Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, “nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities.”
These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.
Thankfully, there’s an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are better prepared to track, manage and mitigate these attacks.
The Cybersecurity & Infrastructure Security Agency (CISA) identifies four prolific nation-state actors: the Chinese government, the Russian government, the North Korean government and the Iranian government. Each of these actors uses various methods to compromise security and gain access to victim networks.
According to CISA’s associate director for threat hunting, Jermaine Roebuck: “These include phishing, use of stolen credentials and exploiting unpatched vulnerabilities and/or security misconfigurations. They conduct extensive pre-compromise reconnaissance to learn about network architecture and identify vulnerabilities. With this information, these state-sponsored actors exploit vulnerabilities in edge-facing devices and take advantage of system misconfigurations to gain initial access. They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities. Once they gain access to victim networks, advanced actors use living-off-the-land (LOTL) techniques to avoid detection.”
By understanding the techniques and tactics used by threat actors, organizations are better prepared to allocate limited security resources where they will be the most effective. “Knowing these tactics allows defenders to apply specific security concepts and classes of technologies to mitigate adversarial actors and focus on clearly-defined data properties and value to detect their techniques,” says Roebuck.
In other words, the more enterprises and agencies learn about nation-state attack methods, the better.
While the actions of each nation-state offer protective insight for American cybersecurity, there’s another component in effective defense: Getting back to basics.
These approaches aren’t mutually exclusive. For example, while government agencies need to identify and dismantle disinformation campaigns, it’s just as critical to ensure that systems include tamper-resistant multi-factor authentication (MFA) to reduce the risk of compromise.
According to Roebuck, other CISA recommendations include:
“Organizations should conduct regular training sessions on recognizing phishing attempts and practicing good cyber hygiene,” he says. “According to trusted Open-Source Intelligence (OSINT) sources, 75% of the intrusions were ‘malware-less.’ This means that threat actors ‘walked through the front door’ with valid accounts obtained via phishing and social engineering. Users need to be well-trained to identify social engineering techniques and phishing emails.”
To limit credential concerns, Roebuck recommends that all accounts have strong, unique passwords and suggests that companies change default credentials. “Strong, unique passwords prevent unauthorized access by making unauthorized access much tougher, limit damage by ensuring threat actors can’t easily access other accounts, reduce common attacks targeting default or weak passwords, protect sensitive information and improve overall security.”
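The recommendation above is easy to state and tedious to verify by hand. The following audit script is an added example written for this article, not code from IBM, CISA or Roebuck. It takes an account inventory as a list of (system, username, password) tuples, as an administrator might export during a configuration review or run from a password-change hook, and flags the three problems the quote names: vendor default credentials left in place, common or too-short passwords, and one password reused across several accounts. The default-credential list, the common-password list, the 14-character minimum, the report key and the sample inventory are all constructed for the example; a real deployment would substitute its own vendor documentation and policy values.

```python
"""Audit an account inventory for default, weak and reused passwords.

Added example for this article; the credential lists and sample inventory
below are constructed and illustrative, not data from the page.
"""
import hmac
import hashlib
from collections import defaultdict

# Constructed (username, password) pairs standing in for an organization's
# own catalogue of vendor defaults.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("user", "user"),
}

# Constructed list of commonly guessed passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed policy value: minimum accepted password length.
MIN_LENGTH = 14

# Placeholder key used only to fingerprint passwords in the report so the
# report can correlate reuse without containing the passwords themselves.
REPORT_KEY = b"constructed-report-key-replace-me"


def fingerprint(password):
    """Keyed, truncated hash of a password for correlating findings.

    Using an HMAC rather than a bare hash means a leaked report does not let
    a reader confirm guesses against the fingerprints.
    """
    mac = hmac.new(REPORT_KEY, password.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]


def audit_accounts(accounts, min_length=MIN_LENGTH):
    """Return a list of finding dicts for (system, username, password) tuples.

    Per-account issues: default-credential, common-password, too-short.
    Cross-account issue: reused-password, reported once per shared password
    and naming every system and user that shares it. Passwords never appear
    in the output, only their fingerprints.
    """
    findings = []
    holders_by_password = defaultdict(list)

    for system, user, password in accounts:
        holders_by_password[password].append((system, user))
        issues = []
        if (user, password) in DEFAULT_CREDENTIALS:
            issues.append("default-credential")
        if password.lower() in COMMON_PASSWORDS:
            issues.append("common-password")
        if len(password) < min_length:
            issues.append("too-short")
        for issue in issues:
            findings.append({"system": system, "user": user, "issue": issue,
                             "fingerprint": fingerprint(password)})

    for password, holders in holders_by_password.items():
        if len(holders) > 1:
            findings.append({
                "system": ",".join(sorted(s for s, _ in holders)),
                "user": ",".join(sorted(u for _, u in holders)),
                "issue": "reused-password",
                "fingerprint": fingerprint(password),
            })
    return findings


# Constructed inventory: one device on vendor defaults, one service account
# whose password is shared between two systems, one trivially guessable login.
SAMPLE_ACCOUNTS = [
    ("edge-router-1", "admin", "admin"),
    ("edge-router-2", "admin", "R0ut3r!Unique#2024"),
    ("vpn-gateway", "svc-backup", "Winter2024!Backup"),
    ("file-server", "svc-backup", "Winter2024!Backup"),
    ("jump-host", "ops", "letmein"),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print("{issue:20} {system:30} {user:20} {fingerprint}".format(**finding))
```

Run against the sample inventory, the script reports five findings: the default credential and short password on edge-router-1, the common and short password on jump-host, and a single reuse finding that names both systems sharing the backup account's password. Because the reuse check compares plaintext, it only works at a point where the passwords are available, such as a provisioning review or a change hook; stored salted hashes cannot be compared this way.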
The coordinated nature of nation-state attacks means that no enterprise or governmental agency is an island. Instead, it’s the cooperative efforts of organizations that make improved security possible.
CISA is doing its part to help as well. Roebuck points to the agency’s joint advisory on the People’s Republic of China (PRC), which provides recommended actions to detect, mitigate and remediate emerging threats. “We know, however, that sophisticated nation-state threat actors constantly evolve their TTPs,” he says. “Accordingly, CISA has a strong partnership with government agencies, commercial and critical infrastructure partners to provide actionable information to combat evolving malicious cyber activity, such as the PRC.”
CISA also recently published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, which offers a roadmap to help public and private sector organizations improve cybersecurity coordination and better defend against nation-state threats.
Ultimately, Roebuck’s security advice is straightforward: “To protect against the increased prevalence of malicious actors, implement and maintain an effective solution to detect intrusions and evict attackers as quickly as possible.”