by Karen Epper Hoffman

Going Soft: Nation-state attackers seek weaknesses in the system

Arguably, the most important battleground is not a geographic location; it's the internet. And here, just as in real-world battles, the enemies of the United States are hoping to find areas of vulnerability to exploit.
Going Soft: Nation-state attackers seek weaknesses in the system
Going Soft: Nation-state attackers seek weaknesses in the system

Arguably, the most important battleground is not a geographic location; it's the internet. And here, just as in real-world battles, the enemies of the United States are hoping to find areas of vulnerability to exploit.

As nation-states jockey for supremacy on the internet, they look to various public- and private-sector inroads through which to embarrass, dominate or exploit their enemies. While most of these critical and important systems are fairly well locked-down, there still remains the potential to bring these systems to a halt, or at least, slow them down for a while.

“The biggest concerns we should have are the ones we don't know about,” says John McCumber, director of cyber-security advocacy for ISC(2). The approach of “setting up perimeters and walls… security as it has been practiced for a couple of millenia” is not very effective in the cyber-world, as McCumber and other experts point out. The new approach needs to be “prevent what I can't detect and detect what I can't prevent,” he adds.

Johannes Ullrich, director of the SANS Internet Storm Center, says that “as far as vulnerabilities go, it really depends on what the adversarial nation-state is after. Currently, the main motive for nation-state attackers appear to be intellectual property. These attacks are not as spectacular as a power plant blowing up, but can be just as devastating to the economy long term.” Brian Wrozek, managing executive director at Optiv, believes that “all [systems] are vulnerable to some extent, especially as more systems become connected to the internet.”

“Nation-states recognise that they cannot compete with America's military might in traditional theaters but they can compete in cyber-space,” Wrozek adds. “There is also less risk in cyber-space to the attackers, due to the difficulty of attribution.”

As Bryson Bort, founder and CEO of SCYTHE, points out, most of these nation-state attacks rely not only on technical acumen, but human-enabled access as well (such as social engineering, exploitation or bribery of employees). “[Bad actors] don't need to build the most technically complex attack,” Bort says. “Every computer is inevitably exploitable.”

And, as Steve Grobman, chief technology officer for McAfee, says, “It's important to understand that cyber-attack and cyber-exploitation tools and expertise are readily available to those willing to pay for them. An entire underground cyber-exploitation ecosystem has evolved through which the latest malware can be rented, along with hacker services, to execute attacks,” Grobman says. “This magnifies the capabilities of even less-technical entities to launch sophisticated attacks.”

Here are a few soft spots where competing nation-states may look for access:

Election or voter record hacking

Nation-state hacking often seeks to “sow seeds of confusion and discord,” as well as to affect actual change, according to Bort. After more than one year, the United States is still embroiled in an on-going debate about whether the Russian government altered the outcome of the 2016 US Presidential election, which has had a profound impact on the American government and its citizens, according to Bort.

“Election systems have been proven to be not as secure as they should be,” Bort says. “You don't even have to hack the systems themselves, just do enough to create the doubt in people's minds.” Voter records could be a target as well. Last June, it was reported that more than a terabyte of personal data for nearly 200 million US voters was compromised and exposed due to a technical error on the part of Deep Root Analytics, a contractor that was managing the data for the Republican National Committee.

Financial systems

The banking and payments infrastructure have long been a prime target for cyber-criminals and national aggressors alike. Not only – to quote legendary bank robber Willie Sutton – is that “where the money is,” but large financial institutions represent a key tent pole in the stability and day-to-day workings of the country.

“If an adversary were to disrupt US interests in a more visible and short-term way, financial markets are a likely target,” Ullrich says. “In order to attack financial markets, one may choose to attack the market itself, but enhance the attack with a news or social media campaign to amplify the effect.” While such attacks could wipe out individual savings, create confusion and uproar among account holders, Ullrich adds that the ultimate goal of this maneuver for an enemy nation-state would be to significantly reduce confidence in financial markets, which in turn would deprive US companies of capital.

The New York Stock Exchange and a number of large US banks, including JP Morgan Chase & Co., came under cyber-attack in September 2012 in the notorious Operation Ababil. Although a foreign hacktivist group known as the “Qassam Cyber Fighters” took responsibility for this attack – and later phases of the operation carried on in December 2012 and February 2013 – many politicians and industry experts at the time claimed the sophisticated denial-of-service attacks were perpetrated by the Iranian government. “Nation states are looking to disrupt the economic machinery,” Bort points out. “They don't care about the little guys.” Hence, they are more likely to go after pivotal, centralised targets like stock exchanges or large banks, rather than smaller community financial institutions or ATM networks, which are more fragmented.

Healthcare organisations

While hitting a hospital or even a more broad-based healthcare network lacks the punch or the economic damage of targeting the banking system, it could effectively create a great deal of fear, distrust and chaos. Also, unlike most financial institutions and systems, industry experts point out that healthcare organisations and medical technology in general are much further behind the curve when it comes to adding or building security into their systems—so these tend to be easier targets, especially for well-funded nation-states. “Healthcare and public-sector health present [a major vulnerability] since even isolated incidents can result in the loss of human life and weaken faith in the system,” says Brian Wrozek, managing executive director at Optiv. “Tremendous cost pressures exist in healthcare, so funding is an issue.”

Case in point: Last May, the fast-spreading WannaCry malware hit a number of public utilities, agencies and companies around the world, but none were affected as much as National Health Service hospitals in the UK The attack slowed services to a halt in emergency rooms, forced doctors to postpone surgeries and other medical procedures, and generally created widespread panic for patients and medical workers alike. (The US officials at the NSA later announced that they were relatively certain the ransomware had exploit had been initiated by the North Korean government.) Also, the ability to hack medical devices like pacemakers, has been showcased by experts. “Security is very much behind in this space,” Bort agrees.

With the seemingly Sisyphean task of continually keeping enemy nation-states from accessing or hijacking these most crucial systems, what are public and private-sector organisations to do, especially when it comes to prioritising an ever-growing laundry list of demands that need to be overseen? To start with, Grobman says business and government leaders “really need to understand what their organisation is facing from a risk and threat perspective.”

“The CEO is not a cyber-security expert, but he or she is ultimately responsible for implementing a cyber-security plan that mitigates risk to the business and the potential impact it can have to their organisation,” Grobman adds. “As we have seen many times now, a successful attack can knock critical systems offline, disrupt major business functions, and even interfere with elections. Executives have lost jobs after attacks, businesses have lost proprietary data and in some cases hospitals and critical infrastructure have gone offline for multiple hours.” Since roughly 75 percent of critical infrastructure is owned by private industry, Grobman says it is paramount the government and private sector work together and share information.

Wrozek also recommends that the risk and impact of a major nation-state attack could be mitigated through “building strong partnerships and cooperation between the traditional corporate security resources that protect the business environment and the operational technology resources that work in the industrial controls environment.” Also, Wrozek believes that it's important to get back to basics, by being “maniacally focused on consistently performing the foundational elements of cyber-security particularly network segmentation, access control and patching.”

“In general, industrial control system environments were designed with availability and safety in mind. In most instances, there is adequate redundancy including manual options to minimise the impact,” Wrozek adds. “These industry professionals have experience dealing with natural (physical) disasters and have shown amazing capabilities to restore operations from events like hurricanes. The challenge is to leverage that experience and shift the attention to cyberspace.” 

FROM THE - March 2018 Issue of SCMagazine US »