The global pandemic has caused a shift in the connectivity of everything and increased the risk of severe data breaches and cyberattacks. Two years later, in the present day, the world has never been closer to the brink of an all-out cyberwar. What does that mean for businesses, nation-states, and information security leaders?
Cyber warfare, cyber espionage, and advanced persistent threats
Cyber warfare is defined by nation-states or groups targeting information systems with the intent to cause disruption or damage. In contrast, cyber espionage is the act of gathering intelligence or spying on adversaries with the use of computer systems and information technology. The internet and the 4th Industrial Revolution have opened doors for these two critical conflict factors to sprawl.
Cyber espionage can include extortion, corporate/industrial espionage, theft, misinformation, etc. On the other hand, cyber warfare can have more physical implications for victims. When a nation-state launches an attack on a target nation’s critical infrastructure or resources, it can directly impact the lives and livelihoods of the citizens of that nation. However, cyber warfare should be seen less as military operations and more as intelligence operations.
The motives behind these operations are not necessarily to cause physical harm or damage. The costs and risks involved with these operations are too high to outweigh the outcomes. When it comes to causing physical damage, it’s much more effective to launch a physical military offensive. Thus said, it doesn’t make the effects of cyberattacks and data breaches less harmful and severe. Cyberattacks still have significant implications; businesses can be compromised entirely due to data breaches. The potential reputational damage, financial loss for the organization, and potential financial gain for the threat actors are what make cyber operations effective.
For a nation-state, cyber operations are much more cost-effective and lower risk than physical military operations. Nation-states can directly employ hackers and cyber operators. These operations can be funded indirectly, allowing these nation-states to easily deny involvement. When we talk about state-sponsored cyberattacks, we often hear about the time before and after Stuxnet. The Stuxnet worm completely changed how we, as a digital society, look at cybercrime and cyberattacks. Stuxnet was malicious software designed and written by two unknown nation-states, used in an offensive operation against Iran and its nuclear facilities. This attack was in response to intelligence and rumors that Iran was building nuclear weapons of mass destruction. The worm was designed to target critical infrastructure and control systems, known as SCADA systems. These systems control the operations of industrial machines, which were used in these Iranian plants.
The most recent example of such an attack was the Nvidia data breach. The incident, currently under investigation by Nvidia, was first thought not to have put sensitive data at risk; however, the Lapsus$ ransomware gang has claimed responsibility for the attacks and since released the password hashes of ‘all’ Nvidia employees. They then stated that they would release nearly 1TB of intellectual property in five separate leaks. The ransom was set at $1 million and has since prompted a response from POTUS, who stated that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”
There is currently nothing linking this incident to the Russia-Ukraine conflict, and Lapsus$ has denied any affiliations with a nation-state. This just proves the effectiveness of state-sponsored attacks. A nation can launch an attack, most often by proxy, and deny any involvement in the attack or affiliation to the group.
What are advanced persistent threats (APTs)?
The U.S. National Institute of Standards and Technology (NIST) defines an APT as “an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.”
Motives behind these types of threats
What motivates a threat actor to launch this type of attack? There are many potentially motivating factors behind these threats. Some notable examples of these threats include corporate/industrial espionage, state-sponsored cyber espionage and sabotage operations, and cybercrime. The motivation behind these threats is mainly to gain the upper hand or advantage in an industry, political conflicts and financial gain.
Who’s behind these threats?
Anyone can benefit from launching an APT — public sector and private. The largest attributions to APTs have been to government entities attempting to cause political damage, disrupt military or intelligence operations, sabotage critical infrastructure, or conduct their own intelligence operations against adversaries. Naturally, nation-states have access to more cyber weapons and tools than cyber gangs and independent criminals. Examples of state-sponsored attacks include Stuxnet, GhostNet, and Titan Rain. Smaller threat actors and groups use less complicated tools, techniques, and procedures (TTPs) but can still wreak havoc on organizations and businesses.
Defense in times of cyber warfare and espionage
It is near impossible to defend yourself or your organization against acts of cyberwar. If a nation-state or adversary wants to launch an attack against your organization, they will. Naturally, there are organizations of higher risk than others. Organizations, such as telecommunications companies, power utilities, oil refineries, and government entities have a lot larger targets than a small accounting firm or a fishery. Ideally, the fishery should take its security just as seriously as a telecommunication company, but we’re not there yet.
