When asked why Chinese hackers would use Russian tactics in a recent targeted attack against an engineering firm in the United Kingdom, F-Secure Principal Security Consultant Tom Van de Wiele had a simple answer:
“Nation states use each other’s attacks because they work.”
Almost everything about repurposing attacks works to the advantage of online criminals. This is true whether they are backed by a nation-state or not.
“If attackers can steal from each other to bring down the cost and to be more effective then that is what they will do,” he said. “Add to that that it provides plausible deniability or at least the capability to muddy the waters even more when it comes to attribution; then you’ll see that stealing attacks and methods is just part of the MO of attackers.”
If the only goal is improving the odds of success and diminishing the chances of being caught, any practical advantage will be sought.
“Of course, certain techniques will be preferred more than others,” Tom said.
For instance, attackers will favor keeping their people and infrastructure in countries that do not extradite. This could make them easier to detect “though attribution is always challenging.”
Tom calls the constant switching up of attacks and tactics “the everlasting cat and mouse game.” So how do you defend against these nation-state generated attacks? Is your network won’t be a docile mouse just waiting to be devoured by a wily cat?
“The defense approach is not different from any other approach against targeted attacks.”
What does that look like? Here are the steps Tom recommends to any organization:
Make a threat model (or at least a list of worst-case scenarios)
“You can’t protect everything and certain things are more important than others,” Tom said. “Find out what the priority list is and start talking about the ‘what ifs’ with the right stake holders when looking at the attacks of today and how they might affect your business and how.”
In this talk, Tom explains how thinking and acting like an attacker can help you. Check it out to get a sense of the defensive thinking necessary to know which threats your organization should be focused on:
Detect and respond to targeted attacks
“Targeted attacks cannot be stopped but the adversary can be forced to make mistakes that can be detected. Make sure detection points are set up in the correct areas and make sure the level of log detail is sufficient in order to be able to handle an incident.”
Endpoint protection is a necessity. But it isn’t always enough to protect against targeted attacks. F-Secure’s Broad Context Detection™ is designed to give you the visibility you need on all relevant events on your network.
Expect a breach
It’s not of question of when you’ll be hit. The question is: will you be ready when you are?
“Make sure you have ran the necessary crisis management and incident response simulations to know what to do when, how, by whom and when to take the right actions when it comes to identification, containment and other actions and changes you might take or make,” Tom said.
“Your defense strategy cannot be based on no-one clicking on any out of the ordinary or someone not being able to access your building. Both will happen and you need to know what that would look like through the medium of your monitoring and alerting processes and mechanisms.”
“Most malware comes in through e-mail. Do your employees who receive e-mail receiving need be connected to mission critical networks that contain important assets and/or intellectual property?”
F-Secure’s Incident Response Report from early in 2018 found that 34% of breaches were the result of phishing and malicious email attachments.
“Separate both domains and ensure detection at all the relevant choke points,” he recommends. “Are file attachments really required from unknown parties on the internet? Can file exchange methods be set up using company-controlled assets to ensure that employees can exchange files with people outside the company for which they are expecting attachments?”
He added, “How many MS Office file attachments are your employees receiving out of the blue from someone not linked to the domains of the company? Very little. For some departments it might even be excessive with all the file sharing services that are possible nowadays that can be managed and monitored in a cost-efficient way.”
Inform and spread awareness
Cyber criminals utilize their knowledge of user psychology to make attacks more successful. By educating your users about the tactics they’re most likely to fall for, you can take away some of that advantage.
“Inform staff about their responsibilities and the dos and don’ts of the technology they are using as part of their daily work,” Tom said. “Use examples that come from the outcome of regular testing of your own defenses through standardized testing and performed red-team testing and involve your employees in the discussions.”
These strategies are not original but the best-defended companies around the world use them. And given all the advantages attackers have, you may want to borrow some tricks for yourself.