Belt & Road Initiative – target of increased snooping activities

At a recent FireEye event in Malaysia, the cybersecurity company issued a press release stating that FireEye analysts have observed a pattern of targeting by China-based groups and others against organisations with links to the Belt & Road Initiative (BRI).

Needless to say, this piqued Enterprise IT News' interest, and we sent a list of questions to the cybersecurity solutions provider.

The first question was answered by a spokesperson; the others were answered by its Asia Technical Director, Steve Ledzian.

EITN: Do you believe these threat groups to be state or private (if possible for China) actors?

Spokesperson: We believe BRI will be a driver of regional cyber threat activity from a variety of actors, including Chinese advanced persistent threat groups which are linked to the state, to gain information advantage and collect business intelligence on individual projects and agreements.

EITN: What is FireEye’s stance when it comes to prevention vs detect and respond methods? Do you emphasise one over the other?

Ledzian: When it comes to cyber threat defense, there are prevention technologies and then there are detection & response technologies. Prevention technologies are built to try and prevent a breach from occurring in the first place. Detection & response technologies are built to notice when prevention fails and do something about it before the intruder can impact the business. Detection & response technologies are needed because eventually prevention WILL fail. One does not replace the other; rather, prevention and detection & response are complementary efforts. Today you need both strong prevention and strong detection & response technologies.

Historically, many organizations have invested heavily in prevention and underinvested in detection & response. While they're both important, there's some low-hanging fruit organizations can reap by taking a look at their gaps around detection & response, as those areas are often under-addressed.

EITN: Has FireEye tried to obtain comments from national-level cyberdefense agencies of countries like China and/or Malaysia, to try to shed more light on these patterns of activity that FireEye has observed? If yes, what are these agencies, and how are they corroborating your findings?

Ledzian: We regularly engage with the Malaysian government and with other governments around the region. Many government agencies in the region rely on FireEye to provide threat intelligence. I’m not in a position to delve further into the details of those discussions.

EITN: The fact that FireEye is able to identify the attacking parties and their motivations as well – do you also offer attribution services?

Ledzian: We work to protect our customers and attribute attacks where we can. Attribution helps inform business decisions. You still find some contrarians who will dismiss the value of attribution, but they're missing the point. The value in getting attribution is to understand your adversary, determine their motives, and use the information to help inform your risk management and ultimately drive your decision making. For example, if a state is stealing your negotiation position while you are engaged in negotiations involving that state, leaders may want to take further action.

[Here’s an overview of attribution we have made publicly.]

EITN: Is FireEye involved in any regional-level cooperation in Asia, to protect member countries from these kinds of cyberespionage? Are these China-based activities using any particular method that organisations should be especially aware of in order to protect themselves?

Ledzian: We believe states should come together to establish accepted rules of engagement. These are critical for establishing deterrence, and they are lacking in cyber security today. Without attribution it’s hard to imagine how threat actors will face consequences and without consequences cyber crime and cyber espionage will continue to escalate.

EITN: What are the top 3 best practices for organisations in APAC to protect themselves from attacks of this nature? Do you foresee public-private partnerships increasing as a result of these kinds of attacks?

Ledzian: For organisations that want to improve their security posture, here are 3 best practices:

1) Invest in best-of-breed email security. The vast majority of attacks start as a spear phishing email. Add to that other email-borne threats such as Business Email Compromise (BEC), ransomware, credential theft, and others, and it's absolutely critical that you have very strong email security.

2) Recognize that technology by itself is not sufficient to solve the cyber security problem. Look at expertise and services such as Compromise Assessments, which tell you if you are breached without realizing it, and Red Team assessments, which test your security posture systemically across people, processes and technology.

3) Get the business owners to realize that cyber risk is a business problem, and not a technology issue. Cyber impacts the business itself, not just the IT infrastructure. Get the board of directors educated, bought in and established as an ally in addressing cyber risk. If you can't accomplish that in house, get help externally from consultancy firms. Avoid the situation where the board of directors is surprised by a successful breach, surprised by the impact, and pointing the finger at you.

Regarding public-private partnerships, we will see these increase; one such example is FireEye being selected to train Singapore's Cyber Security Agency (CSA) in 2017.