Russia, China and the USA lead the sophisticated nation-state cyber-attackers that are increasingly targeting businesses, new report reveals
Newly published research suggests that nation-state attacks have evolved to the point where business cannot afford to ignore them.
The Carbon Black report, published this afternoon, concludes that most organisations are "woefully unprepared to combat" nation-state attacks. Yet with geopolitical tensions rising, and the likes of Russia, China and the United States operationalising what are referred to as 'cyber-militias', attack methodologies that were once reserved for sophisticated campaigns are becoming an everyday business reality.
The key findings of the report included that the majority of nation-state attacks originate from just two countries; no prizes for guessing that these are Russia and China, in that order. Perhaps a little more surprising is that North America ranks third on the nation-state attack origination chart.
When it comes to the industries bearing the brunt of geopolitically motivated attacks, finance and healthcare are neck and neck, with government (again, perhaps surprisingly) a distant third.
The way in which these attack methodologies are evolving will come as no surprise whatsoever to cybersec insiders: lateral movement rules the roost. Island hopping is also being applied in just over a third of attacks, with smaller affiliates and suppliers in the supply chain being compromised first and used as a stepping stone to the 'real' target.
Just under half (46 percent) of the incident response professionals who took part in the research also confirmed that they have encountered counter incident response, in which the attacker detects the investigation and actively works against the responders. Nation-state attackers, it would seem, are now sophisticated enough to evade or frustrate any incident response that is not conducted stealthily.
So, what should the enterprise be doing differently, in terms of best-practice strategic thinking, to mitigate the geopolitical, state-sponsored threat?
"Modern enterprises should aim to create more robust security postures by deploying iron boxing, endpoint detection and response, as well as deception technologies," Carbon Black's Chief Cybersecurity Officer, Tom Kellermann, told SC Media UK. "In addition, these enterprises must modernise their incident response strategies, starting with increasing visibility and responding to attacks in a clandestine fashion, as we are hunting too loudly."
SC Media put the same question to the broader IT security industry. Ian Trump, Chief Technology Officer at Octopi Research Lab (UK), agrees that the first priority is to plan for an attack and refine your incident response capabilities. "Test your defences regularly and do as much as you can to reduce the attack surface," Trump adds. "Deploying honeypots to detect attacks and deploying web application firewalls are also really helpful in maintaining a robust security posture against any type of cyber-attack."
"State-sponsored and other APT-level attacks typically rely on multiple breakdowns in the chain of security," Andrew Ellis, Senior Researcher with the Cyxtera Threat Analytics team, reminds us. "This means that while some phases of an attack are incredibly difficult to detect, others are much more detectable," Ellis continues. "By effectively implementing security controls at multiple layers, the odds that a defender will catch or defeat some part of the attack are increased dramatically."
Understanding the threat landscape, and where within it the enterprise sits, is crucial for any business serious about its security posture. "Intelligence-led adversary emulation exercises using real-world tactics, techniques and procedures will inform organisations about how to improve incident response playbooks, internal procedures and technology gaps," Zeki Turedi, Technology Strategist at CrowdStrike, insists. F-Secure Security Adviser Sean Sullivan agrees that it is important to understand the enterprise's risk profile. "Even if the enterprise isn't state controlled, it could be a target, as damaging the sector would affect the country's government," he told SC Media UK. "Company leadership teams should keep this in mind when formulating strategy."
They should also bear in mind that, as Ross Rustici, Senior Director of Intelligence Services at Cybereason, says, "defending everything equates to defending nothing against a threat of this capability and determination." Understanding that is the first step in effectively frustrating and undermining nation-state capabilities. Dr Al Hartmann, Chief Scientist at Ziften, adds that "targeted enterprises will be under continual attack by multiple state-sponsored agencies, which will likely place them in a state of continual compromise, demanding strong threat hunting capabilities across the cyber, signals, and human dimensions of attack operations." The practical consequence is a strategic data defence plan built on layering, compartmentalisation and segmentation, so that the inevitable penetration events do not escalate into a catastrophic breach of the enterprise's entire data estate.
"All of this stuff should be driven from a dynamic risk assessment: as the business environment changes, the defences need to adapt to the new reality, because the bad guys are not going away anytime soon," Ian Trump sagely concludes.