By Ryan Benner, Anexinet
A recent Wall Street Journal article titled “Russian Hackers Have Targeted 200 Groups Tied to U.S. Election” quotes Microsoft as stating that “Russian government hackers have targeted at least 200 organizations tied to the 2020 U.S. election in recent weeks, including national and state political parties and political consultants working for both Republicans and Democrats.” The article goes on to point out that Microsoft has also identified other bad actor nations, China and Iran, as engaging in cyberattacks against “high-profile individuals” and “targeting personal accounts of people associated with President Trump’s campaign,” respectively. There is an understated cybersecurity progression in this piece: ten to twenty years ago, bad actors were typically individuals or small groups, often tied to organized crime, that were simply looking for financial gain. Today we face the skills and resources of a nation seeking to influence global politics.
The phenomenon of nation-states as bad actors has risen significantly over the last decade. These nations are not just seeking to steal data for financial gain; they are also acquiring information for economic espionage, whether that means tapping into power grids or profiting from copies of proprietary products and systems such as IT device codes. It’s a wake-up call for any organization to carefully review its downstream business relationships and contracts. Are they linked in any way to government entities? Is your company manufacturing proprietary parts for a military vehicle that could be copied and reproduced more cheaply in other parts of the world? If the answer is “yes,” you may be a target for very well-trained, deep-pocketed bad actors that are extremely persistent in their pursuit of your intellectual property.
The following are documented cyberattacks performed by bad actor nations:
Unpatched Systems
One of the biggest issues constantly exploited by bad actors is the unpatched system. Over the last few years, we’ve seen a plethora of new attacks that leverage exploits which have not yet been published to the world. According to Security Boulevard, “cyberattacks increased 17% over the past year and their severity rose 27% compared to 2018.” The most notable result from the polling was that “60% of breaches were linked to a vulnerability where a patch was available, but not applied.”
Organizations must realize that bad actor nations have the funding and the manpower to methodically dig into software and firmware and find these exploits before the manufacturers themselves would traditionally find them. They also leverage these exploits in ways that are very difficult to detect, because the attacker doesn’t want to exploit just a single system; they want to use the entry system as a jump-off point to compromise many areas of the network. While the attacker operates in this stealth mode, many security tools are not capable of identifying their presence, because they don’t trip any wires or alarms. Their mission is to stay hidden in the network and to take over as many parts of the infrastructure as possible.
Phishing
CSOonline states that phishing attacks account for more than 80% of reported security incidents, and RiskIQ estimates that $17,700 is lost every minute due to phishing attacks. Why are these figures so high? Because the end-user is always the weakest link in the chain, and by nature most people are trusting individuals. That’s why, when an email looks official, perhaps from their bank or their company’s IT Help Desk, the target willingly hands over their credentials.
Over the years, there has been considerable advancement in email security tools that recognize spear-phishing and block it before it reaches end-users. This protection extends to web and DNS tools that block end-users’ attempts to click fraudulent email links. Ultimately, though, the responsibility resides with the end-user to look for oddities in the email, such as misspellings or phrasing that suggests it was not written by a native English speaker. When such emails are identified, end-users must be trained to report the incident to the IT security department immediately.
Brute Force Attacks and Password Sprays
Brute force leverages computing power to break encryption or guess a password. With ever-increasing processing power, millions of password attempts can be performed per second. From a network policy perspective, it’s all about ensuring that appropriately complex passwords are being used and that password lockout policies, such as locking an account after 5 bad attempts, are in place. Although brute force attacks are less successful, attackers will often come back to test a company’s security policies and see whether the latest protections have been put into place.
Like brute force attacks, password spraying goes after end-users’ accounts. However, instead of focusing on one account and trying hundreds of thousands of password combinations, a password spray goes after a large number of accounts with a handful of commonly used passwords, which keeps each individual account below the lockout threshold. This type of attack is effective because many individuals set their credentials to their email address and “password 1-2-3,” or similar simplistic, easy-to-remember permutations. Over the last few years, newer recommendations call for “phrase passwords” (passphrases), where the end-user selects a line from a favorite song, wedding vow, or quote; these are much easier to remember than a ten-character string.
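As an added example (not from the original article), a small Python script that applies the two detection rules implied above to constructed failed-login records: a per-account lockout at the article's 5 bad attempts, which catches the brute force pattern, plus a per-source count of distinct accounts, which is what catches a spray that deliberately stays under the lockout. The record shape, IP addresses, usernames and the 10-account spray threshold are assumptions chosen for illustration.

```python
"""Flag brute-force and password-spray patterns in failed-login records.

Added example, not code from the article. Record format, IPs, usernames
and the spray threshold are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample of failed logins as (source_ip, username) pairs:
#  - one source hammers a single account (brute force),
#  - one source tries ten accounts once each (password spray),
#  - a couple of ordinary typos as background noise.
SAMPLE_FAILURES = (
    [("203.0.113.7", "alice")] * 12
    + [("198.51.100.9", u) for u in (
        "bob", "carol", "dave", "erin", "frank",
        "grace", "heidi", "ivan", "judy", "mallory")]
    + [("192.0.2.44", "alice"), ("192.0.2.44", "bob")]
)

LOCKOUT_THRESHOLD = 5     # the article's example: lock after 5 bad attempts
SPRAY_MIN_ACCOUNTS = 10   # assumed: one source failing on >= 10 distinct accounts


def analyze(failures, lockout=LOCKOUT_THRESHOLD, spray_min=SPRAY_MIN_ACCOUNTS):
    """Return (accounts_to_lock, spray_sources) as sorted lists.

    accounts_to_lock: usernames whose failure count reached the lockout
                      threshold (brute force pattern).
    spray_sources:    source IPs that failed against spray_min or more
                      distinct accounts; each account sees only one failure,
                      so a per-account lockout alone never fires on them.
    """
    per_account = defaultdict(int)
    per_source_accounts = defaultdict(set)
    for src, user in failures:
        per_account[user] += 1
        per_source_accounts[src].add(user)

    accounts_to_lock = sorted(u for u, n in per_account.items() if n >= lockout)
    spray_sources = sorted(
        src for src, users in per_source_accounts.items() if len(users) >= spray_min
    )
    return accounts_to_lock, spray_sources


if __name__ == "__main__":
    locked, sprayers = analyze(SAMPLE_FAILURES)
    print("lock accounts:", locked)     # ['alice']
    print("spray sources:", sprayers)   # ['198.51.100.9']
```

Note that the spray source never trips the per-account lockout, which is why the second rule is needed alongside the policy the text recommends.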
A Much Bigger Attack Surface
Exacerbating the cyberattack problem is the fact that we now have an immense remote workforce, which has increased the attack surface exponentially. Now that a much larger percentage of workers and students are remote and using a lot of new collaboration software, these bad actors have a much larger target to hit.
Preventing a cyberattack is extremely difficult, but there are many ways to mitigate the risk. The first step is to become intimately familiar with every aspect of the network: hardware, software, end devices, and anything connected that could be considered an entry point, e.g., IoT devices, card readers, and even printers. The next step is ensuring the right policies are in place and building the right programs around those policies, such as the methods discussed under the documented attacks above. Once those areas are taken care of, the right tools and software need to be deployed so that adequate layers of defense are in place to detect attacks and defend critical intellectual property (IP) assets. With all these checkpoints in place, the final step is to layer monitoring on top to ensure credible alerts are escalated for proper attention.
You Don’t Have to Go It Alone
A Managed Security Provider (MSP) can help an organization create a customized security program that leverages on-premises and cloud-based security tools to protect users and IP assets. Layered on top of the security program is 24/7 monitoring by trained staff within a Security Operations Center (SOC). MSPs exist because it is very difficult and expensive for companies to maintain all of the in-house talent across the various cybersecurity disciplines.
From a hacker’s point of view, monetary gain seems like table stakes compared to effectively influencing a nation; and yet, this too may be a stepping stone to even more diabolical efforts. Mitigating risk with solid security policies, layered security tools, and cutting-edge monitoring systems that prompt immediate action is the best course of action to protect your organization’s private information and IP.
About the Author
Ryan Benner is Vice President of Presales at Anexinet – a 20-year digital business solutions provider offering customers a complete digital experience from engaging front-end interactions to dependable back-end solutions, all informed by data-driven insights. Ryan has expertise in building new revenue streams and significant growth in technology consulting companies. Prior to Anexinet, Ryan was VP Solutions & Services / VP Enterprise Infrastructure at Arraya Solutions, where he was instrumental in enabling the company to achieve 4X revenue growth and transform from a small VAR to a provider of strategic solutions. Ryan holds a Bachelor of Science degree in Information Systems from Penn State University. Anexinet can be found on LinkedIn and Twitter.