Cybercrime damages are predicted to go as high as $10.5 trillion in 2025 – around $333,000 per second, according to Cybersecurity Ventures. One of the reasons behind the predicted increase is the rise of hostile nation-state sponsored attacks.
Economies impacted by sanctions, those experiencing downward economic trends and those that simply want to see another state disrupted often target financial institutions to not only gain something but to inflict the greatest pain.
More than ever, it is imperative for financial institutions to proactively harden themselves against progressive cyber threats that have the backing of nation-states.
There are a few contributing risk factors that technology leaders should consider when taking preventative measures against these types of threats.
Organizations should give extra scrutiny to events and traffic originating from the geographic areas associated with known or potential hostile state actors.
Resources and Capabilities
Threat actors belonging to, or otherwise backed by, nation-states may have expanded capabilities and resources that are not typical of the average cybercriminal, which can result in more sophisticated attacks.
Intentions and Motivations
Typically, organized cybercrime groups are motivated by financial gain. That is not always the case with threat actors acting on behalf of nation-states. Their intentions may be to damage systems, cripple operations or otherwise incite chaos motivated solely by the objectives of the nation-state instead of financial gain.
Having strong cybersecurity fundamentals in place and a culture of security and compliance at every level of your organization is paramount. Here are seven ways you can prevent and respond to nation-state related cyberattacks:
1. Conduct thorough risk assessments. Identifying the risks your organization faces and understanding your level of risk is the first step in managing risks posed by nation-states. But to address nation-state sponsored threats, you need to go deeper and employ threat modeling as part of your risk assessment.
There is a plethora of threat models to choose from, but the aim is to improve security by identifying threats and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. You will of course want to validate the model and the threats as part of the exercise, to ensure you are not jumping at shadows.
When it comes to risk assessments, threat modeling can add some “science” to the equation. For example, the NIST SP 800-154 Guide to Data-centric System Threat Modeling produces a score that can indicate what is the best security control with the least impact on systems. Every control under the model is given a Negative Implication Score, which rates how a system will be impacted if a specific control were implemented. A second score is given to the effectiveness of a control. When the two numbers are multiplied together you get an indication of what provides the “best bang for your buck.”
That type of information can sway boards to fund budgets for the controls you want to put in place, so it’s good to supply actionable intelligence, rather than asking a board to trust your opinions.
Staying up to date with adversary tactics and techniques from sources such as MITRE ATT&CK and developing a list of attack vectors, which includes hostile nation-states, will round out your overall approach to risk assessments and management.
2. Minimize your attack surface. Your attack surface is the set of points that allow an unauthorized user to infiltrate your systems. You can minimize your attack surface by:
- Eliminating complexity. The more complex something is, the harder it is to maintain and the easier it will be for a vulnerability to develop.
- Segmenting networks. This allows you to minimize the attack surface through additional controls such as access control lists, firewalls and properly configured routers.
- Testing and scanning. Regular vulnerability scanning and penetration testing is a must, but don’t just address “critical” or “high” findings; aim to remediate everything and allow time for remediation testing.
- Utilizing zero-trust policies based on identity authentication instead of trusting users once they have crossed an external perimeter into your network. Changes in the devices being used, location, log-in frequency or the number of failed login attempts should trigger further verification.
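The step-up triggers listed above, as an added example that is not part of the original article: a small decision function that compares a login attempt against a user's baseline and requires re-verification on any deviation. The thresholds, field names and the sample user and attempts are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, built from prior sessions."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    typical_logins_per_day: int = 4

# Thresholds are constructed for illustration; tune them to your own telemetry.
FAILED_ATTEMPT_LIMIT = 3
FREQUENCY_MULTIPLIER = 2

def step_up_required(baseline, attempt):
    """Return (require_step_up, reasons).

    Each departure from the user's baseline is a signal on its own; any one
    of them is enough to demand re-verification rather than trusting the
    session because it is already inside the perimeter.
    """
    reasons = []
    if attempt["device_id"] not in baseline.known_devices:
        reasons.append("new device")
    if attempt["country"] not in baseline.known_countries:
        reasons.append("new location")
    if attempt["logins_today"] > FREQUENCY_MULTIPLIER * baseline.typical_logins_per_day:
        reasons.append("unusual login frequency")
    if attempt["failed_attempts"] >= FAILED_ATTEMPT_LIMIT:
        reasons.append("repeated failed logins")
    return (bool(reasons), reasons)

# Constructed baseline and login attempts (country codes are placeholders).
ALICE = UserBaseline(known_devices={"laptop-a1"}, known_countries={"US"},
                     typical_logins_per_day=4)
ROUTINE = {"device_id": "laptop-a1", "country": "US",
           "logins_today": 3, "failed_attempts": 0}
SUSPECT = {"device_id": "phone-z9", "country": "XX",
           "logins_today": 11, "failed_attempts": 4}

if __name__ == "__main__":
    for label, attempt in (("routine", ROUTINE), ("suspect", SUSPECT)):
        required, why = step_up_required(ALICE, attempt)
        print(label, "step-up" if required else "allow", why)
```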
Training staff properly is also essential. The better trained they are, the better one of your key lines of defense will be. NIST has developed what they call the Phish Scale to not only help with training, but score and measure the results of that training.
3. Maintain compliance. You may groan at the word compliance, but a lack of vigilance around compliance with a standard often leads to a breach. Even if you're not required to comply with a standard, it's useful to pick one as a baseline for your organization to help regulate controls.
4. Engage in rapid detection and response. Because of the increased resources and capabilities of nation-state threats, given enough time, an attack will eventually succeed. Accepting the elevated likelihood of a successful intrusion from nation-state sponsored threats means detecting potential intrusions quickly is as important as preventing intrusions. The speed at which you respond will determine the overall impact to your organization.
The challenge starts with detection. No single technology or solution will cover all your bases, so you may have multiple streams of detection/alert information ready to be evaluated. Alerts could be received from systems such as IDS/IPS, FIM, WAF, AV, firewalls and a host of other acronyms representing security systems.
Rapid detection is not something that results from these products alone – it includes the moment someone sees an alert and acts on it. To that end, tools like SIEM help triage alerts based on use cases that help ensure what may lead to the worst-case scenario is front and center for action.
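A minimal version of the SIEM triage step described above, as an added example that is not part of the original article: alerts from several tools are normalized into one record, mapped to a use case, scored (with a boost for business-critical assets and for the geographic regions the organization has chosen to scrutinize, as suggested earlier), and ordered so the likely worst case comes first. The log formats, use-case table, asset list, region codes and sample alert lines are all constructed.

```python
import re
from dataclasses import dataclass

# Regions the organization has chosen to scrutinize more closely; placeholder
# codes, not real attributions. Critical assets are likewise made up.
HIGH_SCRUTINY_REGIONS = {"XX", "YY"}
CRITICAL_ASSETS = {"pay-db01", "online-banking"}

# Each tool prefix maps to a SIEM use case with a base severity. Integrity
# changes and web attacks rank above commodity malware that AV already handled.
SOURCE_TO_USE_CASE = {
    "IDS": ("network_intrusion", 40),
    "FIM": ("file_integrity_change", 60),
    "WAF": ("web_attack", 50),
    "AV": ("malware_detected", 30),
}

# Constructed alert lines in made-up key=value formats for four tools.
SAMPLE_ALERTS = [
    "IDS src=203.0.113.5 geo=XX sig=exploit_attempt host=web01",
    "FIM host=pay-db01 path=/etc/passwd action=modified user=svc_batch",
    "WAF src=198.51.100.9 geo=ZZ rule=sqli host=online-banking",
    "AV host=hr-laptop07 threat=generic.trojan action=quarantined",
]

@dataclass
class Alert:
    source: str
    host: str
    use_case: str
    geo: str
    score: int

def parse_alert(line):
    """Normalize one tool-specific line into an Alert with a triage score."""
    source, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    use_case, score = SOURCE_TO_USE_CASE[source]
    host = fields.get("host", "unknown")
    geo = fields.get("geo", "")
    if host in CRITICAL_ASSETS:       # impact: business-critical system
        score += 25
    if geo in HIGH_SCRUTINY_REGIONS:  # extra scrutiny for flagged regions
        score += 20
    return Alert(source, host, use_case, geo, score)

def triage(lines):
    """Return alerts ordered so the likely worst case is front and center."""
    return sorted((parse_alert(l) for l in lines), key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"{alert.score:3d} {alert.source:4s} {alert.use_case:22s} {alert.host}")
```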
5. Have a solid vulnerability management program. According to a recent Check Point Cyber Security Report, approximately 80% of attacks observed throughout 2020 utilized vulnerabilities reported and registered in 2017 or earlier. It concluded: “On average, it takes a vulnerability three years to reach its prime rate exploit.” The same report pointed out: “In 2020, the average time taken to identify and contain a cyber breach was 280 days.”
A traditional view of vulnerability management programs is a cycle of identifying, evaluating, treating and reporting on vulnerabilities, and there is a plethora of methodologies to choose from. However, earlier communication, prioritized remediation and continuous improvement all need to be part of that cycle.
A vulnerability management program should provide insights into areas that need improvement to shore up overall security posture.
6. Build resilience and contingency for a cyber incident. If an attack is successful, it is crucial that the organization has a resiliency plan in place, and that it is well documented and accessible so those assigned responsibilities can execute the plan effectively. Typically, such plans take the form of business continuity plans or disaster recovery plans based on a business impact analysis.
Organizations cannot afford to have the continuity of their business and the recovery of business-as-usual operations bottlenecked by a lack of resources.
Anticipate the types of cyber incidents you may experience and plan the steps you would take to contain them. Aim to ensure your business-critical systems and processes can continue despite a cyber intrusion. Make sure to establish proper backups of critical systems and data, and that those backups are isolated from network connections.
Remember, the worst time to test your backups is when you are depending on them. Consider redundant connectivity and other backup and resiliency solutions, and conduct continuity tests to verify critical systems will continue to function.
7. Be ready to engage external help. Once an intrusion has been detected, tracing steps, responding, and talking to clients and the media can be overwhelming. Be prepared to augment staff where needed. That could mean engaging a managed services provider (MSP) with the ability to ramp up to your needs at critical times. Your contract with an MSP would already cover staffing issues, such as security clearances and background checks, so there is a level of engagement that could begin rapidly. While some MSPs may not be a good fit for sensitive data or workloads, handing off time-consuming tasks like help desk and support could free up valuable time for other members of your existing security team.
You could also have retainers in place with forensic investigators or specifically skilled staff to help respond to incidents.
Take Action Today
In January, the BBC reported that North Korean hackers stole almost $400 million worth of digital assets in at least seven attacks on cryptocurrency platforms in 2021.
When a nation is struggling for funds, or is under sanctions, these stories shouldn't be unexpected in a world dominated by the digital exchange of funds. It should be even less surprising that a financial institution would be a key target for nation-state sponsored attacks.
This is why it’s never been more important to ensure your security posture gets the attention it needs.
Brian J. Odian is Director – Consulting Advisory Services at the Chicago-based cybersecurity firm VikingCloud.