Endpoint

11/27/2018
10:30 AM
JD Sherry
JD Sherry
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

8 Tips for Preventing Credential Theft Attacks on Critical Infrastructure

Stolen credentials for industrial control system workstations are fast becoming the modus operandi for ICS attacks by cybercriminals.

It's no secret that hacked critical infrastructure can have a detrimental safety impact, shut businesses down, and cost millions of dollars in lost revenue and brand damage. Unfortunately, attacks on critical infrastructure are showing no signs of abating. Think WannaCry, NotPetya, Black Energy, and now its malware successor, GreyEnergy.

The GreyEnergy malware family, reported last month by ESET researchers, is utilizing stolen credentials to target ICS workstations running supervisory control and data acquisition (SCADA) systems. To infect the systems, GreyEnergy is using traditional spearphishing attacks and compromising public-facing web servers. This allows the attackers to move laterally on the network, plant backdoors, and communicate with command and control servers. These attack behaviors are becoming more commonplace when examining critical infrastructure attacks.

On top of that, ICS systems are an easy target because it's widely known that most of them run on legacy, older infrastructure, so you cannot easily update the system or put an agent on the device. There's no room for system downtime when it comes to the power grid or a water plant, so patching vulnerabilities becomes extremely difficult. Also, with Internet of Things adoption on the rise, IT and OT (operational technology) networks are rapidly converging, making those once isolated systems even easier to threaten with damaging cyberattacks.

According to a new report by CyberX Labs, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for nation-state attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.

One easy attack vector for nation-states looking to target critical infrastructure is credential theft. After all, it worked well for some of the largest and most costly data breaches to date, including the Equifax, Office of Personnel Management, and Yahoo hacks. Stolen usernames and passwords guarantee an attacker can get in and wreak havoc on these systems. The more access those administrator credentials offer, the more detrimental it is to the organization.

What can protectors of critical infrastructure and other companies do to minimize cyberattacks and, more specifically, credential theft, when this seems to be the attack vector of choice for cybercriminals? Here are eight tips:

  1. Make sure all of your employees leverage multifactor authentication (MFA) across their networks — including their personal social media accounts.
  2. Understand who has privileged and administrative access within your organization. Place MFA in front of every administrator account for every system.
  3. Password vaults are great but use caution as these are often difficult to roll out broadly. Also, as a point of caution, be aware that well-meaning and ill-intentioned system administrators can find ways around these, negating their intended security value.
  4. Train your employees on how to avoid phishing and spearphishing scams and ensure they know how to create strong passwords that are not being recycled. Increasingly, phishing scams are often used to compromise privileged users of ICS.
  5. Know who has remote access to your external workstations. Most attackers target administrators who are granted remote access from these workstations.
  6. Use agentless solutions that won't affect performance and availability for legacy SCADA systems.
  7. Ensure both IT and OT systems, industrial IoT devices, and networks are hardened from cyberattacks — regularly updating operating systems and utilizing strong encryption, endpoint security tools, vulnerability assessments, patch management, network, and behavioral traffic monitoring tools.
  8. If a device is compromised, isolate it immediately before undergoing incident response.
  9. Ensure regular compliance with NERC, FERC, ISA, and other ISO standards.

By utilizing these tips, security teams can slow down credential theft attacks on critical infrastructure and keep these important systems on lock down. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

JD Sherry is Chief Revenue Officer for Remediant, Inc. He has spent the last decade in executive senior leadership roles at Optiv Security, Cavirin and Trend Micro, and has successfully implemented large-scale public, private and hybrid clouds emphasizing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.