How to protect organizations from attacks by advanced persistent threats
An effective cybersecurity defense strategy requires a multi-layered approach and should not focus on technology alone. The approach requires the work of all business functions and departments to succeed.
- Don’t rely on a single tool or technology. An effective defense strategy requires controlling every aspect of an organization’s IT ecosystem through up-to-date security tools, authentication and access management, next-generation perimeter security and endpoint protection, security information and event managers (SIEM), vulnerability management and software patching.
- Focus on prevention of cyber-attacks. A focus on preventative measures will keep your systems cleaner and empower your security operations elements to combat the APTs that make it past the perimeter.
- Whitelisting apps ensures that any unauthorized software installation is brought to your attention.
- Actively monitor your environment for anomalous access and login requests, potentially malicious processes on endpoints, potential network intrusions, and malicious emails. This will allow anomalies to be brought to light and addressed efficiently and appropriately.
- Empower your security operations (SecOps) with apt threat intelligence. Threat intelligence feeds use raw data on prevalent and emerging threats to provide actionable information on those threats. In combination with next-generation software and endpoint protection, this information allows security personnel to discover threats faster, more effectively, and rapidly contain incidents.
- Educate employees and create a security-first culture. The most common attack vectors for APTs are spear-phishing emails and social engineering. By educating your workforce and making them aware of the different attack vectors and how to spot them, you add one more layer to your approach. The most vulnerable aspect of your business is sitting between the computer and the chair. It used to be that phishing emails were noticeable due to poor grammar or spelling errors, but modern phishing attacks are highly advanced and easily fool the end-user.
- Lastly, a solid reactive approach to security incidents and data breaches is required when all else fails. This is easily the costliest aspect of cyber defense due to the loss and damage tied to a cyberattack. Active defense will only allow you to protect and prevent attacks from happening. APT’s are empowered by government-level funding, ample resources, and highly skilled individuals. That said, if you have been targeted in a cyberattack and your frontline defenses failed, you need to be able to respond and react accordingly. The stakes are even higher if you are a large corporation or utility. The incident will be in the news, and the public will lose trust in the organization's ability to provide services and protect information. It is worth noting that response to an incident is a lot more expensive than preventing attacks. You need to be able to react hard and soft. By a hard response, I mean the actual incident response process; you need to make sure that your critical information systems are up and running as soon as possible, manage the potential data loss, recover any severely affected systems, and implement lessons learned. A soft response is what the public sees. The CISO or CEO will probably end up in some other article or news network. The media will be asking questions. You need to form a narrative that everything is under control. The magnitude of this response can be big or small; you might just have one blog article written on the incident, but you also might have every news agency jumping on the story. We’ve seen this happen a few times in the past few weeks, with the Lapsus$ group targeting large corporations.
Active defense uses offensive tactics to outsmart or out-hack potential hackers. These tactics are used to slow down or completely thwart an attack on your organization. An active defense approach aids organizations in preventing attackers from advancing through their business networks and increases the chances of the attackers making a mistake and exposing themselves or their attack vectors.
This approach involves deception technologies and systems that detect threats early in the attack cycle. Active defense may also involve striking back or retaliating against an attacker; however, this is primarily reserved for law enforcement agencies.
With active defense, organizations can detect threats and identify potential intrusions before attackers can steal any data. On top of that, active defense techniques provide your security operations element with vital intelligence on threats and attacks. Active defense is also a crucial tool for enhancing your organization’s security measures. By enabling security teams to gather intelligence on the TTPs that threat actors use, how they exploit vulnerable software and services, and the types of data and information they look to exfiltrate, you’ll have the knowledge and capability to employ controls and measures that protect your environment from these attacks.
Security models and frameworks
When it comes to developing the organization’s security strategy, there is no need to reinvent the wheel. Several security frameworks and models are readily available for you to tailor towards your ecosystem and implement within your business. The most common and widely used is the NIST Cyber Security Framework. The framework sets out five pillars in which your security operations should succeed. They are as follows:
- Your SecOps should be able to identify information assets in your inventory and identify the threats, vulnerabilities, and risks surrounding those assets.
- Your SecOps should be able to detect any threats outside and inside of your organization.
- Following that, you need to be able to protect your assets and information against detected and undetected threats.
