Cyber attackers using businesses to target nation states

04 Sep 2018

Article by Carbon Black security strategist Rick McElroy

Since the dawn of the internet, geopolitical tension has been the harbinger of increased cyber attacks.

Over the years, Carbon Black has witnessed many incidents of nation-state-sponsored actors launching campaigns to infiltrate and disrupt critical national infrastructure targets, following some tried and tested tactics.

However, recent research carried out by Carbon Black among incident response professionals uncovered intelligence that attack vectors are changing.

The evolution of cyber attacks and the growing frequency of ‘island hopping’ mean that companies risk becoming unwitting recruits in the global theatre of cyberwarfare.

Nation-state threat activity – the enemy in our backyard

As sanctions, diplomacy and government rhetoric flow back and forth, below the geopolitical surface nation states continue to conduct “politics by other means” in cyberspace.

Whether they’re aiming to steal intellectual property, conducting economic espionage by hacking the systems of their biggest competitors, or more directly intent on disrupting infrastructure, their first step is to gain access to the networks and systems of their targets.

They’re the enemy set on proving their capabilities and establishing strategic outposts from which to launch attacks at will.

Those outposts are in the networks of the businesses that supply services to the target organisations.

When businesses are defending themselves against the latest ransomware attack or phishing campaign, it’s important to realise that their company may not be the primary target.

It might instead be a strategic stepping stone on the way to a bigger prize – a bank, transport department or hospital that it has contracts with.

This tactic is growing in prevalence and organisations cannot afford to bury their heads in the sand where island hopping is concerned.

The new threat environment – smarter and more agile adversaries

Carbon Black’s recent research among incident response professionals noted concerning trends indicating that cyber attackers are growing smarter and more strategic.

Adversaries are now prioritising achieving advanced states of persistence within their victims’ networks, living off the land to secure a platform for further malicious activity.

Here are the red flags Carbon Black has discovered:

  • 46% of incident response specialists experienced counter incident response when mitigating attacks. The attacker changed tactics during the course of a campaign, demonstrating an understanding of the expected response and acting to evade it. Attackers are using basic psychology to sidestep incident response and continue the attack.
  • 64% of incident response professionals had experienced attackers launching secondary command and control after an initial attack was shut down.
  • 60% of attacks involved attempts at lateral movement within the victim’s network. 
  • 36% of incident response professionals have uncovered evidence of island hopping.

Taken together, these figures are a canary in the coal mine.

They point towards bids to establish persistence in networks through lateral movement and attempts to compromise the web of trust between companies.

Adversaries are taking advantage of the hyperconnectivity of the supply chain to move not just from system to system, but from company to company.

They’re establishing footholds in businesses that partner with target organisations and weaponising them as cover as they zone in on the true target.

This means that businesses need to ensure they have visibility into their partner networks – everyone from marketing agencies to legal counsel.

Penetration testing needs to be conducted in both directions because the brands a company trusts could be used to target it.

Prediction: Attacks will grow more destructive

Still more concerning is that the attacks Carbon Black is seeing are becoming more destructive.

It’s not just the theft of privileged data that’s at stake.

Infiltrators are now seeking to get in, get what they want, and cause chaos when they leave by destroying networks.

Carbon Black predicts that we’ll see more of this tactic going into 2019.

There are three key takeaways for organisations that want to guard against becoming part of an attack vector:

Agility

Cybersecurity is about human vs human activity, not tech vs tech. Incident response teams need to understand the attacker’s motivations and learn as much as they can about their tools, techniques and procedures so they can sharpen up their own defence.

Part of that means lowering the volume on incident response and giving the opposition less intelligence on a defence strategy.

This could mean not immediately shutting down an attack before its real goal is learned.

Visibility

Companies need oversight of that web of trust to make sure they understand the potential attack paths via partner networks and can harden them as much as possible.

It’s the network endpoints that are the islands that will be hopped, and when facing an adversary that understands endpoint detection and response, incident responders need to make sure they can see and mitigate every anomaly in real time.

Proactivity

Instead of sitting and waiting for attacks to happen, companies need to start proactively threat hunting to get a better understanding of the psychological profile of adversaries and put intelligent pressure on their primary tactics.

Preventing a business from becoming a weapon in the hands of malicious nation-state actors (or any other kind of cybercriminal) is strategically imperative to the organisation and should be a board-level concern. 
