Last week, Lloyd’s of London Ltd. announced that it will require its underwriters, globally, “to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies” starting in March 2023. This exclusion of nation-state attacks from cyber policies is not surprising. Based on “worrisome trends” in our post-pandemic world, cybersecurity insurance at large “has a big problem,” as PCS Insurance Group’s Tom Johansmeyer notes in Harvard Business Review.
What’s the problem? In short, in 2020, “the world seemingly entered a new era of cyberattacks” in which the “severity of financial consequences has been profound.” Take ransomware, for instance. Last year, ransomware hit 66% of the mid-sized organizations surveyed across 31 countries, a 78% increase in just one year. While there is often a very fine line between a nation-state threat actor and a highly organized criminal gang-for-hire operating from an adversarial nation, organizations across sectors must be well secured against any sophisticated offensive cyber attack used as “an element of national power,” as IronNet’s Founder and Co-CEO General (Ret.) Keith Alexander has put it.
No sector is immune from cyber threats by state-sponsored adversaries. Last month, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a warning about North Korean state-sponsored cyber actors targeting the healthcare and public health sector with Maui ransomware. In May, the United States and its Five Eyes intelligence partners published an alert for managed service providers warning that more attacks by nation-state threat actors may be on the horizon.
It’s no surprise, then, that 86% of organizations believe they have been targeted by nation-state cyber attacks following Russia’s invasion of Ukraine, with Forrester suggesting that the invasion has “permanently altered the cyberthreat landscape” and that every organization must prepare for a new era of more frequent attacks and ruthless persistence. At the same time, an organization’s cybersecurity team must also manage volumes of comparatively unsophisticated threats, such as phishing, that still pack a serious punch.
The particular challenge with nation-state cyber threats is that companies often cannot detect them until it’s too late. Adversaries of this caliber hide in networks to plan and scope their attack, whether the end goal is dropping a debilitating ransomware payload, exfiltrating data, or taking control of the network for physically destructive purposes. Only 27% of organizations recently surveyed “are completely confident in their organization’s ability to recognize such an attack in contrast to other cyber attacks.”
So how can today’s cybersecurity teams prepare for worst-case scenarios, including destructive attacks on critical infrastructure? The answer is advanced network detection and response (NDR). Using artificial intelligence and machine learning, advanced NDR provides early detection capabilities during the crucial dwell time when the bad guys are hiding in enterprise networks to scope their plan of attack. Spotting threats before they have known signatures associated with them is critical for mitigating the impact of a nation-state attack at the early stages — well before there is business impact or compromised public safety.
Time is of the essence: the global median dwell time of an attacker has fallen to only 24 days (2021 figure), less than half the 56 days reported a year earlier.
The good news is that, even though the most egregious ransomware (and other malware) attacks have shorter dwell times, these attacks still do not unfold instantaneously. The golden opportunity for stronger defense is detecting anomalous activity at the reconnaissance and initial-access steps of the intrusion cycle, before the attacker has moved laterally or staged a payload.
In the case of ransomware, the ransom demand itself is the very last step an attacker takes after fully compromising a network to monetize their efforts. Therefore, early detection of the initial network intrusion is imperative before the attacker has the chance to advance the campaign.
Advanced NDR works by focusing on anomalous behaviors on the network. While endpoint detection and response (EDR) and firewalls are well suited to matching known signatures, nation-state adversaries are defined by their tactics, techniques, and procedures (TTPs), in other words by their behaviors, which they reuse from one intrusion to the next. IronNet’s behavioral analytics detect these behaviors “left of boom,” before the attacker reaches their objective, which keeps defenders a couple of steps ahead of the threat actor. Attackers can rotate known signatures such as file hashes, IP addresses, and domains cheaply and quickly, but changing their TTPs is significantly harder and more expensive for them. That’s why NDR can be a powerful tool for staving off potentially catastrophic and expensive nation-state cyber attacks, attacks for which many companies across sectors, come next year, may no longer have cyber insurance as a safety net.
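To make the signature-versus-behavior distinction concrete, here is an added example (not IronNet’s code, and not a description of its analytics) that runs two kinds of detection over a small set of constructed network flow records. The flow records, the IP addresses (RFC 5737 documentation ranges), the blocklist, and the thresholds are all assumptions made for the illustration. An IOC blocklist catches the implant’s command-and-control traffic only while the attacker keeps using the listed address; once the operator rotates to a fresh address, the blocklist goes quiet. The behavioral checks, beacon-timing regularity and a one-source-many-ports reconnaissance pattern, fire on both days because the attacker’s behavior did not change.

```python
"""Added example: IOC matching vs. behavioral detection over constructed flow logs.
Not IronNet code; addresses, flows, and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int


def _series(src, dst, dport, start, gaps, nbytes=900):
    """Build a constructed run of flows separated by the given gaps (seconds)."""
    flows, t = [], start
    for gap in [0] + gaps:
        t += gap
        flows.append(Flow(t, src, dst, dport, nbytes))
    return flows


# Constructed sample flows (not real telemetry).
FLOWS = (
    # Day 1: implant on 10.0.0.5 checks in to a C2 address already on a blocklist.
    _series("10.0.0.5", "203.0.113.10", 443, 0, [61, 58, 61, 61, 58])
    # Day 2: operator rotates infrastructure; the new address is on no blocklist.
    + _series("10.0.0.5", "198.51.100.7", 443, 86400, [60, 59, 62, 60, 61])
    # Benign user browsing: same destination port, irregular human timing.
    + _series("10.0.0.8", "93.184.216.34", 443, 5, [395, 10, 1490, 50, 1050], 15000)
    # Internal reconnaissance from the implant host: one connection per port.
    + [Flow(5000 + i, "10.0.0.5", "10.0.0.20", p, 60)
       for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080, 8443])]
)

BLOCKLIST = {"203.0.113.10"}  # constructed IOC from a hypothetical earlier campaign


def ioc_hits(flows, blocklist):
    """Signature-style detection: match destination IPs against known-bad indicators."""
    return {(f.src, f.dst) for f in flows if f.dst in blocklist}


def detect_beacons(flows, min_count=5, max_cv=0.1):
    """Behavioral detection: flag (src, dst, port) tuples whose connection timing is
    too regular to be a person. Regularity is the coefficient of variation
    (stdev / mean) of the gaps between consecutive connections."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((*key, round(cv, 3)))
    return sorted(hits)


def detect_port_scans(flows, min_ports=10):
    """Behavioral detection: one source touching many distinct ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


if __name__ == "__main__":
    print("IOC hits (day 1 only):", ioc_hits(FLOWS, BLOCKLIST))
    print("Beacons (both days):  ", detect_beacons(FLOWS))
    print("Port scans:           ", detect_port_scans(FLOWS))
```

The IOC check returns a single hit, the day-1 address, while the beacon detector returns both C2 destinations and ignores the user’s irregular browsing, and the port-scan detector surfaces the internal reconnaissance that no external blocklist could ever contain. Real deployments would add time windows, baselines per host, and allow-lists to keep false positives down; the thresholds here are illustrative only.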