Nation-state threat actors, or advanced persistent threat (APT) groups as they are commonly called, continually target public and private sector networks to steal, leverage, or destroy information for their own strategic benefit and objectives. As the threats from these adversaries continue to evolve and become more complex, it’s critical for security leaders to stay attuned to a wide array of threat intelligence streams, as well as to the information and research being shared by allies.
Still, there are gaps in how organizations are identifying and defining their threat intelligence requirements. For instance, just 30 percent of organizations are documenting their threat intelligence requirements, according to the 2019 SANS CTI Survey, based on responses from 585 information security professionals across a range of industries.
HMG Strategy recently spoke with MK Palmore, Field Chief Security Officer at Palo Alto Networks and retired FBI Executive, to discuss the trends he’s seeing with nation-state threat actors and advanced persistent threat groups. Palmore, who is an Advisory Board member and a speaker for HMG Strategy’s upcoming 2020 Silicon Valley CISO Executive Leadership Summit on March 19 in Menlo Park, also offers his recommendations for staying attuned to threat intelligence streams.
HMG Strategy: What are the current trends you’re seeing with nation-state threat actors?
MK Palmore: The activity of nation-state threat actors has been fairly consistent for the past few years. Almost annually you will see the FBI complete a large-scale APT-based cyber investigation attributing malicious activity to nation-state adversaries. A fair observation would outline an increase in probing activities aimed at successful breaches of the enterprises they target. These successes are catalogued for future use or exploitation in a variety of ways. They also serve as a training ground for the adversarial teams to further develop their expertise and skills.
It’s important for us to understand that the APT adversary is constantly engaged in activities that have a benefit to their parent nation-states and it’s not always apparent to us why a nation would be interested in a particular industry or its data. It’s important to remember that as security practitioners our actions should be guided continually by information security and industry best practices.
Based on what you’re seeing, what should CISOs be focused on now in terms of immediate threats?
MKP: Anything related to national infrastructure and utility profiles such as energy, oil and gas. There’s probing going on and activity that’s occurring with IoT and OT environments.
From a business standpoint, anything related to intellectual property (IP) or IP theft is always of value to nation-states, and practitioners should consistently be paying attention to the cybersecurity fundamentals to thwart these attempts at gaining access. These actors tend to be as quiet and stealthy as possible when they reside in an organization’s network.
What are some recommendations for CISOs and security leaders to stay attuned to threat intelligence streams both in the public and private sectors?
MKP: There are lots of options here. The challenge for CISOs is to separate signal from noise. The Cyber Threat Alliance is now close to 30 member organizations with daily updates and feeds that are rich in context and data.
Industry ISACs and ISAOs are extremely useful because they can always be relied upon for industry-relevant threat intelligence. Meanwhile, federal law enforcement agencies such as the FBI, USSS and the Department of Homeland Security also provide valuable threat streams and intelligence bulletins.
Additionally, there are a number of resources consistently producing intelligence information related to the Tactics, Techniques & Procedures (TTPs) of the most prolific adversaries. Some of these sources include MITRE ATT&CK and UNIT42, a cybersecurity intelligence research apparatus within Palo Alto Networks.
HMG Strategy has become increasingly active in trying to bring together security leaders from the public and private sectors to share threat information as well as best practices with one another. Are you seeing inroads being made by the two groups in this regard?
MKP: I’m a big proponent of public and private sector collaboration. There isn’t any entity that has a complete global picture of the cybersecurity landscape. Collaboration between the public and private sectors helps to build a more complete picture.
Enterprises and infrastructure industries should have strong ties to the FBI and DHS, specifically CISA (the Cybersecurity and Infrastructure Security Agency). The biggest challenge I see is sharing threat intelligence without attribution. There’s reluctance by one side or the other to apply threat information they receive from different sources that can be ingested immediately and shared with other enterprises.
It’s about building that foundation of trust and working with one another to build up to larger opportunities to share and collaborate.
Based on the APT trends you’re seeing, what are some recommendations for effective response and mitigation tactics to help defend the enterprise?
MKP: The challenge with APT is visibility; to the extent you can apply tactics and tools to increase visibility within your networks, it will increase your chances of success. It’s also helpful to adopt and utilize tools that provide insights into behavior to better identify what “normal” looks like and what an anomaly looks like. In this regard, effective use of User Behavior Analytics can help to build a richer picture of potential adversarial activity within your networks.
To learn more about the top leadership and security issues that CISOs and other security leaders will be discussing at the 2020 Silicon Valley CISO Executive Leadership Summit on March 19 and to register for the event, click here.