- Johna Till Johnson, Nemertes Research
Ask most cybersecurity specialists about their top fears for 2020 and you'll get a long and valid list of answers. My answer is: Nation-state attacks. Why? And why now, in 2020, when they've been in existence arguably as long as the internet has? Three reasons: motivation, maturity and resources.
Throughout history, nation-states have waged war with the goal of destabilizing the power base of their enemies, shoring up allies and capturing more power for themselves. Sometimes the war is economic; sometimes it's waged with guns. Cyberattacks gave nation-states another vector, and the techniques have matured rapidly in the past 10 years. Finally, nation-state attackers are far better provisioned than your average hacking group. Nations have access to resources on a scale far beyond even that of billionaires or multibillionaires.
To know what you need to know about nation-state attacks, you first need to understand the impact various attack types can have, the likely attack techniques and who is launching these attacks. With that knowledge, you're equipped to undertake several focused mitigation steps, which I've outlined below.
Attack types and effects
The best source for tracking nation-state attacks is Mitre Corp., a federally funded research center with an arm dedicated to cybersecurity in general and nation-state attacks specifically. Mitre maintains a list of all known enterprise attacks by type (they aren't all nation-state attacks). The FBI also tracks nation-state attacks. It recently alerted cybersecurity professionals about two compromises to U.S. municipalities that exploited Sharepoint vulnerabilities, specifically CVE-2019-0604, a vulnerability that permits hackers to take over Sharepoint servers.
Nation-state attacks fall into a few broad categories.
Espionage. Most cybersecurity professionals know espionage is a two-part exercise: information capture and exfiltration. Many groups focus in part or exclusively on capturing information. That means they're not actively damaging systems or networks, but they're capturing trade secrets and other economic information -- for instance, early warning of a potential merger or acquisition. They also capture information on specific individuals for use in further attacks -- such as extortion or physical attacks -- against those individuals.
Espionage efforts are often advanced persistent threats (APTs) in which attackers embed spyware early in the supply chain, as was the case with the reported Supermicro vulnerability in late 2018. This makes them particularly difficult to detect and mitigate against.
Theft. As nation-state attackers are uniquely well-resourced, theft isn't common, but some focus on theft of resources, usually financial ones.
Physical system destruction. Many groups focus on deactivating or destroying physical systems, particularly energy grids, manufacturing plants, energy suppliers -- such as oil and electricity plants -- telecommunications companies and the like. Stuxnet is an early example (2010) of such attacks.
Information system denial of service or destruction. Sometimes, the goal of nation-state attackers is to take an organization out of operation, either for extortion or to shut it down completely. North Korea's attack on Sony is an example. It was reportedly focused on preventing the release of the movie The Interview. Nation-state attackers also tend to engage in ransomware attacks.
Many cybersecurity professionals haven't considered the full range of these types of attacks. Several CISOs have told me that their organizations aren't targets because they don't operate industrial control systems. But tell that to Sony. Here's the point: Every organization has information that's potentially valuable to nation-states. Even not-for-profits delivering humanitarian aid have been compromised because they can provide insight into the vulnerabilities of other nations.
The tricky thing with nation-state actors is that they use many of the traditional techniques all hackers deploy; they're just better at using them in new and creative ways (see "How favored nation-state attack types work"). But security vendors are working to shut down these avenues.
Privileged-account compromise. Until recently, Microsoft's Office365 set the default for multifactor authentication to off for its privileged users. Security vendors are stepping up to the plate; providers such as AppGate have the ability to automatically issue and revoke, on an as-needed basis, privileged access to a range of cloud and on-premises software platforms. For example, providers can grant privileged access only to an assigned troubleshooter for a fixed period of time.
Malware injection. A range of advanced antimalware vendors and products are focusing on endpoints. Companies like VMWare, Crowdstrike, Panda Security, ESET, Palo Alto Networks and others have products that perform advanced, automated antimalware detection and neutralization.
Data exfiltration. One of the best tools to protect against data exfiltration is behavioral threat analytics (BTA) -- software that integrates multiple sources of data to capture and displays anomalous behavior of users, devices and systems. BTA helps locate anomalous data transfers. Providers include Bay Dynamics, Gurucul, Exabeam and Splunk.
Public-facing application attacks. The Open Web Application Security Project Foundation maintains a list of the top 10 application security risks. A range of vendors -- including Tala Security, Arxan Technologies and Jscrambler -- are addressing this problem.
Many other techniques exist, but vulnerabilities in these areas basically function as "come-hither" calls to nation-state attackers. CISOs should focus on remediating these vulnerabilities immediately.
How favored nation-state attack types work
Malware injection. This is one of the most effective types. It allows access to information (audio, test or other data) via human-facing apps and by reading files on data systems, IoT devices or control systems. Malware injection can wipe drives, inject false information or take control of vital resources.
Privileged-account compromise. Cloud made this worse, with organizations assuming cloud-based workloads and accounts were safe. Mainstream providers like Microsoft were slow to see the risk.
Data exfiltration. This is the "second half" of an attack. Once infiltration succeeds, attackers use a range of techniques -- like compressing or encrypting it, packaging it within otherwise innocent data transfers -- to extract information.
Public-facing application attacks. This type uses a range of techniques, which include the following:
- database attacks like SQL injections; and
- cloud-based infrastructure attacks (exploiting it may compromise underlying structures).
Groups and organizations
The most active nation-state attackers include China, Iran, North Korea and Russia. Both the United States and Israel are suspected of conducting them too, although they deny it.
Mitre monitors 16 advanced persistent threat groups, largely Chinese, but also from the other countries noted above. The APT groups are numbered from 1 to 41. The majority have disbanded or reformed -- that is, only 16 out of the 41 are currently known to be active.
At the time of this writing, 77 active groups use techniques other than APT. These groups often work together, either cooperatively or by hijacking one another's toolkits and frameworks. One such example is Turla, a Russian group that hijacked the infrastructure used by Crambus, another nation-state group, to deliver malware.
4 mitigation recommendations
I hope I've scared you into taking the nation-state threat seriously. As an analyst and consultant, my goal isn't just to raise awareness; I also want to provide actionable recommendations. So here you go:
Review your environment in light of the attack types and techniques outlined above. If you haven't thought about what kind of information might be vulnerable to an espionage attack, you might want to do that. It's also worth having a list of physical and virtual company resources prioritized by risk. What systems will compromise the core functions of your organization?
Apply the referenced mitigation tools and technologies. Everybody's budget is strapped, and buying more security tools isn't a recommendation that generates joy in the boardroom. But any tool that mitigates the attack techniques noted here will provide protection across the board, not just against nation-state attacks. The categories include the following:
- privileged user protection;
- advanced antimalware;
- behavioral threat analytics; and
- public-facing application protection.
Revisit all application configurations and security practices, particularly if your applications are more than five years old or are cloud-based. This includes applications from companies like Microsoft, SAP and Salesforce. Although vendors are increasingly enhancing security capabilities, many of these applications have outdated security configurations.
Appoint a nation-state cyberdefense team, and task that team with two primary requirements:
- reviewing all information sources, including Mitre, the FBI and others, on a regular basis and summarizing the potential impact for your organization; and
- meeting with other security teams (such as your Microsoft cybersecurity team--you have one, right?) to ensure they are taking the right steps to mitigate nation-state cybersecurity risks.
The upshot is this: Nation-state attacks are going to escalate, causing more disruption to a growing number of targets. You may think your organization is an unlikely target, but you're probably wrong. Be sure you're prepared.