Different threat actors P.1
Advanced persistent threat (APT)
An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
When sensitive information is stored on the hard drive of a machine that is to be surplussed or transferred to another individual or department, it is therefore imperative that extra measures be taken to wipe clean the hard drive before the computer leaves your area of responsibility. This document describes some common methods and software to assist you with the sanitization process. It also includes links to articles that provide detailed technical descriptions of what occurs during this process.
Data destruction software, however, truly does erase the data. Each data destruction program utilizes one or more data sanitization methods that can permanently overwrite the information on the drive.
If you need to remove all traces of a virus or you’re planning on recycling or disposing of your hard drive or computer, wiping your hard drive using data destruction software is the best way to protect yourself.
7 Recommendations for Defending against APTs:
Based on the findings, here are some recommendations:
- 1) Focus on solutions that address the malware risk. Ninety-three percent of respondents say malware was the source of the attack.
- 2) Pay more attention to targeted attacks. They require more attention than opportunistic attacks. Respondents report that opportunistic attacks are less frequent and easier to prevent than targeted attacks. In contrast, 48 percent say the frequency of targeted attacks has rapidly increased or increased in the past 12 months.
- 3) More expertise is needed to handle the risk posed by Java and Adobe Readers. Respondents were asked to consider a list of well-known commercial applications that have been the source of zero-day exploits over the past year. According to 80 percent of respondents, Java is the most difficult application for which to ensure all security patches have been fully implemented in a timely fashion; 72 percent say it is Adobe Reader. Other challenging applications include Windows (65 percent of respondents) and Flash (60 percent of respondents). However, companies are slow to patch vulnerabilities; this is mainly because the companies could not afford the cost of downtime while waiting for the patch to be implemented (65 percent of respondents). Forty-two percent of respondents report that they did not have the professional staff available to implement the patch, and only 13 percent say the vulnerability risk is low.
- 4) Make the business case for investing in technologies that address advanced persistent threats. Despite the threat, the majority of respondents believe their organizations do not currently have the necessary security technologies to effectively address the threat of APTs. Only 31 percent of respondents say adequate resources are available to prevent, detect and contain APTs, and only 13 percent of respondents say non-IT executives in their organization fully understand the risk posed by APTs, a major hurdle to overcome in order to secure the necessary resources to defend the organization.
- 5) The financial consequences of APTs can help make the business case. Reputation damage is the most costly consequence of APT attacks. When asked how much an APT-related incident could cost an organization in terms of diminished brand or reputation, the average estimate is $9.4 million — this is more than the estimated cost of technical support ($2.5 million), lost user productivity ($3.1 million) and revenue loss and business disruption ($3 million) combined.
- 6) Adopt new approaches to fight advanced persistent threats. Current technology controls against APTs are not working. Seventy-two percent of respondents say exploits and malware have evaded their IDS, and 76 percent say they have evaded their AV solutions.
- 7) Endpoint security is considered an important part of an APT security strategy. Seventy-three percent say that if they had an acceptable way to do so, they would like to prevent malware threats from infecting their organizations’ endpoints. In addition, effective endpoint protection would prevent the vast majority of APT attacks against an organization.
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.
Examples of an insider may include:
- • A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.
- • A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
- • A person to whom the organization has supplied a computer and/or network access.
- • A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
- • A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.
- • A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.
- • In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.
How Does an Insider Threat Occur?
Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. Expressions of insider threat are defined in detail below.
Expressions of Insider Threat
- Violence – This action includes the threat of violence, as well as other threatening behaviors that create an intimidating, hostile, or abusive environment.
– Workplace/organizational violence is any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying, offensive jokes, or other threatening behavior by a co-worker or associate that occurs in a person’s place of employment or while a person is working.
- – Terrorism as an insider threat is an unlawful use of or threat of violence by employees, members, or others closely associated with an organization, against that organization. Terrorism’s goal is to promote a political or social objective.
- Espionage – Espionage is the covert or illicit practice of spying on a foreign government, organization, entity, or person to obtain confidential information for military, political, strategic, or financial advantage.
