War has arguably been one of the constant themes throughout human history. What has evolved is the weaponry that we have utilised in warfare. We have seen the sword evolve into the musket, into the rifle, into the machine gun, into mechanised warfare, into nuclear bombs, and now – the cyber attack. Simon Townsend looks at what organizations can do to protect themselves.
Cyber attacks have come a long way since the ILOVEYOU virus that hit 45 million Windows PCs in May 2000. An early spam email, ILOVEYOU easily went through organizations’ scant cyber security defences and, due to its contagious nature, quickly multiplied. This caused a lot of damage at the time, as mail servers couldn’t handle the tsunami of e-mail and crashed. Nowadays, mail servers are built to defend against spam (which makes up the majority of email), but organizations and nation states have much bigger fish to fry. It is noteworthy, though, that while we have come a very long way since the ILOVEYOU virus, creating a destructive piece of malware today is technically about as simple as it was for this historic attack.
Moving on to the present day, we have seen a huge growth in nation state attacks over the last few years. For example, in 2016 we saw the Russian ‘hack team’ Fancy Bear breach the Democratic National Committee (DNC) during the US national election. During the election, a leaked NSA document also suggested that Russian cyber criminals had been trying to hack a voting technology firm. More recently, the City of Atlanta’s municipal government was shut down for five days. In April 2018, the US and UK also claimed that Russian hackers had been secretly running operations on ‘innocent computer accessories’ such as home routers. The purpose of this is not yet known, but the NCSC, FBI and US Department of Homeland Security have warned that it could be part of a wider attack targeting ‘government and private-sector organizations’, providers of critical infrastructure and Internet service providers.
In short, we are increasingly seeing nation-state hackers using powerful and sophisticated techniques to target not just government institutions, but businesses. Their primary intentions appear to be both destabilisation, and to leak confidential information. More than 60 countries have developed or are developing cyber weapons for computer espionage and attacks. This is driving a form of cyber cold war, where governments continue to attempt to outpace one another with a growing arsenal of cyber weapons and cyber defence strategies. And the common cyber criminal is learning quickly from these more ‘military-grade’ cyber weapons, causing the gap between nation-state attacks and other forms of cyber crime to close quickly.
It has also been predicted that the frequency and impact of these nation-state cyber attacks will grow, with greater coordination in the works as well, such as an attack on a power grid during a blizzard or extreme cold conditions.
As was feared during the WannaCry attack that severely disrupted parts of the NHS last year, it could soon be the case that human lives are at stake.
To defend against these attacks, any organization with sensitive information or valuable IP needs to remain vigilant. They need to know what sort of information is stored on their systems and passing through their networks. Government entities are not the only ones at risk: a wide array of industries may hold data which could be exploited against a country.
For example, law firms, manufacturers, financial services organizations, utilities, and media companies could all retain trade secrets or sensitive IP that nations wouldn’t want the wrong people getting their hands on. In this instance it can help to have deep visibility into traffic patterns across a network — so that organizations can identify anything unusual.
Organizations should also be careful when considering the origin of the vendors that they do business with. The US National Institute of Standards and Technology (NIST) provides recommended restrictions on purchasing from certain suppliers or countries.
Another smart move is to isolate internal networks from the Internet – if the Internet isn’t needed for certain application workloads or internal datasets, then organizations shouldn’t put themselves at risk by connecting unnecessarily. Proper network segmentation and isolation can help to prevent external, unauthorised access to critical data. It can also help to build up defences against attacks where criminals attempt to intercept communication between two friendly parties.
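The two preceding points, visibility into traffic patterns and keeping isolated workloads off the Internet, can both be checked against the same flow records. The following is an added example, not code from the article or from Ivanti: it reads a handful of constructed NetFlow-style records, flags any flow that crosses between a constructed "isolated" zone and the Internet (a segmentation policy breach), and flags hosts whose Internet-bound byte count is far above a constructed per-host baseline (the "anything unusual" a network team would want surfaced). The zone map, baseline figures and flow lines are all invented for illustration.

```python
"""Flow-log review: segmentation policy check plus egress-volume baseline.

Added example for illustration only; zone map, baseline and flow records
are constructed, not taken from any real network.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed zone map. Anything not in an internal range counts as Internet.
ZONES = {
    "isolated": [ipaddress.ip_network("10.10.0.0/16")],  # must never reach the Internet
    "corp": [ipaddress.ip_network("10.20.0.0/16")],
}
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed baseline: typical Internet-bound bytes per host for this window.
BASELINE = {"10.10.1.5": 0, "10.20.3.7": 5000, "10.20.4.2": 100000}

# Constructed flow records: "src dst bytes". External addresses use the
# RFC 5737 documentation ranges so the sample stays offline-safe.
FLOW_LOG = """\
10.10.1.5 10.10.2.9 1200
10.10.1.5 203.0.113.40 540000
10.20.3.7 198.51.100.8 2100
10.20.3.7 10.10.2.9 800
10.20.4.2 198.51.100.8 9800000
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated 'src dst bytes' lines, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return flows


def zone_of(addr: ipaddress.IPv4Address) -> str:
    """Map an address to a named zone, 'internal' or 'internet'."""
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    if any(addr in net for net in INTERNAL):
        return "internal"
    return "internet"


def policy_violations(flows: list[Flow]) -> list[Flow]:
    """The isolated zone must not exchange traffic with the Internet in either direction."""
    bad = []
    for flow in flows:
        zones = {zone_of(flow.src), zone_of(flow.dst)}
        if {"isolated", "internet"} <= zones:
            bad.append(flow)
    return bad


def egress_anomalies(flows: list[Flow], baseline: dict[str, int], factor: float = 3.0) -> dict[str, int]:
    """Hosts whose Internet-bound bytes exceed `factor` times their baseline."""
    totals: dict[str, int] = defaultdict(int)
    for flow in flows:
        if zone_of(flow.dst) == "internet":
            totals[str(flow.src)] += flow.nbytes
    return {host: total for host, total in totals.items() if total > factor * baseline.get(host, 0)}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for flow in policy_violations(flows):
        print(f"POLICY: isolated host {flow.src} talked to Internet host {flow.dst}")
    for host, total in egress_anomalies(flows, BASELINE).items():
        print(f"VOLUME: {host} sent {total} bytes to the Internet, baseline {BASELINE.get(host, 0)}")
```

A host with no baseline entry is treated as having a baseline of zero, so the first Internet-bound byte from a workload that should never have any is reported; that matches the segmentation intent rather than quietly learning a "normal" for it.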
Of course, one of the most important ways to protect the organization is to employ thorough defence-in-depth cyber security practices. Firstly, organizations need to have a complete picture of what is going on in their environments, because they can’t protect or defend against things that they don’t know about. They should also be using technologies and processes to reduce their attack surface, detect attacks that do get through, and take rapid action to contain malicious activity and vulnerabilities. Technologies such as patch and vulnerability management, application whitelisting, privilege management, identity management, file and media protection, and ransomware remediation will help to defend against attacks. This also includes training employees on how to spot and report malicious activity.
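Of the controls listed above, application whitelisting is the one most easily shown in a few lines. The following is an added example, not code from the article or from Ivanti's products: it allows an executable to run only if the SHA-256 of its contents is on an approved list, so a file that keeps an approved name but has been altered, or an unknown tool dropped next to it, is refused. The approved content, the temporary files and the file names are all constructed for the demonstration.

```python
"""Hash-based application allowlisting check.

Added example; the allowlist contents and sample executables are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed approved executables, keyed by a human-readable name.
# In practice the digests would be recorded at approval time and stored
# separately from the machines being protected.
APPROVED_CONTENT = {
    "backup.exe": b"#!approved backup tool v1.2\n",
    "agent.exe": b"#!approved monitoring agent v4.0\n",
}
ALLOWLIST = {hashlib.sha256(content).hexdigest(): name for name, content in APPROVED_CONTENT.items()}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def decide(path: Path) -> tuple[bool, str]:
    """Return (allowed, reason). The decision is by content hash, never by file name or path."""
    digest = sha256_file(path)
    name = ALLOWLIST.get(digest)
    if name is None:
        return False, f"deny: {path.name} sha256={digest[:12]}... not on allowlist"
    return True, f"allow: {path.name} matches approved '{name}'"


def demo() -> dict[str, bool]:
    """Write three constructed files and run the check over each of them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "backup.exe"
        good.write_bytes(APPROVED_CONTENT["backup.exe"])

        # Same approved name, contents altered by a single appended line.
        tampered = Path(tmp) / "backup.exe.new"
        tampered.write_bytes(APPROVED_CONTENT["backup.exe"] + b"# modified\n")

        # A tool nobody approved.
        unknown = Path(tmp) / "helper.exe"
        unknown.write_bytes(b"#!something else entirely\n")

        results = {}
        for label, path in (("good", good), ("tampered", tampered), ("unknown", unknown)):
            allowed, reason = decide(path)
            print(reason)
            results[label] = allowed
        return results


if __name__ == "__main__":
    demo()
```

The point of hashing the contents rather than trusting the path is the second case: a file that looks exactly like the approved tool but differs by one byte gets a different digest and is refused, which is what makes the control useful against tampered or trojanised binaries.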
Finally, businesses can ‘do their bit’ by sharing any insight that they may have into a cyber threat, whether they have suffered an attack or only been targeted by one that failed. The more insight we all have on new threat trends and vulnerabilities that may be exploited, the better all organizations – and the country at large – will be at defending against potential nation-state attacks.
What with the tensions between numerous countries around the world at this time, we simply don’t know when this cyber cold war’s détente will arrive. So, while it is the responsibility of our governments to protect us, as individual organizations it is also critical that we are defending our systems as well as we can against these new breeds of attack.
Simon Townsend is CTO – EMEA at Ivanti.