Governance, Risk and Compliance, Threat Intelligence

A strategy for reacting to the surge in nation-state cyberthreats

Today’s columnist, Brian C. Reed of NowSecure, says while President Biden’s EO lays out the need for a software bill of materials, the industry needs to take another step and develop an SBOM for mobile apps. https://www.flickr.com/photos/183493676@N07; https://creativecommons.org/licenses/by-nc-sa/2.0/legalcode

Just a few years ago, nation-state cyber threats were a peripheral risk for most CISOs. The landscape has changed dramatically today. As the past few months have taught us, the enterprise has become the number one target for such attacks.

Attacks have hit a supply chain provider like SolarWinds, hijacked as a stepping-stone to higher-value victims. Other attacks may go after intellectual property. Either way, this has become our new reality, it’s a dangerous escalation in activity that may take us one step closer to advanced cyber conflict, a concern that prompted the Biden administration to issue its cybersecurity executive order.

At the very least, it will force businesses to re-evaluate their approach to managing cyber risk. Part of this should consist of a renewed focus on the ground zero for most attacks: the endpoint. And a recognition that we need to root resilience in hardware and extend up to software and services: defending endpoints from BIOS to browser.

Caught in the crossfire

It’s not always been easy to understand the scale of nation-state threat activity. After all, attacks are usually designed to fly under the radar — to achieve persistence for as long as possible. However, a recent HP-sponsored report from Dr. Michael McGuire of the University of Surrey offers some fascinating insights. It paints a picture of escalating nation-state attacks increasingly spilling over into the business world. There was a 100% increase in significant nation-state cyber-incidents from 2017-2020. And enterprises now comprise more than one-third (35%) of state-sponsored victims, with the number of supply chain attacks in particular jumping 78% in 2019.

Victim organizations are often useful conduits for attacks on others, or they are even targeted in their own right. Surveillance remains the most common end goal for attacks (50%), accounting for half of those studied in the report, and there has been a concerning escalation since 2017. Some 14% of attacks were designed with damage or destruction in mind.

Two sides of the same coin

The involvement of organized cybercrime has further complicated the picture. Traditional lines between statecraft and financially-motivated crimes have blurred. Today, 10-15% of dark web vendor sales may go to “atypical” purchasers, including state actors looking to stockpile zero-day exploits. There are also increasingly prolific buyers of low-grade tooling to complement sophisticated homegrown cyber weapons. While 20% of state attacks involved custom malware or exploits during the past decade, half (50%) consisted of low-budget tools straight off the dark web. Nation-states also feed the cybercrime underground, albeit sometimes indirectly. NSA exploits like EternalBlue, used in WannaCry, are a classic example.

In some cases, it appears that the lines are deliberately blurred. Over half (58%) of the report’s expert panel claimed it’s becoming more common for nation-states to actively recruit cyber criminals to carry out attacks for plausible deniability purposes. Even more (65%) said some states are seeking to monetize cyber-attacks.

In the future we can expect such tactics alongside a new push to develop next-generation cyber-weapons. As such, how do enterprises mitigate these escalating risks?

Security starts at the endpoint

Those hoping for geopolitical détente need to wait some time. Most experts believe an international cyber-conflict treaty could take years, maybe even decades to hammer out — assuming the diverse countries can agree on a solution. Enterprise CISOs really must take matters into their own hands, including a focus on the endpoint.

Why focus here? Because it’s where most attacks start, even by nation-states. Attackers use the same route into an endpoint, relying on social engineering to get the user to invite malware onto their devices.

Think of the endpoint as the intersection of flawed humans, unsecured technology and network access that keeps attackers coming back time and again. Unfortunately, most tools, which are built around a “detect to protect” mantra, are flawed. The advent of machine learning-powered polymorphic malware variants has made it much easier for the bad guys to circumvent traditional endpoint controls today. And once a device has been hijacked, there are myriad ways for an attacker to move around the corporate network.

So what’s the alternative? The industry needs a new breed of endpoint security rooted in zero-trust principles to stay ahead of modern-day threats. This approach will make the endpoint more resilient, so it’s easier to reimage and recover in the event of a destructive attack, as well as monitor and restart security processes if an attacker tries to disable them. It extends up to micro-virtualization, where security teams can create a sealed environment for any risky action like clicking on a link or opening an unsolicited email and have it run on its own virtualized hardware. If something bad happens and the endpoint gets compromised, the attackers are trapped inside a VM which admins can simply delete.

The past few months has seen an unusually high number of nation-state attacks — from SolarWinds to the Exchange Server exploits and attempts to steal vaccine intellectual property. In time, this level of activity may become the norm. Enterprises will be caught in the crossfire. The threat landscape has evolved significantly over the past few years. To stay ahead of the game, it’s time to advance the company’s endpoint protection.

Ian Pratt, global head of security, personal systems, HP Inc.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.