Sophisticated threat actors are persistent threat actors.
Nation-states have earned their reputation as the most sophisticated and dangerous threat actors in cyberspace, but what most distinguishes them is not their technology but their focus, determination, and persistence.
That was the consensus among panelists discussing the latest global and emerging threats in cybersecurity at the second annual Billington International Cybersecurity Summit. Chaired by Tony Cole (Vice President and Global Governance CTO, FireEye), the panel included Rear Admiral Timothy White (Commander, Cyber National Mission Force, US Cyber Command), Neal Ziring (Technical Director, Capabilities Directorate, US National Security Agency), James Trainor (Senior Vice President, Cyber Solutions Group, Aon, and former Assistant Director, Cyber Division, US Federal Bureau of Investigation), and Thomas Donahue (Research Director, Cyber Threat Intelligence Center (CTIIC)).
Simple approach, complex effect.
NSA's Ziring opened the discussion by drawing attention to the increasing number of multi-part attacks (which he said would require new defensive tradecraft to counter) and a concomitant growth in exploitation of trust relationships.
Most attacks start with simple approaches, and this is as true of advanced nation-states as it is of script kiddies. Sophisticated actors, according to Donahue, are distinguished by their persistence, and not necessarily by the complexity or elegance of their attack code. And things aren't getting better, in his view—we aren't keeping up with the threat, and in some respects have become less aware than we might once have been, certainly less aware of the threat than its severity would warrant. Donahue offered the familiar (rather repellent but nonetheless evocative) parable of the boiling frog, slowly being cooked to death, yet unaware of the rising temperature of the water in which he finds himself. He proposed a cyber analogue of Moore's Law: things get twice as bad every year. The scale of disruption we're now seeing and the interdependence of the systems being affected are such that the frog is well on its way to being well-done.
Trainor took up ransomware as an example of how the threat evolves. It began by targeting individuals; now it targets organizations. Ransomware transactions have also changed. Where ransom was formerly paid by credit card or PayPal, it's now being paid in cryptocurrency, with negotiation and transactions enabled by TOR.
White agreed with Donahue's point that persistence is the mark of sophistication. He's seeing more signs of threat actors conducting operational planning, and he's also seeing clear evidence of purposeful national mobilization.
With twenty billion attack vectors being opened up by the growth of the Internet of Things, the IoT will obviously be attractive to attackers, Cole noted. He asked the panelists where they see the adversary going (Ziring predicted a trend toward subtle modification of data by hostile actors) and then opened the floor to questions.
Compliance as a starting point.
To a question about whether they viewed compliance as a good starting point, the panel thought it was a starting point, but not more than that. White argued that defenses have to "take it deeper, to mission assurance." This will be particularly important as data become a locus of attack. Donahue noted that we're constantly surprised by what's at risk in our own assets. ("We've followed the Pied Piper, and he's now come for our children.") We are insufficiently attentive to concentration of risk—there are ancient lessons here that we continue to overlook. Ziring agreed that compliance may be a starting point, but it falls short because it's not dynamic, and also because organizations measure compliance too infrequently. While most companies will start with compliance, Trainor observed, effective security comes down to leadership: does the C-suite view security as an expense, or as a business?
A question followed up on Ziring's point about rising exploitation of trust relationships—what would be the appropriate defensive response? Ziring thought blockchain and smart contracts would become a medium for doing business without exposing an enterprise's attack surface.
Nation-states with criminal connections.
An audience member asked how state actors—specifically the FSB—use both criminals and big data tools. Donahue took the second part of the question: intelligence agencies have always had a large and insatiable appetite for information, so their concentration on big data tools is unsurprising. Trainor took the first part: he didn't think the Yahoo! indictments, in which FSB officers were indicted along with professional criminals, were an anomaly. In his experience there have long been connections between the big-four threat actors (Russia, China, Iran, North Korea) and criminal gangs. What those connections are varies by country. For example, Russia tends to make direct use of criminals, whereas in China's case one tends to see more moonlighting of officers as criminals. Iran's relationships are too complex for easy characterization, and North Korea's government directly engages in criminal activity.
Suggestions for defenders.
In their closing summations, Admiral White said he believed the US hasn't yet, as a nation, arrived at a realistic appreciation of the threat. Trainor has been surprised by the sheer scale of the financial costs cyberattacks impose. He believes that the insurance industry will help mature cybersecurity, and that it will serve to drive good behavior. Donahue said that, while espionage is an old story, it has become newly coercive in cyberspace. We don't yet understand this; we're too slow to react, and we lack a strategic response. Ziring took the last word. He saw cooperation for security as having the potential to reduce both cooperation and amortization among the bad actors.