Nation State Threats

By Blake J. Darché

Each nation-state cyber threat actor has its own goals and reasons for conducting cyber attacks. Some state-sponsored actors concentrate their efforts on espionage, while others focus on warfare-type operations. While these types of actors rarely turn their attention to generating money, they are nonetheless well-funded, typically through consistent money streams from their respective governments.

Since at least 2001, China has focused almost exclusively on espionage-driven cyber attacks. Their goal has been to steal key intelligence information and intellectual property secrets in the hopes of replicating or even surpassing, America’s innovative edge. Chinese cyberattacks have been so successful in the intellectual property area that some Chinese manufacturers can actually build an American company’s product during the day—and then at night change the same assembly line to print a Chinese company’s logo on the product.

In other cases, Chinese-affiliated cyber actors infiltrate major global corporations to gain insight into mergers and acquisitions. In these cases, Chinese companies are usually seeking an edge in order to outbid the U.S. or another western company. They accomplish this by understanding the bottom line prior to the commencement of formal negotiations.

In 2014, Russia established a goal of resurrecting the might of the former USSR. To this end, the country has greatly expanded its cyber operations over the last three years in a multi-pronged approach. This comprises not only espionage operations but information warfare as well. Demonstrated tellingly during the 2016 U.S. election cycle, Russia’s information warfare capability was extremely successful, using asymmetric operations involving proxy organizations such as Wikileaks. The Russians managed to hack countless Republican and Democratic-based political organizations with little effort and to damage those they were most interested in.

Attackers Work More Methodically Than First Thought

Today’s attackers have formerly unsuspected commonalities, actually operating in a unified, professionalized, and sophisticated manner when conducting cyber attacks. We like to think of attackers as a disjointed set of individuals loosely collaborating—when in fact they often work more like an assembly line; from a technical perspective, they are quite routine. Cyber actors rely on operational efficiency, reusable modular toolkits, and infrastructure stability to attack a large number of targets successfully.

This means we fail to recognize the scale at which these attacks can unfold. Within each attacker group, individual people have extremely specific jobs. Typically, some are assigned the task of acquiring infrastructure, while others work to develop a target database—that list of people or organizations which they plan to attack. Still, others analyze the data they pull from the victim to find key usernames, passwords, and other details that can fuel further attacks. Each of these occupations maps well to Lockheed Martin’s Cyber Killchain, which outlines the 7 stages of a typical cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action on Objectives.

While the security industry focuses significant resources on attribution, true attribution often remains elusive. It’s human nature to seek an understanding of who is behind a cyber attack. However, attribution is not even necessary in order to adequately protect yourself or your organization from a successful attack. In fact, “assembly line” cyber attacks actually provide preemption opportunities for defenders at a point in time when it is possible to change outcomes.

While a nation-state actor might focus heavily on intelligence gathering; a financial actor such as Carbanak turns its attention to financial gain. Nevertheless, each actor utilizes similar Tactics, Techniques, and Procedures (TTPs) to conduct their attacks. TTPs offer a way for cyber defenders to think about attacks in a unified, cohesive manner, in order to develop an effective risk-based approach to cybersecurity. In fact, TTP overlap has become so common, that the MITRE Corporation has released its MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework, which outlines TTPs used in attacks as “a threat model… for describing adversary behavior within different computing environments.”

Developing a Risk-Based Cyber Security Approach

The Lockheed Martin Killchain and MITRE’s ATT&CK constitute an effective model for constructing a risk-based approach to cybersecurity. This is because, regardless of their differing end-goals, attackers target individuals and organizations in only a few specific ways. For instance, Russian information warfare and Russian espionage actors both employ phishing to gain access to their targets. Email-borne phishing attacks represent 90 percent of all sophisticated nation-state attacks. Social media-based attacks rely on the social engineering component of phishing in order to coerce a target into clicking on a link. Over the last several years, multiple actors have utilized fake Facebook profiles of attractive women to coerce men into accepting their friend requests. This new wave of targeting provides yet another vector to phish users.

Formerly, phishing attacks relied primarily upon a malware-based payload such as a backdoor. This strategy, however, is changing with the evolution toward cloud-based Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Attackers now leverage credential harvesting attacks to a greater degree to gain quick access to the identifying credentials required by these services. This trend will likely continue, as link-based attacks are difficult to detect and to remediate, and they can be rotated quickly. Such attributes give the attacker an additional edge against the target and allow the attacker to more easily overcome legacy-based security solutions.

In the future, prevention of cyber-attacks will rely on machine learning and artificial intelligence. While such terms and buzzwords may be frequently thrown around, learning from past cyber-attacks through automated models greatly reduces an organization’s risk and exposure. For example, credential harvesting pages set up by one actor are often similar to those set up by another.

Which Actors Are Winning the Cyber War?

When we think about cyberwar, China has already won the first battle for many reasons, having exfiltrated terabytes of valuable intellectual property, personally identifiable information, and intelligence data. Iranian-backed interests attacked Saudi Aramco in 2012, wiping out tens of thousands of computers; this act represented the first strike in a destructive cyberwar. Russia too has altered the threat landscape with its successful information warfare operations campaigns, which injected doubt and discord into a foundational process of the free modern-day society. Russia thus exploited freedom of speech to its own advantage and effectively won the third battle of the cyberwar. North Korea, quietly copying Iran, “won” its skirmish with Sony.

The future of cybersecurity is continually evolving toward greater complexity. With mobility increasing, the former defense-in-depth approach involving multiple layers of network security has fallen flat in the face of SaaS, PaaS, and IaaS-based applications. To evolve effective protection, defenders must now look to the means of attack delivery: phishing: email, social media, SMS attacks, and application exploitation.

New Attacks Arrive in Deceptive Packages

A glance at the headlines is enough to convince us that evolution is well underway in attack delivery. The multi-vector nature of phishing means that these attacks now happen across email, web and network vectors. While email-borne phishing generates the most dramatic headlines and notorious infections, such as WannaCry and BEC deceptions, a cyber attack is actually a three-vector interaction: when users encounter a phishing email, they are customarily induced to click on a link to a compromised web site, such as their own bank’s (phony) online page. At that point, the user is captured, and the hackers can do as they please, stealing data that then flows to attacker recipients over the network. Thus, the only protection that extends across all three vectors can be effective. Defense calls for rapid web crawling to detect threats under construction; deep context and analysis of threat origin as to vector, type, and targets; and the ability to strip and disable phishing links within messages, plus DNS-based live blocking and redirection—all vital elements of a successful anti-phishing defense strategy.

Area 1 Security is the first and only cloud-based company to deliver preemptive detection, analysis, and disruption of phishing campaigns across the email, web, and network vectors. Shutting down phishing attacks before they arrive at the network edge protects companies from such risks as BEC, ransomware, malware, credential harvesting sites and others.

About the Author
Blake J. Darché is a Co-Founder and the Chief Security Officer at Area 1 Security. Prior to Area 1, Blake worked at CrowdStrike as a Principal Consultant, and at the National Security Agency as a Computer Network Exploitation Analyst. Blake holds the degree Masters of Science in Security Informatics from The Johns Hopkins University and a Bachelors of Science in Information Technology from the Rochester Institute of Technology.
Blake has built his career across a range of information security skill areas including experience in both offense and defense. Blake has experience in Incident Response, Network Analysis, Malware Analysis, Threat Mitigation, Threat Intelligence, Computer Network Operations (CNO), and Counter Intelligence operations. You can follow Mr. Darché on Twitter at @blakedarche.