In a world full of geopolitical tensions, acts of cyber warfare between nation-states are becoming more commonplace.
According to MI5, “the UK is a high priority espionage target. Many countries actively seek UK information and material to advance their own military, technological, political and economic programmes.”
Historically, espionage activity has been carried out to gain political and military intelligence. But, in today’s technology-driven world, the private sector is finding itself increasingly in the crossfire, either as direct targets or as collateral damage.
So, how can organisations prepare for the new status quo and the very real possibility they may become a victim to this advanced-level threat?
What is cyber espionage?
Cyber espionage is a specific, advanced type of threat. Attackers are generally looking to dig deep into a network to steal information that advances their capabilities.
It can take place over a long timeframe, often without an organisation realising the threat actor is there, infiltrating deep into a system and rendering it untrustworthy, even after remediation has been carried out.
As a term, cyber espionage eludes a clear definition. Factors like the extent and nature of the damage caused by the attack, the identity of the attacker(s), and how the stolen information is used can all influence how it’s defined.
A guideline taken from The Tallinn Manual explains cyber espionage as “an act undertaken clandestinely or under false pretences that uses cyber capabilities to gather (or attempt to gather) information with the intention of communicating it to the opposing party”.
It can be used alongside traditional warfare or as a singular event. For example, in 2014, Russia was accused of disabling Ukraine’s mobile phone communications before employing traditional battlefield methods.
In other cases it stands alone: privately-owned US food giant Mondelez was denied a £76m insurance pay-out after suffering a Russian APT cyber-attack deemed to be “an act of war” and therefore not covered under the firm’s cyber-security insurance policy.
However you define cyber espionage, the fact remains that it’s becoming more advanced, effective and professional.
How to plan for and defend against cyber espionage
No matter the size of your business or your market, every organisation needs to be aware of the developing threat landscape and put measures in place to defend itself.
The key is to understand what the threat, and your organisation’s own threat landscape, looks like. Understanding the threat allows you to put the right technologies, the right people and the right processes in place to put your best foot forward.
It’s clear attackers are moving away from malware techniques in favour of masquerading as the administrator, living off the land and using everyday tools to gain access and move laterally across a network. Such activity can take years to detect, if it is detected at all.
This can be difficult to spot because organisations are extremely multifaceted: not only at the network level, in the applications they run and in their supply chain, but also in what they deliver to customers.
An APT attack may use traditional techniques such as botnets to launch distributed denial of service (DDoS) attacks as a smokescreen for other malicious activity. Social engineering and spear phishing techniques can also be weaponised to introduce an attacker into a system. The insider threat is also sizeable in cyber warfare, with a mole able to introduce a threat directly to the network or exfiltrate highly sensitive or secret material.
Bringing security into the centre of an organisation can help you understand your threat landscape and put in place the right defences.
If a security team can get into the mindset of a hacker, it can actively seek out its own vulnerabilities, understand what tactics might be used to gain entry, and what data can be accessed using those methods.
Threat exposure and vulnerability must also be analysed as part of every core business decision, such as procurement, international expansion, new product lines, pricing structures and M&A activity, decisions which tend to be made without security professionals present.
What seems like a low risk and profitable business decision can suddenly become the opposite when you factor in its knock-on effect on cybersecurity.
Drawing up a cyber incident action plan
Any organisation, no matter how small or large, should have a cyber incident action plan drawn up to contain a breach. Acting quickly can help to limit the damage – commercially and reputationally.
It’s recommended that an incident response team is set up, with selected senior staff members across technical, legal, the C-suite and PR/Communications, who can respond to combat the threat and manage the organisation’s messaging around the breach.
Securing IT systems to minimise and assess the damage is also a priority. Web platforms, or even the network itself, may need to be taken offline in the short term to avoid having to rebuild the system if the breach is too deep and widespread.
Rapid internal and external communication is key, alerting all staff to the issue and any steps they need to take to help mitigate the effects, as well as informing regulators such as the Information Commissioner’s Office, and customers and other stakeholders.
Once the breach is contained, organisations must review the event and put in place measures to prevent a recurrence. This could involve bringing in an outside team and government-level organisations like GCHQ and NCSC to understand whether you can trust your network to be secure again.
The future of cyber espionage and defence strategies
Cyber espionage is something that directly impacts the UK economy and our ability to operate at a worldwide level. And slowly but surely, the issue is being drawn out of the shadows and into the public eye.
But as the intricate details of targeted attacks are discussed and shared in public, the playbook is being passed down to the average malware author or criminal threat actor group. As a result, APTs are no longer advanced, they’re just persistent.
In response, organisations need to move away from a rule-based approach, where you have to be declarative about what you want and what you don’t want, towards a risk-based approach with a sliding scale from zero to 100, on which each organisation chooses a position that is reasonable for it.
As more organisations wake up to this growing threat, we’ll see the maturation of the incident response process which accepts an attack could take down a whole segment, or indeed, an entire business.
Automated mechanisms like machine learning will help more organisations monitor behaviours across their network, look for anomalies and identify how an attacker infiltrated the system.
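As an added example (not code from the article or from Softcat), the following sketch shows the shift described above from declarative rules to per-user behavioural baselines scored on a zero-to-100 scale: everyday admin tools used from an unfamiliar host, by an account that never used them, outside working hours, push the score up, and the organisation picks its own threshold. The log format, the weights and the list of admin tools are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log lines (not from the article): timestamp user host process
BASELINE_LOG = """\
2024-03-01T09:12:00 alice ws-12 excel.exe
2024-03-01T10:40:00 alice ws-12 outlook.exe
2024-03-01T08:55:00 bob ws-07 powershell.exe
2024-03-02T17:30:00 bob srv-01 powershell.exe
"""
NEW_LOG = """\
2024-03-10T11:00:00 alice ws-12 outlook.exe
2024-03-10T02:14:00 alice srv-01 powershell.exe
2024-03-10T09:00:00 bob srv-01 powershell.exe
"""
# Assumed list of everyday admin tools an intruder can use instead of malware ("living off the land").
ADMIN_TOOLS = {"powershell.exe", "psexec.exe", "wmic.exe", "net.exe"}

def parse(log):
    """Yield (timestamp, user, host, process) from the whitespace-separated log."""
    for line in log.strip().splitlines():
        ts, user, host, proc = line.split()
        yield datetime.fromisoformat(ts), user, host, proc

def build_baseline(log):
    """Per-user sets of hosts and processes observed during a quiet period."""
    seen = defaultdict(lambda: {"hosts": set(), "procs": set()})
    for _, user, host, proc in parse(log):
        seen[user]["hosts"].add(host)
        seen[user]["procs"].add(proc)
    return seen

def score_event(baseline, ts, user, host, proc):
    """0-100 risk score: the further an event departs from the user's habits, the higher."""
    known = baseline.get(user, {"hosts": set(), "procs": set()})
    score = 0
    if host not in known["hosts"]:
        score += 35  # account active on a host it never used before
    if proc not in known["procs"]:
        score += 25  # account running a program it never ran before
    if proc in ADMIN_TOOLS:
        score += 20  # built-in admin tooling rather than dropped malware
    if ts.hour < 6 or ts.hour > 20:
        score += 20  # outside normal working hours
    return min(score, 100)  # assumed weights; the cap keeps the scale at 0-100

def score_log(baseline, log, threshold):
    """Events at or above the organisation's chosen threshold, as (user, host, proc, score)."""
    flagged = []
    for ts, user, host, proc in parse(log):
        s = score_event(baseline, ts, user, host, proc)
        if s >= threshold:
            flagged.append((user, host, proc, s))
    return flagged
```

Lowering the threshold surfaces bob's routine PowerShell use on a known server (score 20) alongside alice's night-time PowerShell launch on a server she has never touched (score 100); raising it keeps only the latter.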
Information can also be shared across thousands of businesses to improve cybersecurity strategies across the board. No longer will defence rely on finding a needle in a haystack.
Adam Louca is Chief Technologist for Security at Softcat and is responsible for ensuring that Softcat's solutions are deployed with the correct security models and to help customers develop their cybersecurity posture. Adam also engages with Softcat's partner community to develop closer working relationships and help promote partners' solution messaging within Softcat and its customers.