Public Administration


    Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors. Privilege Misuse and Error by insiders account for 30 percent of breaches.


    23,399 incidents, 330 with confirmed data disclosure

    Top 3 Patterns

    Cyber-Espionage, Miscellaneous Errors and Privilege Misuse represent 72% of breaches

    Threat Actors

    External (75%), Internal (30%), Partner (1%), and Multiple parties (6%) (breaches)

    Actor Motives

    Espionage (66%), Financial (29%), Other (2%) (breaches) 

    Data Compromised

    Internal (68%), Personal (22%), Credentials (12%) (breaches)

    Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape and tights wearing super heroes, or so stressed they’re barely hanging on by their fingernails. And while that may yet be the case, keep in mind that we do have very good visibility into this industry, in part due to regulatory requirements that members (at least in the United States) must report their incidents to one of our data sharing partners (the US-CERT). Arguably more interesting is the fact that, with similar breach numbers from last year’s report, the makeup of the breaches has seen some change.

    Master of whisperers

    While the Cyber-Espionage pattern was also the most prominent in this industry in last year’s report, the number of breaches in the Cyber-Espionage pattern is 168% of last year’s amount. Figure 60 shows how the percentages shifted from last year.


  • Figure 60

    The most common pairings of threat actions and assets in Table 7 tell a story that is as easy to follow as "See Spot Send Malicious Attachments and Gain a Foothold." We have a gang of five threat actions found in breaches that had a human asset[16] and a workstation as affected assets. We are seeing the familiar phish > backdoor/C2 > use of the newly acquired channel into the network. Admittedly, we do not have as much data on what is happening beyond the deception and initial device compromise. The inclusion of keylogging malware is a good indicator that additional credential theft and reuse is a likely next step.

  • Table 7

    I click, therefore I am

    Since we have established a bit of a problem with malicious emails, we wanted to dig more into the security awareness training data provided to us this year. Figure 61 shows how quickly employees in this sector are clicking or reporting on phishing emails. Early on in the training, similar percentages of users are clicking and reporting, but reporting drops off after the first hour, whereas clicking is more active. Not optimal, but since this was sanctioned and not actually malicious, nothing was done after the initial reporting other than an “atta boy”. Having documented, understood, and tested incident response plans for the real thing will allow the containment process to begin during that first hour to limit the effectiveness and impact through quick identification. This should also limit the opportunity for the users who are not KonMari-ing their inboxes to interact with the malicious message days later.

  • Figure 61

    The wheels of government discover slowly

    When there is enough detail to derive breach timeline metrics, the data shows that breaches in the Public sector are taking months and years to be discovered. Public breaches are over 2.5 times more likely to be undiscovered for years. Espionage-related breaches typically do take longer to discover due to the lack of external fraud detection, but we did not have timeline data for those breaches. Privilege Misuse is the most common pattern within breaches that went undiscovered for months or more.

  • Figure 62

    Things to consider

    Understand the human factor

    Not just from a phishing target standpoint. Errors in the forms of misdelivery and erroneous publishing of data rear their risky heads again. Insider misuse is also still a concern, so ensure efforts are taken to routinely assess user privileges. Limit the amount of damage an employee acting inappropriately or maliciously can do with existing privileges. 

    Lookin’ out my backdoor

    While not as obvious as cartwheeling giants, validate there are controls in place to look for suspicious egress traffic that could be indicative of backdoor or C2 malware installation.

    The malware conundrum

    Large government entities with a massive community of end-points face a challenge in ensuring the breadth of up-to-date malware defenses is implemented. Smaller organizations may lack the budget for additional malware defenses other than desktop AV. Make friends with the desktop security folks and find out what their specific challenges are.

[16] Person – Unknown was not filtered out due to the amount of phishing without a known organizational role associated with the target.