Enterprise Security Leaders Prepare For Nation State Cyber Attacks
Military Strategies Increasingly Using Cyber Forces Over Field Soldiers
Over centuries of battles and wars, military strategy has shown that slowing or disabling a government’s critical infrastructure is one of the surest ways to damage its economy and force both sides to negotiate an end. In the Internet age the battlefield has evolved to give countries with smaller fighting forces a way to strike their foes, and the weapon of choice is software used to launch cyber-attacks.
Security leaders have voiced considerable concern as a result of the military conflict between the U.S. and Iran. While a conventional military response by Iranian forces has been downplayed, Iran has shown itself to be a capable cyber attacker in the past.
Computer systems quickly emerged as potential targets. Christopher C. Krebs, leader of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), made clear on social media that the threat went beyond the federal government. “Pay close attention to your critical systems,” Mr. Krebs said on Twitter. “Make sure you’re also watching third party accesses!”
Asked to comment on the current situation, Bob Gourley, CTO of OODA, LLC and former CTO for the U.S. Defense Intelligence Agency told Cyber Security Hub, “The sentiment among corporate America varies widely, but those who are mature enough to realize they need a professional security program have all found that advanced cyber threat intelligence is key to an efficient operation.”
Rationalizing A Cyber-Attack Warning Amongst Intelligence Signals
Unless you are standing up your organization’s first cyber security program, the warnings are more of a nudge than a cause for change in enterprise security posture. Any major worldwide event is cause for reassessment and ensuring that you are ready for the current threat landscape, and more specifically, those things that are most likely to impact you.
Signals to reassess current controls range from breaking news to natural disasters to a major holiday. Each changes the threat picture, and each suggests a different set of attacker motivations to plan against.
“Don’t immediately change anything,” said Brian Haugli, co-founder at vCISO firm SideChannel and former U.S. Department of Defense and Pentagon cyber security lead, in an interview with Cyber Security Hub. “The news should not be the trigger” to initiate change in an existing enterprise cyber posture. When news of Heartbleed broke in 2014, there was a rush to react. Even where the vulnerability did not apply to their environment, “organizations believed Heartbleed was huge and they tried to fix it,” noted Haugli.
The people driving that rush – usually the organization’s executive team and/or board of directors – understand that such news signals risk, but not how to factor it into an appropriate assessment and action plan. “The security head needs to be calculated and present back in a way that this cyber alert is or is not within the risk tolerance,” said Haugli.
An organization that has a SOC in place along with incident detection and threat intelligence capabilities likely has the potential for nation state attacks factored into their current security strategy. But it doesn’t hurt to self-reflect and ask yourself, “Does our executive leadership or the board believe that a foreign government’s retaliation is going to trickle down to this business entity?” Communicating effectively with other business leaders and advisors is a key trait of a successful security leader.
See Related: Six Traits Of Successful Enterprise CISOs
From the perspective of a likely attack from nation-state actors, “the risk is continuous and while there may well be an uptick in attempts, the well-known target organizations should already be actively defending against these as a matter of course,” said Christopher Hudel, VP & Principal Information Security Architect for First Citizens Bank in North Carolina during a Cyber Security Hub interview.
What’s Different With The Current Nation-State Alerts?
What is different with each cyber-attack alert now is the ability of an attacker (whether an individual, a group or a nation state) to use emerging technology to shift from a few narrow targets to role-based targeting (whaling, i.e., phishing aimed at executives) and to broad, indiscriminate attacks.
“The most likely victim may well be those of collateral damage if attackers are willing to break from targeted attacks to indiscriminate ones,” said InfoSec architect Hudel. “As you can see from constant ransomware news, these types of attacks would likely continue to be successful.”
Cloud technology is a key component of attack infrastructure, as are the more "old fashioned" attacks that leverage already compromised computers as part of a botnet. “The Command and Control or C2 networks are typically cloud-hosted,” noted Hudel. The practical consequence for defenders is that blocking by IP reputation alone is unreliable, since the same cloud address ranges also carry legitimate traffic and C2 hosts can be stood up and torn down quickly.
Machine learning is another consideration among emerging attack vectors, though the experts we spoke to have not yet observed it in the common attacker's modus operandi – perhaps because it requires investment and the old ways still work so reliably well.
Actions For Enterprise InfoSec Leaders
The DHS and CISA reporting is helpful but frequently needs contextualizing to be actionable for specific sectors or companies, said Gourley. “This can be done by industry information sharing and analysis centers or outsourced managed security service providers. It is clear, however, that DHS and CISA are contributing [to the discussion]”.
There are several ways that the latest round of cyber alerts can fit into existing enterprise security program priorities. Brian Haugli suggested the following points:
- Recheck threat intelligence ingest and your ability to act on it. Without outside feeds, you are unlikely to develop your own intel capability to distinguish a nation-state actor from a criminal hacking group. Make sure the intelligence actually flows into workflows, that teams know what to do with an indicator when they see it, and that the corresponding detection and response is in place.
- Review your penetration testing outcomes. Did the pentest provide insight into areas that could help change priority areas in your program?
- Get back to basics! Beware of organizations promoting quick fixes for a specific nation-state or bad actor. Get back to basics such as patching and make sure the fundamentals within your control are managed.
- Connect with your local FBI or CISA office. If you don’t have a relationship with your local FBI or CISA office, now is the time to make it, said Haugli. “The government has a complete and substantial security operation. They have access to data intelligence that no business has.”
- Share cyber intelligence. ISACs work really well for building a community of like-minded security leaders. Sharing cyber intelligence should not be treated as a competitive practice.
- The cyber version of Neighborhood Watch. When moving from the physical world to the digital world, don’t forget hundreds of years of retail experience in which shop owners watched out for neighboring storefronts. Take care of each other and be a good neighbor.
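The following is an added worked example, not code from the article or from any of the people quoted in it. It shows what "acting on" an intelligence feed looks like in practice for the first bullet above, and it pairs that with the point made earlier about cloud-hosted C2: indicator matching catches what a feed already knows, while a simple beaconing check over the same proxy logs catches a near-constant-interval callback to a host no feed has listed yet. The indicator feed, the proxy log lines, the hostnames (all under the reserved `.invalid` and `example.*` names) and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example; the log format, thresholds and severity rules are assumptions, not any product's format.

```python
"""Added example: match a threat-intel feed against proxy logs and flag
periodic beaconing.  All indicators, hosts, IPs and log lines are
constructed for illustration; none are real IOCs."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed indicator feed (hypothetical entries, deliberately messy
# casing and a trailing dot to show why normalisation matters).
INDICATORS = [
    {"type": "domain", "value": "Updates.Example-CDN.invalid.", "source": "ISAC feed", "confidence": 90},
    {"type": "ipv4", "value": "203.0.113.45", "source": "CISA alert", "confidence": 70},
]

# Constructed proxy log: "timestamp src_ip dest_host dest_ip status bytes".
PROXY_LOG = """\
2020-01-08T09:00:00Z 10.1.4.22 www.example.com 192.0.2.10 200 5120
2020-01-08T09:00:05Z 10.1.4.22 api.files-sync.invalid 198.51.100.7 200 310
2020-01-08T09:01:12Z 10.1.7.90 cdn.updates.example-cdn.invalid 203.0.113.9 200 80211
2020-01-08T09:05:05Z 10.1.4.22 api.files-sync.invalid 198.51.100.7 200 302
2020-01-08T09:07:40Z 10.1.7.90 www.example.org 192.0.2.11 304 0
2020-01-08T09:10:04Z 10.1.4.22 api.files-sync.invalid 198.51.100.7 200 305
2020-01-08T09:12:00Z 10.1.9.15 203.0.113.45 203.0.113.45 200 1200
2020-01-08T09:15:06Z 10.1.4.22 api.files-sync.invalid 198.51.100.7 200 299
2020-01-08T09:20:05Z 10.1.4.22 api.files-sync.invalid 198.51.100.7 200 301
2020-01-08T09:21:00Z 10.1.7.90 www.example.org 192.0.2.11 200 4210
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, host, dst, status, nbytes = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src_ip": src, "host": host.lower().rstrip("."), "dst_ip": dst,
            "status": int(status), "bytes": int(nbytes),
        })
    return events


def load_indicators(feed):
    """Index the feed by type with values normalised (case, trailing dot)."""
    by_type = defaultdict(dict)
    for ioc in feed:
        by_type[ioc["type"]][ioc["value"].strip().lower().rstrip(".")] = ioc
    return by_type


def domain_hit(host, domains):
    """Walk parent domains so a listed domain also catches its subdomains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        hit = domains.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def match_indicators(events, iocs):
    alerts = []
    for ev in events:
        hit = domain_hit(ev["host"], iocs.get("domain", {})) or iocs.get("ipv4", {}).get(ev["dst_ip"])
        if hit is not None:
            alerts.append({"kind": "ioc", "src_ip": ev["src_ip"], "host": ev["host"],
                           "dst_ip": ev["dst_ip"], "ts": ev["ts"].isoformat(),
                           "severity": "high" if hit["confidence"] >= 80 else "medium",
                           "why": f"{hit['type']} {hit['value']} ({hit['source']})"})
    return alerts


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag (src, host, dst) triples contacted at near-constant intervals.
    Coefficient of variation of the gaps <= max_cv means machine-like timing."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src_ip"], ev["host"], ev["dst_ip"])].append(ev["ts"])
    beacons = []
    for (src, host, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"kind": "beacon", "src_ip": src, "host": host, "dst_ip": dst,
                            "hits": len(stamps), "period_s": round(avg),
                            "cv": round(cv, 3), "severity": "medium"})
    return beacons


def triage(feed, log_text):
    """Run both checks and return alerts ordered for an analyst queue."""
    events = parse_log(log_text)
    alerts = match_indicators(events, load_indicators(feed)) + find_beacons(events)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


if __name__ == "__main__":
    for alert in triage(INDICATORS, PROXY_LOG):
        print(alert)
```

On the constructed data this yields three alerts: a high-severity indicator hit on a subdomain of the listed domain, a medium-severity hit on the listed IP, and a medium-severity beacon from 10.1.4.22 to a host that appears in no feed but calls home every 300 seconds with almost no jitter. The beacon threshold is deliberately loose; in production you would tune `min_hits` and `max_cv` against your own traffic and suppress known-good periodic clients such as update checkers.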
See Related: Nation-State Security Trends Report