Behavioral detection becomes critical as nation-state hacking capabilities go mainstream

September 26, 2016 | 2 minute read

Sophisticated hacking tools that can penetrate even the most heavily defended organizations are no longer the exclusive property of nation-states. Nation-state hacking has become much more mainstream, meaning Russia, China and the U.S. are not the only entities capable of pulling off advanced attacks using complex hacking tools.

I’ve made this point several times before, but recent events have shown once again how easy it is for any cyber criminal to hack like a nation-state, and how lucrative it is for nation-state hackers to sell their services.

Nation-state hacking tools are available to anyone

Many nation-state tools and techniques are available on the dark web, giving anyone the means to learn how to hack like a nation-state. You can also pay for the know-how and talent. Many nation-state employees have realized that cyber crime pays much better than the government and sell their hacking services in exchange for a lucrative paycheck.

Or you can get lucky, which is what may have happened to Russian hackers who supposedly stumbled on a computer filled with NSA hacking tools. According to a Reuters story, the Federal Bureau of Investigation is looking into the possibility that a former NSA employee carelessly left the tools on a remote computer after using them for an operation. The tools, which exploit software flaws in hardware from major vendors like Cisco and Fortinet, were posted on public websites last month by a group calling itself Shadow Brokers.

With all these hacking tools readily accessible to any interested hacker (not to mention the repercussions for enterprise information security over the Yahoo data breach), organizations need to re-evaluate how they approach security. Detecting malicious activity by reviewing static properties like MD5 hashes of malware files or domain names of botnet command-and-control servers isn’t effective since nation-state tools were designed to get around these defenses. This means antivirus programs, firewalls and other traditional security tools can’t protect a company from these threats. You can’t detect the bad guys just by looking for indicators of compromise.

Use behavioral analysis to detect, stop attacks

What’s needed is an approach that uses behavioral analysis to discover malicious activity. Information security teams should question the activities occurring on their networks. For instance, attackers could use a scheduled task to maintain persistence in a network, or a PowerShell command that appears legitimate could really be part of a fileless malware attack.
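To make the contrast concrete, here is an added example (not Cybereason code, and not from the original post) that puts a static indicator lookup next to a behavioral score over the same telemetry. The events, file hashes and blocklist are all constructed samples; the field names on `Event` and the weights in `PS_INDICATORS` are assumptions chosen for illustration. The legitimate backup script and the fileless attack both run the same signed `powershell.exe`, so a hash blocklist passes both; scoring what the command line and the scheduled task actually do separates them.

```python
"""Behavioral triage of scheduled-task and PowerShell telemetry.

Added example: compares a static IoC lookup (file-hash blocklist) with a
behavioral score over the actions an event describes. Every event, hash and
blocklist entry below is a constructed sample, not a real indicator.
"""
import base64
import binascii
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Pattern, Tuple

KNOWN_BAD_HASHES = {"0" * 64}   # constructed blocklist; matches nothing in the samples
POWERSHELL_HASH = "a" * 64      # constructed hash of the legitimate PowerShell binary


@dataclass
class Event:
    kind: str             # "process_start" or "task_created" (assumed sensor schema)
    user: str             # account that started the process / created the task
    image: str            # executable launched, or the task's action executable
    command_line: str     # arguments as seen by the sensor
    file_hash: str = ""   # SHA-256 of `image` as reported by the sensor
    run_as: str = ""      # for tasks: the principal the task runs under


@dataclass
class Finding:
    event: Event
    score: int
    reasons: List[str] = field(default_factory=list)


def static_ioc_match(ev: Event, blocklist=KNOWN_BAD_HASHES) -> bool:
    """Legacy check: flags only binaries whose hash is already known bad."""
    return ev.file_hash in blocklist


# Well-known PowerShell switches and idioms that hide or stage code instead of
# running a script file. Weights are illustrative, not tuned values.
PS_INDICATORS: List[Tuple[Pattern[str], int, str]] = [
    (re.compile(r"-(e|enc|encodedcommand)\b", re.I), 3, "base64-encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 2, "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), 1, "profile suppressed"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 2, "execution policy bypassed"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 3, "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), 2, "dynamic invocation"),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or '' if absent/invalid."""
    m = re.search(r"-(e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def _scan(text: str, score: int, reasons: List[str]) -> int:
    """Add the weight of every indicator present in `text` (each counted once)."""
    for pattern, weight, label in PS_INDICATORS:
        if label not in reasons and pattern.search(text):
            reasons.append(label)
            score += weight
    return score


def score_event(ev: Event) -> Finding:
    """Score what the event does, independent of any hash or domain list."""
    reasons: List[str] = []
    score = _scan(ev.command_line, 0, reasons)
    decoded = decode_encoded_command(ev.command_line)
    if decoded:
        score = _scan(decoded, score, reasons)   # look inside the encoded blob too
    if ev.kind == "task_created":
        task_checks = [
            (ntpath.basename(ev.image).lower() in SCRIPT_HOSTS, 2, "task action is a script host"),
            (bool(USER_WRITABLE.search(ev.image + " " + ev.command_line)), 2, "task content in user-writable path"),
            (ev.run_as.upper() == "SYSTEM", 1, "task runs as SYSTEM"),
        ]
        for hit, weight, label in task_checks:
            if hit:
                reasons.append(label)
                score += weight
    return Finding(ev, score, reasons)


def triage(events: List[Event], threshold: int = 4) -> List[Finding]:
    """Events whose behavior crosses the threshold, highest score first."""
    hits = [f for f in (score_event(e) for e in events) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Plaintext of the constructed encoded sample; encoded here so the reader can see it.
_ENCODED = base64.b64encode("Invoke-Expression $stagedCode".encode("utf-16le")).decode()

SAMPLE_EVENTS = [   # constructed telemetry
    Event("process_start", "alice", PS_EXE, r"powershell.exe -File C:\Scripts\backup.ps1", POWERSHELL_HASH),
    Event("process_start", "alice", PS_EXE, f"powershell.exe -nop -w hidden -enc {_ENCODED}", POWERSHELL_HASH),
    Event("task_created", "svc_backup", r"C:\Windows\System32\wscript.exe",
          r"C:\Users\Public\update.vbs", "b" * 64, run_as="SYSTEM"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"static IoC match: {static_ioc_match(ev)!s:5}  {ev.kind:13} {ev.command_line[:45]}")
    for f in triage(SAMPLE_EVENTS):
        print(f"score {f.score}: {f.event.kind} by {f.event.user}: {', '.join(f.reasons)}")
```

Run stand-alone, the static lookup reports no match for any of the three events, while the behavioral triage surfaces the hidden encoded PowerShell invocation (with the decoded `Invoke-Expression` counted) and the SYSTEM-level task launching a script from `C:\Users\Public`, and leaves the signed backup job alone. The decoding step matters: a rule that only looked at the outer command line would miss what the encoded blob actually does.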

Another point worth mentioning is that nation-state attackers design their attacks to survive an incident response investigation, and cyber criminals are undoubtedly using these techniques against their targets. Deceptive tactics are used to make analysts believe they’ve fully shut down a threat when they’ve only discovered and remediated a small portion of a much more complex operation. Malware that’s easy for an analyst to discover and disarm was probably placed there intentionally to give security teams the false impression that they quickly remediated an incident.

Cyber criminals have changed their approach to hacking by adopting nation-state tools and techniques. To stay safe, organizations need to change their defensive techniques to focus on analyzing behavior.

Lior Div is the CEO of Cybereason.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
