Why Nation State Hackers are on the Rise
Most technological fields are constantly evolving, and cybersecurity is no exception. With new data privacy legislation popping up on a weekly basis, cybersecurity professionals have to keep an eye on the future so that they can modify their approach in the present.
However, legislation is not driving the change in cybersecurity–attackers are. As soon as we catch on to a method of attack, hackers find another way to fight back and use our expectations against us. The cybersecurity strategies of today will soon be outdated, because attackers will always find a way to work around them.
Cybersecurity is becoming a game of cat and mouse. You need to be a few steps ahead of attackers. Of course, this is easier said than done. The truth is, they are probably already a few steps ahead of you.
Tom Kellermann, the Head of Cybersecurity Strategy at cloud computing company VMware Inc., is well aware of this issue. Here’s what he says about how cybersecurity professionals can adapt to the morphing landscape:
Cyber Criminals Are Becoming National Assets
In 2000, cybersecurity started to become a national concern, when top White House counterterrorism advisor–Richard A. Clarke–warned about a war in cyberspace, likening the threat to a “digital Pearl Harbor.”
Looking back, Kellermann seems to think that was an understatement. “We’re dealing with a multiplicity of actors,” he says. “It’s more like a free fire zone…you have nation states that have created a protection racket around their very best cyber criminals, seeing them as essentially national assets.”
In exchange for protection, these privateers have three obligations: They can’t hack anything within sovereign boundaries; when called upon to share interesting access, they must do so; and most importantly, they must attack any targets picked by the nation state.
This dynamic has become more significant in recent years. “This pandemic has been a boon to the cybercrime cartels,” says Kellermann. Considering how the lockdown has hindered the ability of organized crime groups to sell drugs or traffic humans, many criminals migrated to the Internet.
The establishment of cybercrime as a geopolitical weapon has led to a more mainstream, accessible, brokerage market. Kellermann describes this market as one where direct access to backdoors is being dealt to attackers. Around $25,000 will get you into a large corporation, while U.S. government agencies go for closer to $100,000.
The SolarWinds Hack Did Not Occur In A Vacuum
When mapping out the future of cybersecurity, Kellermann references the infamous SolarWinds hack that occurred in late 2020 and left several U.S. agencies compromised. While viewed as something of an anomaly at the time, Kellermann seems to think it will set the tone for the new era of attacks.
The attack was groundbreaking because it used malware that gave the attackers full access to their victims’ network traffic and systems. This meant that if your company downloaded the malware, the hackers could target your customers too, creating an endless chain of potential victims. Even after the attack was discovered, it was clear that many victims unknowingly continued to be infiltrated.
Kellermann has an analogy for this. If the attacks of the past were a burglary, they have now escalated to the point of a home invasion.
“[It goes] beyond the theft of sensitive information, whether it’s trade secrets, PII, credit card numbers or even wire transfers,” he says. “[Attackers] want to maintain persistence. They want to essentially commandeer the environment and use it to attack the constituencies.”
This phenomenon of attackers infiltrating a company’s infrastructure and using it to attack their customers is called island hopping–and it’s amplifying the potential consequences of cyber attacks. “Our worst case scenario is no longer the exfiltration of our sensitive data. It’s no longer ransomware crippling our systems. It’s our infrastructure being used to attack our customers.”
Of course, this raises the legal question of whether victims of island hopping will be held liable for the damage experienced by their customers, even if they weren’t aware of the attack. Kellermann seems to think so. “I do think this is going to be the year where you’re going to see lawsuits associated with negligence, as it relates to entities who either didn’t know an attack was happening or were criminally negligent in stopping it.”
Adversaries Are Already Omniscient. So When Do They Become Telepathic?
When attackers invade a network, chances are they’re all-knowing. That’s the current reality.
However, Kellermann’s biggest concern is the next step. At what point will they become telepathic, not just reading our minds but changing them?
This transition to so-called “digital telepathy” might already be happening–41 percent of attackers manipulate timestamps as part of their strategy. “When that actually moves and progresses to another level of manipulating the integrity of data, we have serious consequences,” says Kellermann.
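The timestamp manipulation Kellermann describes leaves traces that a defender can check for. The following is an added example, not code from the article or from VMware: it applies two well-known forensic heuristics (user-mode APIs rewrite only the NTFS $STANDARD_INFORMATION times, never $FILE_NAME, and whole-second values lose the 100 ns precision) to constructed file metadata records; the FileRecord layout and sample paths are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class FileRecord:
    """Constructed NTFS metadata; times are seconds since epoch with a sub-second fraction."""
    path: str
    si_created: float    # $STANDARD_INFORMATION creation time (writable via user-mode APIs)
    si_modified: float   # $STANDARD_INFORMATION last-write time
    fn_created: float    # $FILE_NAME creation time (maintained by the kernel)
    fn_modified: float   # $FILE_NAME last-write time

def timestomp_indicators(rec: FileRecord, slack: float = 1.0):
    """Return the reasons this record's $SI times look manipulated.

    Heuristics, not proof: copy and archive-extraction tools legitimately produce
    an old $SI modified time, so correlate hits with what else ran on the host.
    """
    reasons = []
    # 1. $FN is set by the kernel on create/rename and is not touched by SetFileTime,
    #    so an $SI creation time older than the $FN creation time is inconsistent.
    if rec.si_created + slack < rec.fn_created:
        reasons.append("si_created_before_fn_created")
    # 2. A last-write time that predates the file's arrival on this volume.
    if rec.si_modified + slack < rec.fn_created:
        reasons.append("si_modified_before_fn_created")
    # 3. Timestamps set from whole-second values have an all-zero sub-second part.
    for field in ("si_created", "si_modified"):
        value = getattr(rec, field)
        if value == int(value):
            reasons.append(f"{field}_zero_subsecond")
    return reasons

def scan(records):
    """Map path -> indicator list for every record that has at least one indicator."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits

# Constructed sample: one ordinary document and one file whose $SI times were pushed
# back to a round value long before the file appeared on the volume.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\analyst\report.docx",
               1700000100.1234567, 1700003600.9876543, 1700000100.1234567, 1700000100.1234567),
    FileRecord(r"C:\Windows\Temp\svc.exe",
               1500000000.0, 1500000000.0, 1700004000.5123456, 1700004000.5123456),
]
```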
Although artificial intelligence is being rightfully embraced as a cybersecurity tool, it has the potential to be targeted and manipulated too. That’s the natural Achilles heel of a technology that is so reliant on time and the integrity of inputs–two things that hackers are increasingly undermining.
Another concern is that attackers are targeting backups first. “First, they go into your backups, linger, move laterally from your backups into your infrastructure to exfiltrate sensitive documentation associated with the organization. And then they wait–then linger some more before they encrypt you,” says Kellermann, describing what is known as “dwell time.”
These complicated tactics are indicative of the fact that attackers have the resources and know-how of sophisticated corporations. Most malware is customized with built-in evasion techniques depending on the target. Attackers know organizations are over-relying on backups, so they exploit that in order to continue to extort after handing over the sensitive documentation. “Some of these groups are so aware of your business model that they will threaten to release your information or dox you with the regulators who regulate you.”
Incident Response Will Need To Become Modernized
In a simpler time, the sound response to a cyber attack was the most intuitive one: when you come across a command and control (C2) server, just terminate it!
Automatically terminating a C2 is no longer in your best interests. “The second you automatically terminate that initial C2 you’re setting off the timer for the secondary C2 and you’re making an assumption that there is no secondary C2,” says Kellermann. “Now the adversary is still in your house.”
Kellermann notes that counter incident response is deployed in 63 percent of attacks. Attackers are prepared for you to find them eventually, so when you do, they fight back to maintain persistence.
So what can we do? We need to eliminate these secondary C2s, which will inherently involve containing and hunting attackers–without them knowing.
This is all about assuming the worst. Assume that the attackers will have multiple paths back into an organization, such as a secondary C2. Assume they will manipulate timestamps. Assume they will drop ransomware or wipers into your system.
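Hunting for a dormant secondary C2 without tipping off the adversary starts with passive telemetry. The following is an added example, not code from the article or from VMware: it groups outbound connection records by host, destination and port and flags channels whose check-in intervals are suspiciously regular, which is how a scheduled fallback beacon typically looks in netflow or proxy logs. The record layout, thresholds and sample connections are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records: (epoch_seconds, src_host, dst_ip, dst_port).
# Channel A: near-periodic check-ins (about 300 s with small jitter) to 203.0.113.5.
# Channel B: irregular, human-looking traffic from the same host to 198.51.100.9.
_JITTERED_GAPS = [300, 296, 304, 301, 299, 303, 297, 300, 302, 298, 300]
_channel_a, _t = [], 1000
for _gap in [0] + _JITTERED_GAPS:
    _t += _gap
    _channel_a.append((_t, "ws-017", "203.0.113.5", 443))
_channel_b = [(1000 + d, "ws-017", "198.51.100.9", 443)
              for d in (7, 190, 211, 900, 1450, 1480, 2600, 3100)]
SAMPLE_CONNECTIONS = sorted(_channel_a + _channel_b)

def interval_stats(times):
    """Return (count, mean_gap, coefficient_of_variation) for a sorted time list."""
    if len(times) < 4:
        return len(times), 0.0, None
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return len(times), m, (pstdev(gaps) / m if m > 0 else None)

def find_beacons(connections, min_count=6, max_cv=0.2):
    """Group by (src, dst, port) and flag channels whose gaps are nearly constant.

    A low coefficient of variation means the host calls out on a fixed schedule.
    Treat hits as hunting leads to correlate with process and DNS telemetry,
    not as verdicts; legitimate update agents beacon too.
    """
    buckets = defaultdict(list)
    for ts, src, dst, port in connections:
        buckets[(src, dst, port)].append(ts)
    flagged = []
    for key, times in buckets.items():
        n, m, cv = interval_stats(sorted(times))
        if n >= min_count and cv is not None and cv <= max_cv:
            flagged.append({"channel": key, "count": n,
                            "mean_gap_s": round(m, 1), "cv": round(cv, 3)})
    return sorted(flagged, key=lambda f: f["cv"])

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(hit)
```

Real beacons add deliberate jitter, so max_cv must be tuned against a baseline of the environment's own scheduled traffic before the output is useful.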
Kellermann poses some questions you need to ask yourself when dealing with an intrusion:
Where did the attack come from? Could it have been through a partner? A customer? A regulator?
If there is no destruction or exfiltration, how will you detect where the attacker is and where they are going?
Is the agent you’ve deployed for endpoint detection and response (EDR) in monitor-only mode?
Have you baselined your organization for telemetry?
Do you have the capacity to detect threats in workloads, given that everyone’s migrating to cloud and containers?
Do you have the capacity to dynamically segment networks, both professional and personal, specific to threats perceived on the endpoint or the network, because of behavioral anomalies, or because of lateral movement?
How do you decrease dwell time?
How do you account for the added risk of a remote work environment?
In a sense, it’s fighting fire with fire. “We really need to think about the behavioral cognitions that would generate behaviors, and focus on the second stage: maintain and manipulate.”
While all that sounds challenging, some defense tactics are as simple as selecting the right messaging platform. “I can’t believe how many times I run into organizations that are using Slack or Teams to communicate about an intrusion,” says Kellermann. “I highly recommend only one application for this type of communication: Signal.”
Perimeter Defense Is Dead, Zero Trust Is Not Enough
Anyone who is familiar with zero trust should be well aware of the death of the perimeter defense approach, also known as castle-and-moat. While cybersecurity used to be about keeping imposters out of your network, it’s now about not handing out access to any agent, even if they come from the inside.
“To do that, network detection response must be integrated with workload security, which must be integrated with Endpoint Protection,” says Kellermann.
He emphasizes that this means that network segmentation must be dynamic. It must be able to respond to anomalies in real time, segmenting the network so that the infrastructure can defend itself without the attacker being able to tell.
“This goes beyond zero trust,” emphasizes Kellermann. “Zero trust must go beyond endpoints and identities all the way to apps and infrastructure. Zero trust allows you to detect, deceive, divert, contain and hunt an adversary, unbeknownst to an adversary, in your environment–because they will get into your environment.”
In short, it’s not just about protecting yourself against internal threats. It’s about finding a way to navigate them without setting off alarms. The only way to remain one step ahead of attacks is to evade them, giving them no reason to activate their secondary C2. “The greatest trick the devil ever pulled was to convince the world he didn’t exist,” says Kellermann. “And the devil, my friends, is somewhere in your infrastructure.”