How CISOs can best assess geopolitical risk factors

Apr 14, 2020 | 13 mins
Advanced Persistent Threats | Risk Management | Security

A recent report on Russian-affiliated advanced persistent threats provides a template to help CISOs evaluate risk from nation-state actors.

[Image: Global geopolitical vectors. Credit: Matejmo / Getty Images]

Though they make up a small percentage of the overall threat landscape, attacks by nation-state-affiliated actors are among the most damaging. Some in the cybersecurity community believe these threat actors are too determined, sophisticated and unpredictable for most organizations to defend against.

A new report from Booz Allen Hamilton, however, suggests that actions taken by threat actors associated with Russia follow a series of predictable patterns and principles. That gives at-risk organizations a chance to better prepare for an attack. The research principles outlined in the report can apply to other state-affiliated advanced persistent threat (APT) groups.

The politics behind nation-state attacks

Knowing why you might be a target is the first step in defending against a nation-state threat. Most APT groups are affiliated with governments, and most governments make their long-term strategic goals publicly available. 

“The specific significance of geopolitical developments on cyber operations is a blind spot in threat intelligence,” says Brad Stone, senior vice president in Booz Allen Hamilton’s cyber practice. “Organizations should see the value in thinking more critically about how geopolitical factors are impacting their cybersecurity and the need to integrate geopolitical intelligence into their cybersecurity capability.”

Kah-Kin Ho, senior director for EMEA Public Sector at FireEye, agrees that understanding politics is important as it informs CISOs not only of potential threat actors but helps direct strategic and operational decisions across the security function. “Both long-term aims and immediate geopolitics are equally important for CISOs to understand as they are essential components of strategic intelligence,” he says.

Ho adds that CISOs can use this information to justify investment in talent and countermeasures. It also helps them prioritize which threat detection alerts should be investigated and what threat hunting teams should look for.

CISOs often struggle to understand how geopolitical thinking determines whether they might be targeted. “Organizations often frame the question of, ‘Why would a state actor care about me?’ in terms that are far too narrow,” says Stone. “It’s rare that state adversaries have a grudge with a specific organization. Rather, they objectively see their targets as means to an end.”

“The first step is to create a holistic organizational profile by considering what you do, what information you possess, who you know, where you are located, and your services. Next, consider whether these more discrete organizational aspects are important to threat actors. Ultimately, you should build your risk modeling based on that understanding.”

Understanding the motives of Russian cyberattackers

Through its affiliated groups APT28 (Fancy Bear) and Sandworm (Quedagh/Voodoo Bear), Russia’s military intelligence agency (GRU) has launched cyberattacks against high-level targets in government, defense, media and other major organizations worldwide. Booz Allen Hamilton analyzed 200 cyber incidents associated with Russia spanning 15 years (2004 to 2019) and claims that it has found a link between the actions of these groups and the Russian Federation’s publicly announced approach to military policy. Its findings can guide organizations as they face similar geopolitical developments that impact risk profiles.

“Fundamentally, state-aligned adversaries are organizations tasked with responding to national mission requirements in a manner consistent with strategic doctrine,” said the report. “The GRU executes its mission using methods consistent with declared strategic concepts. By understanding why adversaries act, defenders can better anticipate when, where, and in what form those actions may occur and take deliberate action to mitigate their risk based on that insight.”

Booz Allen Hamilton claims that most of the actions by Russian-sponsored actors conform to a series of principles outlined in The Military Doctrine of the Russian Federation. Most recently updated in 2014, this official policy document outlines “external dangers” to the Russian Federation, actions that could be construed as “military threats,” and actions the Federation will take to “deter and prevent military conflict.”

The doctrine contains two sections that are critical to assessing GRU cyber operations: they identify the specific circumstances in which the Russian Armed Forces would respond and how they would react, and therefore the circumstances in which the Russian military is likely to conduct cyber operations. Organizations can use this information as a model to contextualize previous GRU cyber activity and predict future attacks.

Booz Allen Hamilton acknowledges that the GRU is not the only Russian government agency that conducts cyber operations, but it is the most documented and publicly implicated in cyberattacks. Governments around the world have produced evidence pointing to the GRU’s involvement in such operations.

