While it might seem like the script of a James Bond movie, or a Mission Impossible sequel, the reality is that state sponsored cyber-attacks are anything but fictional. Increasingly the professional services of criminal elements are utilised, and in some cases even funded, by Governments keen to keep the upper hand in this new battlefield. So how can organisations fend off a nation-sponsored cyber-attack?
History repeating itself
Centuries ago monarchs would recruit mercenaries and send them to neighbouring cities and countries to plunder riches and battle for territories. Today, these hired thugs, instead of being given swords and guns, are afforded extensive resources and technology to flex their fingers and plunder treasure in a bid to gain the upper hand. However, rather than gold and silver that’s being pillaged, the chosen spoils of the 21st Century are intelligence and disruption.
While many cyber-attacks are crude in their design and sloppy in their deployment, state sponsored attacks can sometimes exude sophistication. The two biggest differentiators between a nation-state actor and a cybercriminal are capital and time. A nation state actor can invest a significant amount of research and development time to target an organisation and isn’t driven by recouping costs or generating profit.
Taking ‘Stuxnet’ as one example, in the attack against Iran’s nuclear installations, the malware was highly advanced and programmed specifically to target the control systems of centrifuges used in the enrichment of uranium. This would have taken a significant amount of time to develop without any chance of generating a profit for the work done.
Another high-profile breach that bears the hallmarks of a government-funded attack is the recent Office of Personnel Management (OPM) breach. It is rumoured to have been perpetrated by nation-state actors in China, leading to a massive loss of personal data, including the details of 21.5 million U.S. citizens. What was most concerning about this breach was the exfiltration of data collected on the 127-page SF-86 (Standard Form 86), which contained highly sensitive information on anyone who had undergone a background check for the purpose of gaining federal employment.
To quantify this, if you printed out the 14 million SF-86 documents lost, you’d have a 185-mile-high stack of sensitive information on past, present and future government employees. It has also surfaced that nearly 6 million fingerprints were grabbed in the breach, which could be used in the future for further exploitation or manipulation.
You’re making a Deal with the Devil
While many of these cyber-elite may originally have been motivated by a political agenda, ultimately they were, and remain, criminals with exceptional skills. Having had access to superior resources, technologies and funded code leaves them with the temptation to utilise these cyber-weapons on other targets.
In fact, looking back to the Sony Pictures attack, there are some that now question if the attack was state-sponsored after all with officials suggesting it may have been the work of these ‘cyber-privateers.’
Who’s at Risk?
Anyone with anything of value could be targeted by sophisticated malware, either as part of a state-sponsored attack or by tactics originally financed by one government or another. A medical company could offer clues to sensitive illnesses that the target wouldn’t want disclosed. Breaching a gambling company could identify individuals with huge losses or an addiction. Hacking a dating site or mobile phone company could reveal an individual having an affair.
The technology to collect huge amounts of personal data has significantly outpaced the ability to keep the information secure. The reality is it’s easy for someone to sit on the other side of the world, targeting systems, hunting out weaknesses and leveraging exploits to gain access.
Fighting a Bigger Enemy
The reality is that few organisations need to be concerned about a nation state leveraging an unknown vulnerability against them; many more should concern themselves with basic security hygiene to defend against the far more common assailant – the cyber-criminal.
Nation-state threat actors could be a consideration when developing a robust approach to securing the private data stored in an organisation, but less time should be spent worrying about the zero-day, and more on addressing the vulnerabilities and glaring security issues that have already been disclosed, or discussed for years as best practice.
The probability that an organisation will be targeted by cyber-criminals is exponentially higher than by a nation state, and because their focus is primarily on filling their pockets with victims’ money, they can be easier to defend against.
Unlike nation-state actors, cyber-criminals take the quickest path to profit. Why would they spend years in a dark room trying to find a flaw in an industrial control system when millions of browsers are running vulnerable plugins like Flash, and a high proportion of users are happy to click any link or executable sent to them?
The focus on the latest, greatest vulnerability whilst ignoring the basics could be likened to watching a police car chase on the news in the front room of your house whilst criminals are easily breaking into the unprotected bedroom window and swiping the jewellery that’s just left out in the open. Basic security hygiene starts with some simple controls: know your network, address easily exploitable vulnerabilities, enforce good configuration policy, ensure systems are protected by firewalls, encrypt all confidential data and enforce password best practices.
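The hygiene controls listed above are only useful if they are checked continuously across every asset. The script below is an added example, not code from the original article: it runs those controls (inventory coverage, exploitable software, configuration baseline, firewall, encryption of confidential data, password policy) as simple rules over a constructed asset inventory and returns findings ordered by severity. The host records, field names, thresholds and the MFA check are assumptions; in practice the records would come from a CMDB, a vulnerability scanner and configuration management rather than a hand-typed list.

```python
"""Basic security-hygiene audit over an asset inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory records; hosts and values are invented for the example.
INVENTORY: List[Dict] = [
    {"host": "web-01", "in_cmdb": True, "firewall": True, "baseline": True,
     "plugins": ["flash"], "patch_age_days": 120,
     "confidential_data": True, "encrypted_at_rest": False,
     "password_policy": {"min_length": 8, "mfa": False}},
    {"host": "hr-db-02", "in_cmdb": True, "firewall": False, "baseline": True,
     "plugins": [], "patch_age_days": 10,
     "confidential_data": True, "encrypted_at_rest": True,
     "password_policy": {"min_length": 14, "mfa": True}},
    {"host": "lab-box-77", "in_cmdb": False, "firewall": False, "baseline": False,
     "plugins": [], "patch_age_days": 400,
     "confidential_data": False, "encrypted_at_rest": False,
     "password_policy": {"min_length": 6, "mfa": False}},
    {"host": "app-03", "in_cmdb": True, "firewall": True, "baseline": True,
     "plugins": [], "patch_age_days": 5,
     "confidential_data": False, "encrypted_at_rest": True,
     "password_policy": {"min_length": 14, "mfa": True}},
]

# Assumed policy thresholds; tune to the organisation's own standard.
MAX_PATCH_AGE_DAYS = 30
MIN_PASSWORD_LENGTH = 12
RISKY_PLUGINS = {"flash"}          # browser plugins the article calls out
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    severity: str
    detail: str


def audit_host(rec: Dict) -> List[Finding]:
    """Apply each hygiene control to one host record and return its findings."""
    h = rec["host"]
    found: List[Finding] = []
    # Know your network: a host that is not in the inventory cannot be managed.
    if not rec["in_cmdb"]:
        found.append(Finding(h, "know your network", "high", "host absent from inventory"))
    # Address easily exploitable vulnerabilities: risky plugins and stale patching.
    risky = sorted(p for p in rec["plugins"] if p.lower() in RISKY_PLUGINS)
    if risky:
        found.append(Finding(h, "exploitable vulnerabilities", "high",
                             "risky browser plugin(s): " + ", ".join(risky)))
    if rec["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        found.append(Finding(h, "exploitable vulnerabilities", "medium",
                             f"last patched {rec['patch_age_days']} days ago"))
    # Enforce good configuration policy.
    if not rec["baseline"]:
        found.append(Finding(h, "configuration policy", "medium", "hardening baseline not applied"))
    # Ensure systems are protected by firewalls.
    if not rec["firewall"]:
        found.append(Finding(h, "firewall", "high", "host firewall disabled"))
    # Encrypt all confidential data.
    if rec["confidential_data"] and not rec["encrypted_at_rest"]:
        found.append(Finding(h, "encryption", "high", "confidential data stored unencrypted"))
    # Enforce password best practices (MFA check is an assumption beyond the article).
    pp = rec["password_policy"]
    if pp["min_length"] < MIN_PASSWORD_LENGTH:
        found.append(Finding(h, "password policy", "medium",
                             f"minimum length {pp['min_length']} below {MIN_PASSWORD_LENGTH}"))
    if not pp["mfa"]:
        found.append(Finding(h, "password policy", "medium", "MFA not enforced"))
    return found


def audit(inventory: List[Dict]) -> List[Finding]:
    """Audit every host; highest severity first so the worst gaps are fixed first."""
    findings = [f for rec in inventory for f in audit_host(rec)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.control))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control to show which basic control is weakest overall."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.host:12} {f.control:28} {f.detail}")
    print(summarize(results))
```

Run as-is to see the prioritised list; the summary makes the point of the passage visible in numbers, since the weakest control across the sample fleet is the password policy, not anything exotic.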
Defending against cyber-attack, whether sponsored by a nation state or launched by your run-of-the-mill cyber-rogue, is difficult given the tools attackers have available to them. But by focusing on good security hygiene we can make it harder to break in and grab the data we all hold dear.