Organisations are relying on luck rather than security skill when it comes to stopping a state-backed cyberattack, a Deutsche Bank security chief has said.
Carsten Fischer, Deutsche Bank’s deputy chief security officer, added that organisations are also finding it harder to draw on data from previous attacks to boost their defences as some state-backed hackers are using ransomware after an attack to obliterate any evidence they leave behind.
Catching a state-sponsored cyberattack: more luck than skill
The threat posed by nation-stated-backed hackers is growing all the time, particularly in the wake of Russia’s war in Ukraine, which has seen criminal gangs based in Russia often acting in support of Vladimir Putin’s regime. Microsoft’s ‘Cyber Defence report’, released last week, details the growth of this activity. “Nation-state groups’ cyber targeting spanned the globe this past year,” it says, “with a particularly heavy focus on US and British enterprises. Organisations in Israel, the UAE, Canada, Germany, India, Switzerland, and Japan were also among some of the most frequently targeted, according to NSN (Nation State Notification) data.”
Nation-state backed cybercriminals are highly skilled at infiltrating networks noiselessly and moving through them undetected for as long as they need to. Tactics, techniques and procedures used by these hackers are increasingly sophisticated and are becoming more aggressive, according to the Microsoft report. “Nation-state actors are launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities,” it says. “As geopolitical relationships have broken down and hawkish elements have acquired more control in some nations, cyber actors have become more brazen and aggressive.”
Because of this, evidence of state-sponsored cybercriminals is incredibly hard to spot. When CISOs have managed, it has been more through luck than skill, Deutsche Bank’s Fischer told delegates at technology analysis company KuppingerCole’s Cyber Leadership Summit in Berlin this week. “Unfortunately, we need to talk about luck,” he said. “If you talk to CISOs who work with regular attacks from a nation-state and you ask them how they have detected them, you will figure out that it wasn’t the regular detection methods they were using. It was a bit of luck.”
The indicators of compromise are subtle and very often overlooked, he explained, meaning alerts aren’t automatically raised. This means swift action to stop a breach can hinge on human intervention, and often attacks are thwarted because “somebody saw something that looked a bit strange and they reacted to it,” Fischer said.
He believes this reality needs to be reflected in cybersecurity training. “You probably need to train your people to look for something that doesn’t really look malicious,” he suggested. In fact, training exercises should be planned with this issue in mind. “Having routines or writing exercises can develop threat hunting to look for something that doesn’t look malicious, which could be something really bad,” he added
Content from our partners
Nation-state backed hackers are covering their tracks with ransomware
These nation-state backed hackers are also becoming adept at covering their tracks, which makes it difficult to gather information about breaches and how future problems can be avoided, Fischer told the conference. “One of the biggest nation-state attackers has now started to use ransomware as a method to hide what they have done, so we will learn less about what they have done,” he said.
“In the past, we always learned from others who got hacked, figuring out what they did and how better to detect them. They’re now using ransomware to really wipe it out. That’s becoming more sophisticated and more difficult for us.”
However, Marc Hofmann, chief security officer at Finnish bank Nordea, said information from past attacks remains one of the best ways to tackle future problems. “Take all the intelligence you have,” he advised delegates at the conference. “All threat detection software we have can’t replace threat intelligence gathered by information sharing.”
