Reports of attacks against U.S. government networks and thousands of private companies, allegedly by hackers working for China and Russia, have raised the profile of state-sponsored cyberattacks.
The Center for Strategic & International Studies keeps a running list of such attacks, and they numbered more than 20 this year as of mid-March. That includes the Chinese government attack on Microsoft Exchange Server users and the Russian attack via the SolarWinds software platform. The latter allowed hackers to monitor operations of U.S. government agencies and exfiltrate data.
Precisely to what extent state-sponsored attacks, also called advanced persistent threats, are increasing is hard to measure, says Brian Kime, an analyst at research firm Forrester. “Since state-sponsored groups generally have better operational security and place a premium on acting clandestinely and covertly to achieve their desired effects, we likely lack a significant amount of visibility into the true scope of state-sponsored threat activity.”
Rather than just keeping up with news about these incidents, IT and cybersecurity executives — working with the support of CFOs — need to take action to protect their networks and data. Understanding the “why’s” and “how’s” of state agents’ attacks is a good starting point.
The Long Game
“State-sponsored threat actors are not some mystical unicorn,” says David Monahan, business information security officer at Bank of America Merrill Lynch. “They don’t even have smarter people than organized cybercriminals.”
The big differentiator of state-sponsored breaches is not the attackers’ personnel or methods but their motivations. While organized cybercrime attackers typically go after targets they think will generate income, Monahan says, “state-sponsored threat actors are geared toward actions that benefit the ‘state.’” To further the state’s agenda, they seek control over infrastructure and other vital systems and information used by another country’s military organizations, energy providers, or government agencies.
For example, a suspected hack of government agencies in the United Arab Emirates by Iranian agents in February was allegedly related to the normalization of relations with Israel. During the pandemic, infectious disease researchers and government vaccine operations have been frequent targets.
These kinds of cybercriminals “are in it for the long haul, for strategic advantage,” Monahan explains. Their incursions often begin at the tiniest holes in an organization’s defenses. They can also take weeks or months to attain their ultimate goal, so they rely on going unnoticed.
Neil Edwards, CFO at Vesselon, a medical technologies and drug provider, is concerned about the potential for state-sponsored cyberattacks.
“We have secret manufacturing processes and scientific research data used in the development of our breakthrough cancer drugs,” Edwards says. “Any country with a track record of harvesting intellectual property would love to get their hands on this kind of information.”
Vesselon, to date, has not detected any state-sponsored attacks levied against its IT environment. The company is “vigilant and follows good practices,” says Edwards, like those from the National Institute of Standards and Technology.
The company has upped its spending on cloud security a modest amount. Some of it, though, is to ensure compliance with data privacy regulations.
“I think all costs around securing data will continually increase in the years ahead,” Edwards says. “Securing data due to cybersecurity or data privacy laws brings a level of overhead and liability to any company. Cyber insurance is not exactly cheap to buy.”
Old Entry Points
As state-sponsored attacks proliferate, some companies call for governments to implement effective policy solutions at the national and international levels. They may have to wait, at least in the United States. As of late March, President Joe Biden had yet to appoint a cybersecurity czar (also known as the national cyber director). And the Biden administration may have bigger fish to fry in the tech space, namely, mitigating the market dominance of FAANG companies.
As a result, patrolling companies’ ever-widening perimeters will, as it has been, be their own responsibility.
With state-sponsored threats, awareness of attack vectors is essential. One particularly effective technique state-sponsored agents use is to remain concealed inside company systems by leveraging the native administration tools of the Windows and Linux operating systems, both of which are still widely used within corporations.
“It’s challenging for defenders to distinguish illegitimate from legitimate usage of those tools,” Kime says. “Additionally, all threats must communicate [via botnets and other means]. They may not all need malware, but they will all have to communicate at some point.”
For example, in the SolarWinds attack, the company’s compromised Orion IT performance monitoring platform began communicating with the threat’s command and control servers via the domain name system (DNS), Kime says. “Network management software or infrastructure automation platforms should have a consistent pattern of network traffic, and thus a new connection could reveal a compromise,” he says.
The concrete practices to adopt include being constantly aware of your company’s critical systems and applications and their vulnerability to attacks.
“We are still awful at the basics — hardware and software inventory, vulnerability risk management, and controlled use of administrative privileges,” Forrester’s Kime says. He again cites the SolarWinds attack as an example.
“Many victims were unaware of where SolarWinds’ Orion was installed in their environments,” Kime points out. “This lack of asset inventory severely impeded the incident response process. Without comprehensive hardware and software inventories, it is nearly impossible for any security team to reduce cyber risk to their company’s operations and those of their customers.”
Organizations should continuously conduct hardware and software inventory and include in that accounting on-premises assets, mobile devices, cloud services, containers, and application programming interfaces (APIs).
Organizations must also weigh supply chain risks, Kime says, not just from third-party partners but also from their partners’ partners.
Endpoint security is also vital. “Windows and Linux host logs are huge to detect criminal and state-sponsored threats,” Kime says. “Turn on logging and script blocking. Cloud-based endpoint detection and response tools are very valuable for detecting threats and lateral movement.”
Another effective tool is network telemetry. “Since all threats must communicate over the network at some point, it’s imperative to monitor and audit network logs,” Kime says. “Modern tools using machine learning or artificial intelligence can reveal when a device begins communicating with something new and unexpected.”
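Kime’s two points above (a monitoring platform such as Orion has a predictable set of destinations, and a device that starts talking to something new is worth a look) reduce to a simple detection: learn each host’s usual destinations from a training window of connection logs, then flag anything outside that set. The following script is an added illustration written for this article, not code from Forrester, SolarWinds, or any product. Its log format, host names, and destinations are constructed; a real deployment would read DNS and flow records from a collector, and, if the baseline window already contains a compromised host beaconing out, that destination will be baselined as normal, so the training window should predate any suspected intrusion.

```python
"""Flag hosts that begin communicating with destinations outside their baseline.

Added example for illustration; the log format and all hosts/destinations are
constructed for this script and do not describe any real environment.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple

KNOWN_PROTOS = {"dns", "tcp", "udp"}


class Alert(NamedTuple):
    timestamp: str
    host: str
    dest: str      # "<proto>:<destination>"
    reason: str


# Constructed training-window records: "<timestamp> <src_host> <proto> <destination>".
# mon-srv01 stands in for a network-monitoring server; ws-* are workstations.
BASELINE_LOGS = """\
2021-03-01T08:00:01 mon-srv01 dns updates.monitor-vendor.example
2021-03-01T08:00:05 mon-srv01 tcp 10.0.5.20:161
2021-03-01T08:00:09 mon-srv01 tcp 10.0.5.21:161
2021-03-02T08:00:02 mon-srv01 dns updates.monitor-vendor.example
2021-03-02T08:00:06 mon-srv01 tcp 10.0.5.20:161
2021-03-01T09:12:44 ws-finance07 dns mail.corp.example
2021-03-01T09:12:45 ws-finance07 tcp 10.0.1.10:443
2021-03-02T09:14:02 ws-finance07 tcp 10.0.1.10:443
"""

# Constructed detection-window records, including one corrupted line and one
# host (ws-hr03) that never appeared in the training window.
NEW_LOGS = """\
2021-03-15T03:10:00 mon-srv01 dns updates.monitor-vendor.example
2021-03-15T03:10:31 mon-srv01 dns cdn-update-check.example
2021-03-15T03:10:32 mon-srv01 tcp 203.0.113.44:443
2021-03-15T09:00:10 ws-finance07 tcp 10.0.1.10:443
corrupted-record
2021-03-15T11:00:00 ws-hr03 tcp 10.0.1.10:443
"""


def parse(logs: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, host, proto, dest); skip lines that do not fit the format."""
    for line in logs.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in KNOWN_PROTOS:
            continue  # malformed record: skip it rather than abort the whole run
        ts, host, proto, dest = parts
        yield ts, host, proto, dest


def build_baseline(logs: str) -> Dict[str, Set[str]]:
    """Learn the set of "<proto>:<dest>" pairs each host used in the training window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _, host, proto, dest in parse(logs):
        baseline[host].add(f"{proto}:{dest}")
    return dict(baseline)


def detect_new_destinations(logs: str, baseline: Dict[str, Set[str]]) -> List[Alert]:
    """Return one alert per (host, destination) pair not covered by the baseline."""
    alerts: List[Alert] = []
    reported: Set[Tuple[str, str]] = set()  # de-duplicate repeats within the window
    for ts, host, proto, dest in parse(logs):
        key = f"{proto}:{dest}"
        if host not in baseline:
            reason = "host absent from baseline"
        elif key not in baseline[host]:
            reason = "destination not in host baseline"
        else:
            continue  # expected traffic for this host
        if (host, key) in reported:
            continue
        reported.add((host, key))
        alerts.append(Alert(ts, host, key, reason))
    return alerts


if __name__ == "__main__":
    learned = build_baseline(BASELINE_LOGS)
    for a in detect_new_destinations(NEW_LOGS, learned):
        print(f"{a.timestamp} {a.host} -> {a.dest} ({a.reason})")
```

Against the constructed data the script raises three alerts: the monitoring server’s two new destinations (a DNS lookup and an outbound TCP connection it had never made) and the workstation that was absent from the training window. The first alert type is exactly the “new connection could reveal a compromise” case Kime describes; the second is a reminder that an asset missing from the baseline is an inventory gap, not noise to suppress.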
Because the vast majority of attacks focus on compromising identities or vulnerabilities, good identity and access management (IAM) and vulnerability management platforms also help, Monahan says. “Ransomware uses identity and in many cases vulnerability to get to the files and encrypt them,” he says. “Other malware uses mainly vulnerabilities.”
The Human Element
Beyond technology, organizations need to hire the necessary talent to defend against state-sponsored attacks. Having professionals on the security team who are experts in various attack methods can be immensely helpful. However, it might be a challenge to find them given the current skills gap. Demand for cybersecurity talent is at least twice as great as supply, according to Emsi, a national labor analytics firm.
In Edwards’ previous position as vice president of corporate development at Verisign, a network infrastructure provider, he received what he calls the best education of his career on cybersecurity.
“We had attacks 24/7 from nefarious characters around the world,” Edwards says. The number one takeaway for Edwards was the importance of having an expert on the team full-time or on contract.
Another critical lesson Edwards learned is to investigate what the major cloud providers are doing to protect against attacks and, if possible, imitate them. “Go with the configurations the big companies use,” CFO Edwards says. “You can’t go wrong following what the herd uses. You are not going to invent a better security stack than Amazon Web Services or Microsoft or Google.”
Bob Violino is a freelance writer based in Massapequa, N.Y.