
Nation-state attacks are hard to spot. It’s time for a new approach to threat detection

By Mary Roark

Image via Freepik

May 11, 2022

Nation-state threat actors are fast emerging as one of the biggest security challenges facing nearly all organizations in light of the Ukraine crisis. Hackers that are either directly sponsored by nation-states or are simply given the leeway to act have the time and resources to launch potentially devastating attacks against public and private sector organizations. One recent study suggests a 100% increase in significant nation-state incidents between 2017 and 2020, with enterprises now the most common target.


The threat posed by nation-state hackers is back in the spotlight with the growing concern over Russian-backed cyberattacks. As the war in Ukraine continues, the Cybersecurity and Infrastructure Security Agency (CISA) warned that malware deployed against organizations in Ukraine may spread to businesses in other countries. A threat like this can infiltrate a business's network and cut off access to critical data.


To put these types of threats into perspective, last year a group of criminals exploited critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication and access data from a wide variety of U.S. and European defense firms and government agencies. Significantly, at least one of the security flaws exploited by the hackers was a zero-day, meaning that the security industry was effectively blindsided by the attack.


Breaches do not get much more serious than this. By managing to side-step two-factor authentication, the hacker strikes at the heart of a fundamental tool of modern enterprise security, and for many applications the only line of defense. Moreover, these types of attacks are also almost impossible to detect. Once hackers gain initial access to a victim's network, they can move laterally and establish a connection with a command and control (C&C) server, which they then use to issue commands and exfiltrate data.


The Limits of Intrusion Detection

What can organizations do to protect against unknown threats that penetrate the network? What's clear is that traditional intrusion detection systems (IDS) are unlikely to deliver the various forms of detection required. IDS techniques only work for known threats — they rely on a library of signatures and known behavior to identify breaches and alert the security team. With zero-day attacks, those signatures don't exist yet, so the breach goes undetected.


Network Pattern Analysis

Sensors can now be embedded into networks to monitor traffic as it flows not only "north-south," as a traditional firewall would see it, but also "east-west" (i.e., from server to server within a customer's network or from one virtual cloud to another). This data can then be analyzed by machine learning (ML/AI) models to establish a baseline of normal network activity. From there, any east-west communications that differ from this baseline can be flagged instantly for further investigation — for example, if unusual lateral movement is detected from a server that is typically used only to house a database. With the increase in cloud apps and global collaboration by employees working from home and from various corporate and personal devices, detecting a "bad actor" is increasingly difficult for security teams. The hope is that the next generation of threat detection, one that is behavior-based, provides security responders with rapid, high-fidelity alerts that enable them to stop attacks in their tracks, zero-day or otherwise. But that would be utopia, and we don't live in a utopia.


As anyone who has worked in security long enough knows, there is never one silver bullet for threats on the scale posed by nation-state hackers or insiders, especially with vulnerabilities like Log4j in play. If anything, the simplicity of some such attacks and the complexity of others underline the need for organizations to adopt a layered security model.


Sync Security with DevOps

In this case, organizations should look beyond network-based threat detection and user/endpoint behavior analytics and seek to embed security within the DevOps cycle. 


When security is an afterthought in the development lifecycle, vulnerabilities can creep into code. In such cases, vulnerabilities are often only exposed when a system is in production or, worse, when an organization is hacked. As well as exposing the business to unnecessary risk, costs mount up as time and resources are spent trying to find the root cause of a security issue. 


Conversely, by incorporating security into the development process early, fewer resources are required to identify and repair vulnerabilities.


Because data breaches are becoming increasingly common, business leaders should look to encourage a shift in mindset and culture so that security runs through the organization from the initial design of any app. 


Additionally — and specific to the zero-day threat — by arming DevOps teams with testing tools and processes, organizations can better understand communication patterns and destinations and so identify C2 tunnels (a technique hackers often use to communicate with compromised networks), allowing teams to spot stealthy lateral movement and ultimately protect data from being stolen.


Monitor All, Not Just Stealth Attackers 

Nation-state hackers operate differently than those solely motivated by money. The latter often don't care if they are noticed, so long as they can get away with data that is monetizable or whose loss causes high reputational damage. Indeed, ransomware attacks are entirely predicated on the victim knowing they've been hacked.


Conversely, nation-states will often hope to go unnoticed. The longer they're roaming around your network, the better they can understand their target and, ultimately, the more data they can slowly exfiltrate. Unfortunately, in many cases they have been in stealth mode for over a year, and in others their stealth activity will be perceived as normal. However, no matter how subtle the hack, at some point activity needs to happen on the network for attackers to carry out their objectives. When that happens, it's the organizations that are vigilant, tracking all behavior and monitoring all network traffic in real time for anomalous lateral movement or unusual command and control (C2) communications, that will be best positioned to intervene and stop an attack before data is lost and the damage is done.


Two Things Needed to Detect C2

In order to detect C2, organizations need to monitor all network communications or the portion of network communications that access their most valuable assets. First, organizations need to assess what assets are vital to their operations and profitability and prioritize understanding and monitoring the access to those assets. 


The best way to monitor your network is with Network Detection and Response (NDR) solutions that capture information about your communications to establish a baseline of your communication patterns. Next, decide how intensely you need to monitor your network communications. NDR solutions can be as simple as notifying you when communications are established to a known bad location based on IP address or country (for example, an IP address in a country where your business has no employees and does no business; for many, that is now any IP address in Russia).


An alternative is to collect metadata from packets, or to store all packets of communication for further analysis if an incident needs to be investigated.


In many cases, businesses that depend on a high volume of financial transactions will capture all packets. Unfortunately, collecting all packets can be expensive, so more and more solutions instead create metadata about the communications, capturing the important information from the communication protocols. The most modern NDR solutions correlate a series of alerts and use rules to determine whether there is a need to alert on suspicious behavior. The challenge with NDR is noise. For many, it begins to appear as though regular business activity sets off too many alarms (too many false positives). Identifying an NDR solution that can be configured to alert the organization to potentially suspicious network activity without overwhelming IT and security teams with too many alerts is the balance every organization needs to achieve to fight nation-state threats and the proliferation of increasingly sophisticated zero-day attacks.
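The baseline-and-deviation approach described in the "Network Pattern Analysis" section and the NDR checks described here (known-bad country, metadata rather than full packets, correlated alerts) can be sketched as a small detector over flow metadata. This is an added example, not code from the article or from Accedian; the flow records, the geolocation table and the 10.0.0.0/8 "internal" range are all constructed for illustration.

```python
"""Toy NDR-style detector: learn an east-west baseline, then flag
lateral movement, disallowed destination countries and beaconing."""
from collections import defaultdict
from statistics import pstdev
import ipaddress

# Constructed flow metadata records: (timestamp_s, src, dst, dst_port).
BASELINE_FLOWS = [
    (0,   "10.0.1.10", "10.0.2.20", 5432),      # app server -> database
    (60,  "10.0.1.10", "10.0.2.20", 5432),
    (120, "10.0.1.11", "10.0.2.20", 5432),      # second app server -> database
    (180, "10.0.1.10", "93.184.216.34", 443),   # app server -> external API
]
OBSERVED_FLOWS = [
    (1000, "10.0.1.10", "10.0.2.20", 5432),     # normal, in baseline
    (1010, "10.0.2.20", "10.0.3.30", 445),      # database host initiating SMB
    (1020, "10.0.2.20", "203.0.113.5", 443),    # database host -> unseen external
    (1080, "10.0.2.20", "203.0.113.5", 443),    # ... repeated every 60 s
    (1140, "10.0.2.20", "203.0.113.5", 443),
    (1200, "10.0.2.20", "203.0.113.5", 443),
]
GEO = {"93.184.216.34": "US", "203.0.113.5": "ZZ"}  # constructed GeoIP stand-in
ALLOWED_COUNTRIES = {"US"}                           # where the business operates
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # constructed internal range

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def build_baseline(flows):
    """Normal (src, dst, port) triples, plus the hosts that ever initiate a flow."""
    pairs = {(s, d, p) for _, s, d, p in flows}
    initiators = {s for _, s, _, _ in flows}
    return pairs, initiators

def detect(flows, pairs, initiators, min_beacons=3, max_jitter=5.0):
    """Return sorted, de-duplicated (kind, src, dst, port) alerts."""
    alerts = set()
    external_by_triple = defaultdict(list)   # timestamps per outbound triple
    for ts, s, d, p in flows:
        if (s, d, p) in pairs:
            continue                          # seen during baseline: not alerted
        if is_internal(s) and is_internal(d):
            # A host that never initiated anything now talking to a new peer
            # is the "database server moving laterally" case from the article.
            kind = "lateral-movement" if s not in initiators else "new-east-west-pair"
            alerts.add((kind, s, d, p))
        elif is_internal(s):
            if GEO.get(d) not in ALLOWED_COUNTRIES:
                alerts.add(("disallowed-country", s, d, p))
            external_by_triple[(s, d, p)].append(ts)
    # Regular intervals to the same external endpoint are a classic C2 beacon.
    for (s, d, p), stamps in external_by_triple.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_beacons - 1 and pstdev(gaps) <= max_jitter:
            alerts.add(("beaconing", s, d, p))
    return sorted(alerts)

if __name__ == "__main__":
    pairs, initiators = build_baseline(BASELINE_FLOWS)
    for alert in detect(OBSERVED_FLOWS, pairs, initiators):
        print(alert)
```

Each alert kind corresponds to one of the correlation rules the text mentions, so the three alerts on the database host together tell a single lateral-movement-then-C2 story rather than four separate flow alarms.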


Hopefully, the fear of nation-state attacks will motivate organizations to adopt NDR tools, which have become much more user-friendly with instructional, guided user interfaces. Many map the progression of an attack to popular frameworks like MITRE ATT&CK so that novice threat hunters can follow the attack step by step, see what the root cause might have been and learn how long an attacker has been lurking. The time to adopt NDR is now.

KEYWORDS: cyber security nation-state attack network monitoring risk management

Mary Roark is a cybersecurity thought leader. With over 30 years of technology experience, she serves as the VP of Cybersecurity Strategy at Accedian. She holds a CISSP certificate and has been an evangelist across various areas of security while at RSA Security, Sophos, and security start-ups. She also held leadership positions in telco and technology marketing at AT&T, Microsoft, Nortel Networks, and Unisys. She holds a Bachelor’s in Electrical Engineering from the University of Arizona and an MBA from the Stern School of Business at New York University. As a Hispanic female, she hopes to encourage more diverse talent to tackle the challenges society faces with keeping data secure.