According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Given these findings, detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal becomes all the more critical, according to the report. Attackers are taking their time and carefully orchestrating attack campaigns so that they occur over the course of several months.
Analyzing specific attacker behaviors in recent campaigns used to steal vital ICS information, the report found that “in multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious admin and suspicious Kerberos account behaviors.”
Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials, the study found. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
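The behaviors the report describes, an administrative credential stolen via spear-phishing and then reused over Kerberos and other admin protocols to reach one host after another, leave a footprint in ordinary authentication logs long before anything touches the ICS. The following is an added example, not code from the report or this article: it runs two simple detections over a handful of constructed logon records. The log format (one event per line: ISO timestamp, account, source host, destination host, protocol), the account names, the host names and the baseline of "known" admin workstations are all assumptions made for the example.

```python
"""Two detections for the admin-credential abuse described above.

1. admin_fan_out: an administrative account authenticates to an unusual number of
   distinct hosts inside a short window (lateral movement / reconnaissance).
2. unknown_source_logons: an administrative account is used from a source host that
   is not in its baseline (a credential phished from a user workstation).

Log format, accounts and hosts are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <account> <source_host> <destination_host> <protocol>"
SAMPLE_LOG = """\
2018-09-03T08:00:05 jsmith ws-101 mail-01 Kerberos
2018-09-03T08:01:10 adm_ops admin-jump-01 dc-01 Kerberos
2018-09-03T08:02:30 adm_ops admin-jump-01 fileserver-01 Kerberos
2018-09-03T22:10:02 adm_ops ws-117 dc-01 Kerberos
2018-09-03T22:11:45 adm_ops ws-117 hist-collector-01 Kerberos
2018-09-03T22:13:09 adm_ops ws-117 hist-collector-02 Kerberos
2018-09-03T22:14:51 adm_ops ws-117 eng-ws-22 Kerberos
2018-09-03T22:16:20 adm_ops ws-117 fileserver-01 Kerberos
2018-09-03T22:18:33 adm_ops ws-117 scada-export-01 Kerberos
2018-09-04T08:05:00 jsmith ws-101 fileserver-01 Kerberos
"""

# Assumed inventory: which accounts are administrative, and from which hosts
# each of them normally authenticates (the baseline a defender would maintain).
ADMIN_ACCOUNTS = {"adm_ops"}
KNOWN_ADMIN_SOURCES = {"adm_ops": {"admin-jump-01"}}


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "proto": proto})
    events.sort(key=lambda e: e["ts"])
    return events


def admin_fan_out(events, admin_accounts=ADMIN_ACCOUNTS,
                  window=timedelta(minutes=30), threshold=4):
    """Return one alert per admin account that reaches >= threshold distinct
    destination hosts within any sliding window of the given length."""
    by_account = defaultdict(list)
    for e in events:
        if e["account"] in admin_accounts:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"account": account,
                               "window_start": evs[start]["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough to trigger triage
    return alerts


def unknown_source_logons(events, admin_accounts=ADMIN_ACCOUNTS,
                          known_sources=KNOWN_ADMIN_SOURCES):
    """Return sorted (account, source_host) pairs where an admin account was used
    from a host outside its baseline, e.g. a phished user workstation."""
    seen = set()
    for e in events:
        if e["account"] in admin_accounts and \
                e["src"] not in known_sources.get(e["account"], set()):
            seen.add((e["account"], e["src"]))
    return sorted(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in admin_fan_out(evs):
        print(f"fan-out: {a['account']} from {a['window_start']} -> {a['hosts']}")
    for account, src in unknown_source_logons(evs):
        print(f"admin account {account} used from non-baseline host {src}")
```

In the constructed data the daytime activity from the jump host is silent, while the late-night run from `ws-117` trips both rules: the account reaches four distinct hosts within thirty minutes and does so from a workstation it has never used. Both signals come from authentication metadata alone, which is why watching admin and Kerberos account behavior in the IT network, rather than waiting for activity on the ICS side, is where the report says detection has to happen.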
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyber-attack life cycle.”
The report, based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, also found that during the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. In the lateral movement phase, 314 attack behaviors were detected per 10,000 host devices and workloads. And during the final stage of the attack life cycle, the exfiltration phase, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.