Security threats from states and state-sponsored actors have been around since before the field of cybersecurity was defined. They have now evolved to cyberspace, and present unique challenges for defenders.
While there are fundamental differences between activist and criminal activity, and those who operate directly for (or with the tacit approval of) sovereign powers, there can often be a significant overlap in their agendas and techniques. But there are also significant difference — the most important of which is resourcing.
Where activists and small criminal gangs may have limited technical resources, states and state-sponsored actors have no such limitations. State actors can draw upon the skills and resources of their national intelligence communities, while state-sponsored actors, while not actually part of a state organization, can still draw upon the financial and technical assets of their sponsors.
Another fundamental difference between “civilian” and “state” actors is that law-enforcement agencies are better equipped to address threat actors who don’t have state backing. Even in cases where threats are acting across international borders, mechanisms exist where legal teams from different nations can work together to bring attackers to justice. However, when those attackers are working with the approval of their host countries, the situation becomes more difficult. It becomes nearly impossible for conventional law enforcement to address the issue when the attackers are working for a foreign power directly. In that case, the only recourse is diplomacy, or an escalation into what amounts to outright cyberwarfare.
We Can’t Return Fire
Cybersecurity professionals in the civilian space, and in most government agencies outside the intelligence and military communities, are restricted to an almost entirely defensive position. For legal and ethical reasons, we’re not allowed to “return fire” no matter how obvious, or egregious, the attack. While some individuals have been known to play the game on the attacker’s terms, it puts them firmly into a gray area where they are operating outside the law even if they have the moral high ground.
This all serves to put defense in the hands of mostly civilian cybersecurity professionals who develop the tools, techniques, training and processes needed to provide some level of defense. Fortunately, deploying defenses built to resist a well-funded state actor should be enough to defend against the average criminal gang. This means that it is more than worth the effort to raise our game to handle the worst-case scenario.
While recent reports from the National Security Agency [PDF] and the Cybersecurity and Infrastructure Security Agency have kept us abreast of the exploits and technical techniques most often employed by these adversaries, they also point out a reliance on social engineering, cast netting and spear phishing to infiltrate their target organizations. This is the same playbook we see used by criminal-level attackers where users are the assumed to be the weak link and technical attacks are deployed when they can’t find a vulnerable user. In fact, many state attackers lead with a phishing or social-engineering angle based on this very assumption.
Our Users Are Still a Target
Of course, one difference here between state adversaries and criminal organizations is that even well-funded criminals often lack the budget, and requisite skills, to use blackmail or bribery to turn an insider from an employee into a threat. It does happen, of course, as it did earlier in 2020 when a Russian adversary tried to bribe an employee of a major U.S. auto manufacturer to place malware on a network. That effort failed as much because of the target’s personal integrity as any technical or business-culture defenses.
Historically, user-education programs have been focused on countering the most common vectors. In most cases that is some form of phishing, whether a cast-net aimed at the target organization, or spear phishing aimed at an individual. Unfortunately, not every organization trains their employees to identify, let alone resist, social-engineering attacks. Also, not every organization fosters a culture where an employee would come forward and report a bribery attempt or similar effort, rather than take the money and run.
This is the first place where organizations need to up their game if they want to resist well-resourced state and state-sponsored actors. And it must include more than just the annual anti-phishing and business-ethics classes, but also more focused training on how to spot and avoid social-engineering efforts outside the context of email. There is also a place here to review the business culture and foster one where employees are willing to come forward when an outsider tries to compromise them.
Technical Defenses
On the technical side, the usual advice of keeping systems patched and properly configured is an obvious early step and one we have been talking about for years. But the NSA and CISA reports have shown that even sophisticated high-level attackers will leverage known exploits. That means staying on top of your patches isn’t just a best practice; it is a vital technique to keep the organization safe.
Making sure the security operations team (SecOps) is trained, adequate and prepared is another vital step. Budgets may be tight and qualified talent may be hard to attract and retain, but these are the people who run the last line of defense. This holds true when an organization’s security is a managed service. Your managed security service provider (MSSP) needs to be trained and prepared to confront threats at every level, from script kiddies to foreign-intelligence agencies.
There are other technical steps as well. Every organization needs to evolve their security stack to keep up with potential and active threats, making sure their tools and processes are up to the task. As new threats emerge, old technologies evolve and new ones emerge to fill the gaps. However, the stack needs to be looked at as a holistic whole. Perimeter devices and endpoint protections need to work in concert with some mechanism to consolidate the whole range of security telemetry into a coherent whole. And that whole needs to be processed, analyzed and presented in a way that SecOps personnel can use and understand, and can be leveraged to orchestrate and automate the organization’s defenses.
State and state-sponsored threat actors are the apex predators of the cybersecurity world. They have time, skills, effectively unlimited resources and can be very specific in their agenda. But if we keep our defenses up to date with the appropriate tools, training and best practices, we can reduce the risk to our organizations even from the most challenging adversaries.
Saryu Nayyar is CEO of Gurucul.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.