Nation-state attackers all have a few things in common: they have effectively unlimited time and resources; little recourse if they do happen to be found out; and the added advantage that businesses aren’t solely dedicated to making themselves impenetrable, giving attackers a slight upper hand.
Companies must start accepting that doing business means dealing with nation-state actors who will penetrate their networks by depositing malware through the likes of spear-phishing and targeting specific, underused machines. After accepting that they will be a target, companies then need to change their mind-set when it comes to dealing with nation-state attacks. It is crucial that companies are able to learn what these attacks are really telling them.
Attackers and malware are generally discovered at the point when they attempt to make outside communications or when persistent behavior is recognized. At this point, for many businesses the question of attribution rears its head. And this is usually based on misconceptions of how attackers operate.
For example, there is still an element of naivety whereby it is believed that the host country of the IP addresses that are seen to be conducting the attack must be that of the attackers. The truth is that the IP addresses carrying out the attack may just be the last in a long chain of connections. It’s also likely that the country hosting the IP will not be friendly with the country of the victim machine, because then attempts to trace it further will likely fail.
In short, every attempt at attribution comes with an element of uncertainty and thus is, on the whole, futile for anyone other than a government power.
Aside from the question of ‘who is attacking me?’ the next decision made is normally a knee-jerk emotional reaction. Organizations immediately take the stance that there is someone on their systems trying to do something bad to them, and therefore they want it stopped and gone as soon as possible.
This is irrational for several reasons. Firstly, the malware has likely been present for over a year; anything it was going to do it has already done. Secondly, there’s an assumption that this was the only malware present, as opposed to simply one of many examples that the attacker had deployed as backup methods of entry to the organization.
“Detect the threat actor and contain it. Monitor it. Know it is there without the attackers having any idea they’ve been spotted”
A more fruitful approach would be to detect the threat actor and contain it. Monitor it. Know it is there without the attackers having any idea they’ve been spotted. That way, they are fooled into thinking they still have a foothold in the organization, but in reality – you have the upper hand. At the same time, if you are also watching their traffic and able to read that traffic, you know exactly what impact they are having.
Your advantage immediately disappears as soon as you broadcast that you’ve spotted them by removing their malware. They also disappear from sight, leaving you with the challenge of finding them again when they inevitably return.
By assessing the experience of prior victims of nation-state attacks, it’s clear that there needs to be a change in mind-set in how businesses use and protect IT. Instead of seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, these attacks should be viewed as part and parcel of doing business.
If this leap is made, then responding to these attacks with calm, measured actions driven by strategic thinking will be entirely possible. By accepting that the people who are intent on breaking into large and complex IT systems will achieve it if they really want to, we can design architectures and networks to ensure that the things of most value to our business are those that are most protected. This will make organizations more resilient to an attack and put them in a position to accept the minor losses.
They will then find that incursions will be of less consequence in the board room, leaving time to grow the business rather than a mounting sense of paranoia and despair.
About the Author
Mike Auty is a senior security researcher at MWR InfoSecurity. He has spent time in both industrial and academic settings where he has gained experience working with technologies as varied and diverse as VoIP, Bluetooth, RFID, sat-nav devices and firewire. His firewire research has led him into the world of volatile memory forensics, where he has become a developer on the open source Volatility project.