Cyber attackers using businesses to target nation states

04 Sep 2018

Article by Carbon Black security strategist Rick McElroy

Since the dawn of the internet, geopolitical tension has been the harbinger of increased cyber attacks.

Over the years, Carbon Black has witnessed many incidents of nation-state-sponsored actors launching campaigns to infiltrate and disrupt critical national infrastructure targets, following some tried and tested tactics.

However, recent research carried out by Carbon Black among incident response professionals uncovered intelligence that attack vectors are changing.

The evolution of cyber attacks and the growing frequency of ‘island hopping’ mean that companies risk becoming unwitting recruits in the global theatre of cyberwarfare.

Nation-state threat activity – the enemy in our backyard

As sanctions, diplomacy and government rhetoric flow back and forth, below the geopolitical surface nation states continue to conduct “politics by other means” in cyberspace.

Whether they’re aiming to steal intellectual property, conducting economic espionage by hacking the systems of their biggest competitors, or more directly intent on disrupting infrastructure, their first step is to gain access to the networks and systems of their targets.

They’re the enemy set on proving their capabilities and establishing strategic outposts from which to launch attacks at will.

Those outposts are in the networks of the businesses that supply services to the target organisations.

When businesses are defending themselves against the latest ransomware attack or phishing campaign, it’s important to realise that their company may not be the primary target.

It might instead be a strategic stepping stone on the way to a bigger prize – a bank, transport department or hospital that it has contracts with.

This tactic is growing in prevalence and organisations cannot afford to bury their heads in the sand where island hopping is concerned.

The new threat environment – smarter and more agile adversaries

Carbon Black’s recent research among incident response professionals noted concerning trends indicating that cyber attackers are growing smarter and more strategic.

Adversaries are now prioritising achieving advanced states of persistence within their victims’ networks, living off the land to secure a platform for further malicious activity.

Here are the red flags Carbon Black has discovered:

  • 46% of incident response specialists experienced counter incident response when mitigating attacks. The attacker changed tactic during the course of a campaign, demonstrating an understanding of the expected response and acting to evade it. Attackers are using basic psychology to sidestep incident response and continue the attack.
  • 64% of incident response professionals had experienced attackers launching secondary command and control after an initial attack was shut down.
  • 60% of attacks involved attempts at lateral movement within the victim’s network. 
  • 36% of incident response professionals have uncovered evidence of island hopping.

Taken together, these figures are a canary in the coal mine.

They point towards bids to establish persistence in networks through lateral movement and attempts to compromise the web of trust between companies.

Adversaries are taking advantage of the hyperconnectivity of the supply chain to move not just from system to system, but from company to company.

They’re establishing footholds in businesses that partner with target organisations and weaponising them as cover as they zone in on the true target.

This means that businesses need to ensure they have visibility into their partner networks – everyone from marketing agencies to legal counsel.

Penetration testing needs to be conducted in both directions because the brands a company trusts could be used to target it.

Prediction: Attacks will grow more destructive

Still more concerning is that the types of attack that Carbon Black is seeing are becoming more destructive.

It’s not just the theft of privileged data that’s at stake.

Infiltrators are now seeking to get in, get what they want, and cause chaos when they leave by destroying networks.

Carbon Black predicts that we’ll see more of this tactic going into 2019.

There are three key takeaways for organisations that want to guard against becoming part of an attack vector:

Agility

Cybersecurity is about human vs human activity, not tech vs tech. Incident response teams need to understand the attacker’s motivations and learn as much as they can about their tools, techniques and procedures so they can sharpen up their own defence.

Part of that means lowering the volume on incident response and giving the opposition less intelligence on the defence strategy.

This could mean not immediately shutting down an attack until its real goal is learned.

Visibility

Companies need oversight of that web of trust to make sure they understand the potential attack paths via partner networks and can harden them as much as possible.

The network endpoints are the islands that will be hopped, and when facing an adversary that understands endpoint detection and response, incident responders need to make sure they can see and mitigate every anomaly in real time.

Proactivity

Instead of sitting and waiting for attacks to happen, companies need to start proactively threat hunting to get a better understanding of the psychological profile of adversaries and put intelligent pressure on their primary tactics.

Preventing a business from becoming a weapon in the hands of malicious nation-state actors (or any other kind of cybercriminal) is strategically imperative to the organisation and should be a board-level concern. 
