The volatile nature of geo-politics - particularly in the Middle East - means that as I write, it’s a difficult time to identify the existential threats of nation state cyber crime to our sector. And very tricky indeed to invest smartly and wisely to provide a balanced approach to cyber resilience.
There is much to be done. It’s clearly important that university executive leaders understand that their institutions are very much the target of nation state actors - especially those with high-grade intellectual property connected to research, and, of course, personal data that can be used to generate income for the state actors and the organised crime gangs with which they are often affiliated.
Beware the dark web
Many of these actors operate from jurisdictions well beyond the reach of Western law enforcement, and they form part of a nexus between nation states and organised cyber crime. In Russia, for example, the state will largely turn a blind eye to organised cyber crime gangs, so long as they do not touch the state apparatus.
What’s more, some nation states allow their cyber actors to generate income by stealing data and selling it on the dark web to self-fund their own criminal machinery. It really is an industry out there – an industry that allows people on the dark web to connect with cyber-brokers who will offer anything from a simple hack, to a denial of service operation, to targeted brute force attacks. All for payment, of course.
Researchers are targets
Over the past couple of years, the National Cyber Security Centre (NCSC) has publicly warned of several such incidents involving Russia, North Korea and most recently Iran, which targeted university researchers, but we can expect more.
In September 2019, the NCSC published its first report on the cyber threat to UK universities. It specifically called out state-sponsored attacks, where espionage is likely to cause the greater long-term harm: damage to the value of research, notably in STEM subjects, a fall in public or private sector investment in affected universities, and erosion of the UK's knowledge advantage.
What this shows us is that the threats are global and highly capable. It has not been widely reported, but Iran has come under considerable attack over the last six months, and the US has seen attacks on infrastructure to the extent that a ransomware attack on the city of New Orleans led to a state of emergency being declared in December 2019. Britain, too, has seen multiple probing attempts against its critical national infrastructure by nation states.
Criminals are watching and waiting
Before I joined Brunel University as chief information security officer, I worked in counter-intelligence. One of my roles in defence intelligence was what was known as Intelligence Preparation of the Battlefield (IPB).
Nowadays, I'm more interested in what adversaries are doing in the intelligence preparation of cyberspace, or IPCS. This is where the adversary quietly establishes footholds in our networks and routers, persistently gathers intelligence, and waits for the moment when a specific action will achieve the desired effect: an exfiltration, or worse, a complete denial of service through ransomware or similar. So we have to be familiar with their tactics, techniques and procedures (TTPs).
Most of my counter-terrorist and bomb disposal work operated with the same doctrine as we use today to counter cyber crime.
The 'kill chain' is a term used within cyber defence to describe the successive phases of an attack: reconnaissance, weaponisation, delivery of the payload, exploitation, installation, command and control, and finally the action on objectives, which is the 'cyber bomb' going off. Every phase the attacker must pass through is an opportunity for the defender, who seeks to exploit those phases to predict, detect, mitigate and contain attacks.
Intelligence is key
Successful defence is heavily reliant upon up-to-date cyber intelligence. It allows cyber analysts to recognise which TTPs might be in play, match the associated indicators of compromise (IOCs) against their own telemetry, and respond in an effective order: contain the threat first, then mitigate it, and then, once forensic analysis has taken place, feed what was learned back into intelligence so the next attempt is caught earlier.
It’s a game of cat and mouse. The adversary continues to develop new TTPs, and the defender has to play catch-up, or learn from similar attacks or IOCs across other sectors.
This is an area Brunel’s cyber security operations centre (CSOC) is moving into.
All universities need to care that they are a target, that they are being probed and infiltrated. Universities must also care about protecting intellectual property, commercial interests, the privacy of people and the personal data they all hold.
Certainly, the adversary cares. A lot.
They want to steal our data, disrupt our services when it suits them, and use us as a piggyback to infiltrate other sectors. They also want to embed hidden, quiet command and control nodes that lie dormant, then wake up to collect intelligence or execute an action.
It’s here, it’s real, and they’re probably already doing this in your organisations.
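The two defensive ideas in this section, matching indicators of compromise from an intelligence feed against your own telemetry and spotting the quiet, timer-driven check-ins of a dormant command and control node, can be illustrated in a few dozen lines. The following is an added example written for this page, not code from Brunel's CSOC or from the article's author. The intelligence feed, the hostnames and the proxy log lines are all constructed for the example; a real deployment would pull the feed from a threat intelligence platform and read logs from a SIEM.

```python
"""
Added example (not from the original article): a minimal, offline
illustration of intelligence-led detection. It tags proxy log events that
match a threat-intelligence feed with their kill-chain phase, and flags the
regular, low-volume beaconing that a dormant C2 implant produces even
before its domain appears on any feed. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat-intelligence feed: indicator -> (kill-chain phase, source).
IOC_FEED = {
    "updates-cdn.example.net": ("command-and-control", "constructed TI feed"),
    "198.51.100.23": ("delivery", "constructed TI feed"),
}

# Constructed proxy log: "timestamp host destination bytes_out".
# lab-ws-07 checks in with the same host every 30 minutes (beacon-like);
# research-fs-02 talks to a mirror at irregular times (benign bulk traffic).
PROXY_LOG = """\
2020-01-14T09:00:00 lab-ws-07 updates-cdn.example.net 412
2020-01-14T09:00:01 lab-ws-07 intranet.example.org 1830
2020-01-14T09:30:00 lab-ws-07 updates-cdn.example.net 418
2020-01-14T10:00:00 lab-ws-07 updates-cdn.example.net 409
2020-01-14T10:30:00 lab-ws-07 updates-cdn.example.net 415
2020-01-14T10:31:12 lab-ws-07 198.51.100.23 250
2020-01-14T09:05:00 research-fs-02 mirror.example.org 90000
2020-01-14T09:17:00 research-fs-02 mirror.example.org 120000
2020-01-14T11:50:00 research-fs-02 mirror.example.org 3000
"""


def parse_log(text):
    """Parse the constructed whitespace-separated proxy log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, bytes_out = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dest": dest,
            "bytes_out": int(bytes_out),
        })
    return events


def match_iocs(events, feed):
    """Return every event whose destination is a known indicator, tagged with
    the kill-chain phase the feed associates with that indicator."""
    hits = []
    for e in events:
        if e["dest"] in feed:
            phase, source = feed[e["dest"]]
            hits.append({"ts": e["ts"], "host": e["host"], "dest": e["dest"],
                         "phase": phase, "source": source})
    return hits


def beacon_candidates(events, min_connections=4, max_jitter=0.2):
    """Find (host, destination) pairs that connect at near-constant intervals.

    A dormant implant checking in on a timer produces gaps between
    connections with a small coefficient of variation (stdev / mean). Human
    and bulk traffic is far more irregular. Returns {pair: mean_gap_seconds}.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dest"])].append(e["ts"])
    candidates = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            candidates[pair] = avg
    return candidates


def triage(log_text, feed=IOC_FEED):
    """Run both detections over a log and return the combined findings."""
    events = parse_log(log_text)
    return {"ioc_hits": match_iocs(events, feed),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    report = triage(PROXY_LOG)
    for h in report["ioc_hits"]:
        print(f"IOC    {h['ts']} {h['host']} -> {h['dest']} [{h['phase']}]")
    for (host, dest), gap in report["beacons"].items():
        print(f"BEACON {host} -> {dest} every {gap:.0f}s")
```

The IOC match is only as good as the feed, which is the cat-and-mouse problem the text describes: the beaconing check is there to catch the same implant behaviourally once the adversary rotates to a domain nobody has reported yet. The jitter threshold is an assumption for the example; real implants add randomised sleep, so in production you would tune `max_jitter` against your own baseline rather than take 0.2 as given.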
Know how to build defences
Organisations need to invest and future-proof their defensive and detection capabilities – to identify threats, to collect attack and actionable intelligence, and to contain threats.
Getting that investment right is tricky: it needs to be intelligence-led and risk-based, and therefore balanced against the business posture of the organisation. It most certainly requires smart and agile thinking, a strategic roadmap to optimise defences, and executive-level thought leadership.
Secure support from the board
One of the most crucial elements is to warn and inform the executive on the enduring threats their business and institution faces.
Regular threat bulletins for the executive board, risk dashboards, and vulnerability notes tailored to your institutional risk appetite can have a remarkable effect.
Often, it’s hard for the cyber practitioners to influence the top-level of leadership, but it’s crucial to break through the divide and secure the executives’ buy-in. Try to be the critical friend of the board, which helps to develop trust and ensure they listen to advice that fits with and best defends the business.
Once you’ve got senior leader buy-in, it’s much easier to secure investment for the kind of activity required to build good defences.
One of the most valuable activities is to conduct a professional simulated attack exercise. This is best achieved using a well-regarded and competent third party which can accurately simulate the current attack trends and methods.
Learn the value of simulated attacks
The value of this approach is considerable, as it will expose weaknesses at each phase of the kill chain rather than just at the perimeter.
Conducted regularly, such exercises will identify the defensive gaps that need to be closed and inform the strategy for capability building in the infrastructure and instrumentation needed to maximise cyber-resilience.
You also get great bang for your buck from what we call red and blue team exercises: simulated cyber attacks that divide your staff into attackers (reds) and defenders (blues), in scenarios which could include an attack on a research data repository.
Beyond that, it's back to sound risk management and IT hygiene. Establishing cyber controls is vital, along with regular auditing, maintaining patching and penetration testing regimes, and implementing a governance framework such as BS 31111 (cyber risk and resilience guidance for boards) or an ISO/IEC 27001 information security management system.
Importantly, we need to develop close relationships with researchers to help and support them in understanding the threat and the ways that their data could be stolen.
I can only really finish with an old adage that was driven into me as a counter-IED and intelligence specialist: know your enemy, prepare your defences, rehearse your responses, and train hard, fight easy. In other words, exercise, exercise, and exercise some more, so you are confident you can resolve the incident and conduct consequence management effectively.