In the vast and interconnected realm of the digital landscape, an insidious storm is brewing. This storm, as revealed by the Dutch National Coordinator for Security and Counterterrorism (NCTV) in their Cyber Security Assessment Netherlands 2022, is rapidly becoming the new norm: cyber and insider attacks orchestrated by nation-state actors (The National Coordinator for Counterterrorism and Security, 2022). One well-known example that exemplifies the magnitude of nation-state cyber threats is the SolarWinds cyber-attack. This incident had far-reaching consequences, creating a wave of disruption for numerous organizations.
As these threats continue to escalate, cybersecurity experts like Marcel Van Kaam from KPMG and John Mancini from Vectra AI are stepping forward as skilled navigators, guiding us through the treacherous terrain of nation-state cyber threats. These were the topics for the KPMG-Vectra AI webinar on cyber resilience to nation state threats as broadcasted on June 14th and available on demand here. Third member of the panel was John O’Callaghan (JC), who joined Vectra AI after experiencing the SolarWinds attack firsthand while working for the company. In this blogpost, we will highlight the topics discussed and information shared by our panel from KPMG and Vectra AI.
Unveiling Nation-State Threat Actors:
To start with urgency, it is evident that in order to navigate increasingly international ways of working and counter state-sponsored cyber-attacks, organizations must understand the broader threat landscape and craft a successful security strategy. This strategy includes distinguishing genuine threats from false positives and recognizing the pivotal role of security efficacy across people, processes, and technology. AI-powered technologies can play a key role here to increase efficiency of detection and response capabilities.
To strengthen security strategy, it also essential to understand the adversarial parties you are dealing with. In the case of nation-state threat actors, we speak of groups or individuals who receive support from governments and work on behalf of intelligence agencies to carry out cyber operations aligned with their nation's strategic objectives. These adversaries deploy sophisticated techniques like Advanced Persistent Threats (APTs) and leverage substantial resources, including advanced technical capabilities, espionage operations and ample funding. To maintain plausible deniability, intelligence agencies operate in secrecy, aiming to remain anonymous and deny any involvement. Therefore, more than focusing on attribution, organizations need to equip themselves with robust defenses and effective response strategies against a broad spectrum of threats, thereby understanding the wider threat landscape instead of zeroing in on specific adversaries.
The threat landscape revolves around the objectives of nation-state attackers. Those focused on increasing political influence tend to target government departments, which remain the main mark for cyber-attacks by nation-states. To gain economic advantages, they engage in intellectual property theft, targeting a wide range of sectors such as research institutions, defense industries, emerging technologies, and even seemingly everyday items. Another sector nation-state actors pose a significant danger to is critical infrastructure, including power grids, communication systems, and railways. Cyber-attacks aimed at sabotaging these vital systems can trigger widespread social disruption and inflict severe economic damage. Marcel pointed out a concerning trend where several nations are becoming increasingly willing to take greater risks, combining physical or military retaliation actions to cyber-attacks.
To shed more light on these recent developments of nation-state threat actors and their modus operandi, our panel discussed emerging trends and insights. John emphasized the ineffectiveness of traditional prevention measures against advanced threats like phishing, zero-days, and other well-tested exploits. Instead, the importance of focusing on internal activities within organizations to detect and respond to inevitable breaches promptly was discussed. Marcel aligned with John's perspectives, discussing highly advanced cyber-attacks involving unknown software vulnerabilities and supply chain attacks. However, he also emphasized many organizations still lack adequate cybersecurity preparedness, often neglecting basic practices that become prime points of exploitation.
Beyond the digital realm, Marcel drew on his experience as an intelligence officer, highlighting the significance of recognizing non-digital tactics employed by nation-state actors. These tactics encompass a wide array of strategies, including recruiting spies, exploiting international academic collaborations, spreading false information, running political influence campaigns, and even taking over companies to gain access to sources of information. Defending against such multifaceted attacks proves to be an incredibly challenging task for organizations.
Sailing Through the Storm: Protective Measures for Organizations:
To tackle this challenging task, organizations looking to defend against nation-state threats must undertake strategic and proactive measures. Initiating conversations at the board level to create awareness and emphasize the importance of preserving the organization's competitive advantage is crucial. By acknowledging the tangible risks posed by nation-state threats, companies can instill a sense of urgency and commitment to address these challenges effectively. For the last topic of the webinar, our panel therefore enlightened us with their view on how organizations can start their journey of facing and protecting against nation-state threats.
To incorporate this threat into their cybersecurity strategy, organizations should start by understanding how the threat landscape specifically applies to their core business, explained Marcel. This involves identifying relevant threat scenarios within the spectrum of intelligence operations. Assessing potential cyber-attacks, considering the human factor in core components, understanding the implications of third-party entity ownership and foreign intelligence laws, and evaluating the risks associated with international academic collaborations are essential sides of this process.
Quantifying the gap between identified threats and existing security capabilities is another critical step. Evaluating technical capabilities, governance capabilities, and outsider capabilities helps organizations assess the maturity, coverage, and technical effectiveness of their security measures. It is vital to consider the monetary impact of potential breaches and compare it against the value of intellectual property. This analysis facilitates informed discussions with the CFO, enabling the prioritization of security initiatives based on cost-benefit considerations.
Additionally, Marcel urged, organizations must recognize that nation-state threats extend beyond cyber-attacks alone. Espionage, insider recruitment, false information dissemination, and political influence campaigns are tactics employed by these actors. Evaluating vulnerabilities in these areas and implementing proper mitigation measures is essential to shore up defenses. Marcel and his team at KPMG help clients with these steps of identifying the threat landscape, quantifying the needs and enabling the discussion on board level – both for cyber security as well as physical security, for example through the travel security course aimed at employees travelling for business.
Conducting comprehensive risk assessments, with the assistance of third-party experts, is crucial for identifying vulnerabilities throughout the organization's supply chain, confirmed JC. External professionals provide an objective assessment and offer fresh perspectives that internal staff may overlook due to biases or distractions. Something he witnessed first-hand at SolarWinds.
From the highly technical perspective, John spoke from his expertise to advise organizations to start with finding out if they have already been breached. Pinpointing where current prevention and visibility is lacking, enables targeted effort into improving coverage, effectiveness and return on investment of security investments.
Conclusion: learn how to sail in the storm
In the face of the gathering storm of nation-state cyber threats, organizations must accept that nation threat actors are out there and motivated to target them – either directly or through a supply chain attack. It is therefore crucial to proactively prepare and fortify their defenses but more importantly, focus on detection after initial access, as 100% prevention is simply impossible. It is all about learning how to sail in a storm that will come on your path inevitably.
By engaging in board-level discussions, understanding the specific threats applicable to their core business, quantifying gaps in security capabilities, and conducting comprehensive risk assessments, organizations can craft a holistic and balanced security strategy where technology, processes, and – incredibly important – people are effectively connected. Through these strategic measures, organizations can effectively mitigate the risks posed by nation-state actors, protecting their competitive advantage, and emerge from the storm stronger than before.
KPMG and Vectra AI can help as these topics, questions and adversaries depend highly on the organization at hand. Contact any of the people below to discuss any questions or schedule an appointment.
