Technology
Active Defence: Beating Nation-State actors at their own game
Global Banking & Finance Review®
Company
By Timothy Nursall, active defence advocate at Illusive
According to a recent study conducted by HP and researchers at the University of Surrey, the years between 2017 and 2020 saw a 100% increase in ‘significant’ nation-state incidents. According to experts, this trend was somewhat accelerated by the pandemic, which forced businesses to shift to remote working and left many unprepared to secure such an expanded attack surface. With malicious threat actors constantly developing new ways to bypass security defences and becoming increasingly creative in their approach, security vendors are being left in the dust, struggling to cope. The exponential rise in nation-state attacks, however, is shining a light on the reality of the current approach to cyber-security and is driving a shift toward a more active defence against threat actors.
Albert Einstein once described insanity as “doing the same thing over and over again and expecting different results.” Why then, is this wisdom not being applied to our approach to security, if it is failing to deliver the right results?
Solely looking at the SolarWinds espionage hack as an example, we know for a fact that cyber adversaries do not have any regard for anyone but themselves. This is especially true in relation to nation-state attackers. The SolarWinds hack extended beyond just the infiltration of SolarWinds and, as a matter of fact, as many as 30% of the private-sector and government institutions that were breached reported having no links to SolarWinds. By exploiting software vulnerabilities, weak spots within the cloud-based software, and guessing passwords, attackers were able to gain access. This has resulted in an attack the extent of which remains unclear to this day. Adversaries likely obtained a foothold in several organisations stealthily and waited in silence for the right moment to strike.
The key here is to identify what it would be more cost-effective for organisations to focus on: defending endpoints from multiple entry vectors, scattered across increasingly long supply chains, or making it harder for attackers to move through the network and reaching sensitive assets. Once inside the network, the type of attack that these groups carry out tends to remain consistent and in almost all instances requires moving laterally through the network.
In fact, the many recent large-scale cyber-incidents have demonstrated that endpoint detection and response (EDR), as a defence tactic, is no longer sufficient to stop nation-state actors from carrying out harmful attacks. The attention is now shifting to the security vendors, and all signs point to switching from a defensive tactic to an active one. In other words, the asymmetrical paradigm must be flipped to push the cost and burden onto the attackers. To achieve this, companies must always assume than an attacker has already breached their security defences and is roaming through their systems. Thus, time, resources and money can be focused more toward protecting critical assets as opposed to on attempting to keep attackers out.
A recent proof-of-concept exercise conducted with white-hat hacker Alissa Knight, stopping lateral movement is the most effective way forward when it comes to stopping attackers in their tracks. Without the ability to freely roam in the network, Alissa was stopped on her tracks, unable to gain access to anything valuable.
Best Practices:
It is clear that the sophistication of attackers is constantly evolving, which is why it is best to actively protect against attackers. By focusing on preventing lateral movement within a network, as opposed to wasting time on trying to protect borders that will inevitably get breached, companies can finally take a stand and beat nation-state actors at their own game.
By Timothy Nursall, active defence advocate at Illusive
According to a recent study conducted by HP and researchers at the University of Surrey, the years between 2017 and 2020 saw a 100% increase in ‘significant’ nation-state incidents. According to experts, this trend was somewhat accelerated by the pandemic, which forced businesses to shift to remote working and left many unprepared to secure such an expanded attack surface. With malicious threat actors constantly developing new ways to bypass security defences and becoming increasingly creative in their approach, security vendors are being left in the dust, struggling to cope. The exponential rise in nation-state attacks, however, is shining a light on the reality of the current approach to cyber-security and is driving a shift toward a more active defence against threat actors.
Albert Einstein once described insanity as “doing the same thing over and over again and expecting different results.” Why then, is this wisdom not being applied to our approach to security, if it is failing to deliver the right results?
Solely looking at the SolarWinds espionage hack as an example, we know for a fact that cyber adversaries do not have any regard for anyone but themselves. This is especially true in relation to nation-state attackers. The SolarWinds hack extended beyond just the infiltration of SolarWinds and, as a matter of fact, as many as 30% of the private-sector and government institutions that were breached reported having no links to SolarWinds. By exploiting software vulnerabilities, weak spots within the cloud-based software, and guessing passwords, attackers were able to gain access. This has resulted in an attack the extent of which remains unclear to this day. Adversaries likely obtained a foothold in several organisations stealthily and waited in silence for the right moment to strike.
The key here is to identify what it would be more cost-effective for organisations to focus on: defending endpoints from multiple entry vectors, scattered across increasingly long supply chains, or making it harder for attackers to move through the network and reaching sensitive assets. Once inside the network, the type of attack that these groups carry out tends to remain consistent and in almost all instances requires moving laterally through the network.
In fact, the many recent large-scale cyber-incidents have demonstrated that endpoint detection and response (EDR), as a defence tactic, is no longer sufficient to stop nation-state actors from carrying out harmful attacks. The attention is now shifting to the security vendors, and all signs point to switching from a defensive tactic to an active one. In other words, the asymmetrical paradigm must be flipped to push the cost and burden onto the attackers. To achieve this, companies must always assume than an attacker has already breached their security defences and is roaming through their systems. Thus, time, resources and money can be focused more toward protecting critical assets as opposed to on attempting to keep attackers out.
A recent proof-of-concept exercise conducted with white-hat hacker Alissa Knight, stopping lateral movement is the most effective way forward when it comes to stopping attackers in their tracks. Without the ability to freely roam in the network, Alissa was stopped on her tracks, unable to gain access to anything valuable.
Best Practices:
It is clear that the sophistication of attackers is constantly evolving, which is why it is best to actively protect against attackers. By focusing on preventing lateral movement within a network, as opposed to wasting time on trying to protect borders that will inevitably get breached, companies can finally take a stand and beat nation-state actors at their own game.
Explore more articles in the Technology category
