Global attacks on critical infrastructure are up by 30%, as cited by the House Committee on Homeland Security. In addition, government agencies were the third-largest target of ransomware attacks in 2023.
In an environment of heightened threats and digital volatility, government agencies and public sector entities need to meet the now inevitable wave of cyberattacks well-prepared. There can be no room for the element of surprise. And nothing readies teams, strategies, and solutions like comprehensively stress-testing your security defenses with a simulated real-world attack.
Why Government and Public Sector Red Teaming?
Government and public-sector entities cannot afford to be sitting ducks, waiting on the defensive for attacks comprising ever-more-sophisticated exploits. They must engage in offensive security tactics to proactively identify potential weaknesses and attack paths before adversaries try to exploit them.
Red teaming, which emulates advanced adversarial methods in real time, readies security teams’ collective nervous system by using the same tactics, techniques, and procedures (TTPs) as today’s most sophisticated threat actors. Red teaming tools, like Fortra’s Cobalt Strike, empower public sector and government red teams to conduct these simulations efficiently and effectively.
Keeping Your Team Primed
If government and public sector entities do not put their teams, strategies, and response plans to the test on a regular basis, attackers will have the advantage. Getting practitioners to understand the anatomy of an advanced persistent threat (APT) and to detect incoming indicators of compromise is not enough. When the pressure is on, teams need to act in a well-coordinated response to neutralize malicious attacks.
A Legal Requirement
Currently, government red teaming is making its way into US cybersecurity legislation in several notable ways. The Federal Risk and Authorization Management Program (FedRAMP) implements mandated Red Team Testing Requirements (CA-8(2)), outlined in the Penetration Test Guidance.
Additionally, the White House Office of Management and Budget (OMB) released M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP),” which seeks to accelerate agencies’ ability to securely adopt cloud services. It states that cloud providers will be subject to consistent oversight, which may include “intensive, expert-led ‘red team’ assessments at any point during or following the authorization process.”
Cyberattacks Targeting Government and Public Sector
Cyberattacks on Military Services
The Center for Strategic & International Studies lists many cyberattacks on military services, critical infrastructure, and government agencies that occurred between 2006 and the present day. Those include:
- Ukrainian Draft | Attempts to undermine the Ukrainian military draft by Russian cybercriminals leveraging information-stealing malware in October 2024.
- Military Contracts | Nation-state actors compromised military contracts from South Africa’s Department of Defense in September 2023.
- Reconnaissance Systems | In August 2003, Chinese hackers targeted a US military procurement system for reconnaissance to establish covert proxy networks.
The list goes on. As military systems stand on the frontlines of international cyberwarfare, they should be constantly battle-tested to ensure that their defenses remain strong enough to combat frequent and powerful attacks from some of the world’s most advanced cybercriminal organizations.
Critical Infrastructure Cyberattacks
Public sector utilities, such as those involved in critical infrastructure, are prime targets for both domestic and foreign powers looking to undermine societies and create civil unrest.
In one recent example, an Iranian-linked hacking group known as the “Cyber Av3ngers” attacked a Pennsylvania municipal water plant by targeting a programmable logic controller (PLC). PLCs control everything from water pressure to chemical levels in US water facilities.
The US Cyber Threat Intelligence Integration Center called out other incidents, noting that “Iran-affiliated and pro-Russia cyber actors gained access to and in some cases have manipulated critical US industrial control systems (ICS) in the food and agriculture, healthcare, and water and wastewater sectors in late 2023 and 2024.” This is an ongoing problem, with “outdated software, poor password security, the use of default credentials, and limited resources for system updates render[ing] ICS devices vulnerable to compromise.”
According to the Center, other attacks during this time have affected utilities such as energy and telecommunications, along with other critical entities like agriculture, private-sector manufacturing, and education.
Cyberattacks on Construction
In September 2024, cybersecurity firm Huntress discovered a brute-force attack against users of Foundation Software, a solution serving over 40,000 construction pros across the US. Affected subcontractors included HVAC, concrete, and plumbing companies.
According to the IBM 2024 Cost of a Data Breach Report, “The industrial sector experienced the costliest increase of any industry, rising by an average of USD $830,000 per breach over last year.” According to SecurityHQ’s Construction Threat Landscape Report 2024, since the start of the year, the Construction & Building Materials Sector has been the target of at least:
- 161 ransomware attacks
- 20 hacktivist attacks
Suppliers are widely exploited victims in construction-based cyberattacks, and increasingly, security measures must take into account the software supply chain as well. As the Report notes: “Along with the physical delivery of materials, machinery, and labor, there is also the exchange of digital information, such as designs and specifications,” within modern construction supply chains.
Government Technology-focused Cyberattacks
Even government technology is not impervious to attack. For example, vulnerabilities were found in the US government’s voting machines. Every year, hackers at the DEF CON “Voting Village” hacking event find weaknesses of this sort, but there is typically not enough time to patch them before the next election day. This year was no different. Voting Village co-founder Harri Hursti explained, “If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves. We are here only for two and a half days, and we find stuff…it would be stupid to assume that the adversaries don’t have absolute access to everything.”
Red Teaming and Penetration Testing
Just as government-focused criminal hacking efforts are likely running around the clock, security teams defending critical government and public sector assets need to perpetually put their cybersecurity defenses to the test. Both penetration testing and red team engagements are needed here.
Red Teaming
Red teaming employs advanced techniques to mimic a long-term embedded threat actor. Using everything from social engineering to the sophisticated tradecraft of APTs, red team engagements are designed to test detection and response, and they provide the information the blue team needs to strengthen its security posture.
Penetration Testing
Penetration Testing has a more defined scope and identifies potential attack paths within a specified environment. A pen test can also determine which vulnerabilities, out of a list of many, are most likely to be exploited and verify that exploitation. Pen testing can also be used to validate remediation tactics. Both tools combined make an effective one-two punch against cybercriminals looking to employ a surprise element. If the attack vector is disarmingly simple, such as a compromised credential, penetration testing will catch that vulnerability and report it. If the vector is stronger, such as a low-and-slow attack leveraging polymorphic malware, a red team engagement will reveal a government organization’s susceptibility to that kind of compromise.
For that reason, organizations cannot afford to be lacking when it comes to top-notch red team tools. While homegrown solutions can be effective, to a point, they can lack the scope and depth of enterprise-grade red team solutions. This is because vendors offering enterprise-level software often have the luxury of drawing from wider pools of experts with more experience fighting, analyzing, and even creating malicious exploits – the same kind needed in a good red team arsenal. If your red team engagements are limited only to what your current staff on hand already knows, then chances are high that a motivated attacker with long-term plans to infiltrate a government system is going to have a few tricks up their sleeve for which your team is not prepared.
Government-funded cybersecurity training is one way to upskill your current staff in ethical hacking, malware analysis, and more. Analysts with some background in these areas will be more familiar with the principles and practices underlying vendor-made red team tools and can help their agencies get a running head start. The Federal Virtual Training Environment (FedVTE), a free government cybersecurity training resource, has transitioned to CISA Learning and can serve as a foundation for future red teams and blue teams alike.
Why Cobalt Strike?
Fortra’s Cobalt Strike is leveraged by red teams industry-wide to launch realistic simulated attacks, establishing persistence and capturing information using the same tactics, techniques, and procedures as today’s advanced adversaries.
Cobalt Strike Capabilities
Using covert channels and powerful post-exploitation agents, Cobalt Strike can imitate an embedded actor within your network. Malleable C2 lets operators shape its network indicators to emulate different malware, keeping teams on their toes and making the traffic difficult to detect or to design traditional firewall defenses against.
Bundled with Outflank Security Tooling, Fortra’s red teaming bundle can help government agencies and public sector entities “simulate similar techniques to what some APTs and Organized Crime Groups apply but are not available in public tools.”
Cobalt Strike Features
Some features of Cobalt Strike include:
- Arsenal Kit | Customizable tools that users can modify to better emulate real-world techniques, such as custom reflective loaders and an LLVM mutator to break in-memory YARA scanning of sleep masks.
- Covert Communication | Malleable C2 profiles, peer-to-peer connections via TCP or SMB, and the ability to egress networks using HTTP, HTTPS, and DNS.
- Post-Exploitation | Beacon, Cobalt Strike’s signature payload, gathers information, deploys additional payloads, executes arbitrary commands, and more, just like a real attacker would.
- Payload Generation | Users can customize payloads through Cobalt Strike to best meet their specific needs.
This list is just the beginning. Additional Cobalt Strike features include interoperability with Fortra’s penetration testing tool Core Impact and with Outflank Security Tooling, compatibility with personalized tools and techniques, collaboration with fellow red teamers via team servers, timeline reports, and more.
Blue Team Benefits
Every red team engagement not only helps identify security gaps and shore up defenses but expressly benefits the blue teams tasked with defending government entities and the data they protect. By safely testing with red team attacks in real time, blue teams can better analyze potential attack paths and techniques, build bespoke mitigation measures, and implement better-suited monitoring and detection mechanisms so that those techniques will not work again.
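As an added example that is not part of the original post and is not Fortra’s or Cobalt Strike’s code, the following Python script shows one such detection mechanism a blue team might build after an engagement: a beaconing heuristic run over constructed web-proxy log lines. It flags a client/host pair whose request intervals are unusually regular, the footprint an implant leaves when it polls its command-and-control server over HTTP or HTTPS on a fixed interval with modest jitter. The log format, hostnames, addresses, URIs and thresholds are all assumptions constructed for this example.

```python
"""Beacon-interval heuristic over constructed web-proxy log lines.

Added example, not code from Fortra or the Cobalt Strike project. It assumes a
simple proxy log format (constructed here): one request per line,
"<ISO-8601 timestamp> <client ip> <destination host> <uri> <response bytes>".
An implant that checks in at a fixed interval plus jitter produces inter-arrival
times that cluster tightly for one client/host pair; human browsing does not.
The heuristic flags pairs whose interval coefficient of variation stays low
across a minimum number of requests.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 polls cdn-updates.example roughly every
# 60 seconds with about 10% jitter; 10.0.0.7 browses news.example irregularly.
# Hosts, addresses and URIs are made up for this example.
SAMPLE_LOG = """\
2024-10-01T09:00:00 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:00:58 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:02:01 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:02:58 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:04:03 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:05:01 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:06:02 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:06:58 10.0.0.5 cdn-updates.example /api/status 1124
2024-10-01T09:00:00 10.0.0.7 news.example /index.html 48211
2024-10-01T09:00:03 10.0.0.7 news.example /style.css 9032
2024-10-01T09:00:45 10.0.0.7 news.example /story/1 31920
2024-10-01T09:00:47 10.0.0.7 news.example /img/hero.jpg 210044
2024-10-01T09:05:00 10.0.0.7 news.example /story/2 29811
2024-10-01T09:05:02 10.0.0.7 news.example /img/chart.png 88120
2024-10-01T09:05:05 10.0.0.7 news.example /comments 12002
2024-10-01T09:20:00 10.0.0.7 news.example /index.html 48355
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _uri, _size = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(times):
    """Return (mean interval, coefficient of variation, request count) or None."""
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(deltas) < 2:
        return None  # too few requests to judge a cadence
    avg = mean(deltas)
    if avg <= 0:
        return None  # duplicate timestamps only
    return avg, pstdev(deltas) / avg, len(times)


def find_beacons(log_text, min_requests=6, max_cv=0.2):
    """Flag client/host pairs whose check-in cadence is suspiciously regular.

    max_cv bounds how much jitter the heuristic tolerates: 0.2 corresponds
    roughly to +/-20% scatter around the mean interval.
    """
    findings = []
    for (src, host), times in parse_log(log_text).items():
        stats = interval_stats(times)
        if stats is None:
            continue
        avg, cv, count = stats
        if count >= min_requests and cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "requests": count,
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: {f['requests']} requests, "
              f"~{f['mean_interval_s']}s apart (cv={f['cv']})")
```

On the constructed log this flags only the 10.0.0.5 to cdn-updates.example pair. To run it on real data, adapt parse_log to the proxy or Zeek-style connection log format in use and tune min_requests and max_cv against a baseline of known-good traffic. A single cadence heuristic is easy to evade with high jitter or a check-in schedule buried inside legitimate browsing, which is exactly what a Malleable C2 profile can be shaped to do, so it belongs alongside other signals such as constant response sizes, rarely seen destinations and off-hours activity rather than standing alone.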
In the real world, these improvements are hard-won and typically only come at the back end of a very costly attack. Thanks to red teaming, teams can benefit from this invaluable knowledge without paying the price of a data breach for it.
Learn More About Cobalt Strike
Want to learn more? Dive into Fortra’s Cobalt Strike, one of the first public red team command and control frameworks, in this in-depth on-demand demo. Or request a free trial of Cobalt Strike for a more hands-on experience you can test with your team. And don’t forget to check out our Red Team Bundle to see what Cobalt Strike can do when combined with our curated set of offensive security tools, Outflank Security Tooling (OST).