Defeat Targeted Cyber Attacks

Unidirectional security gateways can protect against these tightly focused threats

By Andrew Ginter, Waterfall Security

Page 1 of 2

A truism of cyber security is that cyber attacks only get more sophisticated over time, and so best-practice cyber defenses must continue to evolve, as well. In the last half decade, professional-class, targeted cyber attacks have become the new “normal” — the pervasive cyber threat that best-practice cyber-security programs must all address, in addition to myriad older, well-understood threats. Widespread understanding of targeted attacks has been slow to develop among security practitioners and the general public, in large part because attackers take great pains to remain invisible. Despite this, best practices have developed and are being applied routinely to address the risks posed by targeted attacks, both on corporate information technology (IT) networks and on operations technology (OT) control system or supervisory control and data acquisition (SCADA) networks. However, OT best practices differ sharply from IT best practices.

Most of us have experienced a malware-infected computer. High-volume malware, by definition, seeks to compromise millions of machines. These attacks generally harvest personal credit-card and banking credentials, and may use compromised equipment as part of for-hire distributed denial of service (DDoS) attacks or spam-sending botnets. Targeted attacks are the very opposite of high-volume malware in many ways; they are low volume and slow, operated manually by professionals with a specific target in mind (see sidebar).

Targeted attacks entered popular awareness under the label advanced persistent threat (APT). That term describes the adversary and the campaign; the tooling now typical of such campaigns is the remote administration tool (RAT, also called a remote access trojan), malware with a wide range of features, including the ability to execute commands remotely, download updated versions of itself, and operate a compromised machine through a user interface very similar to the familiar Remote Desktop tool. Once established on a corporate network, RAT malware is controlled by a professional team working in an environment very much like that of a typical 9-to-5 job.

Targeted attacks traditionally begin by compromising the corporate network of a specific organization. This often starts with reconnaissance of employees’ social-network profiles to craft convincing e-mails that trick victims into running malware attachments, or with more traditional attacks on Web servers exposed through Internet-facing firewalls. The implanted malware is typically custom-built and deployed to only a handful of targets, which defeats signature-based anti-virus: a vendor can write a signature only for malware it has obtained a sample of, and a sample that exists on only a few machines in the world may never reach the vendor. There typically are no anti-virus signatures for such malware.

Professional attackers also harvest passwords and password hashes. On Microsoft Windows networks the hash of a user’s password, rather than the password itself, is what a machine presents to authenticate that user to other machines in the domain, so a stolen hash can be replayed to log in elsewhere without ever cracking the password (the so-called pass-the-hash technique). Having obtained domain administrator credentials, attackers create their own accounts and passwords, and so no longer need to exploit software vulnerabilities or guess weak passwords. They simply log into and operate their targets remotely using the new credentials.
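The footprint this leaves in Windows Security logs is small but distinctive: a new account is created (event 4720), added to a privileged group (4728 for a global group such as Domain Admins, 4732 for a local group such as Administrators) and then used for a remote interactive logon (4624 with logon type 10). The following correlation is an added example, not code from the article or from Waterfall Security. The event records are constructed for the example with a simplified field layout (not the raw Windows XML), and the account, host and user names in them are made up; the event IDs and logon-type code are the standard Windows values.

```python
"""Correlate account creation, privileged-group membership and remote
logon across Windows Security events.  Added example; not part of the
original article.  The event records below are constructed for the
example and are not real log data; the event IDs (4720, 4728, 4732,
4624) and the logon-type code 10 (RemoteInteractive) are the standard
Windows ones."""
from datetime import datetime, timedelta

# Constructed sample: fields reduced to what the correlation needs.
SAMPLE_EVENTS = [
    {"time": "2014-03-03T02:11:04", "id": 4624, "actor": "jsmith",
     "target": "jsmith", "logon_type": 2, "host": "WS-041"},
    {"time": "2014-03-03T02:14:30", "id": 4720, "actor": "jsmith",
     "target": "svc_backup2", "host": "DC-01"},
    {"time": "2014-03-03T02:15:02", "id": 4728, "actor": "jsmith",
     "target": "svc_backup2", "group": "Domain Admins", "host": "DC-01"},
    {"time": "2014-03-03T02:47:55", "id": 4624, "actor": "svc_backup2",
     "target": "svc_backup2", "logon_type": 10, "host": "HIST-01"},
    # Benign: help desk onboards a new hire into an ordinary group.
    {"time": "2014-03-03T09:05:10", "id": 4720, "actor": "helpdesk",
     "target": "new.hire", "host": "DC-01"},
    {"time": "2014-03-03T09:06:00", "id": 4728, "actor": "helpdesk",
     "target": "new.hire", "group": "Finance Users", "host": "DC-01"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4732}   # member added to global / local group
REMOTE_INTERACTIVE = 10           # RDP-style logon


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_rogue_admin_accounts(events, window=timedelta(hours=24)):
    """Return one alert per account that was created, placed in a
    privileged group and then used for a remote interactive logon,
    all within `window` of its creation."""
    created = {}   # account -> (time, creating actor, host)
    elevated = {}  # account -> (time, privileged group)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = _when(ev)
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["actor"], ev["host"])
        elif ev["id"] in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            acct = ev["target"]
            if acct in created and t - created[acct][0] <= window:
                elevated[acct] = (t, ev["group"])
        elif ev["id"] == 4624 and ev.get("logon_type") == REMOTE_INTERACTIVE:
            acct = ev["target"]
            if acct in elevated and t - created[acct][0] <= window:
                age = t - created[acct][0]
                alerts.append({
                    "account": acct,
                    "created_by": created[acct][1],
                    "group": elevated[acct][1],
                    "first_remote_logon": ev["host"],
                    "minutes_from_creation": int(age.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the help-desk onboarding produces no alert while the account created at 02:14 and used for an RDP logon to the historian 33 minutes later does. Note that nothing in the chain exploits a vulnerability or trips a signature: every event is a legitimate administrative action, which is exactly why it is detectable only by correlation.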

Targeted RAT attacks have proven extremely effective at defeating long-standing IT security practices, including firewalls, encryption, anti-virus systems and security update programs. They succeed largely because, once the attackers hold legitimate credentials, their activity rides on permitted connections and looks like authorized administration. Worse, RAT techniques are well known: every intermediate- or advanced-level security training program teaches them, and legitimate penetration testers use the same tools and techniques when examining the security of a client site.

IT network best practices for protecting against targeted attacks are well documented, but they are ineffective at protecting control system networks. The reason is that IT practices are built around protecting valuable data: administrators deploy intrusion detection systems, data-exfiltration detection and prevention systems, and advanced forensics technologies in the hope of identifying compromised computers and stopping an attack before serious data loss occurs.

OT network administrators, on the other hand, are concerned with the possibility of cyber sabotage: facility shutdowns, equipment damage, ransomware (malware that locks or encrypts systems and demands payment to restore proper functionality) and, most importantly, risks to workers, the public and the environment. Targeted RAT attacks aimed at sabotage leave very different footprints than data-exfiltration attacks do. A sabotage attack moves comparatively little data, and a command that opens a breaker or changes a setpoint contains nothing a data-exfiltration prevention system could flag as “sensitive.”
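To make the contrast concrete, the following added example (not code from the article or from Waterfall Security) encodes a Modbus/TCP Write Single Register request, the kind of twelve-byte message that changes a setpoint on a controller, and runs a typical content-pattern scan of the kind data-exfiltration prevention systems use over both that frame and a constructed customer-data export. The register address, value and the patterns themselves are assumptions chosen for the example; the Modbus framing (MBAP header plus function code 0x06) is the standard one.

```python
"""Why data-exfiltration prevention logic cannot see a sabotage command.
Added example, not from the article.  Builds a Modbus/TCP Write Single
Register request (function code 6) for a hypothetical setpoint register,
then runs a DLP-style content scan over that frame and over a constructed
exfiltrated record.  Register address, value and patterns are made up."""
import re
import struct


def modbus_write_single_register(transaction_id, unit_id, address, value):
    """Encode a Modbus/TCP Write Single Register request (function 0x06).
    MBAP header: transaction id, protocol id (0), length, unit id."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def decode_modbus(frame):
    """Decode a 12-byte Write Single Register frame back into its fields."""
    tid, _pid, _length, uid = struct.unpack(">HHHB", frame[:7])
    fc, addr, val = struct.unpack(">BHH", frame[7:12])
    return {"transaction_id": tid, "unit_id": uid, "function": fc,
            "address": addr, "value": val}


# Content patterns of the kind a DLP system matches on (constructed for
# the example; no Luhn check, which only makes the scan more aggressive).
DLP_PATTERNS = {
    "credit_card": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
    "ssn":         re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "email":       re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "keyword":     re.compile(rb"(?i)confidential|proprietary|password"),
}


def dlp_scan(payload):
    """Return the sorted names of the patterns that match the payload."""
    return sorted(name for name, rx in DLP_PATTERNS.items() if rx.search(payload))


# Constructed exfiltration record: the traffic IT-side DLP is built to stop.
EXFIL_RECORD = (b"CONFIDENTIAL customer export\n"
                b"Jane Doe,4111 1111 1111 1111,123-45-6789,jane@example.com\n")

# Constructed sabotage command: write 0 to a hypothetical setpoint held in
# holding register 40012 (Modbus address 11) on unit 1.
SABOTAGE_FRAME = modbus_write_single_register(transaction_id=7, unit_id=1,
                                              address=11, value=0)

if __name__ == "__main__":
    print(len(SABOTAGE_FRAME), "byte sabotage frame:", SABOTAGE_FRAME.hex())
    print("decoded:", decode_modbus(SABOTAGE_FRAME))
    print("DLP hits on exfil record:", dlp_scan(EXFIL_RECORD))
    print("DLP hits on sabotage frame:", dlp_scan(SABOTAGE_FRAME))
```

The export trips every pattern; the sabotage frame trips none, and it is byte-for-byte the same message a legitimate operator workstation would send. A control-network defence therefore cannot rest on recognising sensitive content; it has to control which hosts are able to send such a frame at all.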

Additionally, the focus on safety and reliability means that OT networks are managed very differently than IT networks. The IT approach of constant change to “stay ahead of the bad guys” is a poor fit for control system networks, in which every software change is a potential threat to worker and public safety. That risk prevents aggressive anti-virus signature and security update programs from being deployed. This certainly doesn’t mean the security vulnerabilities of OT networks are less concerning. Rather, because the vulnerabilities are so difficult to correct promptly, OT best practices put more emphasis on physical and cyber perimeter protections than IT best practices do.
