Cyber attackers using businesses to target nation states

04 Sep 18

Article by Carbon Black security strategist Rick McElroy

Since the dawn of the internet, geopolitical tension has been the harbinger of increased cyber attacks.

Over the years, Carbon Black witnessed many incidents of nation-state-sponsored actors launching campaigns to infiltrate and disrupt critical national infrastructure targets, following some tried and tested tactics.

However, recent research carried out by Carbon Black among incident response professionals uncovered intelligence that attack vectors are changing.

The evolution of cyber attacks and the growing frequency of ‘island hopping’ mean that companies risk becoming unwitting recruits in the global theatre of cyberwarfare.

Nation-state threat activity – the enemy in our backyard

As sanctions, diplomacy and government rhetoric flow back and forth, below the geopolitical surface nation states continue to conduct “politics by other means” in cyberspace.

Whether they’re aiming to steal intellectual property, conducting economic espionage by hacking the systems of their biggest competitors, or more directly intent on disrupting infrastructure, their first step is to gain access to the networks and systems of their targets.

They’re the enemy set on proving their capabilities and establishing strategic outposts from which to launch attacks at will.

Those outposts are in the networks of the businesses that supply services to the target organisations.

When businesses are defending themselves against the latest ransomware attack or phishing campaign, it’s important to realise that their company may not be the primary target.

It might instead be a strategic stepping stone on the way to a bigger prize – a bank, transport department or hospital that it has contracts with.

This tactic is growing in prevalence and organisations cannot afford to bury their heads in the sand where island hopping is concerned.

The new threat environment – smarter and more agile adversaries

Carbon Black’s recent research among incident response professionals noted concerning trends indicating that cyber attackers are growing smarter and more strategic.

Adversaries are now prioritising advanced states of persistence within their victims’ networks, living off the land to secure a platform for further malicious activity.

Here are the red flags Carbon Black has discovered:

  • 46% of incident response specialists experienced counter incident response when mitigating attacks. The attacker changed tactics during the course of a campaign, demonstrating an understanding of the expected response and acting to evade it. Attackers are using basic psychology to sidestep incident response and continue the attack.
  • 64% of incident response professionals had experienced attackers launching secondary command and control after an initial attack was shut down.
  • 60% of attacks involved attempts at lateral movement within the victim’s network.
  • 36% of incident response professionals have uncovered evidence of island hopping.

Taken together, these figures are a canary in the coal mine.

They point towards bids to establish persistence in networks through lateral movement and attempts to compromise the web of trust between companies.

Adversaries are taking advantage of the hyperconnectivity of the supply chain to move not just from system to system, but from company to company.

They’re establishing footholds in businesses that partner with target organisations and weaponising them as cover as they zero in on the true target.

This means that businesses need to ensure they have visibility into their partner networks – everyone from marketing agencies to legal counsel.

Penetration testing needs to be conducted in both directions because the brands a company trusts could be used to target it.

Prediction: Attacks will grow more destructive

Still more concerning is that the type of attacks that Carbon Black is seeing are becoming more destructive.

It’s not just the theft of privileged data that’s at stake.

Infiltrators are now seeking to get in, get what they want, and cause chaos when they leave by destroying networks.

Carbon Black predicts that we’ll see more of this tactic going into 2019.

There are three key takeaways for organisations that want to guard against becoming part of an attack vector:

Agility

Cybersecurity is about human vs human activity, not tech vs tech. Incident response teams need to understand the attacker’s motivations and learn as much as they can about their tools, techniques and procedures so we can sharpen up our own defence.

Part of that means lowering the volume on incident response and giving the opposition less intelligence on a defence strategy.

This could mean not immediately shutting down an attack before the real goal of an attack is learned.

Visibility

Companies need oversight of that web of trust to make sure they understand the potential attack paths via partner networks, so they can harden them as much as possible.

The network endpoints are the islands that will be hopped. When facing an adversary that understands endpoint detection and response, incident responders need to make sure they can see and mitigate every anomaly in real time.

Proactivity

Instead of sitting and waiting for attacks to happen, companies need to start proactively threat hunting to get a better understanding of the psychological profile of adversaries and put intelligent pressure on their primary tactics.

Preventing a business from becoming a weapon in the hands of malicious nation-state actors (or any other kind of cybercriminal) is strategically imperative to the organisation and should be a board-level concern. 
