In the incident response world, we used to draw a clear line between the capabilities of attackers affiliated with nation-states and those not affiliated with any nation-state. Nation-state attackers always seemed to be the most well equipped and the most sophisticated attackers. Then, over the last few years, that line began to blur.
The sophistication of attackers with criminal or financial, rather than nation-state motives began to increase significantly. We now find ourselves in a completely different threat landscape. As the 2017 M-Trends report notes, “Today, the line between the level of sophistication of certain financial attackers and advanced state sponsored attackers is not just blurred – it no longer exists.”
Of course, there is no shortage of pundits running around talking about pandas, tigers, and bears (oh my!). But as someone who has spent most of his career as a defender, criminal attack groups have captured my attention for quite some time now. Am I saying that we no longer need to worry about nation-state attackers? No, of course not. Rather, what I am saying is that most organizations should probably be paying far more attention to criminal attack groups than they currently do.
Let’s take a look at a few of the reasons why:
A Numbers Game
While nation-state sponsored attacks often grab headlines, they are not something most security teams spend a majority of their time on. Of course, when a nation-state attack hits, it can be quite ugly and can consume the entirety of a security team for an extended period of time. But day-to-day, there is plenty of other activity to keep a security team busy.
There are many reasons why this is the case, but part of it is a simple numbers game. While the capabilities and resources of various nation-states vary widely, the number of attack groups is relatively finite in number. There aren’t millions of countries in the world, but around 200 (give or take). Each of these countries can have anywhere from 0 to N state-sponsored attack groups (where N can be a fairly large number for a small number of nation-states).
On the other hand, when we expand our criteria to look at attack groups organized around criminal or financial motives, there are literally tens of thousands of such groups, or perhaps even more. It is difficult to pinpoint the exact number, and of course, the sophistication of these groups will vary widely. But fundamentally, what we have here is a numbers game. With so many attack groups, the chance that one or more of them is interested in some data or information that you are entrusted with safeguarding is fairly high.
Flexibility and Spontaneity
For those of you who have worked in large organizations for any amount of time, you understand that large organizations cannot move as quickly and nimbly as smaller organizations. Smaller, less formal, more loosely organized attack groups can form flexibly and spontaneously around specific objectives and missions. These attack groups can recruit talent and adopt tools, techniques, and procedures as necessary for their day-to-day work without prolonged and protracted bureaucratic processes. For us on the defensive side, that often means a significant number of adversaries that are both more sophisticated and more agile than we are.
All About the Information
As you are likely aware, the motives of each attack group vary widely. As a result of this, so does the data or information they target. As we expand the list of attack groups, not surprisingly, the array of targeted information expands as well. And of course, this has the ultimate effect of greatly expanding the list of potential victim organizations. Not surprisingly, this is essentially what we’ve seen happen over the last few years. Targeted attacks are no longer the exclusive “privilege” of governments, militaries, defense contractors, and other traditional targets.
What we see in practice is that size, geography, and industry vertical are less important to this expanded group of attackers than information. It is the information they covet, regardless of where it resides. As an example, consider a law firm that may have around 100 employees and that specializes in mergers and acquisitions (M&A). Although the law firm is a relatively small business, it may possess some extremely sensitive, and thus valuable, data. Not surprisingly, attackers are well aware of this. In fact, if this scenario sounds familiar, it would be because it isn’t a hypothetical example. This particular victim profile was one of several different victim profiles highlighted in FireEye’s FIN4 report in 2014.
The news is not all bad, however. While the risk of grave damage to an organization from criminal attack groups is one that is rising, it is one that can be mitigated. While there are no silver bullets, taking a holistic approach to risk mitigation has proven to be effective time and time again. This strategic approach to security is based first and foremost on a deep understanding of the threat landscape facing a given organization.
One of the key takeaways I hope the reader will take from this piece is that organizations should not be lured into a false sense of security if they deal in information or data that are not typically sought after by nation-state attackers.
There is a whole other world out there once we look beyond nation-states. It pays to be prepared.