Cyber attackers using businesses to target nation states
Article by Carbon Black security strategist Rick McElroy
Since the dawn of the internet, geopolitical tension has been the harbinger of increased cyber attacks.
Over the years, Carbon Black witnessed many incidents of nation-state-sponsored actors launching campaigns to infiltrate and disrupt critical national infrastructure targets, following some tried and tested tactics.
However, recent research carried out by Carbon Black among incident response professionals uncovered intelligence that attack vectors are changing.
The evolution of cyber attacks and the growing frequency of ‘island hopping’ mean that companies risk becoming unwitting recruits in the global theatre of cyberwarfare.
Nation-state threat activity – the enemy in our backyard
As sanctions, diplomacy and government rhetoric flow back and forth, below the geopolitical surface nation states continue to conduct “politics by other means” in cyberspace.
Whether they’re aiming to steal intellectual property, conducting economic espionage by hacking the systems of their biggest competitors, or more directly intent on disrupting infrastructure, their first step is to gain access in the networks and systems of their targets.
They’re the enemy set on proving their capabilities and establishing strategic outposts from which to launch attacks at will.
Those outposts are in the networks of the businesses that supply services to the target organisations.
When businesses defending themselves against the latest ransomware attack or phishing campaign, it’s important to realise that their company may not be the primary target.
It might instead be a strategic stepping stone on the way to a bigger prize – a bank, transport department or hospital that it has contracts with.
This tactic is growing in prevalence and organisations cannot afford to bury their heads in the sand where island hopping is concerned.
The new threat environment – smarter and more agile adversaries
Carbon Black’s recent research among incident response professionals noted concerning trends indicating that cyber attackers are growing smarter and more strategic.
Adversaries are now prioritising achieving advance states of persistence within their victims’ networks, living off the land to secure a platform for further malicious activity.
Here are the red flags Carbon Black has discovered:
- 46% of incident response specialists experienced counter incident response when mitigating attacks. The attacker changed tactic during the course of a campaign, demonstrating an understanding of the expected response and acting to evade it. Attackers are using basic psychology to sidestep incident response and continue the attack.
- 64% of incident response professionals had experienced attackers launching secondary command and control after an initial attack was shut down.
- 60% of attacks involved attempts at lateral movement within the victim’s network.
- 36% of incident response professionals have uncovered evidence of island hopping.
Taken together, these figures are a canary in the coal mine.
They point towards bids to establish persistence in networks through lateral movement and attempts to compromise the web of trust between companies.
Adversaries are taking advantage of the hyperconnectivity of the supply chain to move not just from system to system, but from company to company.
They’re establishing footholds in businesses that partner target organisations and weaponising them as cover as they zone in on the true target.
This means that businesses need to ensure they have visibility into their partner networks – everyone from marketing agencies to legal counsel.
Penetration testing needs to be conducted in both directions because the brands a company trusts could be used to target it.
Prediction: Attacks will grow more destructive
Still more concerning is that the type of attacks that Carbon Black is seeing are becoming more destructive.
It’s not just the theft of privileged data that’s at stake.
Infiltrators are now seeking to get in, get what they want, and cause chaos when they leave by destroying networks.
Carbon Black predicts that we’ll see more of this tactic going into 2019.
There are three key takeaways for organisations that want to guard against becoming part of an attack vector:
Cybersecurity is about human vs human activity, not tech vs tech. Incident response teams need to understand the attacker’s motivations and learn as much as they can about their tools, techniques and procedures so we can sharpen up our own defence.
Part of that means lowering the volume on incident response and giving opposition less intelligence on a defence strategy.
This could mean not immediately shutting down an attack before the real goal of an attack is learned.
Companies need oversight of that web of trust to make sure it understands the potential attack paths via partner networks to can harden them as much as possible.
It’s the network endpoints that are the islands that will be hopped and when facing an adversary that understands endpoint detection and response, incident responders need to make sure they can see and mitigate every anomaly in real-time.
Instead of sitting and waiting for attacks to happen, companies need to start proactively threat hunting to get a better understanding of the psychological profile of adversaries and put intelligent pressure on their primary tactics.
Preventing a business from becoming a weapon in the hands of malicious nation-state actors (or any other kind of cybercriminal) is strategically imperative to the organisation and should be a board-level concern.