State-sponsored cyberattacks follow military doctrine

Booz Allen Hamilton identified 23 principal actions and conditions in the doctrine that may precede an armed conflict, including:

  • “External military risks,” such as unauthorized use of foreign military force adjacent to Russia or its allies or growth of ethnic, religious or cultural disagreements over territorial borders
  • “Internal military risks,” such as the undermining of Russian historical, spiritual and patriotic traditions or the provocation of Russian cultural strife
  • “Military threats,” such as heightened combat readiness or the use of military force during exercises adjacent to Russia or its allies.

The report describes how the military can avoid or resolve conflicts by identifying and assessing potential risks and threats and responding appropriately. The GRU identifies risks through cyber espionage, network and communication monitoring, and data collection and theft, as well as other means. It might then leak the stolen data to destabilize the sources of those potential risks.

“GRU operations should be considered as part of Russia’s vision of a long-term confrontation over beliefs, understanding and emotions that impact Russia’s ability to advance its policy vision and secure its strategic interests,” the report said.

For example, the GRU attempted to prevent Montenegro from joining NATO in 2016 through the use of DDoS attacks on various media websites, non-governmental organizations (NGOs), political parties, and telecom companies. It also conducted a spear-phishing campaign targeting Montenegrin government members with military- and NATO-themed lures to gain “awareness of potential military risks and threats”.

Another notable example includes Russia’s attacks against the World Anti-Doping Agency (WADA) in the wake of a doping scandal. Banning athletes from sporting events could be interpreted as a threat to Russian culture, and so the APT groups undertook a series of actions described in the doctrine, including the “manipulation of social or political environment” via social media disinformation and propaganda, “precise destructive attacks” via the OlympicDestroyer malware, and “widespread use of advanced weapons and technologies” to locally breach Wi-Fi networks used by WADA and US anti-doping officials to steal officials’ credentials and access an anti-doping records database.

The Booz Allen Hamilton report maps other incidents (attacks on Ukraine, the Democratic National Committee (DNC) leaks, the UK television station Islam Channel, and the Gulf Cooperation Council alliance) to the principal conditions in the Military Doctrine that would cause Russia to act.

Where to find guidance on political motivation for APTs

CISOs don’t need to be experts in the complexities of international relations. They should, however, be aware enough to create a global snapshot at regular intervals to evaluate and understand how geopolitical trends may impact their organization’s risk profile. They should also assess geopolitical risk when evaluating new acquisitions or mergers and expanding into new markets.

Retired Air Force Brigadier General Greg Touhill, former federal CISO of the US government and faculty member of Carnegie Mellon University’s Heinz College, says that larger companies, particularly those operating in the public sector or highly regulated areas, should invest in dedicated staff to monitor the political and legislative environment. “Successful CISOs have a strong relationship with their general counsel and have regular engagements to review the legislative and regulatory landscape. Forecasting what effects changes in political sentiment or leadership [may have] should be part of those conversations.”

FireEye’s Ho adds that if companies have a chief risk officer (CRO), then CISOs should collaborate with them, as CROs evaluate many different risks, among which geopolitical risk should certainly factor. He also advises a strong partnership with the country’s security services, as they can provide strategic and tactical warnings on potential adversaries’ activities.

It can be difficult for CISOs to communicate those risks to the business and board, who might find it difficult to understand why threat actors would target their business. “Once the CISO assesses that a cyber risk exists,” says Booz Allen Hamilton’s Stone, “it’s critical to communicate the potential impacts of that risk to different stakeholders in terms relevant to them. Collaboration with those stakeholders is crucial to precisely quantify the impact and drive institutional action with their buy-in.”

Ho adds that when assessing risks, CISOs should consider the Latin phrase “Cui bono,” which translates as ‘to whom is it a benefit’. “To whom is it a benefit if we were to suffer a breach resulting in destruction in property or loss of intellectual property given the tense geopolitical environment we find ourselves in? Answering the question will help direct investment in resources and countermeasures.”

When presenting this information, Ho advises CISOs couch their messaging in terms of business impact and real-world damage. “CISOs could say, ‘Last quarter we managed to detect and block two threat actor groups attributed to State A whose main modus operandi is to perform destructive cyberattacks on industrial control system used for oil and gas production. Had the adversaries’ operation been successful, it would have resulted in injuries and/or death to our field crew members and stopped oil production for at least two weeks resulting in $100 million in lost revenue.’”

Touhill adds that organizations shouldn’t be afraid to call on subject-matter experts or their peers to help them understand and contextualize the risks or get the message across to the business. “When I was the DHS deputy assistant secretary and director of the National Cybersecurity & Communications Integration Center, I had a Fortune 10 business ask me to discuss cyber threats and risks to their board of directors. My presentation supported the information that CISO had previously given the board, giving them confidence in their CISO’s recommendations. Asking for help isn’t a sign of weakness; it is a sign of wisdom.”

