Nation-state adversaries are shifting strategy, moving away from destructive attacks on data and toward stealth and espionage. As the Microsoft 2023 Digital Defense Report puts it, “nation-state attackers are boosting their investments and executing more advanced cyber assaults to avoid detection and meet strategic objectives.”
These actors pose a significant threat to the infrastructure and sensitive data of the United States, and the safety of citizens is at stake if either is compromised.
There is one upside to this malicious activity: knowledge. By studying how nation-states operate, government agencies and private companies are better able to monitor for, handle and limit the impact of these attacks.
Familiarize yourself with your adversaries: Nation-states in motion
The Cybersecurity & Infrastructure Security Agency (CISA) identifies four principal nation-state actors: the governments of China, Russia, North Korea and Iran. Each uses a different mix of techniques to breach security and infiltrate target networks.
According to Jermaine Roebuck, CISA’s associate director for threat hunting: “These methods involve phishing, utilization of pilfered credentials, and exploiting unpatched vulnerabilities and/or security misconfigurations. They extensively study network structures and vulnerabilities before intruding. Armed with this knowledge, these state-sponsored agents exploit weaknesses in exterior-facing devices and leverage system misconfigurations to gain initial entry. They frequently utilize readily available exploit codes for known vulnerabilities but also demonstrate proficiency in identifying and leveraging zero-day vulnerabilities. Advanced actors, once inside target networks, employ living-off-the-land (LOTL) tactics to avoid detection.”
Understanding the techniques and strategies threat actors use lets organizations allocate their security resources where they matter most. Roebuck elaborates, “Awareness of these methods enables defenders to apply specific security principles and technology categories to mitigate hostile actors and concentrate on well-defined data attributes and values in order to detect their strategies.”
Put simply: the more enterprises and agencies learn about nation-state attack techniques, the better they can defend against them.
Back to fundamentals: The other side of the security equation
While the activity of each nation-state yields valuable intelligence for U.S. cybersecurity, there is a second, equally important element of a stronger defense: revisiting the basics.
The two are not in competition. While government agencies work to identify and dismantle disinformation campaigns, organizations must at the same time ensure that their systems use phishing-resistant multi-factor authentication (MFA) to reduce their exposure to credential compromise.
According to Roebuck, additional recommendations from CISA include:
- Implementing robust authentication: Multi-factor authentication adds a layer of protection beyond the password. Roebuck affirms, “MFA heightens security by diminishing the risks associated with compromised credentials, minimizing the impact of phishing assaults, safeguarding sensitive data, ensuring compliance, and adapting to evolving security threats.”
- Regularly updating and patching systems: Nation-state tradecraft evolves continuously, and a static security posture leaves organizations exposed; as Roebuck notes above, these actors routinely use public exploit code for known vulnerabilities. Routine updating and patching closes those known holes, improves system resilience and supports compliance requirements.
- Educating employees: Roebuck underscores that employee education is a pivotal facet of robust cybersecurity.
“Organizations should conduct routine training sessions on detecting phishing attempts and adhering to good cyber practices,” he stresses. “According to credible Open-Source Intelligence (OSINT) sources, 75% of breaches were ‘malware-less.’ This indicates that threat actors ‘entered through the front door’ with valid accounts obtained through phishing and social engineering. Users need to be adequately trained in recognizing social engineering methods and phishing emails.”
- Utilizing antivirus and anti-malware solutions: Roebuck describes antivirus and anti-malware tools as vigilant guardians against evolving threats. Their benefits include early threat identification, reduced malware spread and real-time protection for critical data.
- Strengthening credentials: Credentials are a favored target for nation-state intruders. With legitimate user credentials, an attacker can often move through enterprise systems without tripping defenses.
To reduce credential risk, Roebuck advocates strong, unique passwords for every account and removing default credentials. “Strong, unique passwords enhance security by making unauthorized access significantly harder, reduce harm by impeding threat actors’ ease of access to other accounts, diminish common attacks against default or feeble passwords, safeguard sensitive data, and elevate overall security.”
- Monitoring and logging activities: Enterprises must monitor and log network activity. Roebuck advises establishing centralized log management and regularly reviewing those logs for suspicious behavior. Centralization makes suspicious activity easier to spot, speeds response and supports forensic analysis of an attack’s source and scope; it also keeps a copy of the evidence beyond the reach of an intruder who clears local logs to cover their tracks.
- Securing remote access: Remote access is now standard as businesses demand agile operations, but those access points are prime targets for nation-state attackers. Secure configurations for remote services and restricting access to trusted IP addresses reduce the risk. Roebuck emphasizes, “The adoption of secure configurations and IP constraints for remote services is crucial for reducing attack surface, thwarting unauthorized access, lowering exposure to threats, bolstering monitoring, and adhering to security standards.”
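As an added illustration of the last two recommendations (centralized log review and restricting remote access to trusted addresses), and of the advice to discard default accounts, the Python below scans sshd lines of the kind a central collector would receive and flags three things: a successful login from an address outside the allowlist, a success that follows a burst of failures from the same source (the “front door” entry with valid credentials Roebuck describes), and any remote login as a vendor-default or shared account. This is example code written for this article, not CISA’s tooling; the log lines, the trusted networks, the default-account list and the thresholds are all constructed for the example.

```python
"""Flag suspicious remote logins in centrally collected sshd logs.

Example written for this article (not CISA's or Roebuck's code). The log
lines, allowlist, account list and thresholds below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd lines as they arrive at a central
# collector. External addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn01 sshd[2101]: Accepted publickey for alice from 10.20.0.15 port 51022 ssh2
2024-05-01T08:01:10Z vpn01 sshd[2130]: Failed password for admin from 203.0.113.77 port 40001 ssh2
2024-05-01T08:01:45Z vpn01 sshd[2131]: Failed password for admin from 203.0.113.77 port 40002 ssh2
2024-05-01T08:02:20Z vpn01 sshd[2132]: Failed password for root from 203.0.113.77 port 40003 ssh2
2024-05-01T08:04:00Z vpn01 sshd[2140]: Accepted password for admin from 203.0.113.77 port 40004 ssh2
2024-05-01T08:30:00Z vpn01 sshd[2200]: Accepted publickey for bob from 198.51.100.9 port 50100 ssh2
2024-05-01T09:00:00Z vpn01 sshd[2300]: Failed password for carol from 10.20.0.22 port 52000 ssh2
2024-05-01T09:01:00Z vpn01 sshd[2301]: Accepted password for carol from 10.20.0.22 port 52001 ssh2
"""

# Assumed allowlist: the corporate LAN and the VPN egress range from which
# remote logins are expected. Constructed for the example.
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Assumed vendor-default and shared account names that should never be used
# for remote logins; the guidance is to disable or rename them.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd(?:\[\d+\])?: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ip: str
    at: datetime


def is_trusted(ip: str, nets) -> bool:
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(log_text: str, trusted_nets, fail_threshold: int = 3,
            window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Apply the three detection rules to every successful login."""
    failures: dict[str, list[datetime]] = {}  # source ip -> failure times
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages; a real pipeline would count them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures.setdefault(ip, []).append(ts)
            continue
        # Rule 1: success from an address outside the allowlist.
        if not is_trusted(ip, trusted_nets):
            alerts.append(Alert("login_outside_allowlist", user, ip, ts))
        # Rule 2: success preceded by a burst of failures from the same
        # source, keyed by IP so spraying across usernames is still caught.
        recent = [t for t in failures.get(ip, [])
                  if timedelta(0) <= ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(Alert("success_after_failures", user, ip, ts))
        # Rule 3: remote login as a default or shared account.
        if user.lower() in DEFAULT_ACCOUNTS:
            alerts.append(Alert("default_account_login", user, ip, ts))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{a.at:%H:%M:%S} {a.rule:<24} user={a.user} src={a.ip}")
```

On the sample, alice and carol produce nothing (trusted source, failures below threshold), bob trips the allowlist rule, and the admin login from 203.0.113.77 trips all three rules at once. Keyed on source address, the failure window also catches password spraying that rotates usernames; in production the allowlist would come from the VPN and firewall configuration rather than a literal, and the alerts would feed a SIEM rather than stdout.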
A collaborative endeavor: Navigating the emerging landscape of nation-state attacks
Because nation-state campaigns target many organizations at once, no single enterprise or government agency defends in isolation. It is the combined effort of organizations that raises the level of security for all.
CISA is playing its part. Roebuck points to the agency’s joint advisory on the People’s Republic of China (PRC), which lays out recommended steps for detecting, mitigating and remediating emerging threats. “We acknowledge that sophisticated nation-state threat actors consistently innovate their TTPs,” he remarks. “Hence, CISA maintains robust collaborations with governmental bodies, commercial entities, and critical infrastructure partners to supply actionable intelligence to counter evolving malicious cyber activity, such as that from the PRC.”
CISA has also recently issued the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, a roadmap for better cybersecurity coordination that both public and private sector entities can use to strengthen their defenses against nation-state threats.
In the end, Roebuck’s advice is straightforward: “To counter the escalating prevalence of malicious actors, deploy and uphold an efficient solution to detect intrusions and expel aggressors at the earliest opportunity.”