Several high-profile cyber attacks in recent months have been linked to China, such as the Register.com hack that was revealed earlier this month. Even after cyber forensics reports have traced numerous cyber attacks in recent years directly to nation-state groups within their borders, the Chinese government has consistently maintained innocence when it comes to any covert information warfare.
But a leaked document written by the People’s Liberation Army of China, called The Science of Military Strategy, revealed that the Chinese government has military, civilian, and mercenary 'cyber' red teams. The leaked document sheds a disturbing new light on the scale and frequency of nation-state attacks coming from that country.
If you think that nation-state cyber warfare originating from China, Russia or even the United States has no influence over your company’s IT security, think again. The average IT department within a business should be paying very close attention to the attack vectors used in government-sponsored cyber espionage and responding with appropriate defense strategies, because sooner or later, these methods will inevitably be used to penetrate enterprise defense systems.
The 'trickle-down' effect
Many of the decisions governments are making about information security today have far-reaching consequences for the private sector tomorrow. One of these consequences is that private citizens and businesses are much more vulnerable.
The sophisticated attack vectors used in ongoing nation-state hacks are indeed making their way downstream into the civilian hacker community, which translates to very bad news for businesses who are trying to keep their intellectual property and customer data safe.
In fact, nation-state hacking is already impacting the private sector, including businesses and civilians. A prime example of this is the Stuxnet attack, sponsored by the U.S. Government as a way to spy on Iran. Once Stuxnet leaked to the security community, researchers studied it and shared their results.
This kind of reverse-engineering research is necessary for defense, but it also tipped off cybercriminals to all of Stuxnet’s most insidious deceptions. What we have now as a result of Stuxnet are criminal bot herders that are successfully copying these state-spawned techniques for their own gain.
Pandora’s box and beyond
In some situations, nation-state cyber warfare is required to carry out espionage, or to protect their countries from terrorism. However, some of the steps governments have taken under the guise of improving their cyber arsenal will do more harm than good in the long run. Stuxnet opened the Pandora’s box, but many more are coming our way.
As Stuxnet proved, government-sanctioned malware accelerates the evolution of criminal malware. If criminals see a neat new trick from a nation-state attack, they will copy it and use it in their private attacks. Malware-based attacks will soon start using similar workarounds to get past host based antivirus, as seen in suspected nation-state threats like Regin.
Once techniques used by nation-state malware go public, it accelerates the evolution in criminal malware, making it even more difficult to defend against for private businesses. As we’ve seen time and again, businesses are being bombarded with more targeted and advanced attacks then ever before, and they’re not well prepared to defend their assets.
The shady side to zero-day research
Perhaps even worse, nation-state attacks have essentially fueled the zero-day vulnerability black market trade. While most IT professionals are glad to have access to zero-day threat reports compiled by security forensics researchers, one serious downside is the new zero-day black market that has cropped up.
There are organisations that buy zero-day exploits with the goal of disclosing them to the software vendors to fix. But we are also seeing a more shady market that auctions zero-day exploit data to the highest bidder, with no plans to disclose the flaws to anyone else.
Unfortunately, governments are one of the primary customers supporting these zero-day vulnerability markets. This means the flaw, which is typically in commercial software everyone uses, does not get fixed, making private businesses more vulnerable.
When a government buys zero-day intelligence and then doesn’t disclose it, not only do they make their own citizens less secure, but they are likely also putting their own resources at risk. Instead of hoarding zero-day vulnerabilities, governments should be helping to fix them.
Less privacy means less encryption
Everyone in a free society has the right protect their privacy. Even if we have nothing to hide, we still have a right to keep some things protected, such as passwords or banking communications. Yet, governments -even so-called democratic and free ones- are trying to limit or weaken encryption.
Recently, the director of the FBI argued that Apple and Google should limit the strength of smartphone encryption to support law enforcement and Homeland Security initiatives. Similarly, the British Prime Minister wants to decrypt instant messages and other Internet communication.
While bad guys use encryption to communicate, it doesn’t mean law enforcement should have unfettered access to blanket surveillance. Furthermore, if we are forced to include backdoors or weaknesses in everyone’s encryption, hackers will find them – it’s only a matter of time. Weakening private encryption to satisfy the government does more to expose citizens than it does to help find criminals.
Defence, not offence
Governments should focus more on defending themselves and their citizens from cyber attacks from other countries than they do on offensive campaigns. If we remain committed to reinforcing areas of weak security and bad user practices, then we leave nothing for enemies to attack.
Our governments’ current cyber espionage policies have put all businesses at risk, while also increasing the sophistication of attacks by the hacking community at large. Organisations who have put off updating defense strategies must be more proactive and invest in new solutions such as advanced threat protection. One thing’s for sure: the government certainly won’t do it for you.
Sourced from Corey Nachreiner, CISSP and Director of Security Strategy at WatchGuard