Ivanti: preparing for state-sponsored cyber threats
Should businesses be worried about state-sponsored cyber threats?
Over the past few years, cyberattacks led or sponsored by states have become more common and pose a significant risk to businesses. The pandemic has expanded the attack surface, and this problem is only expected to get worse in the years ahead. The main aims of state-sponsored cyber attacks are usually to exploit national infrastructure, gather intelligence or achieve financial gain.
Many organisations are not prepared to prevent state attacks, as they may not consider themselves targets. Not all businesses will be targeted, but their lack of security defences makes them easily penetrable. Considering the current climate, businesses have been warned by the National Cyber Security Centre to stay vigilant against state-sponsored cyber-attacks.
Does it affect all sizes of business or just large organisations?
Larger businesses will be the primary targets for financial gain. However, over the past 10 years, cyber-attacks have been used for espionage or are politically motivated. As a result, banks or services that are important to public life or companies that hold sensitive data will be most at risk.
Attackers look to inflict as much damage as possible with as little effort as possible, and cyber-attacks can easily spread beyond the primary victims and have knock-on effects. Depending on the motivation, there are likely to be ramifications for partners, customers, clients and associated businesses. In the modern data-driven economy, big corporations house valuable data on behalf of other businesses. If a big corporation is the victim of an attack, all the data it holds is potentially put at risk.
What types of threats are out there?
When it comes to state-sponsored attacks, hackers rely on the same sorts of attacks as other criminals, the most common being ransomware and spear phishing.
Currently, known but unpatched vulnerabilities are the biggest risk to UK businesses that could be targeted by cybercriminals. Ivanti found that a shocking 56% of the vulnerabilities identified prior to 2021 continue to be actively exploited by ransomware groups. Cybercriminals are able to capitalise on vulnerabilities within days of identifying them. It is one of the easiest ways into an organisation's environment.
They then move laterally and progress up the cyber kill chain to evolve into an advanced persistent threat (APT). These APTs often go undetected, living off the land within a victim company's network. They can then easily conduct ransomware attacks and severely impact the day-to-day running of businesses. According to Coveware, organisations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack.
Spear phishing is an attack tailored towards an individual or a set of individuals. These attacks are designed to convince users to click on links and expose themselves to malicious software. The messages or emails will usually include information that is of specific interest to the target. As this type of attack is more personalised, the success rate for the attacker is higher. According to FireEye, spear phishing emails have an open rate of 70%, with 50% of recipients opening enclosed links.
What are the steps needed to prepare for such attacks?
In this new era of remote work, the threat surface has expanded, so implementing Zero Trust has never been more important. There are three simple principles of Zero Trust: secure the user, secure the device, and secure access.
Having visibility over all devices, including corporate-owned and BYO devices, is essential. As a company you need to know who is using which device, what for, and what they have access to. When looking to establish device hygiene, companies must consider all vulnerabilities, including those in networks and applications.
As environments get more complicated, there is an increasing need to automate cyber hygiene. This includes using risk-based vulnerability prioritisation and automated patch intelligence to identify vulnerabilities and fast-track solutions.
Passwords are the biggest point of weakness for organisations that still use them prolifically. They are easily forgotten, and it is difficult to authenticate users through them because they are commonly shared amongst colleagues and easy to give away through phishing. Passwordless authentication, such as the use of biometrics, is much more secure and will alleviate the password reset burden on already short-staffed IT teams.
If you're already compromised, what are the next steps in handling this crisis?
First and foremost, establish where the attack has come from. Use data analytics and hyperautomation to help determine the root cause of the attack. Once you have determined which business functions have been affected, it is easier to identify the vulnerabilities that led to the attack. Following that, it will be possible to provide solutions to affected users and areas. Preventative measures must also be taken to stop the threat from spreading and affecting the wider business.
While all of the above is important as an initial reactive measure, the next steps following an attack are vital. All the errors or gaps in security that led to a breach must be documented to assess how to avoid them in the future. Planning is key. Plan and map your cybersecurity strategy so you understand your attack surface and can remain better prepared. There will never be enough capacity in your business to cover all vulnerabilities, so using hyperautomation to detect and prioritise those risks needs to be a crucial part of the strategy.
Once threats are neutralised, are they gone completely or just dormant?
Given that state-sponsored attacks are carefully planned and carried out in multiple stages, there is a possibility that actors can maintain long-term access to compromised environments. Vulnerabilities in systems will always be present, and new ones are being discovered daily.