-critical applications and move virtually undetected through your network, performing espionage, exfiltrating files, and launching ransomware attacks.

Strong password policies are another way to ensure access is only granted to authorized users, but enforcing them can be another challenge. With poor password hygiene plaguing government agencies as evidenced in our Annual Identity Exposure Report, stolen credentials from government agencies can be used to gain unauthorized access to networks and wreak havoc on not only government employees, but constituents as well. While NIST offers guidelines for password policies, SpyCloud recommends additional tips for strong passwords, including the use of complex passwords and ensuring unique passwords across accounts.

Further, recapturing data early is critical to mitigating the threat of attack. The later breach or malware data is recaptured, the wider the exposure window and the higher the risk of cyberattacks using compromised credentials. Speed of data recovery makes it possible to reset passwords proactively, before criminals use them to cause harm.
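An added illustration, not SpyCloud’s code or data, of the two ideas in this post: the reuse metric defined earlier (users with more than one recaptured password, at least one collected in a given year) and the proactive reset described above. It assumes a constructed set of recaptured records and a hypothetical agency directory keyed by email, with SHA-256 standing in for the directory’s real password hashing.

```python
import hashlib
from datetime import date
def _h(pw):
    # Illustrative only: a real directory stores salted, slow hashes (bcrypt/Argon2), not bare SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample recaptured records (email, password, date recaptured); nothing here is real data.
RECORDS = [
    ("alice@agency.example.gov", "Winter2021!", date(2021, 3, 2)),
    ("alice@agency.example.gov", "Winter2021!", date(2021, 11, 18)),  # same password in two breaches
    ("bob@agency.example.gov", "c0ffee-mug", date(2021, 6, 9)),
    ("bob@agency.example.gov", "Summer#77", date(2020, 1, 4)),        # distinct passwords
    ("carol@agency.example.gov", "S3cure!pass", date(2019, 8, 1)),    # single record: not eligible
    ("dave@contractor.example.com", "qwerty", date(2021, 5, 5)),      # not a .gov user
]
# Hypothetical agency directory: email -> hash of the password currently in use.
DIRECTORY = {
    "alice@agency.example.gov": _h("Winter2021!"),   # still using the exposed password
    "bob@agency.example.gov": _h("new-and-unique"),  # already rotated
}

def by_user(records):
    groups = {}
    for email, pw, seen in records:
        groups.setdefault(email.lower(), []).append((pw, seen))
    return groups

def reuse_rate(records, year, suffix=".gov"):
    """Share of `suffix` users with 2+ recaptured passwords (one collected in `year`) that repeat one."""
    eligible = reused = 0
    for email, recs in by_user(records).items():
        if not email.endswith(suffix) or len(recs) < 2:
            continue
        if not any(seen.year == year for _, seen in recs):
            continue
        eligible += 1
        reused += len({pw for pw, _ in recs}) < len(recs)  # fewer distinct passwords than records
    return reused / eligible if eligible else 0.0

def reset_queue(records, directory, today):
    """Directory accounts with an exposed credential: still-active passwords first, then longest exposed."""
    queue = []
    for email, recs in by_user(records).items():
        current = directory.get(email)
        if current is None:
            continue
        days = (today - min(seen for _, seen in recs)).days      # exposure window so far
        active = any(_h(pw) == current for pw, _ in recs)        # exposed password still in use
        queue.append({"email": email, "days_exposed": days, "still_active": active})
    return sorted(queue, key=lambda q: (not q["still_active"], -q["days_exposed"]))
```

On the constructed data the reuse rate for 2021 is 0.5, and alice is queued ahead of bob because her recaptured password is still the one in the directory.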

NIST guidelines agree: “Most ransomware attacks are conducted through network connections, and because ransomware attacks often start with credential compromise, proper credential management is an essential mitigation, although not the only mitigation needed.”

How Darknet Data Enables Zero Trust

A mature zero trust strategy must seek to proactively secure user identities, regardless of device or network, by preparing for the limits of protective measures and deepening the risk assessment of each user.

As the leader in Cybercrime Analytics™ with the world’s largest repository of recaptured assets from the darknet, including stolen credentials and malware-infected devices, SpyCloud has become an essential component of zero trust. Insights from data on the darknet give you confidence in your users’ identities and protect their accounts (and your agency’s mission-critical systems and data) without creating unnecessary friction for your employees or extra work for your security team. It’s all about:

  • Having access to the right data — the most current, relevant, and truly actionable breach and malware data
  • The ability to detect exposed credentials and malware-infected devices before criminals have a chance to use them
  • Being able to remediate account exposures automatically

SpyCloud solutions are aligned to several zero trust capabilities, including:

  • Visibility and analytics: Advanced Threat Protection, Risk Evaluation, and Dynamic Risk Scoring
  • Automation and orchestration: API Standards
  • Governance: Threat Score and Risk Score
  • User: User Authentication, Cybersecurity Access Policy, Privilege Access Management, In-Session Monitoring, Attribute-Based Access Control (ABAC)

It is critical that the federal government and its contractors have comprehensive identity protection to strengthen their zero trust strategy. Ensuring only authorized users have access to government networks is imperative to our national security, and insights from the darknet about exposed identity data can help support that mission.

Learn how insights from the darknet can help protect your agency and enable zero trust strategies with SpyCloud Government Solutions.