
When tensions between Iran and the United States threatened to spill over into an all-out war, concern immediately turned towards state-sponsored cyberattacks.

Tom Reagan, U.S. cyber practice leader at Marsh, an insurance brokerage and risk management consulting firm, told CNBC in stark terms:

“The possibility of a retaliatory attack should be viewed as an immediate and urgent challenge for businesses.”

Even though tensions between the United States and Iran have ebbed, the threat from state-sponsored terrorists from rogue regimes across the world remains high.

What can a business, or an MSP tasked with protecting a client’s network, realistically do? Smarter MSP asked Chase Cotton, director of the University of Delaware’s cybersecurity program, for his thoughts on the topic.

Nation-state attack

An attack from a state will be far more organized than a rag-tag group of criminals or college kids, states Cotton. Still, the attack itself might not be much more difficult to distinguish from a non-state actor. The techniques will be basically the same, and that is both good and bad news for MSPs and cybersecurity professionals. (A flashy attack full of cyber-pyrotechnics would be easier to spot.)

Historically, cyberattacks would focus on a narrow range of targets, including government, military, defense contractors, and research universities. But in today’s cyber theatre of war, all sorts of softer targets are now at risk. That’s because the softer targets might be connected to more critical ones.

Cotton looks at cyberwar as one tool in a broader arsenal that countries wield. If a country is attacked, countries will look to dole out a “proportional response”, whether it is cyber or traditional warfare.

“Does this mean we’ll never have a Cyber Pearl Harbor? No, but I think such an attack would not be in isolation and would only be a part of a larger engagement,” warns Cotton.

Instead, nation-state attacks will be conducted with more of a guerilla mindset: an attack here, a skirmish there.

“Remember, even today, a successful attacker often goes undiscovered for four to six months. The most effective attack would be to establish footholds in many different places in your adversary’s infrastructure and only begin a coordinated attack at some point in the future,” notes Cotton.

It is those under-the-radar footholds for future engagements that MSPs have to monitor.

Do a risk analysis

The first step for an MSP examining its exposure to a nation-state attack is a risk analysis of every client in its portfolio. MSPs also need to make sure their own security is impenetrable, because some attacks with potential state ties have been carried out on MSPs.

Do any of your clients work for a larger client that a nation-state might view as a ripe target? For instance, that food service client may seem to be about as far removed from the trenches of cyber warfare as possible, but not if they fill the vending machines at the nearby air force base. Or perhaps the laundry service that washes the uniforms for the local military hospital is one of your clients. Any business with a connection to a larger target needs to be considered a high-value target.

Traditionally, state attacks have gone after enterprise perimeter defenses and technological surfaces. Today’s nation-states are savvy operators of social engineering, and a successful phishing attempt can achieve the results they are seeking. Often, these phishing attacks are carried out against soft targets.

How to defend?

The good news is that robust cybersecurity measures will ward off a state attack — and your garden variety cybercriminal.

“Attacks, whether from criminal or nation-state actors, largely use the same techniques. An organization’s continual vigilance to implement and maintain cybersecurity best practices is critical,” advises Cotton.

Cotton suggests that small or medium-sized companies and organizations incorporate a “Red Team” exercise to identify employees who need additional protection or training, lest they become a spear-phishing target. Likewise, increased oversight of activity logs for such individuals would help.

“When targeting critical management or operations employees of either a larger nation-state target or even their sub-contractors, the use of a smaller unconnected organization might be an easier way to infect a spear-phishing target’s home computer. Then the attack would move across the corporate VPN to the actual target of the attack,” details Cotton.

He adds that some of these smaller, seemingly unconnected organizations might be a local library or health-care system. By those criteria, it’s understandable why MSPs should be concerned about state-sponsored attacks.

The connection between ransomware and states

Ransomware can often be used by nation-states not just to extract money, but as a gateway to future attacks. While some of the headline-grabbing attacks against cities like Baltimore and Pensacola might not seem connected to state actors, the full motives behind the attacks may not become evident. Ransomware, notes Cotton, “leads to a very large ‘net’ in which to capture potential targets for more focused attacks.” MSPs and security personnel need to beef up defenses against ransomware.

“It is critical that an organization doubles down on the strength of their data backup and recovery design. As always, use best practices, test all recovery steps, and validate how much data (time-wise) would be lost in the worst case, what the outage and recovery time would be, and whether the organization can survive an outage of this magnitude,” offers Cotton.
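An added example, not from the article or from Cotton: one way to run the validation described above, deriving worst-case data loss from backup history and worst-case recovery time from restore drills, then comparing both to what the business can tolerate. The record layout, sample values and tolerance figures are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption): nightly backup jobs for one client.
BACKUPS = [  # (finished_at, job_succeeded, restore_verified)
    ("2020-01-06T01:00", True, True),
    ("2020-01-07T01:00", True, True),
    ("2020-01-08T01:00", False, False),  # job failed
    ("2020-01-09T01:00", True, False),   # completed, but never restore-tested
    ("2020-01-10T01:00", True, True),
]
# Constructed sample data (assumption): measured end-to-end restore drills, in hours.
RESTORE_DRILLS_HOURS = [5.5, 9.0, 7.25]


def usable_backups(history):
    """Only backups that succeeded AND were proven restorable count."""
    return sorted(datetime.fromisoformat(t)
                  for t, ok, verified in history if ok and verified)


def worst_case_data_loss(history, as_of):
    """Longest stretch of data not covered by any usable backup."""
    points = usable_backups(history)
    if not points:
        return None  # no proven backup at all: loss is unbounded
    edges = points + [as_of]  # include time since the latest usable backup
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))


def assess(history, drills_hours, as_of, max_loss, max_outage):
    """Compare measured worst cases against what the business can survive."""
    loss = worst_case_data_loss(history, as_of)
    outage = timedelta(hours=max(drills_hours)) if drills_hours else None
    return {
        "worst_case_data_loss": loss,
        "worst_case_recovery": outage,
        "loss_ok": loss is not None and loss <= max_loss,
        "outage_ok": outage is not None and outage <= max_outage,
    }


if __name__ == "__main__":
    report = assess(BACKUPS, RESTORE_DRILLS_HOURS,
                    as_of=datetime(2020, 1, 10, 13, 0),
                    max_loss=timedelta(hours=24),     # assumed tolerance
                    max_outage=timedelta(hours=12))   # assumed tolerance
    for key, value in report.items():
        print(f"{key}: {value}")
```

With this sample data the nightly schedule looks healthy, yet one failed job plus one untested backup stretch the real exposure to three days of lost data.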


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
