A question I’m sometimes asked is “Lance, defending against cyber criminals is one thing, but what should we focus on teaching our workforce when defending against nation state threat actors, when actual countries are coming after us?”
Nation state threats can be a legitimate concern for many organizations, and the profile of the threat actors behind them differs from the typical cyber criminal for several reasons. These can include, but are not limited to:
- They tend to be highly trained, motivated and resourced – far more than most of their cyber-criminal counterparts.
- Nation state threat actors are very much mission focused: they don’t care how long they have to research, scan and probe their target. It may take weeks, months or, in some cases, years to achieve their objective. They are very persistent.
- They are working within the legal guidelines of their own country. In other words, they don’t have to worry about going to jail for their actions.
- They tend to be very stealthy; they don’t want to be caught or identified. This can make nation state threat actors MUCH harder to detect (as opposed to ransomware, which informs you that your organization has been compromised).
With all these differences you would think that if you are targeted by a nation state threat actor, your organization is at greater risk. And in many cases you would be correct. You might also think that what you teach your workforce would be different, but in most cases it is not. Nation state actors, cyber criminals, hacktivists and other threat actors share one thing in common: they are all human. And as humans, in most cases they will want to achieve their goal the simplest way possible. So, while there are many differences between cyber criminals and nation state threat actors, they often share many of the same TTPs (Tactics, Techniques and Procedures), which means in most cases the behaviors we teach our workforce are the same.
If you look at the recent joint Cybersecurity Advisory (AA22-011A) authored by the US CISA (Cybersecurity and Infrastructure Security Agency) concerning Russian State-Sponsored Cyber Threats, you will find similarities between cyber criminals and nation state actors. Table 1 of the report lists the most common TTPs leveraged by Russian nation state actors.
What are the two most common techniques that are workforce related and should be a focus of your awareness program?
Targeting people via phishing attacks or exploiting their weak or compromised passwords.
What were the two most common human risks identified by the 2021 Verizon DBIR (Data Breach Incident Report)?
Phishing and passwords.
What are the two most common Ransomware infection vectors?
Phishing and passwords.
While the identities and motivations of nation state threat actors may differ from their corporate cyber criminal counterparts, their TTPs are often very similar because they share a desire to follow the path of least resistance.
So, what should we be teaching from an awareness perspective? Focus on:
- Learner can explain what phishing is and what makes the attack so dangerous.
- Learner can explain and identify the most common indicators of a phishing attack:
  - Any message that creates a tremendous sense of urgency.
  - Any message that pressures you to bypass or ignore our policies and procedures.
  - Any message that generates a tremendous sense of curiosity or seems too good to be true.
  - Any message that appears to come from a legitimate organization, vendor or co-worker, but is using a personal email address like @gmail.com or @hotmail.com.
  - Any message from someone you know or work with, but the wording or tone in the email does not sound like them or the signature is odd.
- Learner can explain and demonstrate how to report a suspected phishing email.
- Learner can explain the importance of, and demonstrate how to create, a strong password using passphrases (note: length, not complexity, is key here).
- Learner can explain the importance of using a unique password for each account.
- Learner can explain and demonstrate how to use a password manager.
- Learner can explain the importance of, and demonstrate how to use, MFA.
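As an added example (not part of the original post), the Python sketch below turns four of the indicators listed above into a triage check that a security team could run over reported mail before a human looks at it. The corporate brand, the phrase lists and the sample messages are constructed assumptions, and the tone-mismatch indicator is deliberately left to human judgement.

```python
import re
from email.utils import parseaddr

# Hypothetical corporate brand used by the constructed sample messages below.
CORPORATE_BRAND = "example"
# Personal webmail domains: the two the post names plus two common ones.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Illustrative phrase lists for three of the post's indicators; tune per organization.
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|within the hour)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|ignore)\b.{0,40}\b(approval|process|policy|procedure|verification)\b", re.I)
CURIOSITY = re.compile(r"\b(you('ve| have) won|free gift|prize|confidential report)\b", re.I)
TITLES = re.compile(r"\b(ceo|cfo|hr|payroll|it support)\b", re.I)


def phishing_indicators(headers: dict, body: str) -> list:
    """Return which of the post's indicators a message shows (empty list = none)."""
    hits = []
    display_name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = headers.get("Subject", "") + "\n" + body
    if URGENCY.search(text):
        hits.append("urgency")
    if BYPASS.search(text):
        hits.append("policy-bypass")
    if CURIOSITY.search(text):
        hits.append("curiosity")
    # Sender presents as the company or a role in it, but the address is personal webmail.
    if domain in FREEMAIL_DOMAINS and (CORPORATE_BRAND in display_name.lower() or TITLES.search(display_name)):
        hits.append("personal-address-impersonation")
    return hits


def triage(messages: list) -> dict:
    """Map message id -> indicators, so flagged mail can be routed to the report queue."""
    return {m["id"]: phishing_indicators(m["headers"], m["body"]) for m in messages}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "susp-1",
     "headers": {"From": '"Jane Doe Example CEO" <jane.doe.ceo@gmail.com>', "Subject": "URGENT wire transfer"},
     "body": "Process this payment immediately. Skip the usual approval process, I will sign off later."},
    {"id": "susp-2",
     "headers": {"From": '"Prize Desk" <prizes@hotmail.com>', "Subject": "You have won a free gift"},
     "body": "Claim your prize by clicking the link."},
    {"id": "benign-1",
     "headers": {"From": '"Sam Patel" <sam.patel@example.com>', "Subject": "Q3 planning notes"},
     "body": "Notes from Monday attached. No rush, review them when you have time next week."},
]

if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", hits or "no indicators")
```

Note that a personal webmail address alone is not flagged; it only counts when paired with a display name claiming the company or a role in it, which is the combination the post describes.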
The key to managing Human Risk is making security simple for people. And the key to making it simple is to focus on the fewest risks and behaviors that will have the greatest impact. Learn more on how to build, maintain and measure a mature awareness program at the SANS Security Awareness Summit held 3 / 4 August, 2022 in Austin, TX.