We're in the dawn of the age of global cyberwarfare: Nation-state hackers are knocking out critical infrastructure. They're disrupting lines of communication. They're stealing military technology. They're sowing discord and confusion.
But they're also attacking nonpolitical "civilian" targets — businesses, schools, hospitals, and the like — to reap the rewards of low-hanging political fruit. These attacks comprise what some call "trickledown cyberwarfare," and these civilian data stores are the new battleground.
For example, about three years ago, the US Department of Defense issued a warning that foreign nation-state hackers were targeting not only government contractors with advanced persistent threats (APTs), but also academic institutions. The FBI reportedly issued a similar warning on the same day, indicating that Chinese hackers were equally interested in compromising sensitive data held by commercial enterprises in the US – specifically including companies in aerospace, entertainment/media, healthcare, and telecommunications networks.
Both warnings came on the heels of a substantial attack originating in China against the University of Virginia — specifically targeting two employees conducting work related to China. The school was noted for its numerous connections to large government contractors and intelligence agencies in the US, as well as to the DoD in general.
The Attraction of Civilian Data Targets
Unfortunately, this is par for the course for private-sector businesses and NGOs. Sometimes the breach is to get a critical piece of political or military information to be used later. Sometimes it's to steal intellectual property or research so that the hacking nation can get a competitive boost in the economic and/or military might. Sometimes it's to cull some personal information about someone with the right security clearance — which may mean orchestrating a super-breach, compromising several million other accounts along the way.
Notably, these breaches aren't about anything so pedestrian as identity theft or credit card fraud. Instead, the goal is to use the information gleaned as a jumping-off point — to allow escalated access to yet more critical information. This is especially the case with healthcare organizations, where the right juicy health-record tidbit about a well-placed employee (or family member thereof) of a government arm can be used to extort some small amount of extra information or escalated access, turning that employee into an inside-attack threat.
This may sound conspiracy-theory-esque, but enterprises have been seeing these very real threats over the past few years — and will see them in greater numbers through 2019 and beyond. Nation-state hackers aren't going after the private sector and academia in the absence of anything better to do. They're doing it because their efforts can pay off big dividends in the long run when it nets them secret and useful economic, military, and national-security information down the road.
Plus, it's often a heck of a lot easier to hack a company or academic institution than it is to hack a federal agency or military contractor because the former isn’t often paying enough attention. It may know where its data originated or is supposed to be, but it may not be able to identify all of the places where its data has migrated.
And that's assuming we're talking about data that a given organization already perceives as important. As we've seen with these types of attacks, though, one man's junk is another man's treasure.
How to Duck and Cover
Therefore, organizations need to be far more informed about their data — and not just the data they perceive as top priority. To best guard their data stores, organizations have to rely on more than their internal priorities alone because so many other perspectives and variables are at play.
The only thing they can do, then, is to watch their data. All of it.
This task is less daunting when applied as the first, foundational step of an infosec strategy. Once you've begun monitoring all data across the board, you can easily apply analytics to the activity logs generated from your data monitoring, building a model of your entire data user population. Now you can more effectively analyze all data user-data interactions — without yet having had to identify (much less prioritize) a single bit of data.
After all, whether they are common criminals or sophisticated cyberwarriors, we know that attackers will always want to break into our databases. So we need to be looking at the databases. Otherwise, we're asleep at the switch.
- 2019 Attacker Playbook
- Putting the S in SDLC: Do You Know Where Your Data Is
- Stealthy New DDoS Attacks Target Internet Service Providers
- Why Cyberattacks Are the No. 1 Risk