- Your SecOps’ response to data breaches and security incidents is critical to ensure the same incident does not occur in the future and that the necessary mitigation controls have been put in place.
- Lastly, your organization needs to be able to recover from any disastrous event, data breach, or cyberattack. The security operations need to enable the business to maintain its continuity and reputation in the market. Cyberattacks can be devastating, especially if they come from an advanced threat actor, so it is critical to maintain the ability to recover from any incident.
It is worth noting that a framework is a generalized outline of necessary security controls. Not all of the controls will fit into your business environment, and one needs to sift through the appropriate controls and tailor the framework to the business environment.
Cyber threat intelligence
Cyber threat intelligence (CTI) is an umbrella term for the collection and analysis of data and the use of tools and techniques to generate information on existing or emerging threats in the cyber landscape. Threat intelligence had existed long before cyber was a thing. In military terms, intelligence is used to understand the adversary and their techniques, tactics, and procedures (TTPs) and predict their next moves. In cyberspace, intelligence is used to understand the threat landscape, what threats are targeting your organization or industry, and what TTPs they use so you can quickly bring them to light once they’re in your network.
Actionable vs. unactionable intelligence
You often hear the term ‘actionable intelligence, and I don’t think that’s correct. Any intelligence collected and analyzed was done to meet an intelligence requirement (IR). The IR states what intel needs to be collected, and for what purpose. One would not collect intelligence if it wouldn’t be used for a specific task. This rings true throughout the military, intelligence, and infosec community. Unactionable intelligence would just be information gathered with no use or purpose.
There are several threat models that infosec professionals and research organizations have developed. The most common and most popular are the Diamond Model of Intrusion Analysis, the Cyber Kill Chain by Lockheed Martin, and the MITRE ATT&CK (and DEF3ND) framework. The Diamond Model was designed to work in combination with the Cyber Kill Chain. All these models are used to analyze the behavior of threat actors during a cyber-attack. The ATT&CK framework is most commonly integrated into SIEM and EDR solutions.
It’s all fair and acceptable to use models readily available, but the situation might arise that you must model threat analysis tailored to your business or organization.
What is threat modeling?
Threat modeling allows potential threats to be identified, enumerated, classified and mitigated. Threat modeling is a proactive approach used to understand how different attacks may realize and affect your organization. An apt threat model should provide security teams with an analysis of the countermeasures needed to be implemented, the most likely attack vector, and the assets most likely to be targeted by a threat actor. Threat modeling lays out the areas in which one is most vulnerable, the greatest impact of threats, and what countermeasures need to be taken to safeguard against these threats.
The threat modeling process
- Establish the project team and scope of the threat model. The team should include stakeholders such as board members, network engineers, developers, and information security managers. The scope should be defined according to system architecture, security perimeters, data points and data flow, and system components.
- Decompose the systems or applications. This entails breaking down a system into different components, envisioning how data flows, and dividing out trust boundaries. One technique used for this step is building a data flow diagram (DFD). DFDs give a visual representation that illustrates how data flows within the system and the actions users can perform within a system state. Some models rely on Process Flow Diagrams (PFD) instead of DFD.
- Identification of likely threats. Threat identification involves identifying and documenting threat vectors and related security information and events. During this step, one needs to determine hazardous areas within the network and identify potential vulnerabilities that can be exploited. This can be done by simulating threat scenarios and using attack trees. This process can be automated using threat modeling tools.
- Attack modeling describes an attacker’s intrusion approach into the network or information systems. This enables the security team to identify mitigation controls and measures needed to defend the system(s) and where to prioritize their efforts. This step involves mapping the sequence of attacks, outlining tactics, techniques, and procedures, and creating threat scenarios. Attack frameworks such as MITRE ATT&CK and the Cyber Kill Chain can be used to model the attack.
- Implement mitigations. To apply appropriate security controls and cyber warfare countermeasures, you need to understand the threat landscape and your organization’s risk appetite. Strategies need to be developed to contain these threats, including avoiding or reducing the impact or probability of the threat, transferring the threat to a third party, and accepting some or all of the potential consequences of the threat.
