Nation-state attacks are growing in number as well as complexity, utilizing very sophisticated tools and techniques to make their mission more targeted and successful. Nation states also proactively research the latest defense capabilities implemented by businesses in order to get the upper hand.
A survey polling Black Hat 2015 attendees found that 64% of respondents believe their organization is a target for nation-state attacks.
Cybereason recently participated in a panel discussion at the Cyber Security Summit in Minneapolis that addressed nation-state attacks among other topics. Below are some highlights from the discussion.
Companies are outnumbered by their adversaries
When it comes to defending against nation-state attacks, companies are outnumbered by their adversaries.
A nation may deploy thousands of cyber soldiers to search for exploits in an enterprise IT system while businesses have only a handful of people fighting back, making it very difficult to compete, according to panelists.
As a defender, a company has just one chance to deploy the right defensive tactics. The wrong decision could prove disastrous and lead to a persistent attack. On the other hand, cyber soldiers can bombard an organization with thousands of attacks, unconcerned if nearly all of their attempts fail because infiltrating a company only requires one successful attack.
The other difficulty when defending against nation-state attacks is determining the attack’s origin. This information can help organizations understand the motive behind the attack and help them choose an appropriate response plan. However, tracking down the starting point of a cyber attack is challenging since the Internet wasn’t designed to tie IP addresses to a person’s location. Additionally, attackers try to deceive investigators. For example, adversaries can include Chinese characters in the malware’s code to make it appear like the program was developed in China when it was actually created in a different country.
Nation states launch attacks to gain intellectual property, military intelligence or as an alternative to traditional warfare
Nation states engage in cyber attacks to primarily gather intelligence, according to the panel. Attacks targeted businesses are aimed at collecting intellectual property, especially if companies in the nation that launched the attack are struggling to compete globally. By pilfering company secrets from a more innovative organization, an ailing business can use this information to develop competing products and services.
With attacks targeting governments, nation states want to understand their counterpart’s view on policy issues and acquire military intelligence that could give them a tactical advantage in future conflicts.
Finally, some cyber attacks seek to physically destroy an object, such as the Stuxnet virus that targeted the centrifuges that were part of Iran’s nuclear program. Instead of using missiles to take out the centrifuges, malware was developed that caused the machines to essentially spin out of control.
U.S. government looks to better protect companies from attacks
Panelists discussed the role the U.S. government should play in protecting businesses from cyber attacks and noted that federal authorities are beefing their defensive efforts.
The government collects threat intelligence data, for example, and alerts businesses when potential threats are detected.
According to a PricewaterhouseCoopers survey, in 2013 the FBI warned 3,000 U.S. companies that they had been attacked. And, according to one of the panelists, the FBI is hiring more employees to handle notifying companies about looming cyber attacks.
What should organizations do to better defend themselves?
The speakers recommended that companies decide whether they’re going to invest in cyber security technologies or accept the risks of getting breached, such as losing data.
Organizations that opt to buy security products should assess their defense capabilities before making a purchase, the panelists said. For instance, a power plant may have new servers, but its SSL encryption library could be dated and buggy.
For companies that decide to accept the spectre of a breach, speakers noted that it is nearly impossible to quantify the data can be lost and calculate the risk. Additionally, when companies hire a third party to clean up the aftermath of a data breach, they’re paying to learn what happened and what their next steps should be related to a specific attack. This approach still leaves them vulnerable. Instead, companies should focus on detecting future attacks.
