29th September 2020
SureCloud, a provider CREST and CHECK accredited Cybersecurity services, was approached by Verdict Magazine to explore nation-state hacking.
A recent UK report on Russian interference highlighted the issue of state-backed cyberattacks. SureCloud’s Cybersecurity Consultant, Corisande, spoke to the magazine, offering her insight into nation-state hacking and how businesses can stay protected. The full article can be found here, or check out her answer in full below!
The Nation-State Actor is motivated by nationalism and tasked with gathering intelligence from or disrupting other nations via cyber means, or exploiting money from systems and people. This type of warfare has proven itself a low-cost, high-payoff way to defend national sovereignty and project national power.
The most common targets range from the technology industry (Google, Intel, RSA’s SecureID authentication), Financial Services or Influential Businesses (Operation Aurora), The Media, or other critical infrastructures, such as Government or Military offices or Gas and Electricity companies.
Overall, targets are likely to be organisations that own sensitive intellectual property, control significant finance, or are otherwise important to the running of or economy in the target country. A local bakery is unlikely to be a target, whereas a chemical processing company with proprietary compounds is far more likely to attract the attention of nation-states.
There are exceptions, though, such as when the target is a specific piece of technology (in the case of WhatsApp) where a huge amount of research and exploitation effort went into the compromise.
But once a Nation-State attacker is inside the target network, they tend to break out the 0days. At this point, they will have greater situational awareness of an organisation and more chances to ensure they’re not detected. So, utilising a collection of 0day exploits is both more likely to help them achieve their goal and less likely to have the exploit caught and rendered uselessly or “burned.”
Cyber-attacks result in unquantifiable damage. Loss of reputation, loss of value, and the effects of data law breaches, such as GDPR, the after-effects of a nation-state cyber-attack vary from industry to industry, company to company, and from day to day.
In general, the following are often associated with the consequences of an attack of this nature:
Although large-scale companies that succumb to such attacks often come out on the other side, it can set them back decades of growth.
The most critical first step is to understand what the motive for an attack would be. If the company owns the sensitive intellectual property, theft would be a likely motive. Similarly, if the organisation opposes a nation-state on a particular topic, a destructive attack may be more likely. Defending against high-effort attacks is expensive, and understanding the most likely targets within an organisation can help apply protections more effectively. When defending against Nation-State levels of attack, having a mature and empowered security team is absolutely essential:
Integrate security into the culture. Teach all your employees the importance of Cyber Security, not just the IT department. The human level of defence is what is most often exploited, thus usually the weakest part of the chain, but it can also be the strongest!
The ISC’s report had a broad focus, and only 2 pages (sections 13 to 20) focused significantly on the UK’s defensive cybersecurity posture. What was clear is that the UK government has already adopted an attribution strategy. This means if a Nation-State is found to be the perpetrator of an attack, this attribution will be made public as a method to “name and shame” the responsible party on the global stage. The options for reaction are often limited when state-sponsored attacks are committed from within their own borders, no nation-state is going to extradite its own citizens to face justice in a foreign country. It is important to note that there was no mention of using offensive cybersecurity capabilities specifically as retaliation to nation-state cyber-attacks. The above response is based on the contents of the redacted ISC report without the classified Annex or evidence.
Corisande Evans, one of SureCloud’s Cybersecurity consultants, delivers a variety of pen-testing and cybersecurity-related engagements. Corisande has a background in Forensics and Open Source Intelligence Investigations as well as Red Teaming and both physical and technical Social Engineering.
Corisande is passionate about security, especially about security awareness. She has delivered training sessions to a range of different skill and seniority levels to ensure that the first line of defence, ‘The Human at the Keyboard’ has the best chance to fight against opportunistic attackers. Cori is a proud member of the Security Senoritas.
SureCloud provides Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization will benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information, taking your risk programs to the next level.