
Help! A Hostile Nation-State Just Targeted Me

As more enterprises are likely to wind up in the crosshairs of nation-state attacks, here’s what you can do to protect your organization.

Targeted attacks were a big story these last few years, whether it was suspected Russian hacking of data from the Democratic National Committee (DNC) to influence the U.S. presidential election or a hostile nation-state attempting to breach the power grid in Ukraine.

Yet it’s not just government bodies and countries that sit in the crosshairs of targeted attacks. Private enterprises and corporations are more likely to find themselves under siege as hostile nation-states become more emboldened to pursue cyber espionage while also ramping up subversion and sabotage activities. The recent spate of nation-state hacks has also had more widespread collateral damage—for example, last June’s NotPetya cyber attack on Ukrainian tax software also infected global giants such as FedEx, which pegged costs related to the incident at around $300 million.

According to Symantec’s 2017 Internet Security Threat Report (ISTR), there’s been a notable shift in cyber espionage to more overt activity focused on destabilization and disruption and taking aim at both targeted organizations and countries. At the same time, covert measures such as stealing intellectual property and trade secrets have dropped off somewhat.

The groups responsible for this new wave of targeted attacks have also begun to switch up methods, the 2017 ISTR found, moving away from customized malware to “living off the land” tactics for orchestrating strikes. As a result, operating system features, legitimate administrative tools, and cloud services are being employed to compromise targets, making detection all the more difficult.

“The vast majority of targeted attacks have already been against the corporate enterprise, but now we’re shifting away from espionage to subversion and sabotage,” says Eric Chien, a distinguished engineer and technical director for Symantec’s Security Response team.

Chien chalks up the shift to a growing desire to achieve political gain and the snowball effect among perpetrators once it’s become clear that such attacks are indeed possible. “The idea is to disrupt, gain access, and maintain access to showcase a political message,” he explains.

So, what do corporations or smaller companies have to do with propagating political messages? The answer is a lot, especially if the political message becomes amplified through sabotage of infrastructure, for example. Enterprises and smaller entities, not government agencies, are generally the ones with oversight of critical infrastructure like power grids, Chien explains, making it more likely that they’d be targets in these nation-state-sponsored sabotage and subversion incidents.

“You’re not going to go after the White House, the Pentagon, or even the Department of Energy to turn off power,” he explains. “You’re going to go to [companies like] AT&T, Pacific Gas & Electric (PG&E), or a mom and pop energy provider who pumps biomass energy to the grid. You’re going to go after someone in the supply chain.”

Multi-Pronged Security: The Best Defense

For IT and security professionals, the message is clear: Don’t be lulled into a false sense of security that the possibility of a nation-state attack is someone else’s problem. Info-sec professionals should keep this threat vector in their sights and address their security posture, not by investing in some new and unproven solution, but rather by ensuring that multiple, overlapping, and supportive defensive systems are in place and used the way they are intended.

That’s the strategy David Berry, a contract CIO, takes during assignments serving companies across industries, from fashion to aerospace. “Many companies think why would a nation-state want my data and how naïve is that,” he says. “We have to defend our perimeter because we don’t know where the threats are coming from.”

Enforcing security policies that mandate encryption of customer data and sensitive data at rest and in transit, receiving alerts for new vulnerabilities and threats, patching known vulnerabilities as quickly as possible, and mandating robust password policies are all part of a proven playbook and are essential for protecting the enterprise against a targeted attack. Educating employees on the dangers posed by spear-phishing emails and implementing a full security stack covering emails and endpoint protection are also essential safeguards against possible infiltration.

“The reality is at some level, these attacks are no different,” Chien explains. “All the security solutions are out there--they are just not always implemented today.”

Consider, for example, the hacking of Clinton campaign manager John Podesta’s email, which was a clear nation-state attack. Chien says the incident might have been averted if standard security measures like two-factor authentication had been in place as a best practice.

Where targeted attacks by nation-states differ from the garden-variety hack done by some script kiddie in a basement is in their persistence. This makes it all the more critical for security professionals to be vigilant and prepared.

“The difference is about money and motivation,” Chien says. “Because nation-states have unlimited funds to do damage, you need to expect persistence. They’re not just going to move on, they’re going to do everything they can and may be more difficult to predict.”

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
