Interviews

Nation state attacks

by Mark Rowe

Mike Auty, senior security researcher from MWR InfoSecurity, writes on what nation states’ cyber attacks really tell us.

The initial reaction following a breach is usually emotional – “how could somebody do this to me?”. Once we understand the background to nation-state hacking and how these attacks operate, however, it becomes necessary to develop a rational approach that sees attacks simply as a part of doing business. For most nation-state sponsored attackers, targeting foreign companies is a day job – it is more economically feasible to steal information. The consequences are negligible, partly because accurate attribution is hard to achieve; even when the perpetrator is identified, geo-political boundaries usually prevent direct action. Realistically, the main risk for the attacker is being caught and needing to start over. The game is stacked in favour of hackers for several reasons:

· They have unlimited time and resources.

· Little recourse can be taken across international borders.

· An organisation doesn’t primarily focus on its defences.

There are, however, a few rules that the attacker must play by as well:

· The attackers need their code to run inside the target organisation.

· To have control, they need to communicate back out.

· Attackers need to maintain visibility on their areas of interest.

The risk and cost are considerably greater if the attacker is physically present within the target company; therefore, in practice they can only see what they can access via the network. Because they are trying to maintain access, their biggest dilemma is being detected and then booted out. Attackers commonly use the same malware strain regardless of the target’s size. It will be rewritten and upgraded, but the core functionality and code remain the same. This has been observed numerous times, and such malware can obtain large amounts of data whilst evading detection.

In many investigated examples, malware infections were identified months after the initial infection, with only a few machines compromised. Additionally, there were long periods of inactivity between bursts of attacker activity, and the techniques in use progressively showed advancement. However, simple and obvious methods of persistence and beaconing behaviour have also been witnessed. Companies should accept that doing business means dealing with nation-state actors who will penetrate their networks via spear phishing and by targeting specific, underused machines. It can also take years to detect these incidents, as attackers often compromise a machine and let it sit dormant until they strike.

Attackers are usually discovered when they attempt outside communication or exhibit persistent behaviour. A degree of naivety is still seen in the assumption that the host country of the IP addresses observed conducting the attack must be that of the attackers, when those addresses could actually be the last hop in a long chain of connections. It is likely that the country hosting the IP will not be friendly with the victim’s country, so tracing attempts are likely to fail. All attempts at attribution come with a degree of uncertainty and are therefore, on the whole, futile for anyone other than a government power.
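The two tells named above, outbound communication and regular beaconing, can be hunted passively in existing proxy or firewall logs without touching the compromised host, which fits the “monitor it without letting the attacker know” approach the article goes on to recommend. The following is an added example, not code from the article or from MWR InfoSecurity: it scores each (source, destination) pair by how regular its connection intervals are, flagging pairs with many small, evenly spaced connections. The log format, host names and thresholds are all assumptions constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "timestamp src_ip dst_host bytes" format.
# Host names are placeholders (.invalid TLD). One host calls the same destination
# every hour with a few seconds of jitter; the others are ordinary user traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 update.example-cdn.invalid 512
2024-03-01T09:00:03 10.0.0.12 intranet.corp.invalid 20480
2024-03-01T10:00:01 10.0.0.12 update.example-cdn.invalid 530
2024-03-01T10:17:44 10.0.0.12 news.example.invalid 90112
2024-03-01T11:00:02 10.0.0.12 update.example-cdn.invalid 498
2024-03-01T11:41:09 10.0.0.12 intranet.corp.invalid 1024
2024-03-01T12:00:00 10.0.0.12 update.example-cdn.invalid 520
2024-03-01T12:05:12 10.0.0.12 mail.corp.invalid 4096
2024-03-01T13:00:01 10.0.0.12 update.example-cdn.invalid 505
2024-03-01T13:00:04 10.0.0.12 intranet.corp.invalid 2048
2024-03-01T13:30:00 10.0.0.12 intranet.corp.invalid 777
2024-03-01T14:00:02 10.0.0.12 update.example-cdn.invalid 515
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Group (timestamp, bytes) records by (src_ip, dst_host); skip malformed lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return events


def beacon_score(timestamps):
    """Return (mean interval in seconds, jitter ratio) for a list of timestamps.

    The jitter ratio is stdev / mean of the inter-arrival times: 0 means perfectly
    regular, large values mean human-like, irregular traffic.
    """
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not intervals:
        return 0.0, float("inf")
    mean = statistics.mean(intervals)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.pstdev(intervals) / mean


def find_beacons(text, min_events=4, max_jitter=0.05, max_avg_bytes=2048):
    """Flag (src, dst) pairs with at least min_events connections whose intervals
    are regular (jitter <= max_jitter) and whose payloads are small, which is how a
    check-in beacon looks before any bulk exfiltration starts."""
    hits = []
    for (src, dst), recs in parse_log(text).items():
        if len(recs) < min_events:
            continue
        period, jitter = beacon_score([t for t, _ in recs])
        avg_bytes = statistics.mean([b for _, b in recs])
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(recs),
                "period_s": round(period),
                "jitter": round(jitter, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']}s x{hit['count']} (jitter {hit['jitter']})")
```

Run against the sample, only the hourly caller is reported; the intranet host has enough connections but its intervals are far too irregular. On real data the thresholds need tuning: legitimate software updaters also beacon regularly, so a hit is a lead for the monitoring the article describes, not a reason to pull the plug.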

The knee-jerk reaction of an organisation wanting to immediately stop and eradicate the individual causing the company harm is irrational for several reasons: firstly, the malware has likely already done anything it was going to do. Secondly, there’s an assumption that this was the only malware present, as opposed to simply one of many. A more successful approach would be to detect and contain the threat actor: monitor it and know it’s present without letting the attacker know they’ve been discovered. This fools them into believing they still have a foothold when in reality you have the upper hand. If you are also watching their traffic and are able to read it, you know their exact impact.

You lose your advantage as soon as you reveal that you’ve spotted them and remove their malware. They disappear from sight leaving you with the challenge of finding them upon their inevitable return. There needs to be a fundamental transformation from seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, to one where these attacks are viewed as a part and parcel of doing business.

If this leap is made, then responding to these attacks with calm, measured actions driven by strategic thinking becomes entirely possible. By accepting that the people who are intent on breaking into large and complex IT systems will achieve it if they really want to, we can design networks to ensure that the things of most value to our business are those that are most protected. This will make organisations more resilient and able to accept minor losses, so that incursions are of less consequence in the board room, leaving time to grow the business rather than a mounting sense of despair and paranoia.


© 2024 Professional Security Magazine. All rights reserved.