How to utilize threat intelligence
There are many ways an organization or security entity can utilize threat intelligence in its security operations. Investing or building a threat intelligence platform (TIP) is always the first and best option. There are many commercial and open-source TIPs available for use. Threat intelligence can, and should, be gathered from internal sources (firewall logs, intrusion detections and prevention systems, syslogs, etc.) and external sources (open threat intelligence exchanges, commercial threat feeds, government entities, ISACs, etc.).
Any intel gathered should be aggregated into a security information and event manager (SIEM) and/or security orchestration, automation, and response platform (SOAR) to be able to act on the intelligence. One standard method for gathering intelligence is through threat hunting. By scouring internal networks and the greater internet, analysts can collect and analyze threats that could impact the organization.
Intelligent threat hunting
The question is — how do we hunt? It is good to collect data and information and threats in the greater landscape. Still, you need to know what threats actively target the organization and what threats directly impact your sector, industry, and business. You should always assume a zero trust mentality when handling and hunting for threats. Assume a malicious actor has already gained access to networks. You need to employ tools, methods, and procedures to uncover the threats that will or may already have breached your networks.
Know what you’re looking for — if there are tensions between two countries and your business is based in one, stay up to date with political events and data breaches. You will be able to notice when a threat actor is targeting your industry and companies like you when other companies start getting hacked.
An excellent way to gather threat intelligence is to set up and deploy decoy systems inside and outside your organization. These are referred to as honeytokens and honeypots. How can you deploy decoy systems?
- Create fake email addresses. Emails are one of the largest attack vectors. By creating fake email addresses under your organization’s domain, you can monitor these addresses for any suspicious or potentially malicious login attempts and phishing attacks. With this information, you can then blacklist email addresses and IP addresses and raise awareness amongst employees on different types of phishing attacks and how to spot them.
- Deploy honeypot servers on the internet. These systems display themselves as actual servers running vulnerable services but contain no sensitive data or information. The goal is to attract potential hackers to those servers and lock them in. During the reconnaissance phase of an attack, the threat actor will notice these vulnerable servers and (hopefully) target them first. This will allow your SecOps to gather threat intelligence on these threat actors and prevent attacks from occurring. These systems can be deployed internally, on your own hardware, and/or hosted in a public or private cloud.
- Use browser cookies on your web server. This way, you can gather information on any malicious actor accessing your website and potentially thwart any Denial of Service (DoS/DDoS) attack.
- Deploying fake data and applications. By inserting fake data into an existing database, you minimize the risk of sensitive data being stolen. The aim is to trick attackers into stealing the fake data rather than the real data. Fake executables are applications that activate a phone home switch when the attacker accesses them. When this happens, you can gather information about the attacker’s machine, such as IP addresses and system details. This is commonly referred to as a ‘hack back.’
The challenges of threat intelligence
Inevitably, there will be mounds of challenges with knowing and understanding your adversary. This is an age-old problem. There will always be unknown threats yet to emerge that will be able to bypass all your security controls and measures.
The main challenge with threat intelligence feeds, platforms, and exchanges is subjectivism. Most threat intelligence available is shaped around the TTPs of Eastern threat actors. By now, we know how Russia conducts cyber operations and how China operates and have an idea of North Korea and Iran’s capabilities. The problem is that we do not know how Western nations conduct offensive cyber operations. Can we assume that they don’t? We know that they have the capabilities and resources to be classified as a threat to their adversarial nation-states. The closest we’ve gotten to uncovering Western tactics was with Stuxnet. Even then, no party came forward claiming responsibility. We can’t assume that every hacker group targets the West; what about the threats facing African and Eastern nations? As an information security professional in the Southern African market, I have noticed the school of thought with APTs targeting Western nations is “those threats won’t target my company” or “they don’t affect my business.” That couldn’t be further from the truth.
You need to find threat intelligence specific to your region, industry, and sector and act upon that. It is worthwhile gathering information on any other threat, but know what is targeting you first.
Prepare to respond
Cybersecurity has become an integral part of everyone’s life. Looming cyber warfare and advanced cyber threats pose a critical risk to IT infrastructure and ecosystems of all statures, grades, sizes, and complexities.
To mitigate these risks, we need to combat these advanced threats by defending our information systems and patching our vulnerable infrastructure. In a world where everything is connected, nothing is safe. It is not if you’ll be hacked; it’s a matter of when you’ll be hacked. As individuals, organizations, and businesses (small or large), we need to be prepared for advanced threats and be able to respond to these threats.