Arraya Insights | October 30, 2017
With National Cyber Security Awareness Month coming to a close, the U.S. Government seized the opportunity to put a select group of businesses on notice, so to speak. In a recent joint statement, the Department of Homeland Security and the Federal Bureau of Investigation warned of “advanced persistent threats” targeting the nation’s critical infrastructure, including companies in the energy, manufacturing, nuclear, aviation, and water industries. The warning also included a look at the tactics employed by attackers as well as a rundown of what those in the crosshairs can do to stay safe.
The earliest signs of this activity can be traced back to May, and it has escalated ever since. According to the statement, in some cases the attacks have succeeded. However, the Feds were mum as to the identity of the victims.
What do these attacks look like? Typically they are multi-stage, originating in a low-level system before spreading into something far more lucrative – and critical. The companies targeted are either the primary objective or a stepping stone to a much larger victim. The methods attackers use to conduct these campaigns vary, but some of the more common instances involve:
- open-source reconnaissance
- spear-phishing emails launched from compromised legitimate accounts
- watering-hole domains
- host-based exploitation
- industrial control system infrastructure targeting
- ongoing credential gathering
What comes after awareness?
Awareness only goes so far, which is why the Feds also included some steps organizations that fit the target profile can take to spot malicious activity and protect themselves. At their core, however, these are best practices that can be leveraged by all businesses, regardless of industry. Here are some of the recommendations put together by the DHS and FBI:
- Update network blacklists. The DHS and FBI include information on domain names, IP addresses and more known to be compromised. IT should update network blacklists with this information to prevent access from locations known to be up to no good.
- Implement network segmentation. As mentioned above, attackers have no problem starting small and working their way up. As such, mission critical networks – in this case, something like the industrial control system – should be segmented from lower priority items – also in this case, business-facing systems. This way, if attackers are able to gain low-level access, their efforts will be thwarted at the ground floor.
- Audit credential usage. Attackers love to get their hands on legit credentials and then exploit them for their own gain. IT should audit the access logs of remote systems and make note of anything that looks out of sorts, for example, an inexplicable middle-of-the-night login attempt. These audits should be extended to include remote desktop and VPN sessions if doubts are raised about activity attributed to a set of credentials.
- Ensure regular review of deleted system logs. Unusual or unexpected deletions may be a sign of attackers attempting to cover up their tracks on a corporate network. IT personnel should regularly peruse these logs for any signs of suspicious activity.
- Conduct end user training sessions. Whether they are on the front lines or the C-suite, users are often the easiest way in for attackers. Users must be kept up to date on the latest risks – in terms they can understand – and reminded of best practices when it comes to web browsing and email usage.
- Handle admin accounts with care. Admin accounts are undoubtedly high value targets and should be treated as such. Businesses should keep the total number of admin accounts to a minimum, and their activity should be closely monitored, particularly with regard to privilege escalations and role changes. Additionally, network admin accounts should be cut off from the outside world to prevent them from being co-opted. Finally, wherever applicable, admin accounts should be further hardened with two-factor authentication.
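To make the blacklist, credential-audit and deleted-log recommendations above concrete, here is an added example (not part of the DHS/FBI statement or Arraya's own tooling) that triages a small set of constructed remote-access and audit log lines: it flags middle-of-the-night logins, logins from a placeholder blocklist, and a log-clearing event that closely follows a suspicious login by the same account. The pipe-delimited log format, the business-hours window and the one-hour correlation window are all assumptions chosen for the example.

```python
# Added example (not from the advisory): triage remote-access and audit logs
# for the patterns the DHS/FBI recommendations describe.
# Hypothetical log format: <ISO-8601 timestamp>|<source>|<event>|<user>|<src IP>
from datetime import datetime, timedelta

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2017-10-18T08:55:12|vpn|login_success|jsmith|203.0.113.10
2017-10-18T02:37:44|vpn|login_success|jsmith|198.51.100.7
2017-10-18T02:41:09|security|audit_log_cleared|jsmith|10.20.30.5
2017-10-18T09:12:03|rdp|login_success|mlee|10.20.30.9
2017-10-18T11:20:30|rdp|login_success|svc_backup|192.0.2.44
"""

# Placeholder blocklist; real indicators come from the DHS/FBI report itself.
KNOWN_BAD_IPS = frozenset({"192.0.2.44"})
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 is normal
CLEAR_WINDOW = timedelta(hours=1)  # log clear within 1h of a flagged login


def parse_line(line):
    ts, source, event, user, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, "user": user, "ip": ip}


def audit(log_text, bad_ips=KNOWN_BAD_IPS):
    """Return (finding, user, src_ip) tuples in log order."""
    findings = []
    flagged = {}  # user -> time of the most recent suspicious login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "login_success":
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", rec["user"], rec["ip"]))
                flagged[rec["user"]] = rec["ts"]
            if rec["ip"] in bad_ips:
                findings.append(("blocklisted_source", rec["user"], rec["ip"]))
                flagged[rec["user"]] = rec["ts"]
        elif rec["event"] == "audit_log_cleared":
            # Every log clear deserves a look; one shortly after a flagged
            # login by the same account is the classic track-covering pattern.
            last = flagged.get(rec["user"])
            if last is not None and rec["ts"] - last <= CLEAR_WINDOW:
                findings.append(("log_cleared_after_suspicious_login",
                                 rec["user"], rec["ip"]))
            else:
                findings.append(("log_cleared", rec["user"], rec["ip"]))
    return findings
```

Running `audit(SAMPLE_LOGS)` yields three findings: the 02:37 VPN login, the log clear four minutes later by the same account, and the service-account login from the blocklisted address.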
Next steps: Putting those recommendations into action
These are just some of the recommendations put forth by the DHS and FBI. The full list is long and admittedly time-consuming, something no one in IT, or otherwise, wants to hear. However, these steps can have real, meaningful benefits on the health and well-being of all organizations, not just those who fall under the scope of this warning. That’s where Arraya Solutions can help. Our Cyber Security Practice has real world experience, at both the executive and the hands-on level, building and maintaining security solutions for businesses in high-risk industries. We can help execute the above steps and more to ensure manufacturers, industrial organizations, and beyond are ready for the worst today’s cyber criminals have to offer.
Start a conversation with our Cyber Security team today by visiting: https://www.arrayasolutions.com/contact-us/. Arraya can also be found on social media: LinkedIn, Twitter, and Facebook. While you’re there, leave us a comment on this or any of our posts and follow us to keep up with all of our latest industry insights, exclusive learning opportunities, and more.