It's a hostile world out there, and the increasing skill and destructive power of state-sponsored cyberattacks means that companies and other organizations need to raise their information-security game.
Yet complete immunity from cyberattacks is impossible to achieve. There will always be vulnerabilities. What matters more is cyber resilience — the ability to restore digital systems as quickly and thoroughly as possible after a disaster.
One year ago, in July 2024, a faulty content update to CrowdStrike's Falcon endpoint detection and response sensor crashed millions of Windows hosts and caused a global IT outage that hit airlines and other transportation operators especially hard. It was not an attack, but the disruption and associated costs in lost revenue and recovery were on a scale most advanced persistent threat (APT) groups can only dream of.
The outage laid bare the stark differences in cyber resilience among companies, even within the same industries. Some organizations got back up and running within a few hours; others stayed grounded for days.
One way to build cyber resilience in an organization is to adopt the emerging concept of exposure management, a more holistic, proactive evolution of vulnerability management that goes beyond software flaws to cover misconfigurations, identity compromise and other weaknesses.
Both exposure management and cyber resilience stress preparation, planning, asset discovery and risk assessment. They insist on making cybersecurity a core organizational value, aligning it with business goals and, most importantly, being able to foresee and prepare for new threats and attack techniques.
Achieving either one, or both, will boost compliance with rules and regulations and drastically improve an organization's security posture.
The different types of nation-state attacks
State-sponsored attacks tend to have three main goals: data exfiltration, data destruction and monetary theft. When Chinese spies break into U.S. government networks like the Office of Personnel Management, or when Russia's Foreign Intelligence Service plants backdoors into SolarWinds software, the end goal is to copy valuable secrets while avoiding detection and stealthily maintaining long-term access.
But when Russia's Sandworm threat group forces Ukrainian power plants offline or releases a wiper worm targeting Ukrainian computer systems, or when North Korea's Lazarus Group erases terabytes of data belonging to a major U.S. movie studio, those are violent hit-and-run attacks intended to send a political message, as was the earlier Iranian attack on a Saudi oil company.
Chinese hackers generally refrain from outright destructiveness, but the Chinese Volt Typhoon group has been suspected of pre-positioning "logic bombs" in U.S. energy, transport and water critical infrastructure that could be detonated in the event of war.
Of the four major nation-states that pose the greatest cyberthreats to Western organizations (China, Iran, North Korea and Russia), only North Korea routinely practices outright theft. Its Lazarus Group is both a state-sponsored APT and a criminal organization, having stolen at least $2 billion from banks and cryptocurrency exchanges over the past several years.
How exposure management could have stopped some famous APT attacks
Proper exposure management could have minimized the impact of many of these attacks. For example, the Lazarus Group's WannaCry ransomware worm in May 2017 and Russia's NotPetya wiper a month later both spread by exploiting a Windows SMBv1 flaw (EternalBlue) that Microsoft had patched in March of that year (MS17-010). Timely patching would have stopped WannaCry outright and cut off NotPetya's exploit-based propagation, though NotPetya also moved laterally with stolen credentials, so patching alone would not have contained it on networks with weak credential hygiene.
The operational technology (OT) aspects of exposure management can help operators of critical infrastructure, especially water and power systems run by local municipalities or smaller companies, head off cyberattacks.
"This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments," notes Mark Weatherford, former Deputy Undersecretary for Cybersecurity at the Department of Homeland Security, in a Tenable blog post discussing the Volt Typhoon attacks.
"It's critical to have holistic exposure management capabilities that concentrate on discovering and remediating publicly disclosed CVEs," Weatherford added. "Exposure management combines the people, processes and technologies needed to effectively reduce cyber risk."
Fixing misconfigurations, excessive permissions, compromised accounts and weakly guarded accounts is basic cyber hygiene, a vital part of exposure management.
Implementing such safeguards would have stopped Russia's initial Midnight Blizzard intrusion at Microsoft in late 2023 and early 2024, which began with password spraying against a legacy, non-production test tenant account that had a weak password and no multi-factor authentication (MFA), and it would have blunted the group's later spear-phishing campaign against dozens of other organizations, which delivered digitally signed Remote Desktop Protocol configuration files that pointed victims' machines at attacker-controlled servers.
"What stands out in this breach is the need for better preventive security efforts to reduce the risk created by poor identity hygiene," noted a Tenable blog post discussing the Midnight Blizzard attacks. "Having MFA on [the targeted] account, despite it being non-production, could have prevented the password spray attack from reaching its ultimate goal."
The Tenable blog post noted that excessive permissions on the compromised Microsoft account let the attackers move laterally into the production environment, and that Tenable's Identity Exposure tool could have exposed those shortcomings before the attack.
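The Midnight Blizzard intrusion described above has a telemetry signature that is cheap to look for: one source address failing against many different accounts in a short window, each account tried only once or twice so that per-user lockout thresholds never trip, followed by a single success. The example below, added here and not Tenable's, Microsoft's or any vendor's code, runs that detection over a handful of constructed sign-in events and then cross-checks any account the spray landed on against a constructed MFA enrollment inventory (an assumed export from an identity provider). The event layout, thresholds and the `triage` helper are assumptions for illustration.

```python
"""Password-spray detection over sign-in events, plus an MFA gap check.

Added example; the event format, thresholds and inventory are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, user, source_ip, outcome). One IP tries five accounts in under
# 30 seconds and then lands on a legacy test account; a second IP is a normal
# user mistyping a password once.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:05", "alice@corp.example", "203.0.113.7", "failure"),
    ("2024-01-10T02:00:09", "bob@corp.example", "203.0.113.7", "failure"),
    ("2024-01-10T02:00:14", "carol@corp.example", "203.0.113.7", "failure"),
    ("2024-01-10T02:00:20", "dave@corp.example", "203.0.113.7", "failure"),
    ("2024-01-10T02:00:26", "erin@corp.example", "203.0.113.7", "failure"),
    ("2024-01-10T02:00:31", "legacy-test@corp.example", "203.0.113.7", "success"),
    ("2024-01-10T08:15:00", "alice@corp.example", "198.51.100.4", "failure"),
    ("2024-01-10T08:15:30", "alice@corp.example", "198.51.100.4", "success"),
]

# Constructed MFA inventory (assumption: exported from the identity provider).
MFA_ENROLLED = {
    "alice@corp.example": True,
    "bob@corp.example": True,
    "carol@corp.example": True,
    "dave@corp.example": True,
    "erin@corp.example": True,
    "legacy-test@corp.example": False,
}


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set(users)} for every IP whose failed sign-ins hit at
    least `min_users` distinct accounts inside a sliding `window`.

    The spray signature is many users per source, not many attempts per user,
    so per-account lockout counters stay below threshold and miss it."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def successes_from_spray(events, flagged):
    """Accounts that authenticated successfully from a flagged source:
    the spray found a password that works."""
    return sorted({user for _, user, ip, outcome in events
                   if outcome == "success" and ip in flagged})


def accounts_without_mfa(users, mfa_inventory):
    """Subset of `users` not enrolled in MFA, i.e. where a guessed password
    alone is enough. Unknown accounts are treated as unenrolled."""
    return sorted(u for u in users if not mfa_inventory.get(u, False))


def triage(events=SAMPLE_EVENTS, mfa_inventory=MFA_ENROLLED):
    """Chain the three checks into one report a responder can act on."""
    flagged = detect_password_spray(events)
    compromised = successes_from_spray(events, flagged)
    return {
        "spray_sources": {ip: sorted(users) for ip, users in flagged.items()},
        "successful_logins_from_spray": compromised,
        "no_mfa": accounts_without_mfa(compromised, mfa_inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the constructed input the report names 203.0.113.7 as a spray source, `legacy-test@corp.example` as the account it got into, and the same account as the one with no MFA, which is exactly the combination the Tenable post is describing. The sliding window matters in practice: real sprays are often paced at one attempt every few minutes per account to stay under lockout and rate limits, so widen `window` and lower `min_users` when tuning against your own sign-in volume.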
And then there was Sunburst, the very successful Russian 2020 supply-chain attack that abused updates of SolarWinds' Orion network-management software.
The initial vector into the Orion build environment has never been definitively established, but SolarWinds' internal security posture was allegedly so shaky that the SEC later charged the company with fraud (a federal judge dismissed most of those claims in 2024). The company had no CISO at the time of the attack and reportedly had maintained an update server protected by the password "solarwinds123".
Exposure management, especially attack path analysis, might have revealed weaknesses in SolarWinds' architecture and API access that could have helped prevent the attack.
Cyber asset attack surface management could have helped the dozens of companies and organizations affected by the Sunburst campaign to inventory where Orion was deployed, lock down their supply chains and minimize the impact of the corrupted Orion update.
Cyber resilience fills in the gaps
Yet resilience is paramount, because even the most well-fortified organization can never be completely invulnerable. Even exposure management practiced at the highest level may not be able to stop attacks that exploit zero-day flaws, such as the current wave of Chinese attacks on on-premises SharePoint servers.
It's also not clear how even the best preparations could have mitigated the 2023 Storm-0558 attacks, in which Chinese actors forged authentication tokens for several organizations using a Microsoft consumer signing key that had inadvertently ended up in a crash dump. Even there, though, identity hygiene mattered: according to Microsoft, the attackers reached the crash dump only after compromising a Microsoft engineer's corporate account.
The Russian operators behind the 2020 SolarWinds campaign, which also reached Microsoft and exploited a VMware product flaw, used bespoke, per-target tooling to evade detection, obscuring the fact that the intrusions were part of one campaign, and planted purpose-built malware in SolarWinds' build system to identify Orion builds and inject the backdoor.
The Lazarus Group often gains initial access via social engineering or spear phishing, both of which, as the saying goes, stem from problems existing between the keyboard and the chair. You can't patch human nature.
Not all nation-state attacks will be successful against the best-prepared organizations, but some will. That's why it's more important to be resilient, which is achievable, than to be impregnable, which is not.