
Defending against state-sponsored cyber-attacks

(Image credit: Geralt / Pixabay)

With 648 cyber threats occurring every minute and cybercrime costing organizations $1.79 million per minute, the global scope of many cyber-attacks – such as the SolarWinds compromise and the Microsoft Exchange vulnerabilities, which reached organizations of every size and sector – is putting pressure on CISOs. In recent months, more than a dozen zero-day exploits have been used in the wild, an unprecedented rate of successful intrusion that makes security leaders' lack of control and visibility painfully evident.

Hackers taking advantage of digital transformation  

The frequency of advanced persistent threats (APTs) is rising, and their impact is becoming more devastating and widespread. The Microsoft Exchange vulnerability initially affected more than 400,000 servers worldwide. These sophisticated attackers are exploiting digital transformation: as the enterprise extends onto the internet, it inherits the internet's innate connectedness.

The problem is that each of the internet's components is an individual thread woven together to create the web. If an organization has an internet presence, it is interwoven with every other entity on the web, including attackers. State-sponsored threat actors running campaigns against businesses that all use the same vulnerable systems are counting on exactly this interconnectivity.

Since digital transformation is not going anywhere, businesses must ensure they do not fall back on outdated cybersecurity methods to solve this crisis. First, they must realize that the internet's deep interconnectivity has the good guys, bad guys, and everyone in between linked via deep digital relationships. Then, they must understand how cyber threat actors are using this to their advantage and how the security community can begin to use it to theirs. Ultimately, those organizations that understand how those connections work – the good or the bad – will win.

The extent of the SolarWinds breach  

In today’s digital world, the internet is the perimeter – one we all share whether we like it or not – and the SolarWinds hack is proof of that. In the SolarWinds breach, foreign hackers inserted a backdoor, called SUNBURST, into legitimate, signed builds of SolarWinds’ Orion IT-monitoring software. Because Orion runs with broad access to the networks it monitors, the backdoor amounted to a full takeover of the product. Every customer that installed a trojanized build received the backdoor at once.

The SolarWinds attack raised huge alarm bells for the cybersecurity community. After all, victims included the Department of Homeland Security, the Treasury Department, Deloitte, and Microsoft, to name a few. SolarWinds proved that APTs are more sophisticated than many thought possible. The revelation that hackers could Trojanize software from an IT company as trusted as SolarWinds was an eye-opener.

Just as the cybersecurity sector came to grips with the unprecedented SolarWinds intrusion, the Microsoft Exchange vulnerability emerged. This pattern will undoubtedly continue, meaning that everyone – not just the most valuable IP holders – is at risk due to the nature of big data and the sophistication of APTs and nation-state actors.

Effective threat defense 

The scale of a business’s attack surface – including digital supply chains, partners and the IT that enables a remote workforce – has simply become too large. Meanwhile, internet-scale cyber threats are the smallest of needles in massive data haystacks. Companies must be able to crawl the internet and build a real-time map that exposes the deep digital relationships that make up the global attack surface.

Mapping the internet shows the relationships between cyberattack victims and perpetrators. Indeed, organizations are often not aware that they are running the vulnerable systems that act as inroads for attackers, so preventing attacks, let alone responding to them, is impossible. With complete visibility, organizations can know what they don’t know and understand – from a global perspective, once thought to be impossibly large – where the threats and vulnerabilities most critical to them are hiding. 
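The paragraph above argues that organizations often do not know they run, or depend on, a vulnerable system. The following is an added example, not RiskIQ's code or product, of the data structure behind such a map: crawl-style observations (DNS, CNAMEs, certificate SANs) are loaded into an undirected relationship graph and queried for every asset inside one organization's footprint on which a given product was observed, including third-party hosts the organization reaches only through a CNAME. All hostnames, addresses, product strings and the `OBSERVATIONS` list are constructed for the example; the product names are placeholders, not statements about which versions are vulnerable.

```python
"""Added example, not RiskIQ's code: a small attack-surface map built from
constructed crawl observations, queried for exposure to a named product.
All hostnames, addresses and product strings below are hypothetical."""
from collections import defaultdict, deque

# Constructed observations of the kind an internet crawl would yield,
# as (source, relation, target) triples.  Hypothetical data.
OBSERVATIONS = [
    ("example.com", "subdomain", "mail.example.com"),
    ("example.com", "subdomain", "monitor.example.com"),
    ("example.com", "subdomain", "shop.example.com"),
    ("example.com", "resolves_to", "203.0.113.10"),
    ("mail.example.com", "resolves_to", "203.0.113.20"),
    ("203.0.113.20", "cert_san", "autodiscover.example.com"),
    ("mail.example.com", "runs", "Exchange Server 2016"),
    # monitoring is outsourced: the CNAME points at a hosting partner
    ("monitor.example.com", "cname", "orion.hosting-partner.net"),
    ("orion.hosting-partner.net", "resolves_to", "198.51.100.5"),
    ("orion.hosting-partner.net", "runs", "SolarWinds Orion"),
    ("shop.example.com", "cname", "cdn.thirdparty-cdn.net"),
    # an unrelated organisation that happens to run the same product
    ("nms.unrelated.org", "runs", "SolarWinds Orion"),
]

# Relations that link one asset to another.  "runs" is deliberately excluded:
# it is an attribute of a host, and traversing it would join every
# organisation that runs the same product into one footprint.
LINK_RELATIONS = {"subdomain", "resolves_to", "cname", "cert_san", "mx"}


class AttackSurfaceMap:
    def __init__(self, observations):
        self.links = defaultdict(set)     # asset -> neighbouring assets (undirected)
        self.products = defaultdict(set)  # asset -> products observed on it
        for src, rel, dst in observations:
            if rel in LINK_RELATIONS:
                self.links[src].add(dst)
                self.links[dst].add(src)  # a shared IP or cert links both ways
            elif rel == "runs":
                self.products[src].add(dst)

    def footprint(self, apex):
        """All assets linked to the apex domain, directly or transitively."""
        return set(self._bfs(apex))

    def path(self, start, goal):
        """Shortest chain of relationships from start to goal, or None."""
        parents = self._bfs(start)
        if goal not in parents:
            return None
        chain = [goal]
        while chain[-1] != start:
            chain.append(parents[chain[-1]])
        return chain[::-1]

    def exposed_assets(self, apex, product):
        """Assets inside apex's footprint on which `product` was observed,
        including third-party hosts the organisation may not know it depends on."""
        fp = self.footprint(apex)
        return sorted(a for a in fp if product in self.products.get(a, ()))

    def _bfs(self, start):
        # breadth-first search recording each node's parent, so path() can
        # reconstruct how the organisation is connected to a given asset
        parents = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in self.links.get(node, ()):
                if nxt not in parents:
                    parents[nxt] = node
                    queue.append(nxt)
        return parents


if __name__ == "__main__":
    m = AttackSurfaceMap(OBSERVATIONS)
    for product in ("SolarWinds Orion", "Exchange Server 2016"):
        for asset in m.exposed_assets("example.com", product):
            print(product, "->", asset, "via", " -> ".join(m.path("example.com", asset)))
```

Run as-is, the map reports `orion.hosting-partner.net` as part of `example.com`'s exposure to the placeholder product, reached through `monitor.example.com`, while `nms.unrelated.org` stays outside the footprint. The design point is the `LINK_RELATIONS` filter: a product name is an attribute, not a link, and treating it as a link would merge every customer of the same vendor into one graph component.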

Actionable security intelligence 

Security teams need actionable security intelligence that provides a bird's-eye view of the global attack surface, shows precisely how their organization's unique internet relationships fit inside it, and highlights the threats most critical to the enterprise's one-of-a-kind digital footprint.

Security programs also need a robust budget for threat intelligence and forensic hunting capabilities. Security teams must be able to respond immediately and decisively to attacks, so investing preemptively in threat intelligence data and systems is critical. CISOs must also have an advanced incident-response function and the data to support it. They must be able to answer questions such as: what is the nature of the attack? Which parts of the network are vulnerable? Has the company been breached? What evidence did the attack leave behind? Answering these questions for the first time while the attack is already under way is far harder than preparing the answers in advance.

To this end, it is vital to rely upon in-depth internet reconnaissance to understand the different threat actors. After all, specific threat actors exhibit different tactics, techniques, and procedures; they also possess different assets and exploit different vectors. Intelligence gathering on the deep and dark web – the natural hiding place of threat actors – provides additional context about an adversary; for example, where they have attacked before, where they might attack again, or what sort of information they are stealing.

These investigations take time because they deal with a huge number of events every day. Automation is therefore required to integrate internet visibility into the core applications used within security operations, through techniques such as reputation scoring and event enrichment that allow responses to be automated efficiently.
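The reputation scoring and event enrichment mentioned above, as an added example that is not RiskIQ's code or a description of its platform: constructed proxy log lines are parsed, each event's hostname and destination IP are looked up in a constructed reputation feed, the worse hit is attached to the event, and a block/alert/log action is chosen from the score. The feed format, the `MAX_AGE_DAYS` threshold, the score thresholds in `decide()` and all hosts and addresses are assumptions made for the example. One failure mode the example handles deliberately: an indicator the feed has not seen for months is downgraded rather than blocked outright, since stale intel is a common source of false positives in automated response.

```python
"""Added example, not RiskIQ's code: enriching proxy events with reputation
scores from an intelligence feed and choosing an automated response.
Log lines, feed entries, hosts and addresses are all constructed."""
import re
from datetime import date

# Constructed proxy log lines (hypothetical hosts, RFC 5737 test addresses).
LOG_LINES = [
    "2021-04-02T10:15:01Z src=10.0.4.17 dst=198.51.100.77 host=update.example-cdn.net status=200",
    "2021-04-02T10:15:07Z src=10.0.4.17 dst=203.0.113.9 host=bad-host.example status=200",
    "2021-04-02T10:16:30Z src=10.0.9.3 dst=192.0.2.44 host=login.example.org status=302",
]

# Constructed reputation feed: indicator -> (score 0-100, tags, last seen).
FEED = {
    "bad-host.example": (95, ("c2",), date(2021, 3, 30)),
    "192.0.2.44": (85, ("phishing",), date(2020, 9, 1)),  # not seen for months
}

AS_OF = date(2021, 4, 2)   # "today" for the example, so it runs offline
MAX_AGE_DAYS = 90          # assumed staleness threshold
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) status=(?P<status>\d+)$"
)


def parse(line):
    """Split one proxy log line into its fields; reject lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def reputation(indicator, as_of=AS_OF):
    """Score for one indicator. Stale entries are halved rather than trusted blindly."""
    entry = FEED.get(indicator)
    if entry is None:
        return 0, (), False
    score, tags, last_seen = entry
    stale = (as_of - last_seen).days > MAX_AGE_DAYS
    return (score // 2 if stale else score), tags, stale


def decide(score):
    """Map a score to an automated action (thresholds are assumptions)."""
    if score >= 80:
        return "block"
    if score >= 40:
        return "alert"
    return "log"


def enrich(event, as_of=AS_OF):
    """Look up both the hostname and the destination IP; keep the worst hit."""
    best = {"indicator": None, "score": 0, "tags": (), "stale": False}
    for ind in (event["host"], event["dst"]):
        score, tags, stale = reputation(ind, as_of)
        if score > best["score"]:
            best = {"indicator": ind, "score": score, "tags": tags, "stale": stale}
    return {**event, **best, "action": decide(best["score"])}


def process(lines, as_of=AS_OF):
    """Parse and enrich every line, returning one enriched event per line."""
    return [enrich(parse(line), as_of) for line in lines]


if __name__ == "__main__":
    for ev in process(LOG_LINES):
        print(ev["action"], ev["host"], ev["dst"], ev["score"], ev["tags"],
              "(stale indicator)" if ev["stale"] else "")
```

With the constructed data the first event has no feed match and is only logged, the second matches a current high-confidence indicator and is blocked, and the third matches an address last seen seven months ago, so its score is halved and it is raised as an alert for an analyst instead of being blocked automatically. Checking both the hostname and the resolved address matters because feeds key on either, and an attacker can rotate one while keeping the other.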

The huge cyberattacks of 2021 are likely to increase in cadence as the global powers continue to exploit the seamless boundaries of the internet, targeting organizations and their digital supply chains. In this dynamic, the task of CISOs and their security teams has never been more important, because the enemy's capabilities only increase. Holistic intelligence into the cyber threat dynamic is the only true way that companies can best remain safe.

Rather than taking an ‘on-the-fly’ approach, businesses must invest in and hone their incident response infrastructure before the inevitable attack happens. Ultimately, organizations must take a preemptive approach to cybersecurity. After all, even the most secure organizations in the world can be victimized by the vulnerability of big data.

Adam Hunt, CTO and Chief Data Scientist, RiskIQ

Adam Hunt leads the data science, data engineering and research teams at RiskIQ, pioneering research automating detection of adversarial attacks across disparate digital channels including email, web, mobile, social media.