For many organizations undergoing a risk assessment, the threat of a nation-state attack never even enters the conversation. The reason? Many have a widespread misconception that nation-state actors only target the largest of enterprises that have the most money and the most data to exploit. Thus, many companies believe they don’t have anything to offer these adversaries, so they are safe from attack. But they’re wrong.
Nation-states are constantly looking for new revenue streams and ways to compete with U.S. technology, data and IP advancements – and corporate cyberattacks are an easy, cheap way for them to execute on both goals. Possessing any one of these desirable assets means any company – regardless of size or industry – presents itself as a target. And, even companies that don’t have any proprietary technology, IP or financial/customer data valuable to these adversaries can land in the crossfire through third-party/supply chain attacks.
The bottom line: no company is safe from the threat of nation-state attacks and security teams should make defending against them an important part of any organization’s risk assessment and cybersecurity strategy.
The nation-state players to watch out for
Organizations need to start by knowing who the players are and what they’re after. There are two main groups – the big players and the fringe nations.
Not surprisingly, examples of the big nation-state players are China and Russia. The former typically looks to weaponize and monetize personal data stolen in attacks. The latter often focuses on executing misinformation and disinformation campaigns to mold the public’s perception to their view and undermine democracy. We’re also starting to see a surge in deepfake attacks, which are fake videos typically of company executives or board members that aim to damage a company’s reputation or trick unsuspecting victims into committing some sort of fraudulent activity.
These larger players often recruit fringe organized crime and fringe hacker groups to help them advance their goals. The use by nation-state actors of groups called initial access brokers (IABs) has expanded the cybercrime threat landscape and lets nation-states spread the risk of law enforcement action across a larger group. It also allows criminal experts in areas such as network access and ransomware payload deployment to expand the victim base and wreak more chaos.
Additionally, smaller nation states such as Iran, North Korea and even Vietnam, have very effective hacker corps within their military that use known and unique strains of ransomware to make money and fuel their regime. Unlike big nation-states such as Russia and China, these smaller nations-state players usually shift with the changing geopolitical winds. If their relationships with the United States and Western Europe are good, then we see their involvement in attacks die down. But, when these relationships are strained, we see participation escalate. Organizations need to stay up-to-date on the changing threat landscape, so they know who the current adversaries are and what they may be after.
Once the security team has a baseline understanding of the players and the game, move on to the most pressing question: How to protect the company from these threats. Whether battling big nation states or smaller adversaries, here are five best practices:
- Identify the company’s crown jewels.
It seems like security 101, but companies can’t protect what they can’t see. It’s critical to identify the organization’s most valuable assets and where they reside. With today’s explosion of data, systems, services and connected devices, it’s impossible to protect everything. Typically, a company’s crown jewels relate to what drives the business, but for a security team having trouble figuring them out, ask this question: “What applications and data are so critical to the business that if an adversary took it or blocked it, the business would fail?”
- Eliminate unnecessary data and technology.
Once the organization knows what to protect at all costs, the team can evaluate the rest of its data, systems and technologies to see if they are still needed and helping the business. If not, get rid of them. Not only will this help streamline IT infrastructures, but it will also reduce the attack surface and strengthen the organization’s security profile – because, odds are, antiquated and unnecessary assets aren’t being updated and secured on an ongoing basis, which introduces vulnerabilities and security gaps.
- Implement security controls that make the adversary’s job more difficult.
Inside the organization’s IT ecosystem, implement security controls, processes and protocols that make it difficult for adversaries to transit through the network. For example, embrace zero-trust methodologies, extended detection and response technologies, and employee behavioral tactics that ensure good cyber hygiene. Cybercriminals of any kind want to reap maximum value from the least amount of work. Making it too difficult and time consuming for them to get at what they want will limit the damage they inflict and can even deter them to the point of looking for easier targets.
- Assess new technology that can bolster the company’s defenses.
Security tools are just that – tools. They are not a strategy. And, if they produce too much data, they result in noise, which does more harm than good. To get maximum ROI out of the company’s existing security ecosystem, evaluate new technologies that can help turn the raw data the security tools produce into valuable insights the team can use to detect and deter threats, initiative response actions and strengthen overall security strategies. Artificial intelligence, machine learning and data analytics are prime examples of new technologies helping security teams make sense of their data to make better security and business decisions.
- Build a security culture.
Security technologies and processes are impactful, but people are arguably the most important in the ongoing cybersecurity battle. For security plans to succeed, everyone in the organization must be involved: from the board to the mailroom. Each employee needs to understand the elements of good cyber hygiene, best practices for identifying and responding to threats, and their specific role in incident response and overall security plans. How the security team engages with each employee will vary. For example, to get board members and business leaders to pay attention, break down how data or IP theft impacts the bottom line. For general staff members, it’s often effective to educate them on how their individual actions can affect the company’s security posture. Most importantly, make the time and put in the effort to reach every individual and build a culture that puts security at the center of everything the company does.
With everything going on in the world today, nation-state attacks are only going to increase. It’s time companies face the reality that everyone is at risk. And, it’s time they put the right people, processes and technologies in place to defend against this growing threat.
James Turgal, vice president of cyber risk, strategy and board relations, Optiv Security
