Fraught Geopolitical Tensions Play Out in Cyberspace
In an effort to gauge the current attack landscape and to quantify the latest attack trends seen by leading IR firms, Carbon Black has introduced its Quarterly Incident Response Threat Report (QIRTR). This report aggregates both qualitative and quantitative input from leading Carbon Black IR partners, who on average participated in one incident response engagement per day over the course of 2017. Data from this report represents insight from active breach investigations where, in most instances, some combination of people, process and legacy security technology has failed. This blog series will tackle a theme from the report each week.
Nation State Actors
Geopolitical tension is a historical constant, but today’s conflicts are increasingly playing out in cyberspace, where subversive acts can be devastating and nearly impossible to prosecute. The result is an evolution in cyberattacks across all verticals, with the financial industry the most frequent target (78% of respondents say as much) followed by healthcare (73%) and government (43%).
Some foreign actors, such as China, are continuing to seek competitive economic advantage, calculating, for instance, that it might be easier to steal IP from an American defense contractor than develop it themselves. Others have political motives, as seen in Russia’s hack of the Democratic National Committee during the 2016 U.S. election and the recent cyber campaign against the U.S. energy sector. As economic pressures and political tensions grow, more and more nation-states are finding it politically and financially advantageous to leverage cyber militias in sophisticated attacks.
These attackers have served as a harbinger for the rise of long-term campaigns depicted in this report. Seeking to avoid detection, nation-state actors might embed themselves on foreign networks and lie low for years before taking overt action. According to one IR professional interviewed for this report, attackers also linger simply because “they want to learn — learn the network, where the data is and how they can get it without setting off alarms.”
The vast majority of cyberattacks originate from two nation-states: 81% of IR professionals say the majority of attacks come from Russia; 76% say the majority come from China. And these foreign actors are seeking more than just financial gain or theft — 35% of IR professionals say attackers’ end goal is espionage. They also frequently cited business disruption and blackmail, at 19% and 14% respectively.
Moreover, nation-state actors introduce techniques and tools that enable more prosaic attackers to take increasingly high-level actions. For example, speaking about the series of powerful Petya cyberattacks waged against Ukraine in 2017, one IR professional says, “A year ago it was top-shelf Russian malware, and now some joker doing cryptocurrency mining is using the same thing…mechanisms out there are tough to contain and malware spreads fast.”