More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today?

While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the financial and healthcare sectors, over a third of breaches are the result of insider threats.

External vs. internal threats

Microsoft delivers an alert in the form of a nation-state notification (NSN) when an organization or account holder is targeted or compromised by observed nation-state activities. As per the Microsoft report, the total number of NSNs has risen, as well as the percentage targeting critical infrastructure.

The report also points out that nation-state actors are targeting software and IT services supply chains. Apparently, nation-based threat groups tend to target IT, think tanks, NGOs, education and government entities. Meanwhile, state-sponsored attacks target finance and healthcare sectors far less often.

Despite the rising nation-state threat, the actual number of breaches attributed to these actors remains limited. In Verizon’s 2023 Data Breach Investigations Report (DBIR), researchers found that actual breaches are still largely traced back to organized crime groups in more than 70% of cases. Meanwhile, end-user (internal) threats lead to breaches more often than state-based attacks.

Rising nation-state threat

As per the Microsoft report, the countries of origin for the most commonly observed state actors targeting customers over the past year were Russia, China, Iran and North Korea. And nation-state targeting of IT service providers can be an attempt by actors to exploit other organizations by taking advantage of trust and access granted to supply chain providers.

According to Microsoft, nation-state cyber threat groups target IT services providers to gain illicit access to downstream clients in government, policy and critical infrastructure sectors. The report notes that IT service providers are attractive intermediary targets as they serve hundreds of direct and thousands of indirect clients of interest to foreign intelligence services.

Meanwhile, zero-day vulnerabilities are a particularly effective means for initial exploitation. Once publicly exposed, other nation-states and criminal actors can rapidly reuse these vulnerabilities. Alarmingly, Microsoft has observed a reduction in the time between the announcement of a vulnerability and its commoditization. As per the report, it takes only 14 days on average for an exploit to be available in the wild after a vulnerability has been publicly disclosed. This makes it essential that security teams patch exploits immediately.

What about insider threats?

It’s impossible to deny the growing danger posed by state actors. However, security teams must also decide where to focus limited resources. It’s impossible to be 100% prepared for any and every attack. Yes, cyber pros should keep an eye on the rising state actor threat. But perhaps they should be even more careful about their own users’ behavior.

Verizon’s DBIR states that the internal variety of end-user breaches show up more often than the external variety of state-sponsored attacks. Plus, organization employee breaches are typically due to internal malicious activity or human error. This finding “suggests where we should be paying more attention on our day-to-day security management,” according to Verizon.

The DBIR authors expected increased activity in state-sponsored attacks due to the ongoing conflict in Ukraine. But they didn’t see much of an increase. They acknowledge the anecdotal evidence of increased ideological or hacktivism-related attacks related to the geopolitical situation. But as per Verizon, it really isn’t making a dent in larger statistical terms.

The hard data tells the story behind most attacks, as per the DBIR:

• 74% of all breaches involved either human error, privilege misuse, use of stolen credentials or social engineering
• 83% of breaches involved external actors, and the primary motivation for attacks was overwhelmingly financially driven (95% of breaches).

Meanwhile, for educational services, finance and healthcare, 30% of incidents involved internal threat actors.

Why internal threats matter

While external threats are more common, internal threats do significantly more damage per incident. For example, according to one report on insider breaches, the number of records compromised by external threats is approximately 200 million. But in cases involving an insider actor, the number of exposed records balloons to over 1 billion.

Defending against insider breaches

Here are some useful tools that can protect against insider threats.

Data Loss Prevention (DLP): This tool prevents sensitive information from being leaked or lost, whether by accident or intentionally. DLP can monitor and control the movement of sensitive data across networks and endpoints. It’s actually a tool kit that includes encryption, access controls and content analysis. DLP identifies, classifies and protects sensitive data.

Privileged Access Management (PAM): With PAM solutions, privileged accounts can be managed and secured. PAM works well for accounts used by system administrators, database administrators and other users with elevated access rights. The purpose of PAM is to prevent unauthorized access and ensure that privileged users can only perform actions necessary for their job function. Features like password management, privileged session management and two-factor authentication are common in PAM.

User and Entity Behavior Analytics (UEBA): This tool leverages big data and machine learning algorithms to analyze patterns of behavior in users and entities within an organization. One of the advantages of UEBA is the ability to analyze large amounts of data, including logs, network traffic and other security-related information. This establishes normal patterns of user behavior and compares them against anomalies. From there, machine learning algorithms identify deviations from normal patterns which trigger alerts sent to security analysts.

The threat exists inside and outside

The increased complexity of cyber threats continues to challenge even the best security teams. While the activity of state-sponsored attacks is a concern, keeping one’s own house secure against insider threats might be a higher priority — for now.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:

U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.