Organizations around the world tend to build cybersecurity defense strategies that are based on an assessment of risks these organizations are more likely to encounter and the extent to which they plan to handle each of these risks. Based on these definitions, as well as the business and operational attributes, organizations create cybersecurity defense programs that include concepts, technologies, appropriate personnel, methodologies, incident response plans, insurance coverage and more.
It is common to divide threat actors into three categories — individual attackers, cybercrime groups, and nation-state attackers. These days, organizations around the world allocate many resources to cybersecurity, with budgets reaching tens and even hundreds of millions of dollars in large enterprises.
When considering these categories, it is important to decide which risks to address, but just as important to decide which risks not to address. Overall, most organizations make a calculated decision not to include nation-state attacks in their defense programs.
But why do organizations not include nation-state attacks in their programs? The answer lies in understanding that most organizations have tough choices to make when balancing threat prioritization and budget issues.
What is a nation-state attack?
A nation-state actor is characterized by the ability to focus on a single target in a way that doesn’t correlate with the financial benefit of the cyberattack; to plan a complicated sequence of actions; and to use unique and destructive types of malware. Such actors typically have a backend operation equipped with advanced control capabilities and they support their activities with various intelligence sources.
Cybercrime attack groups continuously get more sophisticated and business savvy. In most cases, their activities are planned and implemented in correlation with potential financial gains. In some cases, cyber actors may abandon a target (even one in which they have invested significant effort) once they cross a predefined threshold beyond which the potential gains cannot be justified.
Out of scope and out of time
As part of the budget plan, organizations identify their priorities and the solutions chosen to protect themselves against the defined risks. A healthcare institution, for example, would put a different set of solutions in place than an entertainment company. However, in many cases, both of these organizations would likely exclude solutions for nation-state attacks. While security programs may partially address advanced persistent threat (APT) attacks, it’s usually agreed that these are ad-hoc efforts and that preventing nation level attacks is out of scope.
The assumption made by most Chief Information Security Officers (CISOs)/Chief Security Officers (CSOs) is that solutions for nation-level threats are more complex, require a higher level of expertise and likely have a low probability of occurring — an assumption that gets a seal of approval from the management team. This is understandable because for many years, the commonly held belief was that national entities typically target governmental agencies and not private companies. In light of the notable cyberattacks this past year, however, corporations can no longer assume that they will fly under the nation-state attack and cybercrime radar.
Sea of change in the private sector
Recently there has been a sea of change in cyberattacks that should greatly concern business entities. The supply chain attacks that started with the SolarWinds incident have brought nation-state methods into play in the business arena. The creation of complex infrastructure, which enables access to companies via a legitimate platform and then selects them as targets for attack, is a significant state level approach. It is not surprising that a few months later, the Kaseya attack employed a similar technique — this time leveraging a managed security platform instead of an IT management platform.
More recently, the Praying Mantis attack operated using a methodology in which attackers penetrate secure environments by infiltrating Microsoft Web Servers (Windows Internet Information Services-based and internet facing) and gaining permission and flexibility, enabling them to move laterally to other organizational domains. The threat actor uses a tailored malware toolkit and zero-day exploits, abusing deserialization mechanisms to compromise and infect sensitive systems.
The fact that commercial companies have experienced such attacks casts doubt on the assumption that they don’t need to include nation-state level attacks as a threat to be addressed. Whether it is a nation-state entity that targeted a commercial company or a cybercrime organization that assembled a nation-class attack array, the threat is real and the consequences of debunking this assumption are very far-reaching.
Rethink strategy and resiliency programs
Management teams and boards of directors should rethink their approved strategy that constitutes the basis of their cybersecurity organizational program. CISOs must revisit their resiliency programs and insurance companies should evaluate the level of requirements they pose for large organizations.
There is no doubt that these cyberattacks against the private sector are a wake-up call for global governments as well. They should act at the legislative, enforcement and collaborative levels that, in the long term, may prove to be a lasting bulwark against these types of threats.