Commentary

Infrastructure, Security, and the Need for Visibility

Government authorities are increasingly trying to bolster critical infrastructure security. But investments in next-generation solutions won't go far enough without also addressing security and operational fundamentals.

The United States and other government entities seek to bolster the security of critical infrastructure networks due to a combination of high-profile, likely state-directed intrusions and increasingly disruptive criminally driven ransomware incidents. Events such as the SolarWinds and Microsoft attacks discovered in 2020 and the recent Colonial Pipeline ransomware incident show latent, pervasive vulnerabilities and weaknesses in the security posture of economically vital entities. In response to these and other events, the US government alone issued the following statements, executive orders, and legislative actions:

While generating most attention, US actions are mirrored elsewhere as entities ranging from the European Union to Australia similarly work to strengthen network defense in critical infrastructure sectors. That a problem has been identified by multiple parties is obvious, but precisely how to deal with these security issues remains an open question in most instances.

Calls for modernization and improvement emphasize commercial buzzwords and marketing terminology ranging from "hybrid cloud adoption" to implementing "zero trust" security architecture. While these ideas have merit, and are cornerstones of the May 2021 Executive Order, they presuppose that organizations can rapidly adopt and implement complex, advanced security solutions. Unfortunately, the reality for many industries, including many of the sectors identified as "critical infrastructure" by entities such as the US Department of Homeland Security, reflects a distinct lack of the maturity necessary to succeed.

First and foremost, organizations and critical infrastructure entities must ensure at least minimum levels of visibility — across both endpoint and network space — to have any hope of succeeding in security tasks. Put bluntly, organizations that lack inherent understanding of and visibility into networks and processes will be hard-pressed to ensure the security of the same. Yet, in leapfrogging these security "basics" toward more complex and exotic possibilities, well-intentioned and necessary efforts to modernize the security posture of critical infrastructure networks will almost certainly fail.

While certain intrusion scenarios, such as the SolarWinds/Microsoft incident, appear on their face to represent highly complex, near-insurmountable problems, closer examination indicates that a combination of visibility into network activity and examination of identified events can uncover even the most "complex" intrusions. As previously documented by multiple entities, post-intrusion operations after the supply chain portion of the incident, while still retaining relatively high degrees of operational security, nonetheless produced artifacts for identification and detection, including:

  • Abnormal DNS queries containing encoded information
  • Unusual traffic activity to network infrastructure not associated with any other, legitimate service
  • Cobalt Strike Beacon command and control (C2) activity

While the entity behind this event — known as Nobelium, UNC2452, and Dark Halo, among other names — went to great lengths to both obscure and hide their activity, the above provides relatively simple items for observation in well-documented, well-architected network environments. Sufficient visibility into environments, combined with an ability to analyze and understand resulting observations, may not offer a perfect, impregnable defense, but it would give network defenders and system operators multiple possibilities for detecting unusual network activity relating to this campaign.
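The first artifact in the list above, DNS queries carrying encoded data, is one that basic resolver logging can surface without any exotic tooling. The following Python is an added example written for this commentary, not code from the article or from any vendor; it runs over a few constructed DNS query log lines (the hosts, domains and timestamps are made up) and flags labels that look like encoded payloads, then groups them per source host and registered domain so that a single odd lookup is not confused with a sustained channel. The log format, the "last two labels are the registered domain" simplification and the thresholds are assumptions chosen for the example.

```python
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed DNS query log lines: timestamp, source host, query type, name.
# These are made up for the example and do not come from any real environment.
SAMPLE_DNS_LOG = """\
2021-06-01T12:00:01Z 10.0.0.5 A www.example-corp.internal
2021-06-01T12:00:02Z 10.0.0.5 A update.vendor-example.com
2021-06-01T12:00:03Z 10.0.0.7 A 7f3a9c2e1b4d6a8f0e2c4b6d8a0f1e3c.appsync-api.example-c2.net
2021-06-01T12:00:04Z 10.0.0.7 A mfrgg43fmzxw6y3pnzuw2zjamn2gc.example-c2.net
2021-06-01T12:00:05Z 10.0.0.9 A mail.example-corp.internal
2021-06-01T12:00:06Z 10.0.0.7 A 2d9c0b1e5f7a3c8d6e4b0a1f9c7e5d3b.appsync-api.example-c2.net
"""

# Assumed log layout for this example: four whitespace-separated fields.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    qname: str
    label: str
    entropy: float
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_label(label: str, min_len: int = 20, min_entropy: float = 3.0):
    """Return a reason string if one DNS label looks like encoded data, else None."""
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return None
    if re.fullmatch(r"[0-9a-f]+", label):
        return "hex-encoded"
    if re.fullmatch(r"[a-z2-7]+", label):
        return "base32-like"
    return "high-entropy"


def registered_domain(qname: str) -> str:
    # Simplification for the example: treat the last two labels as the registered domain.
    return ".".join(qname.split(".")[-2:])


def scan_dns_log(text: str) -> list:
    """Parse log lines and return one Finding per query with an encoded-looking label."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        labels = qname.split(".")
        # Only labels left of the registered domain can carry attacker-chosen data.
        for label in labels[:-2]:
            reason = classify_label(label)
            if reason:
                findings.append(Finding(m["ts"], m["src"], qname, label,
                                        round(shannon_entropy(label), 2), reason))
                break
    return findings


def tunneling_candidates(findings, min_unique_labels: int = 2) -> set:
    """(source, registered domain) pairs that sent several distinct encoded labels.

    One odd lookup is noise; many unique encoded labels to one domain from one
    host is the shape of a data channel and deserves an analyst's attention."""
    labels_by_pair = defaultdict(set)
    for f in findings:
        labels_by_pair[(f.src, registered_domain(f.qname))].add(f.label)
    return {pair for pair, labels in labels_by_pair.items()
            if len(labels) >= min_unique_labels}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for f in found:
        print(f"{f.ts} {f.src} {f.reason:12} entropy={f.entropy} {f.qname}")
    for src, domain in sorted(tunneling_candidates(found)):
        print(f"candidate DNS channel: {src} -> {domain}")
```

The entropy and length thresholds are deliberately loose; in production they would be tuned per environment and the registered-domain logic replaced with a public-suffix list, but the point stands: the check needs only query logs, which is exactly the visibility the article argues most operators lack.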

Reviewing other critical infrastructure incidents over the past decade, there are similar examples where basic visibility and investigation could enable early-stage detection and intrusion identification:

  • In the 2015 and 2016 Ukraine power incidents, relatively common intrusion methodologies were deployed during ICS-specific intrusion phases of operations. Visibility into network traffic activity, even at just the network flow level, could identify initial access, lateral movement, and command-and-control behaviors prior to the execution of the disruptive events.
  • For the 2017 Triton or Trisis incident, subsequent analysis revealed lateral movement and credential reuse activity, among other tradecraft, for migrating through the victim network en route to attempting execution of a likely destructive attack.
  • Multiple intrusions into water and wastewater utilities in Israel and the US from 2019 through 2021 largely relied on insecure remote access mechanisms to authenticate to the victim environments. Monitoring for and tracking remote authentication and access activity could quickly identify such attempts when performed without significant obfuscation of traffic source.
  • Recent ransomware events, from the Colonial Pipeline incident to JBS Foods, among others, appear to all utilize standard intrusion tradecraft for initial access and lateral movement prior to ransomware deployment. Yet lack of visibility in victim networks let these events progress from access to eventual operational disruption.
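The Ukraine bullet above makes the point that even flow-level data, with no payload at all, is enough to see command-and-control behaviour. The Python below is an added example written for this piece, not code from the article or from any incident report; it reads a handful of constructed flow records (timestamp, source, destination, port, bytes; all addresses and times are made up) and applies two flow-only checks: near-periodic connections from one host to one destination, which is how most beacons look, and external destinations that only a single internal host ever talks to. The record format, the internal address prefix and the thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp,src,dst,dport,bytes. Made up for this example;
# 10.0.0.7 contacts one external host every minute, the others browse irregularly.
SAMPLE_FLOWS = """\
2021-06-01T12:00:00Z,10.0.0.7,203.0.113.10,443,1200
2021-06-01T12:01:00Z,10.0.0.7,203.0.113.10,443,1180
2021-06-01T12:02:01Z,10.0.0.7,203.0.113.10,443,1210
2021-06-01T12:03:00Z,10.0.0.7,203.0.113.10,443,1195
2021-06-01T12:04:00Z,10.0.0.7,203.0.113.10,443,1202
2021-06-01T12:00:10Z,10.0.0.5,198.51.100.20,443,50000
2021-06-01T12:07:33Z,10.0.0.5,198.51.100.20,443,72000
2021-06-01T12:21:05Z,10.0.0.5,198.51.100.20,443,61000
2021-06-01T12:35:48Z,10.0.0.9,198.51.100.20,443,80000
2021-06-01T12:40:00Z,10.0.0.5,198.51.100.20,443,55000
"""

# Assumption for the example: internal hosts live in 10.0.0.0/8.
INTERNAL_PREFIX = "10."


def parse_flows(text: str) -> list:
    """Return (datetime, src, dst, dport, bytes) tuples from CSV-style flow lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, min_flows: int = 4, max_cv: float = 0.2) -> dict:
    """Map (src, dst, dport) -> (mean interval seconds, coefficient of variation)
    for sessions whose inter-connection gaps are nearly constant.

    A low coefficient of variation (std/mean) means the timing is machine-driven;
    human-driven traffic to the same destination is far more irregular."""
    times_by_session = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        times_by_session[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in times_by_session.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 3))
    return beacons


def rare_destinations(flows, max_sources: int = 1) -> set:
    """External destinations reached by at most max_sources internal hosts.

    Legitimate services tend to be shared; infrastructure that only one
    internal host ever talks to is worth a look."""
    sources_by_dst = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            sources_by_dst[dst].add(src)
    return {dst for dst, srcs in sources_by_dst.items() if len(srcs) <= max_sources}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst, dport), (mean, cv) in find_beacons(flows).items():
        print(f"periodic: {src} -> {dst}:{dport} every {mean}s (cv={cv})")
    for dst in sorted(rare_destinations(flows)):
        print(f"rare destination: {dst}")
```

Real beacons add jitter and real networks have far more sessions, so a production version would use a longer window and a looser coefficient of variation, but the inputs are the same five fields any flow exporter already produces.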

Based on the above, we can see multiple government authorities across many countries are increasingly serious about bolstering critical infrastructure security, which is good. But present emphasis on next-generation technologies and advanced architecture practices shows a lack of understanding of what most critical infrastructure operators need: greater visibility into and understanding of network and host operations within their environment. Thus, while increasing investment in cybersecurity within these sectors is desirable, if such actions occur without addressing security and operational fundamentals, these efforts will return far less value than desired.