– Economic Espionage is the covert practice of obtaining trade secrets from a foreign nation (e.g., all forms and types of financial, business, scientific, technical, economic, or engineering information and methods, techniques, processes, procedures, programs, or codes for manufacturing).
– Government Espionage is covert intelligence-gathering activities by one government against another to obtain political or military advantage. It can also include government(s) spying on corporate entities such as aeronautics firms, consulting firms, think tanks, or munition companies. Government espionage is also referred to as intelligence gathering.
– Criminal Espionage involves a U.S. citizen betraying U.S. government secrets to foreign nations.
- Sabotage – Sabotage describes deliberate actions to harm an organization’s physical or virtual infrastructure, including noncompliance with maintenance or IT procedures, contamination of clean spaces, physically damaging facilities, or deleting code to prevent regular operations.
– Physical Sabotage is taking deliberate actions aimed at harming an organization’s physical infrastructure (e.g., facilities or equipment).
– Virtual Sabotage is taking malicious actions through technical means to disrupt or stop an organization’s normal business operations.
- Theft – Theft is the simple act of stealing, whether money or intellectual property.
– Financial Crime is the unauthorized taking or illicit use of a person’s, business’, or organization’s money or property with the intent to benefit from it.
– Intellectual Property Theft is the theft or robbery of an individual’s or organization’s ideas, inventions, or creative expressions, including trade secrets and proprietary products, even if the concepts or items being stolen originated from the thief.
- Cyber – Digital threat includes theft, espionage, violence, and sabotage of anything related to technology, virtual reality, computers, devices, or the internet.
– Unintentional Threats are the non-malicious (frequently accidental or inadvertent) exposure of an organization’s IT infrastructure, systems, and data that causes unintended harm to an organization. Examples include phishing emails, rogue software, and “malvertising” (embedding malicious content into legitimate online advertising).
– Intentional Threats are malicious actions performed by hostile insiders who use technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. This action can involve changing data or inserting malware or other pieces of offensive software to disrupt systems and networks.
Effective prevention capabilities encompass several major focus areas:
- • Train your personnel to recognize behaviors that indicate a person of concern is progressing toward a malicious incident—every person in your organization can provide helpful information.
- • Instill a positive culture for reporting, and make sure people know the program is designed to help them and the potential person of concern.
- • Establish a threat management team that has the multi-disciplinary capabilities needed to assess all the facts related to a potential insider threat.
- • Develop intervention capabilities and management actions that are respectful, and consider the dignity and privacy of every employee.
Cyber threat actors
Cyber threat actors are states, groups, or individuals who, with malicious intent, aim to take advantage of vulnerabilities, low cyber security awareness, or technological developments to gain unauthorized access to information systems in order to access or otherwise affect victims’ data, devices, systems, and networks.
Cyber threat actors can be categorized by their motivations and, to a degree, by their sophistication. Threat actors value access to devices, processing power, computing resources, and information for different reasons. In general, each type of cyber threat actor has a primary motivation.
Cyber threat actors conduct malicious cyber threat activity by exploiting technical vulnerabilities, employing social engineering techniques, or by manipulating social media. A determined and capable adversary will often carefully select the technique most likely to result in successful exploitation after conducting reconnaissance against their target and may use a range of techniques to achieve their goal. The majority of threat actors, however, simply cast a wide net in hopes of exploiting any unsecure network or database.
Technical vulnerabilities are weaknesses or flaws in the design, implementation, operation, or management of an information technology system, device, or service that provides access to cyber threat actors. For example, a threat actor may attempt to install malicious software, called malware, or take advantage of existing flaws to exploit the targeted system. In addition to installing malware, threat actors also use tools that directly exploit specific technical vulnerabilities.
Exploitation methods that target human qualities, such as carelessness and trust, are collectively known as social engineering. Threat actors use social engineering to trick an individual into inadvertently allowing access to a system, network, or device. Phishing and spear-phishing are common social engineering techniques. (Please see Annex A: The cyber threat toolbox for more information).
