According to Forrester Research, the rising global tide of cyber threats from nation-states should be a red flag for private sector security leaders across all industries to prepare for more frequent and brazen attacks in the future.

To help companies prepare for the changing nation-state attack landscape, Forrester unveiled a new model on March 2 intended to help them defend themselves, prepare for expected attacks, and comply with regulations.

Allie Mellen, Forrester senior analyst and lead author of the report, pointed out that 40% of reported nation-state cyber operations target the private sector. State-sponsored attacks increased by nearly 100% between 2019 and 2022, and their nature has changed – with more being carried out for data destruction, denial of service and financial theft than in previous years.

The Forrester model is built on three stages.

First, understand how nation-states attack organizations. A good starting point is the nation-state escalation ladder available in the model.

“It’s a wise approach,” said Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“Ultimately, for the victim, does it really matter which actor is responsible for the attack that steals money or sensitive information?” he asked.

Kron told TechNewsWorld, “Focusing on how these attacks are being carried out, especially as cybercrime groups mature, is more important for most organizations than worrying about the source.”

“Being aware that you may be a target is important, however, and planning should be a part of the threat model,” he added.

Threat Modeling

Second, build threat models based on organization-specific nation-state threats.

“Threat models for geopolitical actors are the living context of who, what, where, when, why and how nation-state attackers target your organization,” the report said. “They help predict future attacker activity, close visibility and detection intervals, plan for future market moves, and provide a solid context for executive discussions.”

“Proper threat modeling is absolutely critical when talking about nation-state actors,” said Alexis Dorais-Joncas, senior manager of threat research at Proofpoint, an enterprise security company in Sunnyvale, California.

“An organization that wants to enhance its defense must determine that hundreds of state-sponsored actors are targeting them. Then it must prioritize measures to counter those threats,” Dorais-Joncas told TechNewsWorld.

The third step is to get involved in influencing the narrative around cyber security. To do this, security leaders need to know what security requirements the government jurisdiction sets for their business; manage their relationship with the government through means such as information sharing; be prepared for geopolitical events ahead of time; and influence legislative proposals before they become rules.

The report also recommends joining forces with others in the industry to gain some power in the legislative process, and informing board members of what is being done about nation-state threats before they ask about the situation.

Need a Strong Foundation

“I think the Forrester approach is headed in a good direction,” said James Lively, an endpoint security research specialist at Tanium, an endpoint management provider in Kirkland, Wash.

However, he added that for the model to be effective, it must be built on top of an already strong foundation. “If your company is facing challenges maintaining compliance or patch efficacy schedules, most models are already ineffective,” Lively told TechNewsWorld.

Morgan Demboski, a cyber threat intelligence analyst with IronNet, a network security company in McLean, Va., called Forrester’s model a “smart approach” to tackling the nation-state problem.

“It’s important to take a strategic and informed approach when defending against country-state attacks,” Demboski told TechNewsWorld.

He further added, “Cyber activity and strategic objectives of nation-state threat actors continue to demonstrate the interconnection between the geopolitical and cyber threat landscape, requiring governmental actions and policies to assess their potential impacts in the cyber domain, and highlight the importance of tracking international relations.”

“It is important to prepare for organization-specific activity because the threats faced by different businesses are multidimensional and differ between sectors and regions,” he added.

The Attacks Don’t Go Away

Robert Hughes, chief information security officer at RSA, a cybersecurity company in Bedford, Mass., said the Forrester model appears to be very prudent advice.

“It comes down to knowing the risk level of your business,” Hughes told TechNewsWorld. “While on some level this is like trying to protect your home from a missile attack, a solid framework to start thinking through is the questions and discussion points you need to consider as a business to be aware of your risks and begin to address them using a multi-pronged strategy.”

“The nation-state attacks are not stopping,” he continued. “They are increasing in volume and capacity, and we should expect to see more of this over the next few years.”

While Forrester’s approach is good, it’s nothing new, said Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.

“It’s a very similar idea the cybersecurity community and businesses, in general, have been pursuing over the years, with added awareness of state-level threat actors,” Parkin told TechNewsWorld.

“It reinforces those ideas, though, and that’s a good thing,” he said.

Unnecessary Distraction

While agreeing that organizations need to protect themselves from all attacks and be aware of how and to whom reports of attacks should be submitted, Todd Carroll, senior vice president of cyber operations at CybelAngel, a threat intelligence company in Paris, said the scope of nation-state threats can be enormous.

“You’ll be going around in circles trying to think of every nation-state and organized team and method of attack,” Carroll told TechNewsWorld. “China alone has dozens of state-sponsored teams attacking verticals in various ways and for various reasons.”

“You don’t have time to figure out ‘why,’ but you need to spend your limited resources on protecting access, knowing your attack surface, and tracking your critical data,” he said.

Claude Mandy, chief evangelist for data security at Symmetry Systems in San Francisco, a provider of hybrid cloud data security solutions, however, was skeptical of the Forrester model.

Mandy told TechNewsWorld, “In an industry struggling to deal with less sophisticated attackers and basic attacks, a nation-state-specific threat model can be perceived as an unnecessary distraction for organizations most vulnerable to threats that would benefit from getting the basics down first.”

“Rather than investing in cyber security controls to attempt to thwart a sophisticated attacker like a nation-state, we prefer to encourage organizations to prioritize their cyber security on what matters most to them – their data – rather than starting with the threats and trying to guess the attackers,” he said.

