By Timothy Nursall, active defence advocate at Illusive

According to a recent study conducted by HP and researchers at the University of Surrey, the years between 2017 and 2020 saw a 100% increase in ‘significant’ nation-state incidents. According to experts, this trend was somewhat accelerated by the pandemic, which forced businesses to shift to remote working and left many unprepared to secure such an expanded attack surface. With malicious threat actors constantly developing new ways to bypass security defences and becoming increasingly creative in their approach, security vendors are being left in the dust, struggling to cope. The exponential rise in nation-state attacks, however, is shining a light on the reality of the current approach to cyber-security and is driving a shift toward a more active defence against threat actors.

Albert Einstein once described insanity as “doing the same thing over and over again and expecting different results.” Why then, is this wisdom not being applied to our approach to security, if it is failing to deliver the right results?

Solely looking at the SolarWinds espionage hack as an example, we know for a fact that cyber adversaries do not have any regard for anyone but themselves. This is especially true in relation to nation-state attackers. The SolarWinds hack extended beyond just the infiltration of SolarWinds and, as a matter of fact, as many as 30% of the private-sector and government institutions that were breached reported having no links to SolarWinds. By exploiting software vulnerabilities, weak spots within the cloud-based software, and guessing passwords, attackers were able to gain access. This has resulted in an attack the extent of which remains unclear to this day. Adversaries likely obtained a foothold in several organisations stealthily and waited in silence for the right moment to strike.

The key here is to identify what it would be more cost-effective for organisations to focus on: defending endpoints from multiple entry vectors, scattered across increasingly long supply chains, or making it harder for attackers to move through the network and reaching sensitive assets. Once inside the network, the type of attack that these groups carry out tends to remain consistent and in almost all instances requires moving laterally through the network.

In fact, the many recent large-scale cyber-incidents have demonstrated that endpoint detection and response (EDR), as a defence tactic, is no longer sufficient to stop nation-state actors from carrying out harmful attacks. The attention is now shifting to the security vendors, and all signs point to switching from a defensive tactic to an active one. In other words, the asymmetrical paradigm must be flipped to push the cost and burden onto the attackers. To achieve this, companies must always assume than an attacker has already breached their security defences and is roaming through their systems. Thus, time, resources and money can be focused more toward protecting critical assets as opposed to on attempting to keep attackers out.

A recent proof-of-concept exercise conducted with white-hat hacker Alissa Knight, stopping lateral movement is the most effective way forward when it comes to stopping attackers in their tracks. Without the ability to freely roam in the network, Alissa was stopped on her tracks, unable to gain access to anything valuable.

Best Practices:

•       Know your critical assets:It is vital to understand and identify your most important assets. How can you protect something that you don’t know exists? Even if the knowledge is only partial, it is best to start somewhere and build onto it, than to get caught out and lose critical assets.
•       Minimise the points of access to assets: Find out who is accessing your important assets and from where. Make sure only those who need to be accessing these are able to do so, and cut off anyone else. Gaining full visibility into this will make it easier to catch out unauthorised persons or bots.
•       Expand protection: While the critical assets are the most important things to secure, it is important to expand this protection to cover all points. If an attacker is free to roam your network without your knowledge, they will always find a way to gain access to your important assets. You need to be able to fully monitor the network, at all times to recognise suspicious behaviour before it’s too late.
•       Cybercrime is inevitable: Nation-state actors along with other malicious attackers will always test the boundaries of a company’s security defences, therefore it is best to always have your guard up, always assume breach rather and take a proactive stance.

It is clear that the sophistication of attackers is constantly evolving, which is why it is best to actively protect against attackers. By focusing on preventing lateral movement within a network, as opposed to wasting time on trying to protect borders that will inevitably get breached, companies can finally take a stand and beat nation-state actors at their own game.