
Nation-state cyber attacks come out of the shadows

Nation-state hackers are increasingly targeting government institutions, industrial facilities and many businesses with powerful and sophisticated techniques, which interrupt business operations, leak confidential information and can result in massive data and revenue loss.

Nowadays, both public and private organisations are leaving sensitive and monetisable data, such as intellectual property (IP), unprotected. Given the high rewards and low risks of cyber attacks, nation-states are more active than ever. Indeed, in most instances, nation-states devote seemingly limitless resources to achieving their objectives, including time, money and hacker talent. For the cybersecurity professional, the challenge is to deploy limited resources as efficiently as possible.

Many mature cybersecurity programs use a risk-based approach to maximise security value for the pounds spent. This requires an understanding of the adversaries targeting your networks and the data they are after. If the last year provides any lessons, the top takeaway would be that almost all executive communications have value for a hacker.

For example, during the course of last year, much of the news was dominated by reports of Russian agencies using cyber attacks to extract information that could be used to influence the U.S. presidential election. In June, it was reported by the Washington Post that Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach. In December it was reported that Russian hackers tried to penetrate the computer networks of the Republican National Committee, using the same techniques that allowed them to infiltrate its Democratic counterpart.

As today’s state-sponsored cyber attacks are growing in scale, frequency and sophistication, understanding the motivations and capabilities of hackers is the first step towards employing a risk-based approach to mitigating the most advanced and persistent threats.

‘State-backed’ cyber attacks on the rise

In the last decade, the fact that nation-states were actively deploying cyber weapons against commercial interests in the West was well known in the law enforcement and intelligence communities. In the last few years, state-sponsored cyber attacks have come out of the shadows. Companies of all sizes found themselves face-to-face with military and intelligence agencies, without much protection from the government. This left them practically alone to contend with the significant challenge of ensuring that they can detect and protect against such serious threats.

Two of the top players are Russia and China.

Both deploy sophisticated malware tools and simpler, off-the-shelf tools to achieve their objectives. In many cases, the common element of the attack is the exploitation of the human element within an organisation. This attack vector, exploiting the human component within the target’s infrastructure, has also increased in complexity. So it’s not just the ones and zeros part of an attack that’s sophisticated; it’s also the development of exploits for other weak points within an enterprise. In addition, criminal groups are adopting the same tools and techniques, so the gap between deployment by a nation-state and deployment by a criminal group, in terms of both time and quality, is shrinking.

What’s motivating cyber attacks?

Let’s look at the top two players. First, the Russians – while they remain committed to hacking business information that will assist their competitive standing in the world, their first priority is collecting military and diplomatic information. To this end, they have put significant talent and resources into targeting U.S. government networks to collect the kind of diplomatic information that gives them an advantage in negotiations or strategic decisions as this information enables them to predict U.S. strategic positions and decisions.

For cybersecurity professionals, it is important to know what type of information is stored on or passing through your network. Media companies, academics, law firms, and companies that deal in strategic commodities are all potential targets. A risk-based approach will account for the threat and layer more advanced (and expensive) defences around sensitive information.

In comparison, the primary objective of Chinese cyber collection capability is to enable their State Owned Enterprises (SOEs) to compete and dominate on a global economic level. Over the last decade, cybersecurity professionals have noted an increasing number of network intrusions that result in exfiltration of business information, including IP and executive communications. That’s a hallmark of Chinese hacking groups, particularly Group 61398, who are known for stealing trade secrets from companies such as Westinghouse and US Steel.

Group 61398’s efforts to target technologies and business information that advance China’s strategic industrial sectors are emblematic of the Chinese hacking initiative. Cybersecurity analysts have directly correlated the key industries China seeks to grow with the sectors they are targeting with cyber attacks. As a security professional, it pays to understand what the Chinese are after and develop a risk-based approach to protecting the information in your network that may be of value to a sophisticated economic adversary like China.

Are you ready for a “State-Sponsored Attack”?

One of the main challenges for organisations is moving from a perimeter-based strategy to a risk-based approach in a rapidly expanding and amorphous infrastructure. Deploying a software defined perimeter (SDP) model to protect highly sensitive information, such as IP, contracts, business processes and communications, can help meet these challenges by effectively making the infrastructure invisible. For years many have argued that you can’t secure what you can’t see; the reverse is also true – you can’t hack what you can’t see either!

The approach is simple – expose the fewest network-based resources to the fewest individuals, who are then granted the lowest level of privileges required to perform their job. Access privileges are set, defined and updated by user-centric policies that draw on multiple aspects of server and user context, including device integrity, as part of the authentication process.
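As an added illustration (not part of the original article and not Cryptzone’s product code), the following Python sketch models the decision just described: a default-deny policy in which each user can see only the resources they hold an entitlement to, and even an entitled request is refused unless MFA, device integrity and the source network all satisfy the rule. The hostnames, group names, posture signals and sample users are all constructed for the example.

```python
"""Illustrative software-defined-perimeter style policy engine (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Constructed device-integrity signals an endpoint agent might report."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    agent_running: bool

    def integrity_ok(self) -> bool:
        # Every signal must hold; one failed check fails the device.
        return self.managed and self.disk_encrypted and self.os_patched and self.agent_running


@dataclass(frozen=True)
class AccessContext:
    """What the policy decision knows about the requester: user and device context."""
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device: DevicePosture
    network: str  # constructed labels: "corp", "vpn" or "internet"


@dataclass(frozen=True)
class Rule:
    """One entitlement: members of a group may perform certain actions on one resource."""
    resource: str
    group: str
    actions: FrozenSet[str]
    require_mfa: bool = True
    require_device_integrity: bool = True
    networks: FrozenSet[str] = frozenset({"corp", "vpn", "internet"})


# Constructed policy; hostnames and group names are hypothetical.
POLICY: List[Rule] = [
    Rule("git.internal:22", "engineering", frozenset({"read", "write"})),
    Rule("contracts.internal:443", "legal", frozenset({"read", "write"}),
         networks=frozenset({"corp", "vpn"})),
    Rule("contracts.internal:443", "executives", frozenset({"read"})),
    Rule("wiki.internal:443", "all-staff", frozenset({"read"}), require_device_integrity=False),
]


def visible_resources(ctx: AccessContext) -> List[str]:
    """Resources the user holds any entitlement to; everything else stays dark to them."""
    return sorted({r.resource for r in POLICY if r.group in ctx.groups})


def authorize(ctx: AccessContext, resource: str, action: str) -> Tuple[bool, str]:
    """Default-deny decision: grant on the first rule whose conditions all hold."""
    candidates = [r for r in POLICY if r.resource == resource and r.group in ctx.groups]
    if not candidates:
        return False, "no entitlement: resource is not visible to this user"
    reasons: List[str] = []
    for rule in candidates:
        if action not in rule.actions:
            reasons.append(f"{rule.group}: action '{action}' not granted")
            continue
        if rule.require_mfa and not ctx.mfa_verified:
            reasons.append(f"{rule.group}: MFA required")
            continue
        if rule.require_device_integrity and not ctx.device.integrity_ok():
            reasons.append(f"{rule.group}: device failed integrity check")
            continue
        if ctx.network not in rule.networks:
            reasons.append(f"{rule.group}: not allowed from network '{ctx.network}'")
            continue
        return True, f"granted via group '{rule.group}'"
    return False, "; ".join(reasons)


# Constructed sample devices and requesters.
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, agent_running=True)
UNPATCHED = DevicePosture(managed=True, disk_encrypted=True, os_patched=False, agent_running=True)

ENGINEER = AccessContext("alice", frozenset({"engineering", "all-staff"}), True, HEALTHY, "vpn")
LAWYER_BAD_DEVICE = AccessContext("bob", frozenset({"legal", "all-staff"}), True, UNPATCHED, "corp")
EXEC_FROM_CAFE = AccessContext("carol", frozenset({"executives", "all-staff"}), True, HEALTHY, "internet")

if __name__ == "__main__":
    requests = [
        (ENGINEER, "git.internal:22", "write"),
        (ENGINEER, "contracts.internal:443", "read"),
        (LAWYER_BAD_DEVICE, "contracts.internal:443", "read"),
        (LAWYER_BAD_DEVICE, "wiki.internal:443", "read"),
        (EXEC_FROM_CAFE, "contracts.internal:443", "write"),
    ]
    for ctx, res, act in requests:
        ok, why = authorize(ctx, res, act)
        print(f"{ctx.user:6} {act:5} {res:24} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The point of the separate `visible_resources` step is the “invisible network” idea: a requester with no entitlement to a resource is refused before any authentication detail is even considered, so the service never has to answer an unentitled client at all. Device posture is evaluated per rule, which lets a low-sensitivity resource (the wiki) tolerate an unpatched device while the contracts store does not.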

Anyone can be a victim of a “state-sponsored” cyber threat, whether it takes the form of identity theft, malware or a DDoS attack. Therefore, it is crucial for organisations to learn how to defend themselves. Although there isn’t a way to completely stop “state-sponsored” attacks, there is a way to make them less successful: educating users to stay alert, recognise and report threats, while working from an ‘invisible’ network.

Leo Taddeo is Chief Security Officer at Cryptzone