You’ve been hacked. It was by a nation-state.
The latest example of this type of cyber attack involved U.S. federal agencies and high-profile companies that were breached via a compromised and weaponized version of a software update from a connected third party. Publicly reported information indicates that a vendor was infiltrated by a sophisticated nation-state cyber attack, which allowed for malware to be embedded and hidden in software updates that were legitimate, creating an entry point to any machine that installed the updates.
The case of software company SolarWinds is especially devastating and concerning. The malicious actors in this case compromised SolarWinds’ infrastructure via a method that puts the broader online environment at risk. As FireEye discovered and SolarWinds reports, the attackers incorporated their malware into an upgrade of the company’s Orion product that may have been installed by more than 18,000 customers, including government agencies.
Cyberwarfare, and cyber offensive capabilities in general, are reshaping the way we think about IT security and geopolitical power, enabling a different kind of economic and social impact that we have not seen before.
To be concise and clear, nation-state attacks are extremely powerful and sophisticated cyberthreats from adversaries working directly or indirectly for their own government. Of course, this kind of serious cyber attack is unlikely to be motiveless; nations may strategize cyberattacks with the intention to damage or destroy another nation’s critical IT infrastructure. The nation’s economy, state infrastructure, trade, business, communication, transportation, and so on are primarily based on IT and IT-enabled services, so attacking these services can disrupt the entire country and weaken its power. Finally, this is achieved using advanced cybercriminal tools, tactics, and procedures (TTPs), which evolve so quickly that cyber defense, legislation, and law enforcement remain behind the attacker’s curve.
Here we must address the following concepts to clarify the concerns about nation-state attacks:
Cyberwarfare is a series of related, prolonged cyber campaigns. It uses methodologies of attack and defense that live in cyberspace. With the help of technical instruments, a nation attacks its opponent’s critical IT systems.
A cyber campaign is not harmful or meant to disrupt another nation’s technical infrastructure. It is a mere propaganda or promotional act intended to influence the perception of the targeted country’s citizens about the policies or actions of the nation conducting it.
Cyberterrorism stands for initiating a cyberattack to shut down prominent national infrastructure, such as transportation, energy, government websites, and so on. It involves using computer network tools to intimidate a civilian population. Cyberwarfare and cyberterrorism are similar in that both aim at disrupting infrastructure linked within the confines of cyberspace.
Why this matters to you
But how can we defend against such highly advanced attacks? Is it possible with the current security postures and programs we develop with our organizations and vendors?
To summarize and keep this in the "context of cybersecurity", a nation-state attack is still catalogued by many as a threat (this is true in fact, but...), which at the same time is an event with the potential to adversely impact an organization. Is this what our security operations are defending against? Perhaps, but consider also including the term threat-actor when defining this kind of threat. A threat-actor is the person or group of people behind an attack. A solid defensive strategy must defend against the intelligent threat-actor bent on causing damage to an organization, not just against a potential event. People are behind cyber-attacks. When the defense considers the tactics, techniques, and procedures (TTPs) of intelligent threat-actors, it begins to truly understand the real threat, whether or not it is a nation-state attack.
Defenders can then implement security defenses that directly impact a threat-actor’s ability to perform negative actions. Shifting security operations away from the mindset of "vulnerable" or "not vulnerable" and adopting an approach that focuses on threat actions will significantly improve an organization’s ability not only to prevent but also to detect and respond to real complex threats. This is the beginning of understanding security through the eyes of a nation-state attack. Organizations that use threat actions to drive their defensive TTPs can make life very difficult for threat-actors and even protect themselves against nation-state attacks or zero days.
But SolarWinds was compromised via an exploit in their Orion system; isn’t the identification and mitigation of vulnerabilities good enough? Isn’t a good SDLC, for example, enough in the end?
In order to have an answer, you must understand how a threat-actor thinks and acts. Remember, a threat is really an intelligent person bent on causing harm. It is not an exploit of a vulnerability, a piece of malware, or a phishing attack. These are mere means a threat-actor may choose to use to achieve their end goal. The threat-actor knows the target has a comprehensive security program. A suite of security tools (firewalls, intrusion detection systems, anti-virus, EDR, etc.) is deployed with the intent of stopping cyber-attacks. A good threat-actor knows this and will most likely assume that patches are deployed and that vulnerability assessments, penetration tests, and even adversarial engagements are performed. This understanding can significantly change the actions taken by a threat-actor compared to the actions taken by a traditional security tester. Does the threat-actor fire up a port scanner and enumerate an entire network? Does a threat-actor fire up a vulnerability scanning tool to find and exploit?
Attacks by threat-actors do not follow the models adopted by traditional security testing. An attack is not (as many vendors tend to believe) scan -> exploit -> profit. An intelligent threat-actor evaluates what a target presents and uses weaknesses that are not always discovered through day-to-day security tests. The threat-actor will take a number of controlled steps to gain access to a target, establish command and control, establish persistence, and ultimately achieve their desired goal. The people charged with defending an organization often ignore or misunderstand the steps taken by a threat-actor. This often leads to focusing on prevention, not detection. Defenders who do focus on detection may drown themselves in un-actionable default or vendor-generated logs and alerts. Have you ever heard from the defending team "We have too many logs and alerts to respond to!"? Why do organizations log what they log? Compliance? In case the logs are needed? Because the vendor advised it? Organizations are still missing a key piece of all threats: understanding their actions and TTPs.
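The two passages above argue for driving detection by threat actions (gaining access, establishing command and control, establishing persistence) rather than by "vulnerable / not vulnerable" status or by whatever a vendor logs by default. The script below is an added example written for this article, not code from the original post, SolarWinds, or FireEye. It reads a handful of constructed endpoint events (the hostnames, IP addresses, timestamps and commands are all made up for the example) and labels each finding with the threat action it evidences: a command that registers something to run again later is classified as persistence, and a series of outbound connections from one host to one destination at suspiciously regular intervals is classified as command-and-control beaconing. The event format, field names and thresholds are assumptions for the example, not a real agent's schema.

```python
"""
Added example: a small threat-action-driven detector over constructed
endpoint events. Every hostname, IP, path and command below is made up;
the JSON-per-line event format is an assumption for the example.
"""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). ws01 registers a scheduled
# task and then calls out to one address every ~10 minutes; ws02 registers a
# service but its outbound connections are irregular (ordinary browsing).
SAMPLE_LOG = r"""
{"ts":"2021-01-05T10:00:00","host":"ws01","type":"process","cmd":"schtasks /create /sc minute /mo 10 /tn Updater /tr C:\\Users\\Public\\u.exe"}
{"ts":"2021-01-05T10:00:05","host":"ws01","type":"process","cmd":"notepad.exe report.txt"}
{"ts":"2021-01-05T10:10:00","host":"ws01","type":"net","dst":"203.0.113.7:443"}
{"ts":"2021-01-05T10:20:01","host":"ws01","type":"net","dst":"203.0.113.7:443"}
{"ts":"2021-01-05T10:30:00","host":"ws01","type":"net","dst":"203.0.113.7:443"}
{"ts":"2021-01-05T10:39:59","host":"ws01","type":"net","dst":"203.0.113.7:443"}
{"ts":"2021-01-05T10:01:00","host":"ws02","type":"net","dst":"198.51.100.4:443"}
{"ts":"2021-01-05T10:07:30","host":"ws02","type":"net","dst":"198.51.100.4:443"}
{"ts":"2021-01-05T11:40:00","host":"ws02","type":"net","dst":"198.51.100.4:443"}
{"ts":"2021-01-05T11:41:10","host":"ws02","type":"net","dst":"198.51.100.4:443"}
{"ts":"2021-01-05T10:05:00","host":"ws02","type":"process","cmd":"sc create svcupd binPath= C:\\Temp\\s.exe start= auto"}
"""

# Persistence: commands that register something to run again later.
# Two patterns are enough for the example; a real rule set would be larger.
PERSISTENCE_PATTERNS = [
    re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.IGNORECASE),
    re.compile(r"\bsc(\.exe)?\s+create\b", re.IGNORECASE),
]

# Beaconing thresholds (assumed values for the example).
MIN_BEACON_CONNECTIONS = 4
MAX_INTERVAL_CV = 0.10  # stdev/mean of the gaps; regular beacons sit near 0


def parse_events(log_text):
    """Parse JSON-per-line events and convert timestamps to datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_persistence(events):
    """Flag process events whose command line registers a persistent task/service."""
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if any(pat.search(ev["cmd"]) for pat in PERSISTENCE_PATTERNS):
            findings.append({"host": ev["host"],
                             "threat_action": "persistence",
                             "evidence": ev["cmd"]})
    return findings


def find_beacons(events):
    """Flag (host, destination) pairs contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == "net":
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    findings = []
    for (host, dst), times in by_pair.items():
        if len(times) < MIN_BEACON_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= MAX_INTERVAL_CV:
            findings.append({"host": host,
                             "threat_action": "command_and_control",
                             "evidence": f"{len(times)} connections to {dst} "
                                         f"every ~{mean:.0f}s (cv={cv:.3f})"})
    return findings


def detect(log_text):
    """Run both threat-action detectors and return the combined findings."""
    events = parse_events(log_text)
    return find_persistence(events) + find_beacons(events)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['host']}: {f['threat_action']} <- {f['evidence']}")
```

Running it yields three findings: persistence on ws01 and ws02, and command and control on ws01 only, because ws02's connections are irregular even though they go to the same address. Nothing here depends on whether a CVE exists for any of the software involved; the rules key on what an intruder has to do, which is the shift in mindset the article describes.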
Do not allow your assets to enter a battlefield relying on the wrong (and widely proliferated) security mindset. Give them complete protection and training against an adversary, not only against a security flaw.