Comment by bitexploder
4 years ago
Most organizations should not really be factoring state level actors into their risk assessment. It just doesn't make sense. If you are an actual target for state level actors you likely will know about it. You will also likely have the funding to protect yourself against them. And if you can't, that isn't a failing of your risk assessment decision making.
An illustrative counterexample of "if you are an actual target for state level actors you likely will know about it" is the case of Intellect Services, a small company (essentially, father and daughter) developing a custom accounting product (M.E.Doc) that assists preparation of Ukrainian tax documents.
It turned out that they were a target for state level actors, as their software update distribution mechanism was used in a "watering hole attack" to infect many companies worldwide (major examples are Maersk and Merck) in the NotPetya data destruction (not ransomware, as it's often wrongly described) attack, causing billions of dollars in damage. Here's an article about them https://www.bleepingcomputer.com/news/security/m-e-doc-softw...
In essence, you may be an actual target for state level actors not because they care about you personally, but because you just supply some service to someone whom they're targeting.
I did say “likely know”. The point was not so much who the targets of state level actors are, but if you are a target there is not much you can do about it. The resources they can invest, especially against a smaller but more critical company, is orders of magnitude more than that organization can afford to defend against. There just isn’t a lot you can do practically to defend yourself from those kind of threat actors at smaller business. I think medium to large business have way more tools at their disposal.
Are you a semi-large American company?
Then you are an actual target for state level actors.
as a security engineer at a semi large American company, we factor in state actors. we do tool for, and routinely hunt for nation state actors.
most people I know, even those in mid size businesses tool for and hunt for nation state TAs as well. it's just something you have to do. the line between ecrime and nation state is sooooo thin, you might as well. especially when your talking about NK, were you have nation state level ecrime.
Said state level actors probably have agents in your company anyways.
Heck, are you in the supply chain of a semi-large American company?
What counts as a state-level actor? The NSA, obviously. But a lot of other groups seem to be in more of a grey area.
The corresponding agencies in China and Russia, obviously. But usually a state-level actor wants deniability, which is where the "grey area" hacker teams come in (groups that appear to be state actors but this can be difficult to prove).
It’s really just about the resources an organization has. Can be lots of different government and NGO type entities.
Meanwhile, the biggest state-level actors are developing offensive capabilities at the scale of "we can wipe out everything on the enemy's entire domestic network" which includes thousands of businesses of unknown value. The same way strategic nuclear weapons atomize plenty of civilian infrastructure.
Sure, in that kind of event, an org might be more concerned with flat out survival. But you never know if you'll be roadkill. And once that capability is developed, there is no telling how some state-level actors are connected to black markets and hackers who are happy to have more ransomware targets. Some states are hurting for cash.