In order to develop a rational approach to nation-state hacking, it’s important to understand the background and change the way we perceive it.
Accurate attribution is difficult to achieve; even when the attacker is identified the consequences are minor as geo-political boundaries usually prevent direct action.
Companies don’t solely focus resources on security, so attackers have the upper hand; they have unlimited time and resources and across multiple international borders little recourse can be taken.
But they must also sustain visibility on their areas of interest and be able to communicate back out.
Attackers can only see what they can access over the network as they are not physically present within the target company. It’s common to find attackers using the same malware strain; it will be rewritten and upgraded, but the core code and functionality remain the same. This malware can attain large amounts of valuable data whilst evading detection for years.
In many examples that we investigate there were also long periods of inactivity.
Companies should accept that doing business means dealing with nation-state actors who will penetrate their networks. Although detection is possible, it can take years– often with attackers compromising a machine and letting it sit dormant until they strike.
Attackers are usually discovered when they attempt to make outside communication or when persistent behaviour is seen. It’s also likely that the country hosting the IP will not be friendly with the country of the victim machine, making attempts to trace it likely to fail. Every attempt at attribution comes with an element of uncertainty and is therefore futile for anyone other than a government power.
The knee-jerk reaction of wanting to stop and eradicate an attack immediately is irrational; firstly, the malware has likely already done anything it was going to do. Secondly, there’s an assumption that this was the only malware present, as opposed to simply one of many that the attacker had deployed.
Often when businesses are the subject of hacking attacks, emotions run high. The knee jerk reaction is one that comes from an emotional place – “how could someone do this to me?” “Who is responsible?” etc.
A more successful approach would be to detect and contain the threat actor. Monitor it, without alerting the attacker that they’ve been spotted. They’re fooled into thinking they still have a foothold when the reality is different. If you are also watching and reading their traffic, you know their exact impact.
As soon as you reveal that you’ve spotted them and remove their malware, you lose your advantage. They disappear leaving you with the challenge of finding them when they inevitably return.
There needs to be a fundamental transformation from responding to attacks with our emotions and reflex actions overtaking reasoned and rational thinking, to one where these attacks are viewed as a part of doing business.
If this leap is made, then calmly responding to these attacks with measured, strategic actions will be completely possible. By accepting that the people who are intent on breaking into systems, will achieve it if they really want to, we can design networks to ensure that the most valuable things for our business are those that are most protected.
Mike Auty, senior security researcher for MWR InfoSecurity, gives background on the evolution of nation state attacks and delves into how this mindset about how we protect IT needs to change to a reasoned and rational approach that sees attacks as part and parcel of doing business.
By Mike Auty senior security researcher for MWR InfoSecurity
About MWR InfoSecurity
Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list consisting of Dow Jones, NASDAQ, FTSE 100 companies and Government agencies & departments. MWR consults with clients around the world, providing specialist advice and services on all areas of security, from mobile through to supercomputers.
Central to its philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients. MWR’s focus is working with clients to develop and deliver a full security programme, tailored to meet the needs of each individual organisation.
MWR’s services range across professional and managed services, technical solutions and training covering areas such as security research, incident response, web defense, phishing, mobile and payment security.