November 13, 2024 By Doug Bonderud 4 min read

Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, “nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities.”

These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.

Thankfully, there’s an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are better prepared to track, manage and mitigate these attacks.

Know your enemy: Nation-states in action

The Cybersecurity & Infrastructure Security Agency (CISA) identifies four prolific nation-state actors: the Chinese, Russian, North Korean and Iranian governments. Each of these actors uses a range of methods to compromise security and gain access to victim networks.

According to CISA’s associate director for threat hunting, Jermaine Roebuck: “These include phishing, use of stolen credentials and exploiting unpatched vulnerabilities and/or security misconfigurations. They conduct extensive pre-compromise reconnaissance to learn about network architecture and identify vulnerabilities. With this information, these state-sponsored actors exploit vulnerabilities in edge-facing devices and take advantage of system misconfigurations to gain initial access. They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities. Once they gain access to victim networks, advanced actors use living-off-the-land (LOTL) techniques to avoid detection.”

By understanding the techniques and tactics used by threat actors, organizations are better prepared to allocate limited security resources where they will be the most effective. “Knowing these tactics allows defenders to apply specific security concepts and classes of technologies to mitigate adversarial actors and focus on clearly-defined data properties and value to detect their techniques,” says Roebuck.

In other words, the more enterprises and agencies learn about nation-state attack methods, the better.


Back to basics: The other side of the security coin

While the actions of each nation-state offer protective insight for American cybersecurity, there’s another component in effective defense: Getting back to basics.

These approaches aren’t mutually exclusive. For example, while government agencies need to identify and dismantle disinformation campaigns, it’s just as critical to ensure that systems include tamper-resistant multi-factor authentication (MFA) to reduce the risk of compromise.

According to Roebuck, other CISA recommendations include:

  • Implementing strong authentication: Multi-factor authentication provides an additional layer of security for organizations. “MFA improves security because it mitigates risks of compromised credentials, reduces the impact of phishing attacks, protects sensitive data, enhances compliance and adapts to evolving security threats,” says Roebuck.
  • Regularly updating and patching systems: Nation-state attacks are constantly evolving. If cybersecurity remains static, organizations are at risk. Regular system updates and patching provide key security benefits, such as improved system stability, enhanced security compliance and reduced vulnerability risk.
  • Educating employees: Roebuck makes it clear that employee education is a critical component of effective cybersecurity.

“Organizations should conduct regular training sessions on recognizing phishing attempts and practicing good cyber hygiene,” he says. “According to trusted Open-Source Intelligence (OSINT) sources, 75% of the intrusions were ‘malware-less.’ This means that threat actors ‘walked through the front door’ with valid accounts obtained via phishing and social engineering. Users need to be well-trained to identify social engineering techniques and phishing emails.”

  • Using antivirus and anti-malware solutions: According to Roebuck, antivirus and anti-malware tools act as “digital sentinels” by standing guard against evolving threats. Advantages of these solutions include early threat detection, reduced malware spread and real-time protection for critical data.
  • Hardening credentials: Credentials are a popular compromise point for nation-state attackers. If bad actors obtain legitimate user credentials, they’re often able to compromise enterprise systems without being detected.

To limit credential concerns, Roebuck recommends that all accounts have strong, unique passwords and suggests that companies change default credentials. “Strong, unique passwords prevent unauthorized access by making unauthorized access much tougher, limit damage by ensuring threat actors can’t easily access other accounts, reduce common attacks targeting default or weak passwords, protect sensitive information and improve overall security.”

  • Monitoring and logging activity: It’s also critical for companies to monitor and log all network activity. Roebuck recommends that businesses establish centralized log management and regularly review these logs for suspicious activity. He notes that centralization makes it easier to detect suspicious activity and take immediate action and improves the ability of organizations to carry out forensic analysis to pinpoint the origin and discover the scope of the attack.
  • Securing remote access: Remote access has become commonplace as organizations embrace the need for agile operations. The access points, however, are tempting targets for nation-state attackers. By using secure configurations for remote services and limiting access to trusted IP addresses, enterprises can minimize remote access risks. “The implementation of secure configurations and IP limitations for remote services are pivotal for minimizing attack surface, preventing unauthorized access, reducing exposure to threats, enhancing monitoring and complying with security standards,” says Roebuck.
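The two recommendations above that lend themselves to automation are centralized log review and restricting remote services to trusted IP addresses. The following is an added example, not code from the article or from CISA, showing how a defender might run both checks over centralized authentication logs: it flags successful remote-access logins from sources outside an allow-list, and successful logins that follow a burst of failures for the same account, which is the "valid account walked through the front door" pattern Roebuck describes. The log format, the trusted networks, the thresholds and the sample log lines are all constructed for this example.

```python
"""
Added example: review centralized authentication logs for two patterns.
Everything here (log format, allow-list, thresholds, sample data) is
constructed for illustration and is not taken from the article or CISA.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list of source networks trusted for remote access.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Services considered "remote access" for the allow-list check (assumed names).
REMOTE_SERVICES = {"vpn", "rdp"}

# Constructed log format:
#   "<ISO timestamp> <service> <SUCCESS|FAILURE> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAILURE_THRESHOLD = 5              # failures that make a following success suspicious
FAILURE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_trusted(ip):
    """True if the source address falls inside one of the trusted networks."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_alerts(lines):
    """Scan lines in order; return a list of (alert_type, user, src) tuples."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, don't crash
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec["result"] == "FAILURE":
            recent_failures[user].append(ts)
            continue
        # A SUCCESS record: apply both checks.
        if rec["service"] in REMOTE_SERVICES and not is_trusted(src):
            alerts.append(("untrusted_remote_login", user, str(src)))
        in_window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        if len(in_window) >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failure_burst", user, str(src)))
        recent_failures[user] = []        # a success closes the failure run
    return alerts


# Constructed sample log: one trusted VPN login, one account that succeeds
# only after five failures from an untrusted address, one SSH login, and
# one line that does not match the format.
SAMPLE_LOG = """\
2024-11-13T08:00:00 vpn SUCCESS user=alice src=10.1.2.3
2024-11-13T08:01:00 vpn FAILURE user=bob src=198.51.100.7
2024-11-13T08:01:10 vpn FAILURE user=bob src=198.51.100.7
2024-11-13T08:01:20 vpn FAILURE user=bob src=198.51.100.7
2024-11-13T08:01:30 vpn FAILURE user=bob src=198.51.100.7
2024-11-13T08:01:40 vpn FAILURE user=bob src=198.51.100.7
2024-11-13T08:02:00 vpn SUCCESS user=bob src=198.51.100.7
2024-11-13T08:05:00 ssh SUCCESS user=carol src=192.0.2.9
this line is not in the expected format
""".splitlines()


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

On the sample data the account `bob` produces both alerts: the login came from outside the trusted networks, and it followed five failures inside the ten-minute window. `alice` is silent because her source is in the allow-list, and `carol` is silent because SSH is not in the remote-service set and no failures preceded her login. In practice the allow-list and thresholds would come from the organization's own remote-access policy, and the alerts would feed the same centralized review process the article recommends rather than stand alone.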

A team effort: Navigating the new reality of nation-state attacks

The coordinated nature of nation-state attacks means that no enterprise or governmental agency is an island. Instead, it’s the cooperative efforts of organizations that make improved security possible.

CISA is doing its part to help as well. Roebuck points to the agency’s joint advisory on the People’s Republic of China (PRC), which provides recommended actions to detect, mitigate and remediate emerging threats. “We know, however, that sophisticated nation-state threat actors constantly evolve their TTPs,” he says. “Accordingly, CISA has a strong partnership with government agencies, commercial and critical infrastructure partners to provide actionable information to combat evolving malicious cyber activity, such as the PRC.”

CISA also recently published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, which offers a roadmap to help public and private sector organizations improve cybersecurity coordination and better defend against nation-state threats.

Ultimately, Roebuck’s security advice is straightforward: “To protect against the increased prevalence of malicious actors, implement and maintain an effective solution to detect intrusions and evict attackers as quickly as possible.”
