Cybereason Blog | Cybersecurity News and Analysis

How a US cyber attack against Russia could impact CISOs

Written by Lital Asher-Dotan | Oct 20, 2016 6:22:19 PM

CISOs in the U.S. should expect the Russian government to respond with an attack of its own if the Obama administration decides to launch a retaliatory cyber attack against the country for attempting to interfere with the upcoming presidential election.

Russia could target U.S. businesses or infrastructure

The line between military and civilian targets in cyber attacks has become fluid. Hackers have no issue going after entities with little or no government connection. For example, targets of North Korea’s cyber attacks have included South Korean banks as well as Sony. And, allegedly, China was behind the 2015 attack against health-care company Anthem. More recently, in September Yahoo claimed a “state-sponsored actor” infiltrated its network and stole email account information on 500 million users, although the Internet company has yet to accuse a specific country.

Considering this history, there’s no reason to believe that the Russian government won’t go after U.S. businesses. And with the likelihood that cyber attacks in the near future will cause physical damage, critical infrastructure could even be a target depending on how hard the U.S. strikes back.

If Russian hackers are intent on souring voters on the prospect of a Clinton presidency, they could conceivably have hacked the companies that have paid her to give speeches or targeted executives with whom she's interacted in an effort to find controversial and sensitive information. Even if the attackers don't come across scandalous material on Clinton, they could find a company's intellectual property, trade secrets or other information that would fetch a sizeable sum on the black market. Or attackers could sell their access to a corporate network to other hacking groups, allowing them to carry out additional attacks.

Know what’s happening on your endpoints

Unfortunately, spotting and stopping nation-state attacks is challenging for even large organizations with advanced information security programs. Utility providers are particularly vulnerable since a local gas company lacks the security resources to defeat a nation-state attack.

With many attacks starting and spreading from PCs and servers, endpoint visibility is critical. Phishing emails, guessed or stolen user log-in credentials, and evolving commodity threats are just a few of the vectors attackers use to infiltrate endpoints.

Less faith should be placed in the ability of traditional security tools like firewalls and antivirus to detect attacks. Adversaries can easily modify indicator-of-compromise (IOC) artifacts, allowing threats to slip past legacy security applications and go undetected.

Use behavioral analysis to detect an attacker’s tactics, techniques and procedures

Finally, organizations should implement a detection process that uses behavioral analysis to spot malicious activity. Unlike indicators of compromise, the tactics, techniques and procedures (TTPs) used in an operation are costly and time-consuming for an attacker to change. Discovering just one TTP, no matter how small, can help security professionals detect other bad behavior. Piece enough activity together and, eventually, an entire hacking operation can be discovered.
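The contrast between IOC matching and behavioral detection can be shown in a few lines. This is an added example, not code from the original post or from Cybereason: the events, host names, payload bytes and the rule (a document application launching a script interpreter) are all constructed assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed payloads: REPACKED is ORIGINAL with one byte appended.
ORIGINAL = b"constructed-sample-payload"
REPACKED = ORIGINAL + b"\x00"
KNOWN_BAD = {sha256(ORIGINAL)}  # IOC list built from an earlier sighting

# Assumed behavioral rule: a document application launching a script interpreter.
DOC_APPS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cmd.exe"}

# Constructed process-creation events: (host, pid, ppid, image, file hash)
EVENTS = [
    ("ws-07", 100, 1,   "explorer.exe",   sha256(b"explorer")),
    ("ws-07", 210, 100, "winword.exe",    sha256(b"winword")),
    ("ws-07", 305, 210, "powershell.exe", sha256(b"powershell")),
    ("ws-07", 412, 305, "updater.exe",    sha256(REPACKED)),
    ("ws-07", 518, 412, "net.exe",        sha256(b"net")),
    ("ws-12", 100, 1,   "explorer.exe",   sha256(b"explorer")),
    ("ws-12", 220, 100, "powershell.exe", sha256(b"powershell")),
]

def ioc_hits(events):
    """Events whose file hash is on the known-bad list."""
    return [e for e in events if e[4] in KNOWN_BAD]

def ttp_hits(events):
    """Events where a document app is the parent of a script interpreter."""
    image_of = {(h, pid): img for h, pid, _, img, _ in events}
    return [e for e in events
            if e[3] in INTERPRETERS and image_of.get((e[0], e[2])) in DOC_APPS]

def descendants(events, root):
    """Pivot from one hit: every process spawned under it on the same host."""
    found, frontier = [], {root[1]}
    while frontier:
        children = [e for e in events if e[0] == root[0] and e[2] in frontier]
        found += children
        frontier = {e[1] for e in children}
    return found

if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))
    for hit in ttp_hits(EVENTS):
        print("TTP hit:", hit[:4])
        for e in descendants(EVENTS, hit):
            print("  related:", e[:4])
```

The one-byte change defeats the hash list, while the parent-child rule still fires on ws-07 and the pivot from that single hit surfaces the rest of the process chain.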