
Beyond Nation-states: The Disappearing Line Between Attacker Capabilities

In the incident response world, we used to draw a clear line between the capabilities of attackers affiliated with nation-states and those not affiliated with any nation-state. Nation-state attackers always seemed to be the most well equipped and the most sophisticated attackers.  Then, over the last few years, that line began to blur.  

The sophistication of attackers with criminal or financial, rather than nation-state, motives began to increase significantly. We now find ourselves in a completely different threat landscape. As the 2017 M-Trends report notes, “Today, the line between the level of sophistication of certain financial attackers and advanced state sponsored attackers is not just blurred – it no longer exists.”

Defending Against Nation-States

Of course, there is no shortage of pundits running around talking about pandas, tigers, and bears (oh my!).  But as someone who has spent most of his career as a defender, criminal attack groups have captured my attention for quite some time now.  Am I saying that we no longer need to worry about nation-state attackers?  No, of course not.  Rather, what I am saying is that most organizations should probably be paying far more attention to criminal attack groups than they currently do.

Let’s take a look at a few of the reasons why:

A Numbers Game

While nation-state sponsored attacks often grab headlines, they are not something most security teams spend a majority of their time on.  Of course, when a nation-state attack hits, it can be quite ugly and can consume the entirety of a security team for an extended period of time.  But day-to-day, there is plenty of other activity to keep a security team busy.

There are many reasons why this is the case, but part of it is a simple numbers game. While the capabilities and resources of various nation-states vary widely, the number of state-sponsored attack groups is relatively small. There aren’t millions of countries in the world, but around 200 (give or take). Each of these countries can have anywhere from 0 to N state-sponsored attack groups (where N can be a fairly large number for a small number of nation-states).

On the other hand, when we expand our criteria to look at attack groups organized around criminal or financial motives, there are literally tens of thousands of such groups, or perhaps even more.  It is difficult to pinpoint the exact number, and of course, the sophistication of these groups will vary widely.  But fundamentally, what we have here is a numbers game.  With so many attack groups, the chance that one or more of them is interested in some data or information that you are entrusted with safeguarding is fairly high.

Flexibility and Spontaneity

For those of you who have worked in large organizations for any amount of time, you understand that large organizations cannot move as quickly and nimbly as smaller organizations. Smaller, less formal, more loosely organized attack groups can form flexibly and spontaneously around specific objectives and missions. These attack groups can recruit talent and adopt tools, techniques, and procedures as necessary for their day-to-day work without protracted bureaucratic processes. For us on the defensive side, that often means a significant number of adversaries that are both more sophisticated and more agile than we are.

All About the Information

As you are likely aware, the motives of each attack group vary widely, and so, as a result, does the data or information they target. As we expand the list of attack groups, not surprisingly, the array of targeted information expands as well. This, in turn, greatly expands the list of potential victim organizations, which is essentially what we’ve seen happen over the last few years. Targeted attacks are no longer the exclusive “privilege” of governments, militaries, defense contractors, and other traditional targets.

What we see in practice is that size, geography, and industry vertical matter less to this expanded group of attackers than information. It is the information they covet, regardless of where it resides. As an example, consider a law firm with around 100 employees that specializes in mergers and acquisitions (M&A). Although the law firm is a relatively small business, it may possess some extremely sensitive, and thus valuable, data. Not surprisingly, attackers are well aware of this. In fact, if this scenario sounds familiar, that is because it isn’t a hypothetical example. This particular victim profile was one of several different victim profiles highlighted in FireEye’s FIN4 report in 2014.

The news is not all bad, however. While the risk of grave damage to an organization from criminal attack groups is rising, it can be mitigated. While there are no silver bullets, taking a holistic approach to risk mitigation has proven to be effective time and time again. This strategic approach to security is based first and foremost on a deep understanding of the threat landscape facing a given organization.

One key takeaway I hope readers draw from this piece is that organizations should not be lured into a false sense of security simply because they deal in information or data that are not typically sought after by nation-state attackers.

There is a whole other world out there once we look beyond nation-states.  It pays to be prepared.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
