Nation state threats now complex: US law enforcement
Nation states are the most complex threat actors to deal with in the cyber security space.
So said US law enforcement agencies during the NetEvents Global Press and Analyst Summit in San Jose, California.
Speaking during the intelligence services talk at the summit were MK Palmore, information security risk management executive for FBI San Francisco's cyber branch; Dr Ronald Layton, deputy assistant director at the US security service; and Michael Levin, former deputy director for the US Department of Homeland Security. Levin is now CEO and co-founder of the Centre of Information Security Awareness.
Palmore noted there are four main groups of cyber criminals: those motivated by financial gain, nation states, hacktivists and insider threats.
"From those four, we find out that naturally, the most prolific and most prominent throughout the globe are those motivated by financial gain."
He explained that the barrier to entry for those motivated by financial gain has become extremely low. "With access to platforms like the Dark Web, they have limitless access to exploits and information that they then use to carry out fraudulent activities. Some are as young as 14 years old.
"They do it with near 100% anonymity; and because anonymity is such a huge factor in cyber criminal activity these days, it presents huge problems for some of us in the law enforcement sector."
On nation state threat actors, Palmore said they are typically the most complex to deal with in terms of their capabilities.
"We have seen, through the course of our investigations, a combination of criminal activity with nation states - basically creating a super team of cyber threat activity. So consumers and businesses should be worried about all this because we are talking about limitless capabilities, as a nation state can even use its treasury to support these activities. So the landscape has become a scary one."
Levin said since he joined the private sector, he has noticed businesses don't usually care if they have been attacked by a nation state or a general hacker.
"They [businesses] don't care who it is - they just want to fix the problem because their business is being attacked, or they are experiencing a failure, or they are losing data."
However, he said, in law enforcement, the difference is they try to catch the perpetrators.
"What businesses need to know is that most of these attacks are like a car break-in. When a thief wants to break into a car, they try the handle first before breaking the window and that's what we see with a lot of these hackers. It doesn't matter is it's a nation state or a script kiddie."
According to Layton, the Secret Service works exclusively with the financial services sector. "There was a famous bank robber in the United States called Willie Sutton who was asked why he robbed banks and his answer was: 'because that's where the money is'. Those are the people that we deal with."
He noted the US Secret Service has a 25-year history of electronic crimes. "We have been doing this; we know what we are doing."
Layton recounted that the first US Secret Service task force was established in New York City 25 years ago.
"So for us, what has changed in the last five or 10 years, these different groups, particularly the ones that we deal with in the financial services sector, is that we used to have crews that work in isolation. Now the significant change is that they all know each other, they all are collaborative, they all use Russian to talk in an encrypted fashion and that presents a challenge for all of us."
To mitigate the risks, the three concurred that organisations must do more to educate people about basic things like digital hygiene, as most breaches are a result of human error.
"Organisations should not be lazy in regards to implementing general security practices," Levin said. "You find that most organisations hire new people, give them computers and don't bother telling them what they can and cannot do. They don't want to take time to educate the people."
Layton also urged organisations to deploy two-factor authentication, which he said is an impediment to threat actors as it wastes their time.
"If organisations were diligently following digital hygiene, we will be having a different situation in the fight against cyber crime," he concluded.