In cybersecurity circles, there are a couple of well-worn beliefs about nation state threats. One holds that they are only relevant to a relatively small number of critical infrastructure, defense, and government organizations. The other is that such attackers are so replete with the latest tools, techniques, and resources that it’s pointless for most targeted firms to even mount a defense. Both certainties are now starting to crumble, with far-reaching implications for cybersecurity strategy. In fact, the vast majority of enterprise execs now fear state-sponsored attacks, according to new research.
If nation state attacks are a growing threat to a growing range of organizations, and effective countermeasures can be mounted, then it’s time to start planning how.
The current state of play
In a new report sponsored by global technology coalition the Cybersecurity Tech Accord, the Economic Intelligence Unit interviewed over 500 director-level or above executives from businesses in Asia-Pacific, Europe, and the United States. Some 80% said they’re worried about falling victim to a nation state attack, with a majority claiming these concerns have increased over the past five years. Interestingly, the research was conducted before the Kremlin-sponsored SolarWinds attacks rocked the world. One can imagine the findings would be even more emphatic today.
The question remains: is this a fair reflection of the current cyber risks facing organizations? On the one hand, the report’s respondents came from companies with more than $500m in global annual revenue, so it certainly skews towards large enterprises. However, there is mounting evidence to suggest companies of all sizes are at greater risk of state-sponsored attacks today than they’ve ever been.
First, the growing popularity of supply chain attacks, like SolarWinds, means attackers target large or strategically important organizations via their suppliers. These entities may be chosen because, like managed service providers (MSPs), they provide a useful way to compromise large numbers of companies for greater RoI. Or they may be seen as relatively undefended and therefore a useful stepping stone for attacks. Some suppliers, while ostensibly pretty innocuous-seeming SMBs, may actually be a valuable source of strategically important information in their own right. Law firms are a key example.
Second, state-sponsored threat actors are increasingly being given the bandwidth to moonlight, using their skills in self-serving financially motivated attacks to earn some money on the side.
Finally, it’s worth remembering that attack tools and techniques initially used by state actors often find their way eventually onto the cybercrime market. Thus, we have seen the emergence of tactics reminiscent of advanced persistent threat (APT) groups deployed by various ransomware gangs — causing major problems for healthcare organizations in particular.
Why it matters
As more organizations invest in digital transformation technologies to survive and thrive in post-pandemic markets, they will expose themselves to such threats. SaaS apps, cloud infrastructure, IoT devices, and more can drive fantastic innovation-fuelled growth, but if not properly secured, they also expand the corporate attack surface.
The bottom line for organizations facing nation state threats could be major financial and reputational damage, including:
- Major staff productivity losses due to downtime
- IT overtime costs to investigate, clean-up and remediate a breach
- Legal costs to deal with breach fallout
- Operational costs/lost revenue associated with downtime
- Damaged brand
- Customer churn
Even if the organization is used merely as a stepping stone to breach a partner, the financial and reputational impact could be severe — especially in sectors like legal, where data security is paramount.
A false sense of security
The bad news is that, according to the Economist Intelligence Unit, over two-thirds (68%) of respondents said they feel their organization is “very” or “completely” prepared to deal with a cyber attack. The report notes that this false sense of security is a product of the fact that most execs still have little or no direct experience of being on the receiving end of such an attack.
Their ignorance can be compounded by security tools that fail to probe deeply enough into IT assets, providing inaccurate risk assessments. Even one missed endpoint that goes unpatched could be enough for an eagle-eyed state operative to breach your organization. Research from 2020 found that nearly all (94%) IT leaders have discovered unknown endpoints in their environment, and 71% do so on a weekly basis.
What happens next?
The truth is that nation state attackers are not the unstoppable force often believed. In fact, they will often go for the low-hanging fruit where possible, as this requires less time and effort. That means organizations able to do the security basics immediately have an advantage over those that don’t.
This is a view echoed by VMware’s Security Business Unit GM, Patrick Morley, who says in a new report:
“We have been long time advocates of cyber hygiene principles that focus on protecting mission-critical business applications and data. These basic principles have never been more important and, when adhered to, can make a meaningful difference.”
The expert offers business owners the following best practice advice for mitigating the threat from nation states and APTs:
- Carry out behavior-based threat hunting, baselining normal network activity to understand what suspicious looks like, and using open source tools for red team exercises.
- Unite IT ops and security around a single set of data to drive effective patch management and system hardening.
- Multi-factor authentication (MFA) for all external-facing assets, combined with Single Sign-on.
- Restrict access according to the least privilege principle to reduce opportunities for attackers.
- Set up a secure comms channel for incident responders that can’t be hacked.
- Rather than kick the bad guys out immediately, observe them until you know the full breadth of the attack.
- Understand your most important assets to better prioritize threat detection efforts.
- Ensure you can detect and respond across cloud, containers, microservices, etc.
- Segment corporate networks (micro-segmentation) and personal from professional networks (in WFH environments) to reduce lateral movement.
Some of these steps will be a bigger ask for smaller firms. But the good news is that, while the risk of nation state attacks continues to grow, so do the tools, resources, and best practices needed to mitigate those risks for businesses.