Is my business too small to be hacked by a nation-state (or should I worry)?
Small businesses have their hands full these days in light of a down economy, tightening budgets and the steepening pace of business, but with nation-state hacks front and center in the threatscape, should you worry about those too, or are you (and your customers) safe?
Nation-state hacks bring to mind images of large defense contractors, big government offices, and/or high profile financial institutions. After all, if a bad actor overseas stole the cutting edge design of a new nuclear reactor, it would be quite a haul for that government and its cronies – and worth their time, money and effort to go after. But you’re a small business, too small to garner that kind of attention, right?
Architect firms in Peru no doubt thought along those same lines, up until the time that critical design documents started “magically” exfiltrating out over the Internet. The malicious software called ACAD/Medre.A, which we wrote about here, and which was doing that exfiltration, taught us that even if you’re small, you still might posses critical data, and losing that data can have a real impact on your viability as a business. Suppose your bid to build a skyscraper includes highly detailed designs reflecting much hard work and due diligence, which are then stolen by a competitor with close ties to government and significantly undercuts you because they don't need to spend and recoup the cost of preparing the bid. You could see an eerily-familiar-looking building when the contractor is finished, just like the one you designed.
What if you had some dealings with a government entity on small contracts? Georbot, which we wrote about here, taught us that remote spy software was searching for key government terms on users’ computers, and then silently attempting to exfiltrate them to far-flung regions to be data mined for nuggets.
What if you’re a small systems integrator that works on electrical plants? With the recent rash of SCADA angled attacks, your small business might be worth scouring around for access credentials to critical infrastructure controls, as a platform for ransom schemes or other nastiness.
The sad reality is that the typical small business doesn’t have in place adequate defenses against this type of threat. We're talking well-financed, well-orchestrated attacks, that specifically target you (or similar targets in your market segment). That means the attackers have the time to do it right. And if they’re after information that could be worth a lot, they can spend to get it.
So how do you protect yourself? The first part of a nation state attack is likely to be intelligence gathering. They want to know and understand your network. Think of it like getting a blueprint of the bank prior to a bank robbery, you’re not primarily interested in the blueprint, but what information it provides to facilitate your endeavor.
In a cyber-assault on your company the first stage of a nation state attack might be to try to pierce your perimeter network defenses and look around. So here’s the part that’s critical: rogue processes that suddenly appear and start scouring your internal networks are a red flag that someone’s trying to gather intelligence. Stop them here and you’ll go a long ways toward fending off successive stages. Without a map of what they’re looking for, it’s much tougher for them to find it.
Second, watch outbound attempts to transfer data to strange places, especially at strange times, and more especially in large spikes of traffic. Those are several key indicators that bad things are happening, and your network sensors should alert you quickly.
Third, the endpoint tends to be the weak point and most frequently exploited. Someone lets in the bad guys accidentally or they get in because someone is not using adequate endpoint security. This breach of defenses may come in the form of a rogue attachment on an email, or in a social network message. If a user doesn’t know better and clicks on the wrong thing, and they are not running anti-malware, then your troubles may just be starting.
The good news? With a few pieces of network hardware and time spent educating users (and good endpoint security), you can go a long way toward stopping nastiness. Many modern business routers have intrusion detection defenses built in. These can be enabled by simply checking boxes on the router control panel. They also support notifications via email if bad things appear to be happening. This hardware is well within the reach of most small businesses, budget-wise.
Yes, there are better (and more complex/expensive) defenses, but that’s a good start and males you more secure that many businesses that don’t even have the basics in place yet. These steps can go a long ways toward keeping you safe, particularly if your users also know how to spot a malicious scam attachment in their email and not click on it.