Attackers With the Backing and Sophistication of Nation-States Are Increasingly Targeting Commercial Entities
There is no one-size-fits-all mold for attackers in the security space. We can – and should – do our best to stay informed regarding the latest threat assessments, industry trends, and breach disclosures. While threats facing private industry and government may once have looked distinctly different, the line separating attackers pursuing these two arenas is now so blurred that it’s often hard to distinguish one from another. Nation-state attackers who once could be identified by a combination of targets, motivations, and tactics no longer fit cleanly into a specific box. Attackers with the backing and sophistication of nation-states are now targeting commercial entities for reasons ranging from financial gains to cultivating economic, social, and political disruption.
U.S. Director of National Intelligence Daniel Coates highlighted the uncertainly associated with these increasing threat actors in his 2018 Worldwide Threat Assessment:
“The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.”
Attack vectors that were once reserved for highly sophisticated nation-state actors seeking diplomatic or military intelligence have now become pervasive in the commercial world. It’s now reached an undeniable scope and scale with far reaching consequences. Nation-state security is now a private sector necessity and enterprises must be informed and prepared to face these threats.
Recently, the National Counterintelligence and Security Center initiated an awareness campaign called “Know the Risk, Raise your Shield” to warn U.S. companies of the importance of defending against nation-state attacks. The communications cite increasing attacks on government and corporate systems by groups, including Chinese, Russian, and Iranian intelligence, looking to steal databases and trade secrets. “The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars,” said NCSC Director William Evanina. The effort specifically warns against the attacks on corporate supply chains, spear-phishing emails, and social media deception as possible network entry points.
The worst thing we can do is underestimate an attacker. Risk assessments and breach investigations are incredibly important in the ongoing battle to stay ahead of attackers, but the information we gather after a breach event occurs can only do so much to prevent the attack on the horizon. As great as security practitioners are, they don’t have crystal balls. At the end of the day, we’re left combating an enemy we can’t fully define and we’ve reached the point where the only safe assumption is preparing as though all attackers attempting to infiltrate your network will be armed with a nation-state level of sophistication. We continue to see a surge in the number of organizations embracing the Zero Trust security model, a concept centered on the assumption that every environment in untrusted, no matter if it’s inside or outside an organization’s perimeters.
When considering nation-state attackers, there are a number of ways to begin ensuring your organization is battle-ready:
Know your data assets: Data and IP-rich businesses are prime targets for state actors using sophisticated techniques. These attackers often focus on an organization’s Crown Jewel data, the information that holds the most value because of its significance and/or potential for disruption. Organizations need to identify assets that fall into this category and recognize that they require an extra level of protection.
Think like an attacker: Identify your most vulnerable attack vectors and have specific response plans in place. Conducting regular risk assessments and red-team operations is a great way to uncover potential weaknesses in your overall security posture. Such evaluations must be performed regularly – vulnerabilities develop at the speed of innovation.
Evaluate your arsenal: Are there holes in your defenses? Ensure the products you use adhere to industry standards, evaluate your third-party touch points, and understand your best tools to combat specific threats. Standards and best practices are some of the most relevant tools we have to evaluate the effectiveness of a given technical solution. While the innovative leadership role of the private sector is undeniable, the reality is that the government and nonprofit groups issuing these recommendations have been in the battle for longer than most of the solutioning companies have been in existence. It doesn’t mean that they know everything – or share everything they know – but it is certainly worth heeding the guidance they provide.
Continue to update and evolve: Unfortunately, an effective security strategy is a moving target. Attackers are constantly discovering new tactics and targets and so our protection strategy must be elastic as well. Sometimes this means patching and implementing incremental improvements; sometimes it means flipping the whole strategy on its head. The most dangerous security foe is often complacency.
By recognizing the pervasiveness of nation-state attackers in the commercial market, identifying vulnerable attack surfaces, and committing to the necessary groundwork required to prepare your systems, security teams can ensure their company is ready to defend against these sophisticated attackers.
