The global rising tide of cyber threats from nation-states should be a red flag for private sector security leaders in all industries to prepare for more frequent and brazen attacks in the future, according to Forrester Research.
To help companies prepare for the changing nation-state attack landscape, Forrester unveiled on March 2 a new model to defend themselves and prepare for an expected onslaught of regulations to follow.
Forrester senior analyst and lead author of the report, Allie Mellen, pointed out that 40% of reported cyber operations by country target the private sector. State-sponsored attacks have increased by almost 100% between 2019 and 2022, and their nature has changed — more are carried out for data destruction, denial of service, and financial theft than in previous years.
The Forrester model is built on three steps.
First, understand how nation-states attack organizations. A good starting point is the nation-state escalation ladder available in the model.
“This is a wise approach,” maintained Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“In the end, for the victim, does it really matter which actor is responsible for an attack that steals money or sensitive information?” he asked.
“Focusing on how these attacks are being performed, especially as cybercrime groups continue to mature, is far more important for most organizations than worrying about the source,” Kron told TechNewsWorld.
“Being aware that you may be a target is important, though, and planning must be a part of the threat models,” he added.
Second, construct threat models based on organization-specific nation-state threats.
“Threat models for geopolitical actors are living references of who, what, where, when, why, and how nation-state attackers target your organization,” the report noted. “They help predict future attacker activity, close visibility, and detection gaps, plan future market moves, and provide a tangible reference for executive discussions.”
“Proper threat modeling is absolutely important when talking about nation-state actors,” said Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, an enterprise security company in Sunnyvale, Calif.
“An organization that wants to heighten its defense has to determine which of the hundreds of state-sponsored actors are targeting them. Then it has to prioritize countermeasures to those threats,” Dorais-Joncas told TechNewsWorld.
The third step is to get involved in influencing the narrative around cybersecurity. To do that, security leaders need to know what government jurisdictions have security requirements for their business; manage their relationships with the government through vehicles like information sharing; prepare for geopolitical events ahead of time; and influence legislative proposals before they become regulations.
The report also recommends joining forces with others in an industry to gain some muscle in the legislative process and keeping board members informed about what’s being done about nation-state threats before they come asking about the situation.
Strong Foundation Needed
“I think the Forrester approach is headed in a good direction,” observed James Lively, an endpoint security research specialist with Tanium, an endpoint management provider in Kirkland, Wash.
He added, however, that for the model to be effective, it must be built on top of an already strong foundation. “If your company is having challenges maintaining a compliance or patch efficacy program, then most models are already rendered ineffective,” Lively told TechNewsWorld.
Morgan Demboski, a cyber threat intelligence analyst with IronNet, a network security company in McLean, Va., called Forrester’s model a “smart approach” to contending with the nation-state problem.
“The cyber activity and strategic objectives of nation-state threat actors continue to show the interrelationship between the geopolitical and cyber threat landscapes, highlighting the importance of tracking government actions and international relations to assess their potential implications in the cyber domain,” she continued.
“Preparing for organization-specific activity is important since the threats facing different businesses are multi-faceted and differ between sector and region,” she added.
Attacks Not Going Away
Robert Hughes, the chief information security officer at RSA, a cybersecurity company in Bedford, Mass., noted that the Forrester model appears to be very prudent advice.
“It comes down to knowing the risk level your business is facing,” Hughes told TechNewsWorld. “While at some level it’s like trying to protect your home from a missile attack, there is a solid framework to start thinking through the questions and discussion points you should be aware of as a business to consider your risks and start to address them using a multi-pronged strategy.”
“Nation-state attacks are not going away,” he continued. “They are increasing in volume and capability, and we should expect to see more of this, not less, in the next couple of years.”
While the Forrester approach is sound, it’s nothing new, maintained Mike Parkin, a senior technical engineer with Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.
While agreeing that organizations need to protect themselves from all attacks and have knowledge of how and to whom reports of attacks should be submitted, the scope of nation-state threats can be overwhelming, observed Todd Carroll, senior vice president of cyber operations at CybelAngel, a threat intelligence company in Paris.
“You will spin in circles trying to think about every nation-state and organized team and method of attack out there,” Carroll told TechNewsWorld. “China alone has dozens of state-sponsored teams attacking verticals via different methods and for various reasons.”
“You don’t have time to know the ‘why,’ but you need to spend your limited resources on protecting access, knowing your attack surface, and tracking your critical data,” he said.
Claude Mandy, chief evangelist for data security at Symmetry Systems in San Francisco, a provider of hybrid cloud data security solutions, however, was skeptical of the Forrester model.
“In an industry struggling to handle less sophisticated attackers and basic attacks, a nation-state-specific threat model could be perceived as an unnecessary distraction to organizations who would benefit most from getting the basics right first,” Mandy told TechNewsWorld.
“Rather than investing in cybersecurity controls to attempt to thwart a sophisticated attacker like a nation-state, we like to encourage organizations to prioritize their cybersecurity on what matters most to them — their data — rather than starting from threats and trying to guess what attackers will do,” he said.