Must-reads for informing your security posture

Russia’s Military Doctrine is not the only political document CISOs should read to inform defenses. “States’ strategic priorities are often public, captured in strategic doctrine, and reaffirmed regularly through statements and overt noncyber policy,” said the report. “By understanding those priorities, we may anticipate the targets and focus areas of state-sponsored operations, as well as contextualize active and completed operations.”

The People’s Republic of China publishes its Five-Year Plans (5YP), which outline its economic development goals and the main drivers to achieve them. When China released the thirteenth 5YP in 2015, it also published its “Made in China 2025” policy, which laid out the key industries in which the Chinese government is focused on becoming a world leader. CrowdStrike has previously described these plans as “veritable shopping lists for Chinese intrusion groups” as they indicate which industries government-affiliated APT groups are likely to target and the kind of high-value intellectual property (IP) they want to take to further China’s political and economic goals.

In addition to policy documents that signal long-term national priorities, countries have diplomatic corps as well as state-owned or state-funded media that routinely communicate policies or positions. These are excellent primary sources that can help inform organizations. Think tanks such as the Carnegie Endowment for International Peace and the European Council on Foreign Relations also track and distill strategic foreign policy objectives.

CISOs should also be aware of more short-term political events that could affect their risk posture. For example, an agreement in 2015 between US President Obama and Chinese President Xi Jinping reduced the scale of attacks from China into the US. Groups affiliated with Iran often increase their activity during times of sanctions or tension with the US. Likewise, North Korea has upped its use of cryptomining malware to raise funds amid strict sanctions.

“A well-read CISO is a well-prepared CISO,” says Touhill. “I recommend that CISOs add Unrestricted Warfare to their reading list. It is a book on military strategy written in 1999 by two colonels in the People’s Liberation Army. It reads like a primer for Chinese-based cyberwarfare and remains relevant today. I’m currently reading Guardians of the Revolution by Ray Takeyh, a fascinating book discussing Iranian society and foreign policy. Another one is The Iranian Labyrinth by Dilip Hiro.”

In the near term, work on the fourteenth Chinese 5YP is underway and it is likely to be published this year. It could provide a strong indicator of which industries might be at risk from Chinese cyber threat actors over the next five years. Meanwhile, the next update to the Russian Military Doctrine is expected to be published in 2020. Previous updates have iterated on the pre-existing doctrine, meaning any defenses created specifically against the 2014 iteration will still be valid (though they may need updating).

Booz Allen Hamilton predicts that we will see attempted intrusions against critical sectors such as energy, utilities and transportation across western countries as well as more attacks against non-NATO countries as they are less likely to be involved in any broader allied response. Countries looking to join NATO or work more closely with the alliance may also face increased attacks. Russia’s ambitions around claiming territory in the Arctic may also inform future targets.

How to defend against nation-state threat actors

To improve cyber-defenses against government-affiliated threat actors, Booz Allen Hamilton recommends that organizations:

  • Evaluate relevant adversaries’ motives, methods and intentions related to your organization to increase your awareness of your attack surface and to inform your own defenses.
  • Identify your most critical assets and determine whether they are similar to assets those adversaries have previously targeted at other organizations.
  • Perform risk modeling and simulation to determine how your adversaries’ capabilities and intentions might perform against your current defenses in an attack scenario.
  • Monitor and log as much as possible to increase visibility and spot potential threats before their actions become critical.
  • Use threat intelligence and sharing to identify, contextualize and track campaigns and threats to inform your security posture. Sharing the intel will increase community awareness of adversary activity and improve visibility of your threat landscape.
  • Have a threat hunting program that proactively identifies exploitable areas of weakness in the organization so that defenses can be improved before they are abused.
  • Conduct wargames and exercises to test defenses and the capabilities of your security teams, help create playbooks, and identify areas of weakness.

“Start by figuring out what resources your organization already has in place to track geopolitical trends,” advises Stone. “Many large companies have existing methods for tracking these movements, from generating insights like market forecasting to physical security reporting. Get plugged into those capabilities.”

“Capable threat actors like the GRU demand a more focused and agile approach,” Stone adds. “It’s essential to continually consider adversaries’ motivations, how this can potentially pose a risk, and develop a plan to respond deliberately. Constant preparation will make you more resilient in the long run.”