Keeping your organization safe in the age of cyber warfare

By Nick Hayes, Director, Cyber Solutions at SureCloud

The past decade has seen more than 500 large-scale, state-sponsored cyberattacks, and those are just the ones that have been publicly documented. Geopolitical friction isn’t new, but the means through which nation-states target one another has changed dramatically in recent years.

Between 2009 and 2018 there was a 440% increase in global cyber warfare attacks, with around a third suspected to have originated in China or Russia. These attacks often have the overall objective of destabilizing governments, but as evidenced by the SolarWinds supply-chain attack, the fallout can impact civilian organizations too.

Cyber warfare tends to be a case of one nation targeting another, usually with the purpose of disrupting infrastructure or exfiltrating sensitive data. But with software supply-chain attacks on the rise and the inherent “connected” nature of our modern economies, what are the implications of such attacks for private organizations, and what can they do to stay safe?

Hybrid warfare in a hybrid world

We’ve all become very well acquainted with the idea of hybrid working in the past couple of years, and for many businesses it looks like hybrid working is here to stay in one form or another. It’s lower cost, has fewer overheads and can even increase productivity when implemented in the right way. Hybrid warfare works on the same principle. Instead of orchestrating an expensive and resource-heavy “boots on the ground” operation, a nation can launch cyberattacks to destabilize and disrupt targets from within. This has turned cyberspace into a battleground at a time when businesses are more reliant on the cloud than ever before. But if civilian corporate businesses aren’t targets, why should they be concerned?

If a nation-state actor’s objective is to disrupt a country, they are going to target critical infrastructure such as power stations, energy pipelines, water treatment facilities, financial markets and health services, all of which can have a knock-on impact on businesses and communities. Quite often, these infrastructures are targeted with supply chain attacks that can filter through to other businesses, deploying ransomware on any number of corporate networks.

The point is that a business doesn’t have to be a target itself to be impacted by a cyberattack. Looking at some of the methods nation-state actors tend to use when targeting critical infrastructure, many of them are advanced persistent threat (APT) groups that will spend months or even years infiltrating a target network, only to stay dormant and gather what data they can until the opportune moment arises to strike. It’s likely the cyberattack on Colonial Pipeline in the US, which supplies around half of the East Coast’s fuel, was breached up to 12 months prior to the attack. This resulted in it shutting down operations for almost an entire week.

Looking for the warning signs

Nation-state attacks tend to be more sophisticated and strategic than your average ransomware attack, often breaching networks unnoticed to exfiltrate sensitive data. These attacks are, of course, more difficult to guard against because even businesses with moderately good protection might not see them coming. One of the best things an organization like Colonial Pipeline can do to mitigate against threats like this is to monitor network traffic on a regular basis.

If a certain network segment, such as a DMZ (demilitarized zone) or a perimeter segment, starts pushing more outbound traffic than usual, that should raise red flags for the organization. If any internal hosts are now assigned to initiate outbound communications where they weren’t previously, that’s something businesses should be able to instantly pick up on and investigate.

What should regular businesses do?

The same kind of proactive approach outlined above applies to regular businesses too. In order to do this successfully, however, they need to establish a baseline to work from. That’s why it’s so important they start monitoring their network even before they suspect foul play.  All of this contributes to a form of security intelligence that can help businesses diagnose problems, identify threats, and triage their response. Known safe applications can be whitelisted, logins from unusual IP addresses can be investigated, and lateral movements can be easier to identify.

Here are four simple steps toward better cybersecurity hygiene that businesses can take today to minimize the impact of cyber warfare:

1. Create a baseline of activity

Businesses should have enough visibility over their network to know what normal looks like in terms of data flows and traffic patterns. Forming this baseline will be critical when it comes to spotting any anomalies that might warrant investigation.

2. Log, log, log

Businesses should start logging endpoints of ingress and egress, generating information that can be pulled at a moment’s notice to uncover any unusual activity. Logging isn’t as thorough as it could be in the vast majority of businesses, and for those businesses that don’t log at all, there’s no time like the present.

3. Don’t just look out over the fence

If a business is impacted by a nation-state attack, the overwhelming likelihood is that the threat will have been lying dormant on the network for a while before it lands the final blow. Instead of looking outward for incoming attacks, businesses should keep one eye on their own network, looking for anything out of the ordinary so that any breach can be dealt with before it becomes serious.

4. Keep a playbook in place

Prevention is better than the cure, but it’s almost inevitable these days that your business will, at some point, become the victim of an attack or experience a breach. Once that happens it’s done, and there’s no point in dwelling on it for too long. What matters is howyou deal with it. Having a coordinated organization-wide response is critical when it comes to mitigating the potential damage that a breach can cause.

##

ABOUT THE AUTHOR

As part of the SureCloud cyber services division’s leadership team, Nick is responsible for developing and executing the strategy for the cyber testing team. Along with the responsibility for developing tech-led consulting service propositions that combine our expertise, the SureCloud platform and technology. Additionally, Nick oversees and drives several commercial relationships with key clients. Previously, Nick has held technical delivery and leadership positions within a number of global consulting services organisations.