Endpoint

11/27/2018
10:30 AM
JD Sherry
JD Sherry
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

8 Tips for Preventing Credential Theft Attacks on Critical Infrastructure

Stolen credentials for industrial control system workstations are fast becoming the modus operandi for ICS attacks by cybercriminals.

It's no secret that hacked critical infrastructure can have a detrimental safety impact, shut businesses down, and cost millions of dollars in lost revenue and brand damage. Unfortunately, attacks on critical infrastructure are showing no signs of abating. Think WannaCry, NotPetya, Black Energy, and now its malware successor, GreyEnergy.

The GreyEnergy malware family, reported last month by ESET researchers, is utilizing stolen credentials to target ICS workstations running supervisory control and data acquisition (SCADA) systems. To infect the systems, GreyEnergy is using traditional spearphishing attacks and compromising public-facing web servers. This allows the attackers to move laterally on the network, plant backdoors, and communicate with command and control servers. These attack behaviors are becoming more commonplace when examining critical infrastructure attacks.

On top of that, ICS systems are an easy target because it's widely known that most of them run on legacy, older infrastructure, so you cannot easily update the system or put an agent on the device. There's no room for system downtime when it comes to the power grid or a water plant, so patching vulnerabilities becomes extremely difficult. Also, with Internet of Things adoption on the rise, IT and OT (operational technology) networks are rapidly converging, making those once isolated systems even easier to threaten with damaging cyberattacks.

According to a new report by CyberX Labs, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for nation-state attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.

One easy attack vector for nation-states looking to target critical infrastructure is credential theft. After all, it worked well for some of the largest and most costly data breaches to date, including the Equifax, Office of Personnel Management, and Yahoo hacks. Stolen usernames and passwords guarantee an attacker can get in and wreak havoc on these systems. The more access those administrator credentials offer, the more detrimental it is to the organization.

What can protectors of critical infrastructure and other companies do to minimize cyberattacks and, more specifically, credential theft, when this seems to be the attack vector of choice for cybercriminals? Here are eight tips:

  1. Make sure all of your employees leverage multifactor authentication (MFA) across their networks — including their personal social media accounts.
  2. Understand who has privileged and administrative access within your organization. Place MFA in front of every administrator account for every system.
  3. Password vaults are great but use caution as these are often difficult to roll out broadly. Also, as a point of caution, be aware that well-meaning and ill-intentioned system administrators can find ways around these, negating their intended security value.
  4. Train your employees on how to avoid phishing and spearphishing scams and ensure they know how to create strong passwords that are not being recycled. Increasingly, phishing scams are often used to compromise privileged users of ICS.
  5. Know who has remote access to your external workstations. Most attackers target administrators who are granted remote access from these workstations.
  6. Use agentless solutions that won't affect performance and availability for legacy SCADA systems.
  7. Ensure both IT and OT systems, industrial IoT devices, and networks are hardened from cyberattacks — regularly updating operating systems and utilizing strong encryption, endpoint security tools, vulnerability assessments, patch management, network, and behavioral traffic monitoring tools.
  8. If a device is compromised, isolate it immediately before undergoing incident response.
  9. Ensure regular compliance with NERC, FERC, ISA, and other ISO standards.

By utilizing these tips, security teams can slow down credential theft attacks on critical infrastructure and keep these important systems on lock down. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

JD Sherry is Chief Revenue Officer for Remediant, Inc. He has spent the last decade in executive senior leadership roles at Optiv Security, Cavirin and Trend Micro, and has successfully implemented large-scale public, private and hybrid clouds emphasizing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8358
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.