Foreign cyber threat actors can also manipulate social media and legitimate advertising and information-sharing tools to conduct online foreign influence campaigns that seek to impact domestic events like an election, census, or public health campaign, as well as public discourse more broadly. With a thorough understanding of how traditional media and social media work – and how individuals consume information – cyber threat actors can promote their message to broader target audiences at a relatively low cost. They can do this by masquerading as legitimate information providers, hijacking social media accounts, or creating websites and new accounts.
How to defend against state actors?
Security threats from states and state-sponsored actors have been around since before the field of cybersecurity was defined. They have now evolved to cyberspace, and present unique challenges for defenders.
While there are fundamental differences between activist and criminal activity, and those who operate directly for (or with the tacit approval of) sovereign powers, there can often be a significant overlap in their agendas and techniques. But there are also significant difference — the most important of which is resourcing.
Where activists and small criminal gangs may have limited technical resources, states and state-sponsored actors have no such limitations. State actors can draw upon the skills and resources of their national intelligence communities, while state-sponsored actors, while not actually part of a state organization, can still draw upon the financial and technical assets of their sponsors.
Another fundamental difference between “civilian” and “state” actors is that law-enforcement agencies are better equipped to address threat actors who don’t have state backing. Even in cases where threats are acting across international borders, mechanisms exist where legal teams from different nations can work together to bring attackers to justice. However, when those attackers are working with the approval of their host countries, the situation becomes more difficult. It becomes nearly impossible for conventional law enforcement to address the issue when the attackers are working for a foreign power directly. In that case, the only recourse is diplomacy, or an escalation into what amounts to outright cyberwarfare.
We Can’t Return Fire
Cybersecurity professionals in the civilian space, and in most government agencies outside the intelligence and military communities, are restricted to an almost entirely defensive position. For legal and ethical reasons, we’re not allowed to “return fire” no matter how obvious, or egregious, the attack. While some individuals have been known to play the game on the attacker’s terms, it puts them firmly into a gray area where they are operating outside the law even if they have the moral high ground.
This all serves to put defense in the hands of mostly civilian cybersecurity professionals who develop the tools, techniques, training and processes needed to provide some level of defense. Fortunately, deploying defenses built to resist a well-funded state actor should be enough to defend against the average criminal gang. This means that it is more than worth the effort to raise our game to handle the worst-case scenario.
On the technical side, the usual advice of keeping systems patched and properly configured is an obvious early step and one we have been talking about for years. But the NSA and CISA reports have shown that even sophisticated high-level attackers will leverage known exploits. That means staying on top of your patches isn’t just a best practice; it is a vital technique to keep the organization safe.
Making sure the security operations team (SecOps) is trained, adequate and prepared is another vital step. Budgets may be tight and qualified talent may be hard to attract and retain, but these are the people who run the last line of defense. This holds true when an organization’s security is a managed service. Your managed security service provider (MSSP) needs to be trained and prepared to confront threats at every level, from script kiddies to foreign-intelligence agencies.
There are other technical steps as well. Every organization needs to evolve their security stack to keep up with potential and active threats, making sure their tools and processes are up to the task. As new threats emerge, old technologies evolve and new ones emerge to fill the gaps. However, the stack needs to be looked at as a holistic whole. Perimeter devices and endpoint protections need to work in concert with some mechanism to consolidate the whole range of security telemetry into a coherent whole. And that whole needs to be processed, analyzed and presented in a way that SecOps personnel can use and understand, and can be leveraged to orchestrate and automate the organization’s defenses.
State and state-sponsored threat actors are the apex predators of the cybersecurity world. They have time, skills, effectively unlimited resources and can be very specific in their agenda. But if we keep our defenses up to date with the appropriate tools, training and best practices, we can reduce the risk to our organizations even from the most challenging adversaries.
Are you looking to break into the exciting field of cybersecurity? Join our 5-day CompTIA Security+ Bootcamp Training and build your cybersecurity knowledge and skills.
Become a certified ethical hacker! Our 5-day CEH Bootcamp is unlike other strictly theoretical training, you will be immersed in interactive sessions with hands-on labs after each topic. You can explore your newly gained knowledge right away in your classroom by pentesting, hacking and securing your own systems. Learn more