The Real Cyber Threat: Why State Sponsored Hackers Are Your Last Concern

Neehar Pathare, VP-IT, Financial Technologies (India)

There has been an increase in state-based attacks globally over the last few years. It came to light when the New York Times announced on Jan 31st 2013 that it was the victim of a Chinese hacking operation in which the intruders had been on the news organisation's network for at least four months. A day later, the Wall Street Journal made a similar announcement. Less than a month later the cyber security company Mandiant released a report identifying a Chinese military unit as responsible for the hacks on U.S. business networks.

In the last year alone, hackers have wreaked havoc on:

eBay (2014): eBay asked 145m users to change their passwords after hackers stole customers' names, addresses, numbers and dates of birth

Heartbleed (2014): A serious vulnerability was discovered in encryption technology used to protect many of the world's major websites, leaving them vulnerable to data theft

Sony (2014): A cyber attack on Sony Pictures Entertainment resulted in a huge data leak, including private details of 47,000 employees and famous actors

US Central Command (2015): Hackers claiming links to Isil managed to take control of CentCom's Twitter and YouTube accounts, changing the logo to an image of a hooded fighter

The latest, for 2016, is 'Thousands of FBI and Homeland Security details stolen by hackers'.

These types of attacks are referred to as Advanced Persistent Threats (APTs). Most APTs use zero-day exploits that are not known to antivirus companies, which makes them hard to track. Globally, at least a hundred APT groups are currently operational as criminal operations, mercenary groups, or nation-state sponsored divisions. Criminal operations typically target organisations or individuals for financial data or personally identifiable information for identity theft. Mercenary groups steal financial information or specific information from specific targets, as requested by their client. State sponsored groups may target organisations or governments to steal financial information, defence information, information that would grant a geopolitical, economic or technological advantage, or any information that would be of use in intelligence or counterintelligence operations.

Listed below are some of the known APTs, grouped by state:

China: People’s Liberation Army (PLA) Unit 61398 / PLA Unit 61486 / Blue Termite

America: Butterfly Group / Morpho / Regin / Flame / Equation group / TAO

Global: Anonymous

Unknown Nationality: Hellsing / MOKER / Shrouded crossbow / Santa APT

So are these listed organisations the greatest threat to your organisation?
The answer is NO.

Although the above groups largely dominate the cyber landscape, they account for only one third of the risk; the other two thirds comes from your company's insiders. The usual motives are greed, desire for revenge, a disgruntled employee, opportunity, or all of them together. These insiders are mostly moles, ex-IT employees, contractors, disgruntled employees, careless employees and BYOD users, and they pose a greater risk to intellectual property than state sponsored attacks.

Such internal attacks are not only costly but also tarnish the company's image and reputation. The outside world is usually not aware of the number of insider events or the level of damage, because 70 percent of the incidents are handled internally without any legal action. Many CIOs fear that such internal attacks would compromise clients' personal information, compromise HR and employee information, expose confidential information, expose IP, cause loss of competitive advantage and damage reputation.

Research reveals that although enterprises are more aware of the internal network threat, they continue to fall victim to a growing number of attacks. So what can your company's IT teams really do to reduce the risk of internal attacks? There is no plug-and-play solution that makes you 100 percent attack proof, but the risk can be minimised by the following processes:

  1. Internal controls and audits.
  2. Administrative policies and procedures, including DLP.
  3. User monitoring.
  4. Security information and event management (SIEM).
  5. Informing leavers in the exit interview of the legal implications of hacking your network; publicising the security policy.
  6. Monitoring your databases - be on the lookout for any activity that seems suspicious or out of the ordinary.
  7. Go for IT security certifications - each certification prepares you for an event that might cost you a lot if you are not ready.
  8. Follow forums.
  9. Perform attack and penetration tests.
  10. Identify vulnerable points in the network.
  11. Delete comments in website source code.
  12. Remove unnecessary services from devices, and remove default, test and example pages and applications that usually come with web server software.
  13. Ensure physical security.
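Items 3, 4 and 6 above come down to the same thing: a baseline of what each account normally does, and an alert when an event falls outside it. The script below is an added illustration (not from the article or the author's organisation) that runs that check over a handful of constructed database audit log lines; the usernames, tables, offboarded-account list and thresholds are all made up for the example.

```python
"""Insider-activity detection over constructed database audit log lines.

Added example, not from the original article. Flags two patterns the
article names as insider risks: accounts of departed staff or contractors
still in use, and bulk data access that deviates from a user's own
history on a table. Every name and value below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed audit log: timestamp user action table rows_affected
AUDIT_LOG = """\
2016-03-01T09:12:04 jdoe SELECT customers 120
2016-03-01T10:40:11 jdoe SELECT customers 95
2016-03-02T11:05:33 jdoe SELECT customers 110
2016-03-03T23:47:19 jdoe SELECT customers 48000
2016-03-02T14:20:00 rpatel UPDATE hr_salaries 1
2016-03-03T15:02:45 contractor7 SELECT ip_designs 300
""".splitlines()

OFFBOARDED = {"contractor7"}    # HR-supplied list of accounts that should be disabled (constructed)
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 local time counts as normal
BULK_FACTOR = 10                # rows above 10x the user's historical mean on that table

def parse(line):
    ts, user, action, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "table": table, "rows": int(rows)}

def find_insider_alerts(lines):
    """Return (user, timestamp, reasons) for events that deserve an analyst's attention."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    history = defaultdict(list)  # (user, table) -> row counts of earlier events only
    alerts = []
    for e in events:
        key = (e["user"], e["table"])
        reasons = []
        if e["user"] in OFFBOARDED:
            reasons.append("offboarded account still active")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if history[key] and e["rows"] > BULK_FACTOR * mean(history[key]):
            reasons.append(f"bulk access: {e['rows']} rows vs mean {mean(history[key]):.0f}")
        history[key].append(e["rows"])   # baseline grows only after the event is judged
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for user, when, why in find_insider_alerts(AUDIT_LOG):
        print(f"{when} {user}: {why}")
```

In practice the baseline would be learnt from weeks of logs and the offboarded list fed from HR automatically, which is what a SIEM correlation rule does; the logic stays the same.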

The risk of insider attacks is inherent to any business, but it can be adequately reduced with proper preparation and forethought. As we know, security and convenience are inversely proportional to each other; ultimately it is for executive management to decide to what level controls are implemented without hampering the daily working of the organisation.