The next generation of the Web – Web 3 – has been touted as more secure than the current incarnation of cyberspace, but a report released Tuesday warned that may not be the case.

According to a report by Forrester, a national technology research company, Web3 can be difficult to break into at the infrastructure level, but there are other points of attack that could provide threat actors with more opportunities for mischief than those found in the legacy Web.

Forrester explained that Web3 applications, including NFTs, are not only vulnerable to attack but often offer a wider attack surface than traditional applications due to the distributed nature of blockchains.

Furthermore, it said, Web3 apps are desirable targets as tokens can be worth substantial amounts of money.

The openness of Web3, which is considered one of its main advantages, can also be a disadvantage. Martha Bennett, vice president and principal analyst at Forrester, said, “The code that runs on a public blockchain is easily accessible by anyone with the necessary technical skills, from anywhere in the world – there is no need to enter corporate security to achieve this.” She is also a co-author of the report.

“Source code is generally readily available, because the focus is not on running closed source ‘smart contracts’. The Web3 ethos is, after all, ‘open code,’” she told TechNewsWorld.

Unwanted Complication

David Ricard, CTO of North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on distributed control of data and identity by its users.

“This broadens the attack surface for individuals who may be unwilling or simply unable to handle the management of their own data and identities, bringing technical complexity to an area that is, above anything, ‘easy’ in use,” he told TechNewsWorld.

“Scrolling through personal, text messaging, email and social media and shopping apps is a real challenge for them,” he said.

He said the idea of making Web3 code transparent and publicly available is unlikely to gain real traction. “There is a lot of money at stake between capital investors and users of blockchain financial systems and NFTs,” he said.

He further added that making the code transparent and public can also broaden the attack surface in a clear way. “Safe coding practices that predict how someone might abuse a system for nefarious gains are generally not practiced,” he explained. “It is not easy to predict how people might use the system for purposes other than those intended.”

“Most of the financial losses associated with blockchain and NFTs do not exploit immutable objects themselves, but rather manipulate them by exploiting applications that can affect them,” he said.

Furthermore, while legacy systems may be outdated, they may also be robust. “What’s new is also the most vulnerable,” said Matt Chiodi, chief trust officer at Cerby, creator of a platform to manage Shadow IT in San Francisco.

“While time is not always a friend of security, it allows an application to become battle tested,” he told TechNewsWorld. “Web 3 is no different. It’s new and not much tested. Legacy applications have a time advantage. Web3 doesn’t.”

NFT Becoming Popular Target

Even if the code is visible and accessible, the report said, attackers will find weak points. It made clear that while attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, NFT projects have increasingly become a favorite target.

“Why go for more difficult hacks if there are easier ways to get what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] markets and communication tools attract people who want to steal or otherwise break the rules.”

“For anything to do with Web3, speed is of the essence, and many of the people involved do not have the necessary expertise to assess a potential security issue,” she said. “Sometimes, startups don’t even advertise for a security chief until something bad happens.”

One of the biggest breaches of the NFT marketplace occurred in June at OpenSea, which exposed nearly 1.8 million email addresses. “There was an inside threat involved in that particular case, but the applications that handle the transactions can be quite vulnerable,” Ricard said.

“There may be hundreds of thousands of ways this can be abused, which coders have to try to account for, yet a hacker only needs to discover a vector once for a breach to occur,” he said.

Hangout for Scammers

Forrester also pointed out that social media network Discord has become a major weak point in NFTs and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.

It explained that attacks usually target community managers and administrators. Once an administrator account is successfully taken over, attackers have the opportunity to steal extensively, because users rely on messages from community administrators.

Bennett noted that Discord was primarily designed as a communication platform for gamers, not for holding and exchanging value, and that it has mechanisms to mitigate risk. “But these mechanisms can only help if they are implemented, and it is clear that often, they are not,” she said.

“Furthermore,” she said, “Discord attracts a similar share of phishing attacks and scam messages, being the preferred communication mechanism for token projects.”

Ricard said the Discord communities provide a rich source of information for scammers, as well as investors. “The harvesting of participants’ contact information leads to phishing,” he said. “Hacks in digital wallets are not uncommon.”

“The Discord bot has been hacked, so threatening actors can post fake mining offers, resulting in the theft of cryptocurrencies,” he said.

Better Security Than Legacy Web?

Forrester’s report notes that in a fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but public security issues can easily derail a major launch or force a product team to analyze and mitigate critical security flaws.

Firms can identify risks and protect both the decentralized and centralized components of their Web3 applications by engaging their security teams not only in the software development lifecycle but throughout the product lifecycle.

“Web3 needs to shift its focus to the left, which means getting as much security as possible for developers and making prevention the ultimate goal,” Chiodi said. “Without this focus, Web3 would be indistinguishable from Web2. It would be a shame given its tremendous potential, especially around decentralized identity.”

“Web3’s distributed approach provides a variety of security capabilities, but the fundamental problems remain the same,” said Mark Bower, vice president of product at Anjuna, a confidential computing company in Palo Alto, Calif.

“If an attacker gains credentials, root-level privileges or access to keys – especially private keys that run throughout the ecosystem,” he told TechNewsWorld, “then it’s game over, just as in a centralized platform.”