In the vast and interconnected realm of the digital landscape, an insidious storm is brewing. This storm, as revealed by the Dutch National Coordinator for Security and Counterterrorism (NCTV) in its Cyber Security Assessment Netherlands 2022, is rapidly becoming the new norm: cyber and insider attacks orchestrated by nation-state actors. A notable example that illustrates the magnitude of nation-state cyber threats is the SolarWinds cyber-attack. This incident had far-reaching consequences, creating a wave of disruption for numerous organizations.

As these threats continue to escalate, cybersecurity experts like Marcel van Kaam from KPMG and John Mancini from Vectra AI are stepping up to the plate as skilled navigators, guiding us through the treacherous terrain of nation-state cyber threats. That is exactly what they did during the KPMG-Vectra AI webinar on cyber resilience to nation-state threats, broadcast on 14 June and available on demand here. The third member of the webinar panel was John O’Callaghan (JC), who joined Vectra AI after experiencing the SolarWinds attack firsthand while working for the company. In this blog post, we highlight the topics discussed and the information shared by our panel.

Unveiling Nation-State Threat Actors

Above all, it is evident that to navigate increasingly international ways of working and to counter state-sponsored cyber-attacks, organizations must understand the broader threat landscape and craft a successful security strategy. Such a strategy includes distinguishing genuine threats from false positives and recognizing the pivotal role of security efficacy across people, processes, and technology. AI-powered technologies can play a key role here by increasing the efficiency of detection and response capabilities.

To strengthen your security strategy, it is also essential to understand the adversarial parties you are dealing with. In the case of nation-state threat actors, we refer to groups or individuals who receive support from governments and work on behalf of intelligence agencies to carry out cyber operations aligned with their nation's strategic objectives. These adversaries deploy sophisticated techniques like Advanced Persistent Threats (APTs) and leverage substantial resources, including advanced technical capabilities, espionage operations and ample funding. To maintain plausible deniability, their intelligence agencies operate in secrecy, aiming to remain anonymous and deny any involvement. Therefore, rather than focusing on the ‘who’, organizations need to focus on the ‘how’ and equip themselves with robust defenses and effective response strategies against a broad spectrum of threats, thereby understanding the wider threat landscape instead of zeroing in on specific adversaries. 

The threat landscape revolves around the objectives of nation-state attackers. Those focused on increasing political influence tend to target government departments, which remain the main mark for cyber-attacks by nation-states. To gain economic advantages, they engage in intellectual property theft, targeting a wide range of sectors such as research institutions, defense industries, emerging technologies, and even seemingly everyday items. Another sector to which nation-state actors pose a significant danger is critical infrastructure, including power grids, communication systems, and railways. Cyber-attacks aimed at sabotaging these vital systems can trigger widespread social disruption and inflict severe economic damage. In this context, Marcel pointed out a concerning trend where several nations are becoming increasingly willing to take greater risks, ranging from physical or military retaliation actions to cyber-attacks.

To shed further light on these recent developments among nation-state threat actors and their modus operandi, our panel discussed emerging trends and insights. John emphasized the ineffectiveness of traditional prevention measures against advanced threats like phishing, zero-days, and other well-tested exploits. Instead, he stressed the importance of focusing on internal activity within the organization in order to detect and respond to breaches that are, in practice, inevitable. In line with John's perspective, Marcel discussed highly advanced cyber-attacks involving unknown software vulnerabilities and supply chain attacks. However, he also emphasized that many organizations still lack adequate cybersecurity preparedness, often neglecting basic practices that then become prime points of exploitation.

Beyond the digital realm, Marcel drew on his experience as an intelligence officer, highlighting the significance of recognizing non-digital tactics employed by nation-state actors. These tactics encompass a wide array of strategies, including recruiting spies, exploiting international academic collaborations, spreading false information, running political influence campaigns, and even taking over companies to gain access to sources of information. Defending against such multifaceted attacks proves to be an incredibly challenging task for organizations.

Sailing Through the Storm – Protective Measures for Organizations

To tackle this challenging task, organizations looking to defend against nation-state threats must undertake strategic and proactive measures. It is crucial that discussions be opened at board level to create awareness and emphasize the importance of preserving the organization's competitive advantage. By acknowledging the tangible risks posed by nation-state threats, companies can instill a sense of urgency and commitment to address these challenges effectively. For the last topic of the webinar, our panel therefore enlightened us with their view on how organizations can start their journey of facing and protecting against nation-state threats.

To incorporate this threat into their cybersecurity strategy, organizations should start by understanding how the threat landscape specifically applies to their core business, as Marcel explained. This involves identifying relevant threat scenarios within the spectrum of intelligence operations. Assessing potential cyber-attacks, considering the human factor in core components, understanding the implications of third-party entity ownership and foreign intelligence laws, and evaluating the risks associated with international academic collaborations are essential elements in this process. 

Quantifying the gap between identified threats and existing security capabilities is another critical step. Evaluating technical capabilities, governance capabilities, and outsider capabilities helps organizations assess the maturity, coverage, and technical effectiveness of their security measures. It is vital to consider the monetary impact of potential breaches and compare it against the value of intellectual property. This analysis facilitates informed discussions with the CFO, enabling the prioritization of security initiatives based on cost-benefit considerations.

Marcel, however, emphasized that organizations must additionally recognize that nation-state threats extend beyond cyber-attacks alone. As briefly touched upon above, espionage, insider recruitment, the dissemination of false information, and political influence campaigns are all tactics employed by these actors. Evaluating vulnerabilities in these areas and implementing proper mitigation measures are essential to shoring up your defenses. Marcel and his team at KPMG help clients with these steps by identifying the threat landscape, quantifying the needs and enabling the discussion at board level, for cybersecurity as well as physical security, for example through a travel security course aimed at employees travelling for business.

Conducting comprehensive risk assessments, with the assistance of third-party experts, is crucial for identifying vulnerabilities throughout the organization's supply chain, as JC confirmed. He witnessed first-hand at SolarWinds that external professionals provide an objective assessment and offer fresh perspectives that internal staff may overlook due to biases or distractions.

From a highly technical perspective and based on his expertise, John recommended that organizations start by finding out whether they have already been breached. Pinpointing where current prevention and visibility are lacking enables targeted efforts to improve the coverage, effectiveness and return on investment of security spending.

Conclusion – Learn how to sail in the storm

In the face of the gathering storm of nation-state cyber threats, organizations must accept that nation-state threat actors are indeed out there and motivated to target them, either directly or through a supply chain attack. It is therefore crucial to proactively prepare and fortify their defenses but, even more importantly, to focus on detection and response after initial access, as 100% prevention is simply impossible. It is all about learning how to sail through a storm that will inevitably cross your path.

By engaging in board-level discussions, understanding the specific threats applicable to their core business, quantifying gaps in security capabilities, and conducting comprehensive risk assessments, organizations can craft a holistic and balanced security strategy in which technology, processes, and, most importantly, people are effectively connected. Through these strategic measures, organizations can effectively mitigate the risks posed by nation-state actors, protect their competitive advantage, and emerge from the storm stronger than before.

KPMG and Vectra AI can help, as these topics, questions and adversaries depend highly on the organization at hand. Contact any of the people below to discuss any questions or to schedule an appointment.