By Leo Taddeo, CISO at Cyxtera Technologies
Nation-state hackers are increasingly targeting government agencies, critical infrastructure facilities, and businesses with powerful, sophisticated techniques that interrupt business operations and leak confidential information, resulting in massive data and revenue loss.
Today, public and private organizations unwittingly leave sensitive, monetizable data, such as intellectual property (IP), unprotected, making cyberattacks a high-stakes, low-risk game for nation-states.
These groups can apply seemingly limitless time, money, and hacker talent to achieve their objectives, while cybersecurity professionals on the other side are challenged to deploy limited resources most efficiently.
Many mature cybersecurity programs use a risk-based approach to maximize security value for dollars spent. This requires an understanding of the adversaries targeting your networks and the data they seek. And if the last year provides any lessons, the top takeaway is that almost all executive communications have value for hackers.
For example, last year much of the news was dominated by reports of Russian agencies using cyber attacks to extract information to influence the U.S. presidential election. In June, the Washington Post reported that Russian government hackers penetrated the Democratic National Committee’s network and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump.
In December it was reported that Russian hackers tried to penetrate the computer networks of the Republican National Committee, using the same techniques. And just this month, we learned the Russians were again suspected of trying to influence the presidential election in France by leaking hacked emails.
As state-sponsored cyberattacks grow in scale, frequency, and sophistication, understanding hacker motivations and capabilities is the first step towards a risk-based approach to mitigating threats.
‘State-backed’ cyber attacks rise
The fact that nation-states are actively deploying cyberweapons against commercial interests in the West has been well known in the law enforcement and intelligence communities for the last decade.
In the last few years, state-sponsored cyber attacks have come out from the shadows. Companies of all sizes have found themselves face-to-face with military and intelligence agencies, without much protection from the government.
This has left them essentially alone to contend with the significant challenge of ensuring that they can detect and protect against such serious threats.
Russia and China are two of the most sophisticated players in this high-stakes game. They deploy custom, sophisticated malware as well as simpler, off-the-shelf tools to achieve their objectives. In many cases the common element of the attack is exploitation of the people inside an organization, through social engineering that is growing more sophisticated and more precisely targeted.
Motivations
Let’s look at the top two players. First, the Russians. While they remain committed to hacking business information that will assist their competitive standing in the world, their first priority is collecting military and diplomatic information. They have put significant talent and resources into targeting U.S. government networks for the kind of diplomatic information that lets them predict U.S. strategic positions and gives them an advantage in negotiations.
For cybersecurity professionals, it is important to know what type of information is stored on or passing through your network. Media companies, academics, law firms, and companies that deal in strategic commodities are all potential targets. A risk-based approach will account for the threat and layer more advanced (and expensive) defenses around sensitive information.
In comparison, the primary objective of Chinese cyber collection capability is to enable State-Owned Enterprises (SOEs) to compete and dominate in the global economy.
Cybersecurity professionals have noted an increasing number of network intrusions that result in the exfiltration of business information, including IP and executive communications. That’s a hallmark of Chinese hacking groups, particularly PLA Unit 61398 (also tracked as APT1), known for stealing trade secrets from companies such as Westinghouse and U.S. Steel.
Unit 61398’s efforts to target technologies and information that advance China’s strategic industrial sectors are emblematic of the Chinese hacking initiative. Cybersecurity analysts have directly correlated the key industries China seeks to grow with the sectors its groups attack.
It pays to understand what the Chinese are after and develop a risk-based approach to protecting the information in your network that may be of value to a sophisticated economic adversary.
Are you ready for a “State-Sponsored Attack”?
One of the main challenges for organizations moving from a perimeter-based strategy to a risk-based approach is a rapidly expanding, amorphous infrastructure.
Deploying a software-defined perimeter (SDP) model to protect highly sensitive information, such as IP, contracts, business processes, and communications, can help meet these challenges by effectively making the infrastructure invisible: protected services do not answer, and cannot be enumerated by, anyone who has not first authenticated and been authorized.
For years many have argued that you can’t secure what you can’t see; the reverse is also true – you can’t hack what you can’t see. The caveat is that hiding services only removes the unauthenticated attacker from the picture. It does nothing on its own against an authorized user whose device or credentials have been compromised, which is why device posture has to be part of the access decision.
The approach is simple: provide access to the least number of network-based resources for the least number of individuals, and grant those individuals the lowest level of privilege required to do their job. Access privileges are set, defined, and updated by user-centric policies that draw on multiple aspects of server and user context, including device integrity, as part of the authentication process. Every access decision should default to deny and record the reason for any denial, so that policy failures are visible to the security operations team rather than silently absorbed.
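The following is an added example, not code from the article or from Cyxtera, of the kind of default-deny, context-aware policy evaluation described above. The resource tiers, the device-posture attributes, the 30-day patch threshold, and the rule order are all assumptions chosen for illustration; the point it demonstrates is that a request is only allowed when the user’s role, the resource’s sensitivity, and the device’s integrity all line up, that an unauthenticated caller gets no answer at all (the SDP "can’t see it" behaviour), and that every denial carries its reasons.

```python
"""Illustrative default-deny, context-aware access policy (added example,
not the article's or any vendor's code).

Assumptions, not taken from the article: the three resource tiers, the
device attributes checked, the 30-day patch threshold and the rule order
are all invented here for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # e.g. frozenset({"legal"})
    mfa_verified: bool        # second factor completed this session


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in the organization's MDM/EDR
    disk_encrypted: bool
    patch_age_days: int       # days since the last OS patch was applied


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str                 # "public" | "internal" | "restricted"
    allowed_roles: frozenset  # roles that need this resource for their job


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


MAX_PATCH_AGE_DAYS = 30       # assumed posture threshold


def device_posture_failures(d: Device) -> List[str]:
    """Return every posture check the device fails (empty means healthy)."""
    failures = []
    if not d.managed:
        failures.append("device not managed")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def evaluate(user: User, device: Device, resource: Resource) -> Decision:
    """Default deny: all conditions must hold, and every failed condition is
    recorded so the denial can be logged and investigated."""
    reasons: List[str] = []
    # 1. Least privilege by role: the user must hold a role that needs it.
    if not (user.roles & resource.allowed_roles):
        reasons.append("no role grants access to this resource")
    # 2. Requirements tighten with sensitivity of the resource.
    if resource.tier == "restricted":
        if not user.mfa_verified:
            reasons.append("restricted tier requires MFA")
        reasons.extend(device_posture_failures(device))
    elif resource.tier == "internal" and not device.managed:
        reasons.append("internal tier requires a managed device")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["all policy conditions satisfied"])


def gateway(user: Optional[User], device: Device,
            resource: Resource) -> Optional[Decision]:
    """Model of an SDP gateway: an unauthenticated caller (user is None)
    receives no response at all, so the service is not enumerable; only an
    authenticated caller reaches policy evaluation."""
    if user is None:
        return None
    return evaluate(user, device, resource)


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    contracts = Resource("contracts", "restricted", frozenset({"legal"}))
    alice = User("alice", frozenset({"legal"}), mfa_verified=True)
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device(managed=True, disk_encrypted=True, patch_age_days=90)
    for label, dev in (("healthy device", healthy), ("stale device", stale)):
        print(label, evaluate(alice, dev, contracts))
    print("unauthenticated:", gateway(None, healthy, contracts))
```

The decision object is meant to be logged as-is: a burst of denials with "patches older than 30 days" from one user is a patching problem, while "no role grants access" against restricted resources from many users is the pattern of an attacker probing with a stolen account.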
About the Author
Leo Taddeo, Chief Information Security Officer, Cyxtera Technologies
Leo Taddeo is responsible for oversight of Cyxtera’s global security operations, investigations and intelligence programs, crisis management, and business continuity processes. He provides deep domain insight into the techniques, tactics, and procedures used by cybercriminals, to help Cyxtera continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.
Taddeo is the former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office. In this role, he directed over 400 special agents and professional support personnel conducting cyber investigations, surveillance operations, information technology support, and crisis management. Previous responsibilities focused on FBI international operations, including service as a Section Chief in the International Operations Division, where he managed operations in Africa, Asia, and the Middle East.
Taddeo received a B.S. in applied physics in 1987 from Rensselaer Polytechnic Institute. After completing his studies, Taddeo served as a tank officer in the US Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for his service in the Gulf War. Following his service, Taddeo earned a J.D. from St. John’s University. Upon graduation, he joined the law firm of Mound, Cotton & Wollan in New York, where he practiced in the field of civil litigation until entering duty with the FBI.
Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.