The Middle East has seen a recent uptick in the number of nation state attacks, in line with geopolitical tensions in the region. We caught up with Alister Shepherd – Director, Middle East and Africa, for Mandiant, the consulting arm of FireEye, to find out about the regional threat landscape and what it’s really like to be on the frontline of incident response.
Can you give an overview of the threat landscape within this region?
I think in this region, more than any other, we see nation state actors as the primary threat. The geopolitical situation here leads to increased threat and we see a correspondingly high volume of nation state attributed attacks.
Within that, we see that Iran is probably the most prolific threat actor, but we also see Russia active in the region, as well as China, which is active globally.
And then we see criminal threat actors and other nation states to a much lower degree.
Has there been any change to the number of nation state attacks in the region?
Over the last few months, we’ve seen an uptick in attacks that we attribute to Iran. And again, I think that would be expected with the increase in tensions in the region. What is encouraging though, is that while we’ve seen an uptick in things like espionage attacks or attacks aimed at gaining access, we’ve not seen any successful disruptive attacks for some time.
I think the regional maturity and defensive posture is getting better.
What is the primary motivation for these types of attacks?
We track a number of different Iranian threat groups. We call them APT34, APT35, APT39 and APT33. We have a number of other groups that we haven’t given an APT name to, but which we attribute to Iran and the Iranian government.
And they seem to subdivide their specialisms. So APT34 is long-term espionage focused and they’re probably the group that we’ve been tracking in this region for the longest. APT33 is a group that we associate with disruptive attacks, such as the Shamoon attacks against Aramco.
The objectives are different depending on the overarching political goal but we see long term espionage, data theft and intelligence gathering.
APT39 is interesting because they target telecoms and travel, and they look to be gathering Big Data sets about people, both for processing as a Big Data set, but also burrowing down into individuals through their telecoms and travel records.
How are organisations and enterprises responding to these attacks?
We’ve definitely seen an increase in maturity and investment. I think the biggest thing we’ve seen is an investment in technology aimed at defending against these attacks.
In this region, maybe more than anywhere else, we see a lot of organisations, particularly bigger ones such as petrochemical, financial services and government, investing heavily in technology. But I think there’s definitely more work to be done around the kind of strategy and approach, and people and process behind the technology.
What best practice advice would you offer those looking to improve their approach?
I always say getting the basics right is key. And that might be multi-factor authentication, particularly for remote services, password complexity and segmenting your network, making sure that your critical data is separated from your non-critical data.
I think some organisations probably haven’t even gone through that process of saying, ‘what is our critical data?’. And if you look at our research, but also pretty much all research in this space, most attacks still start with a phishing email. If you get these basics right, you educate your users, you have multi-factor authentication, suddenly that initial hurdle to get into the environment through phishing becomes so much harder.
How much of a role does education and ongoing training have to play?
I think it’s key for a couple of reasons. You can always debate whether end users have responsibility, and we would say they do, but of course they’re not experts, so they can always be tricked and you can’t blame the end user sometimes for falling for what’s quite a sophisticated attack.
Educating end users will increase the bar but I think educating executives is really important – they’re not technical specialists, but they are responsible for the business impact.
If you look at public attacks like WannaCry or NotPetya, there were organisations caught up in that where the total bill was over one billion dollars, so we’re talking huge business impact.
At the time it hit, executives might not have even been aware what ransomware is or how it works.
So education is key, not just for end users but for executives, who have to invest in and take responsibility for the security of an organisation.
Are there any particular threats to Kuwait organisations or any difference in cybersecurity approach?
We’ve seen a lot of targeting of government entities in Kuwait. And that’s with both the known APT groups I’ve mentioned and some of those that we believe are Iranian but haven’t named.
I think Kuwait, within that GCC and Middle East context, is lagging behind the Kingdom of Saudi Arabia (KSA) and the UAE in terms of investment and approach to cybersecurity.
It’s definitely being targeted. We’re seeing quite a lot of what look to be successful attacks from Iran, in particular, against Kuwait. And I think at some point we’ll expect to see the same realisation and change in approach within Kuwait that we are seeing elsewhere in the GCC.
If you look at the UAE and KSA in terms of government investment and support, these are way ahead.
Can you offer insight into what it’s like to be working on the frontline of incident response?
We always have the issue that no one’s ever pleased to see us – we’re always there because they have a problem.
It tends to be that we’ll get a call, often on a Thursday or Friday night, from someone in a panic, who has a significant problem. So that’s the start point.
I think we then always have our own education piece because often we’re dealing with, let’s say the technical team or a CISO, who understands what a cyberattack is but not how it’s going to play out.
They’ve got one system that’s behaving oddly and they want us to focus on that system. Quite often when we see APT34, for example, they will have either tens or sometimes hundreds of systems that they’ve compromised.
I think the most difficult part of being on the front lines is you’re constantly giving more bad news to the victim, until they get this full realisation that it’s not likely to be just one system or few systems, it’s likely to be network wide, multiple systems and multiple accounts. In the worst cases, we’ve seen attackers have been in an environment for up to five years.
Are there any emerging threats that CISOs should be preparing for?
One would be around a DNS hijacking campaign. I think one of the issues we’ve had getting entities to take this seriously is that it sounds very technical but really, in summary, we’ve got attackers who are managing to divert all traffic for a given organisation, or in some instances a given country.
And then they have access to all of that traffic, including the encrypted portions of it. I think one of the reasons that it hasn’t come to the fore previously is because it can also happen outside of the victim network, so the victim is investing in technology and they think they’re secure, but someone’s managed to compromise their DNS admin panel and they’re diverting traffic outside of the network.
The reason it becomes really important is that, if one of those servers is an email server or VPN server, or remote access, the attacker gets to collect all of the passwords and even the second-factor authentication of everyone that’s logging in to that server while they redirect the traffic.
There are some really simple steps that you can take to mitigate that, in terms of multi-factor authentication on your DNS admin panel. So, we’re urging people to look at that as a key theme from the year.
There are also information operations where we’re seeing multiple nation states, but also other politically motivated groups, pushing out misinformation.
And sometimes that can also be used to target individuals, so you will see inauthentic social media accounts used to make contact with people. That’s a new methodology of phishing as well. So, broadly, inauthentic media and information operations are areas which haven’t featured prominently to date but I think people need to be aware of.
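The DNS hijacking scenario described in the interview above (an attacker changes the records for an organisation's mail, VPN or remote-access hosts so that traffic is diverted through infrastructure outside the victim's network) can be caught from the outside with a simple baseline check. The example below is an added illustration, not code from the interview or from Mandiant; it assumes a hypothetical organisation `example.com` whose critical records and owned address space are constructed here from documentation ranges (RFC 5737). It resolves each critical record through an injectable resolver, so it runs offline against constructed snapshots, and raises an alert when a record differs from the baseline or when an A record points outside the organisation's own address space (the tell-tale sign of traffic being redirected to an attacker-controlled host).

```python
"""Baseline monitor for DNS hijacking of critical hostnames.

Added example, not from the interview. All hostnames, addresses and
nameservers below are constructed (hypothetical organisation example.com,
RFC 5737 documentation address ranges).
"""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

RecordKey = Tuple[str, str]           # (owner name, record type)
Resolver = Callable[[str, str], Set[str]]

# Constructed baseline: what the organisation's records are supposed to be.
BASELINE: Dict[RecordKey, Set[str]] = {
    ("mail.example.com", "A"): {"203.0.113.10"},
    ("vpn.example.com", "A"): {"203.0.113.20"},
    ("example.com", "MX"): {"mail.example.com."},
    ("example.com", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
}

# Constructed: address space the organisation actually controls.
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed snapshot of what a hijacked zone might resolve to: the VPN host
# has been redirected to an attacker-controlled address and the delegation
# (NS) has been changed at the registrar / DNS admin panel.
HIJACKED_SNAPSHOT: Dict[RecordKey, Set[str]] = {
    ("mail.example.com", "A"): {"203.0.113.10"},
    ("vpn.example.com", "A"): {"198.51.100.77"},
    ("example.com", "MX"): {"mail.example.com."},
    ("example.com", "NS"): {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
}


def make_resolver(snapshot: Dict[RecordKey, Set[str]]) -> Resolver:
    """Build an offline resolver from a snapshot; missing records resolve to an empty set.

    In production this would be replaced by a function that performs live
    lookups (ideally from several vantage points, since a hijack seen from
    inside the victim network may differ from what the internet sees).
    """
    def resolve(name: str, rtype: str) -> Set[str]:
        return set(snapshot.get((name, rtype), set()))
    return resolve


def check_records(baseline: Dict[RecordKey, Set[str]],
                  resolve: Resolver,
                  owned_prefixes) -> List[str]:
    """Compare live answers to the baseline and return a list of alert strings.

    Two checks per record: an exact-set comparison against the baseline, and,
    for A records, a sanity check that every address lies inside the
    organisation's own prefixes. The second check fires even if the baseline
    itself is stale, which is the case that matters during an active hijack.
    """
    alerts: List[str] = []
    for (name, rtype), expected in baseline.items():
        observed = resolve(name, rtype)
        if observed != expected:
            alerts.append(
                f"{rtype} {name}: expected {sorted(expected)}, got {sorted(observed)}"
            )
        if rtype == "A":
            for ip in observed:
                addr = ipaddress.ip_address(ip)
                if not any(addr in net for net in owned_prefixes):
                    alerts.append(
                        f"A {name}: {ip} is outside the organisation's address space"
                    )
    return alerts


if __name__ == "__main__":
    for label, snap in (("clean", BASELINE), ("hijacked", HIJACKED_SNAPSHOT)):
        found = check_records(BASELINE, make_resolver(snap), OWNED_PREFIXES)
        print(f"[{label}] {len(found)} alert(s)")
        for line in found:
            print("  " + line)
```

Running the module prints no alerts for the clean snapshot and three for the hijacked one (the VPN A record mismatch, the same address falling outside the owned prefixes, and the NS change). The NS check matters because a registrar or DNS-panel compromise of the kind described above typically shows up first as a delegation change rather than as a change to an individual host record.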