SAN FRANCISCO — Nation-state threats are becoming so prevalent that incident response vendors are finding signs of actors from multiple countries lurking in the same victim’s network.
Three of the industry’s largest incident response vendors — IBM X-Force, FireEye and CrowdStrike — shared troubling developments about nation-state threats during a panel discussion at RSA Conference 2019 here this week. Wendi Whitmore, global lead of IBM X-Force Incident Response and Intelligence Services, said there’s been a convergence with nation-state advanced persistent threat (APT) groups, both with the tools they use and the targets they select.
“It’s pretty common these days to go through an organization and we’ll see three to four nation-state actors in the same organization, many of them with the different objectives, but [operating] in the same location and targeting similar types of data,” she said.
Thomas Etheridge, vice president of services at CrowdStrike, based in Sunnyvale, Calif., said his company has also seen a convergence with nation-state threat groups within specific industry verticals. He also noted an increase in ransomware attacks in the last six months, which was an example of the “big game hunting” trend of APTs targeting specific organizations that were likely to pay hefty ransoms.
“They’re really looking to focus on monetizing aggressively across the industry verticals they know will have the pocketbooks to pay,” Etheridge said.
Nation-state threat groups adopt new tools, techniques and procedures, and change their approaches, said Stuart McKenzie, vice president of Mandiant Consulting, EMEA, at FireEye, based in Milpitas, Calif.
“We’re beginning to have to think about how we spot nation-state actors doing different things,” he said. “And we have to think more about what they could do [instead of what they’ve done in the past].”
IBM X-Force saw a “rise in sophistication” last year with Iranian nation-state hackers, according to Whitmore. “They’ve come a tremendously long way from website defacements over the past decade into the actual theft of intellectual property and highly targeted thefts.”
McKenzie agreed and cited the Iranian domain name system hijacking campaign as an example of the sophistication. That campaign, which McKenzie called “quite cunning,” involves several stages and techniques, as well as a high level of coordination and planning.
North Korean APTs have also risen in prominence and sophistication, and they have used those skills to, for example, attack financial institutions for monetary gains, Whitmore said.
Etheridge also said North Korea’s capabilities have increased, and he cited data from CrowdStrike’s 2019 Global Threat Report as evidence of that trend. The report measured breakout time, which is the window of time from when an adversary first compromises a device to when they begin moving laterally through an environment. CrowdStrike reported Russian adversaries had the shortest breakout time, with just under 20 minutes, while the average breakout time was four hours and 37 minutes. North Korean actors were second, with approximately two hours.
“That was surprising to us, because we thought it would be China [in second place],” he said. “Their investment over the last 10 years in advancing their capabilities on the cyber front really is starting to pay dividends for them, especially when it comes to monetization.”
Wendi Whitmoreglobal lead of IBM X-Force Incident Response and Intelligence Services
McKenzie said another indicator of nation-state cyberattack capabilities is dwell time, or the amount of time a threat actor has remained on a network after first compromising it. FireEye’s Mandiant M-Trends 2019 report showed the average dwell time in incidents it observed last year was 50.5 days, which was a decrease from the average of 57.5 days in 2017.
While the overall dwell-time drop was good news, McKenzie said attacks in the EMEA region have seen dwell times increase over the last year. But, as the M-Trends 2019 report showed, some nation-state threats are getting better at hiding inside victims’ networks for longer periods of time. That not only puts more data and critical assets at risk, he said, but it also makes incident response and investigations more expensive and difficult to conduct.
“The longer it goes, the harder it becomes,” McKenzie said. “And if it goes on for a significant amount of time, then you begin to no longer trust your infrastructure, because you don’t know what the attackers have done.”
Security information sharing must improve
The RSA Conference panelists said improvements in sharing security information could help cut down breakout times and dwell times. Etheridge said information sharing does occur between competing vendors, but he also said it could be improved.
McKenzie agreed, but said one of the challenges FireEye faced was reluctance from customers to share any security information, even indicators of compromise, from an incident they experienced.
“We want to share. We want to help more people,” he said. “But [customers] say, ‘Even if the data tangentially ties to us, we don’t want anyone to discuss it.'”
Jason Brvenik, CTO of NSS Labs, a technology testing firm in Austin, Texas, that provides cybersecurity guidance, said many security vendors do indeed share information, whether informally or through channels such VirusTotal or other public resources and exchanges. However, there are limits that are often imposed by the vendors, because identifying new threats is a competitive advantage, and sharing the information about the threats can negate it.
“It’s all about the amount of time to go play with [new samples] and inject new things to test scenario,” Brvenik said. “The vendors know that dynamic is there, so they’ll hold back letting that information go out long enough for them to have that advantage.”