August 2, 2023 By Jonathan Reed 4 min read

More than ever, state-sponsored cyber threats worry security professionals. In fact, according to a recent Microsoft Digital Defense Report, the share of nation-state activity alerts aimed at critical infrastructure rose from 20% to 40% between 2021 and 2022. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today?

While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the financial and healthcare sectors, over a third of breaches are the result of insider threats.

External vs. internal threats

Microsoft delivers an alert in the form of a nation-state notification (NSN) when an organization or account holder is targeted or compromised by observed nation-state activities. As per the Microsoft report, the total number of NSNs has risen, as well as the percentage targeting critical infrastructure.

The report also points out that nation-state actors are targeting software and IT services supply chains. Nation-state threat groups tend to target IT, think tanks, NGOs, education and government entities. Meanwhile, state-sponsored attacks target the finance and healthcare sectors far less often.

Despite the rising nation-state threat, the actual number of breaches attributed to these actors remains limited. In Verizon’s 2023 Data Breach Investigations Report (DBIR), researchers found that actual breaches are still largely traced back to organized crime groups in more than 70% of cases. Meanwhile, end-user (internal) threats lead to breaches more often than state-based attacks.

Rising nation-state threat

As per the Microsoft report, the countries of origin for the most commonly observed state actors targeting customers over the past year were Russia, China, Iran and North Korea. And nation-state targeting of IT service providers can be an attempt by actors to exploit other organizations by taking advantage of trust and access granted to supply chain providers.

According to Microsoft, nation-state cyber threat groups target IT services providers to gain illicit access to downstream clients in government, policy and critical infrastructure sectors. The report notes that IT service providers are attractive intermediary targets as they serve hundreds of direct and thousands of indirect clients of interest to foreign intelligence services.

Meanwhile, zero-day vulnerabilities are a particularly effective means of initial exploitation. Once publicly exposed, other nation-states and criminal actors can rapidly reuse these vulnerabilities. Alarmingly, Microsoft has observed a reduction in the time between the announcement of a vulnerability and its commoditization. As per the report, it takes only 14 days on average for an exploit to be available in the wild after a vulnerability has been publicly disclosed. This makes it essential that security teams patch disclosed vulnerabilities immediately.

What about insider threats?

It’s impossible to deny the growing danger posed by state actors. However, security teams must also decide where to focus limited resources. It’s impossible to be 100% prepared for any and every attack. Yes, cyber pros should keep an eye on the rising state actor threat. But perhaps they should be even more careful about their own users’ behavior.

Verizon’s DBIR states that the internal variety of end-user breaches shows up more often than the external variety of state-sponsored attacks. Plus, breaches caused by an organization’s own employees are typically due to internal malicious activity or human error. This finding “suggests where we should be paying more attention on our day-to-day security management,” according to Verizon.

The DBIR authors expected increased activity in state-sponsored attacks due to the ongoing conflict in Ukraine. But they didn’t see much of an increase. They acknowledge the anecdotal evidence of increased ideological or hacktivism-related attacks related to the geopolitical situation. But as per Verizon, it really isn’t making a dent in larger statistical terms.

The hard data tells the story behind most attacks, as per the DBIR:

  • 74% of all breaches involved either human error, privilege misuse, use of stolen credentials or social engineering.
  • 83% of breaches involved external actors, and the primary motivation for attacks was overwhelmingly financial (95% of breaches).

Meanwhile, for educational services, finance and healthcare, 30% of incidents involved internal threat actors.

Why internal threats matter

While external threats are more common, internal threats do significantly more damage per incident. For example, according to one report on insider breaches, the number of records compromised by external threats is approximately 200 million. But in cases involving an insider actor, the number of exposed records balloons to over 1 billion.

Defending against insider breaches

Here are some useful tools that can protect against insider threats.

Data Loss Prevention (DLP): This tool prevents sensitive information from being leaked or lost, whether by accident or intentionally. DLP can monitor and control the movement of sensitive data across networks and endpoints. It’s actually a toolkit that includes encryption, access controls and content analysis. DLP identifies, classifies and protects sensitive data.

Privileged Access Management (PAM): With PAM solutions, privileged accounts can be managed and secured. PAM works well for accounts used by system administrators, database administrators and other users with elevated access rights. The purpose of PAM is to prevent unauthorized access and ensure that privileged users can only perform actions necessary for their job function. Features like password management, privileged session management and two-factor authentication are common in PAM.

User and Entity Behavior Analytics (UEBA): This tool leverages big data and machine learning algorithms to analyze patterns of behavior in users and entities within an organization. One of the advantages of UEBA is the ability to analyze large amounts of data, including logs, network traffic and other security-related information. From that data it establishes a baseline of normal behavior for each user or entity and compares new activity against it. Machine learning algorithms then identify deviations from the baseline, which trigger alerts sent to security analysts.
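To make the baseline-and-deviation idea behind UEBA concrete, here is an added illustration that is not part of the original article and not the code of any UEBA product. It builds a per-user baseline (typical transfer volume and working hours) from a constructed history of activity records, then scores new records with a z-score on volume and an off-hours check, raising an alert with the reasons when either fires. The log format, user names and thresholds are all assumptions made for the example; commercial UEBA tools use far richer features and models, but the structure (learn normal, flag deviation, hand the analyst a reason) is the same.

```python
"""
Minimal UEBA-style detector (added example, not from the article or any vendor).
Baseline per user from historical records, then flag new records that deviate.
Log format (constructed): "ISO-timestamp,user,action,bytes"
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed historical activity: normal business-hours downloads, ~1-3 MB each.
HISTORY = [
    "2023-07-03T09:05:00,alice,download,2000000",
    "2023-07-04T10:12:00,alice,download,2500000",
    "2023-07-05T11:40:00,alice,download,1800000",
    "2023-07-06T14:02:00,alice,download,2200000",
    "2023-07-07T16:30:00,alice,download,2100000",
    "2023-07-03T08:15:00,bob,download,500000",
    "2023-07-04T09:20:00,bob,download,700000",
    "2023-07-05T13:05:00,bob,download,600000",
    "2023-07-06T15:45:00,bob,download,650000",
]

# Constructed new activity: one off-hours bulk transfer, one normal event,
# and one event from a user with no baseline at all.
NEW = [
    "2023-07-10T02:17:00,alice,download,900000000",
    "2023-07-10T09:02:00,bob,download,620000",
    "2023-07-10T10:30:00,mallory,download,400000",
]


def parse(line):
    """Split one log line into a dict with typed fields."""
    ts, user, action, nbytes = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per-user mean/stdev of transfer size and the set of hours seen active."""
    per_user = defaultdict(list)
    for rec in map(parse, lines):
        per_user[rec["user"]].append(rec)
    baseline = {}
    for user, recs in per_user.items():
        sizes = [r["bytes"] for r in recs]
        baseline[user] = {
            "mean": statistics.mean(sizes),
            # population stdev; fall back to 1.0 so a constant history
            # does not divide by zero when scoring
            "stdev": statistics.pstdev(sizes) or 1.0,
            "hours": {r["ts"].hour for r in recs},
        }
    return baseline


def score_event(rec, baseline, z_threshold=3.0):
    """Return the list of reasons an event deviates from its user's baseline."""
    b = baseline.get(rec["user"])
    if b is None:
        # No history at all is itself worth an analyst's attention.
        return ["unknown user: no baseline"]
    reasons = []
    z = (rec["bytes"] - b["mean"]) / b["stdev"]
    if z > z_threshold:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_threshold}")
    if rec["ts"].hour not in b["hours"]:
        reasons.append(f"activity at hour {rec['ts'].hour:02d} outside baseline hours")
    return reasons


def detect(new_lines, baseline):
    """Score each new record; return (user, timestamp, reasons) for those that deviate."""
    alerts = []
    for rec in map(parse, new_lines):
        reasons = score_event(rec, baseline)
        if reasons:
            alerts.append((rec["user"], rec["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, why in detect(NEW, build_baseline(HISTORY)):
        print(f"ALERT {user} @ {when}: {'; '.join(why)}")
```

Run as-is, the script alerts on alice's 2 a.m. 900 MB transfer (both volume and hours deviate) and on mallory (no baseline), while bob's ordinary morning download stays quiet. The z-threshold and the hour set are deliberately simple; the point is that the alert carries the reasons an analyst needs to triage it.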

The threat exists inside and outside

The increased complexity of cyber threats continues to challenge even the best security teams. While the activity of state-sponsored attacks is a concern, keeping one’s own house secure against insider threats might be a higher priority — for now.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:

U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
