
Is my business really under attack from China?

Photo credit: karen roach / Shutterstock

Stories in the national and international media about state-sponsored cyber teams targeting rival, and in some cases allied, government IT networks for intelligence and intellectual property seem like something out of an Ian Fleming novel. But what relevance does any of this have to a print works owner in Milton Keynes, or a small legal firm in Aberdeen?

Just this month, CrowdStrike released its mid-year threat report which highlighted that China was the most prolific nation-state threat actor during the first half of 2018. Data shows that Chinese adversaries have made targeted intrusion attempts against multiple sectors of the economy, including biotech, defence, mining, pharmaceutical, professional services, and transportation.

The threat is very real and growing. CrowdStrike’s report suggested that 48 per cent of the cases it identified in the past year involved targeted intrusions from adversaries with a nation-state nexus, while 19 per cent were conducted by eCrime actors.

But many business owners struggle to see why this matters to them, and why this is anything other than the script of a spy novel or film.

The reality is that we should all be concerned about and aware of these sorts of attacks, accept that they are the new normal for business and IT, and be prepared for them.

The often sophisticated tools and techniques developed by these state agencies find their way, intentionally or otherwise, into the dark economy, where they are picked up and reused by ordinary criminal enterprises.

For example, the infamous WannaCry ransomware attack of May 2017, which crippled large parts of the NHS and was reportedly the work of the Stardust Chollima group acting on behalf of the North Korean government, spread using an exploit called EternalBlue. EternalBlue did not target Windows applications; it exploited a vulnerability in the SMBv1 file-sharing implementation of Microsoft Windows itself, a flaw Microsoft had already patched as MS17-010 in March 2017, two months before the outbreak, so systems that had applied the update were not affected. The exploit was reported to be a leaked 'cyber weapon' developed by the US National Security Agency (NSA), America's signals intelligence agency, to gain access to computers used by terrorists and enemy states, and it was published by a group calling itself the Shadow Brokers in April 2017.

Targeting the supply chain

Sometimes, in return for conducting their host Government’s politically or economically motivated campaigns as required, these groups have a kind of ‘safe haven’ to freelance and conduct their own cyber campaigns and attacks, using the very same tools and techniques.

Furthermore, as the cyber defences of government agencies, banks and other critical infrastructure providers have grown more sophisticated, cybercriminals have gone looking for the next weak link in their intended target's defences. Increasingly that link is the supply chain: partner businesses and suppliers are compromised in order to gain access to the real target's network and systems.

In January 2018, the UK National Cyber Security Centre warned of the increased supply chain risk that most organisations face from third-party software providers, website builders, third-party data stores and watering hole attacks, in which the attacker compromises a website frequented by users within a targeted organisation, or even an entire sector such as defence, government or healthcare.

CrowdStrike's own report describes software supply chain attacks as those in which malicious code is injected at the source of a signed and trusted application, so that the tampered build carries the vendor's legitimate signature and is then distributed through the vendor's own software update mechanism. The idea is to contaminate the trusted source and thereby reach a huge pool of victims who have already chosen to trust it.

An example was NotPetya in June 2017: a destructive payload disguised as ransomware was injected into an update of M.E.Doc, a Ukrainian accounting package, and delivered to customers through the software's own update mechanism. The same happened with the CCleaner attack of August 2017, when attackers inserted malicious code into the CCleaner 5.33 build before it was signed and distributed to users as a legitimate update.

From the cybercriminal's perspective, targeting the supply chain makes sense. Why go directly at the target and contend with sophisticated, layered cyber defences which, although they could be compromised, would take a long time to get through? Far better to find the weak link and target that instead.

Ensuring a fast response

It is often far easier to hack into a small vendor or partner and use their software to quietly carry the malicious code into larger enterprises, bypassing most of those enterprises' cyber defences in the process.

To stop these sorts of attacks, and to make the leap from a partner's network into your own harder, it is important to use behaviour-based attack detection that can recognise a trusted, signed application behaving maliciously, since the malicious update will pass any check that relies on the signature alone. Segmented network architectures and real-time vulnerability management give businesses better visibility of this threat, which is the first step towards protecting against it. It is also vital to improve controls over the use of privileged credentials in the environment, including shared and embedded admin accounts, because those credentials are what allow bad code to spread quickly once it has a foothold.

But defending against the threat as it happens is only one part of a successful cyber defence strategy. Enterprises also need to get ahead of future attacks by making use of threat intelligence that provides the data and context needed to defend proactively against new ones. Proactive measures that evaluate the effectiveness of an organisation's cybersecurity, such as red teaming and tabletop exercises, are critical as threats and techniques continue to evolve.

Today's adversaries are persistent in their mission to target and infiltrate all types of industries, so organisations need to ensure they can respond to attacks quickly. A useful measure here is what we call breakout time: the time it takes an intruder to begin moving laterally from the first compromised system to other systems within an organisation's network. The average breakout time is one hour and 58 minutes, which is a tight window in which an organisation must detect, investigate and contain the intrusion before it turns from an incident into a breach.
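To make breakout time concrete, the following is an added example (not CrowdStrike's code or tooling) that measures it from a stream of endpoint and authentication events. The log format, the field names (`malware_exec`, `remote_logon`, `src`, `dst`) and the sample lines are constructed for illustration; in practice the same logic would be fed by an EDR alert for the initial compromise and by authentication telemetry such as Windows network logon events for the lateral moves. It treats the first malicious execution as the initial compromise, counts the first authentication from a compromised host to a different, not-yet-compromised host as the first lateral move, and follows subsequent hops so the whole chain is visible.

```python
"""Measure breakout time: initial compromise -> first lateral movement.

Added example for this article, not CrowdStrike code. The event format, field
names and SAMPLE_LOG below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log, one event per line: "<ISO timestamp> <event> key=value ...".
#   malware_exec  - endpoint alert: malicious process ran on host (initial compromise)
#   remote_logon  - authentication from host src to host dst (what a lateral move looks like)
# Note the first line: a legitimate logon that happens BEFORE the compromise and
# must not be counted, and the third line: a logon to the same host (no movement).
SAMPLE_LOG = """\
2018-06-04T09:12:03Z remote_logon src=WS-FINANCE-07 dst=FILESRV-01 user=alice
2018-06-04T09:15:41Z malware_exec host=WS-FINANCE-07 proc=invoice.pdf.exe
2018-06-04T09:40:10Z remote_logon src=WS-FINANCE-07 dst=WS-FINANCE-07 user=alice
2018-06-04T10:02:55Z remote_logon src=WS-FINANCE-07 dst=FILESRV-01 user=svc_backup
2018-06-04T10:30:12Z remote_logon src=FILESRV-01 dst=DC-01 user=svc_backup
"""

# The average breakout time quoted in the article, used as a benchmark.
AVERAGE_BREAKOUT = timedelta(hours=1, minutes=58)


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format and return events sorted by time."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, kind, *kvs = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(ts, kind, fields))
    events.sort(key=lambda e: e.ts)
    return events


@dataclass
class Intrusion:
    initial_host: str
    initial_time: datetime
    # (time, src, dst) for each hop to a previously uncompromised host, in order
    lateral_hops: list = field(default_factory=list)

    @property
    def breakout_time(self) -> Optional[timedelta]:
        """Time from initial compromise to the first lateral move, or None if none yet."""
        if not self.lateral_hops:
            return None
        return self.lateral_hops[0][0] - self.initial_time


def measure_breakout(events: list[Event]) -> Optional[Intrusion]:
    """Walk the event stream and reconstruct the intrusion's lateral-movement chain.

    A remote_logon counts as lateral movement only if its source host is already
    compromised and its destination is a different host not yet compromised.
    Logons before the first malware_exec are ignored (events are time-ordered).
    """
    compromised: dict = {}          # host -> time it became compromised
    intrusion: Optional[Intrusion] = None
    for e in events:
        if e.kind == "malware_exec":
            host = e.fields["host"]
            if intrusion is None:
                intrusion = Intrusion(host, e.ts)
            compromised.setdefault(host, e.ts)
        elif e.kind == "remote_logon" and intrusion is not None:
            src, dst = e.fields["src"], e.fields["dst"]
            if src in compromised and dst != src and dst not in compromised:
                intrusion.lateral_hops.append((e.ts, src, dst))
                compromised[dst] = e.ts  # the attacker now owns dst too
    return intrusion


def faster_than_average(intrusion: Intrusion, benchmark: timedelta = AVERAGE_BREAKOUT) -> bool:
    """True if responders had less than the benchmark window before the first hop."""
    bt = intrusion.breakout_time
    return bt is not None and bt < benchmark


if __name__ == "__main__":
    result = measure_breakout(parse_log(SAMPLE_LOG))
    print(f"initial compromise: {result.initial_host} at {result.initial_time}")
    print(f"breakout time: {result.breakout_time}")
    for ts, src, dst in result.lateral_hops:
        print(f"  {ts}  {src} -> {dst}")
    print("faster than the 1h58m average:", faster_than_average(result))
```

On the constructed sample the breakout time is 47 minutes 14 seconds, well inside the quoted average, and the chain continues from the file server to the domain controller 27 minutes later. The interesting engineering decision is the one in the comment on `measure_breakout`: the pre-compromise logon from the same workstation to the same file server is discarded, so the metric measures the attacker's movement rather than the victim's normal working pattern, which is exactly the distinction a behaviour-based detection has to make.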

Cybercrime is a threat that every business faces, no matter how small or remote, and ignoring it is tantamount to the ostrich sticking its head in the sand: the threat remains, it just isn't seen coming.

Richard Olver, VP EMEA, CrowdStrike