How to Find an APT Attack

Wednesday, November 1, 2017 @ 12:11 PM gHale

By Gregory Hale

It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding an attack campaign.

The main question that comes to mind is this: There is a warning, but how can you tell whether the bad guys are already in the system?


“There are indications they are looking for things inside the networks themselves,” said Dana Tamir, vice president of market strategies at security provider Indegy. “It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn’t meet the kind of activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what are acceptable activities.”
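The two-layer approach Tamir describes (a learned baseline of which assets talk, over which protocols, with which commands, plus a rule-based policy on top) can be shown with a small detector. This is an added example, not code from the article or from Indegy; the flow records, host names and the "writers allowed" policy are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed ICS flow records: src, dst, protocol and the command seen.
# BASELINE_CSV is the learning period; LIVE_CSV is traffic to evaluate.
BASELINE_CSV = """src,dst,proto,cmd
hmi-01,plc-07,modbus,read_holding_registers
hmi-01,plc-07,modbus,write_single_register
eng-ws-02,plc-07,s7comm,read_var
historian,plc-03,modbus,read_holding_registers
"""

LIVE_CSV = """src,dst,proto,cmd
hmi-01,plc-07,modbus,read_holding_registers
historian,plc-07,modbus,read_holding_registers
hmi-01,plc-07,modbus,write_multiple_coils
eng-ws-02,plc-07,dnp3,read
eng-ws-02,plc-07,s7comm,read_var
eng-ws-02,plc-03,modbus,write_single_register
"""

# Rule-based policy (assumed): only these hosts may issue write/control commands.
WRITERS_ALLOWED = {"hmi-01"}
WRITE_CMDS = {"write_single_register", "write_multiple_coils", "write_var"}


def learn_baseline(csv_text):
    """Record every (src, dst) pair, protocol and per-pair command seen while learning."""
    pairs, protos, cmds = set(), set(), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pair = (row["src"], row["dst"])
        pairs.add(pair)
        protos.add(row["proto"])
        cmds[pair].add(row["cmd"])
    return {"pairs": pairs, "protos": protos, "cmds": cmds}


def detect(csv_text, baseline):
    """Return (reason, row) for each record that breaks the baseline or the policy."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pair = (row["src"], row["dst"])
        if pair not in baseline["pairs"]:
            alerts.append(("new_conversation", row))      # assets never seen talking
        elif row["proto"] not in baseline["protos"]:
            alerts.append(("new_protocol", row))          # protocol never used before
        elif row["cmd"] not in baseline["cmds"][pair]:
            alerts.append(("new_command", row))           # command never sent on this pair
        if row["cmd"] in WRITE_CMDS and row["src"] not in WRITERS_ALLOWED:
            alerts.append(("policy_write_violation", row))  # rule-based policy layer
    return alerts
```

Note that the last live record trips both layers: it is a never-seen conversation and a write from a host the policy does not permit to write, which is why the policy check is not part of the `elif` chain.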

The alert on the US-CERT site warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.”

The DHS and FBI consider the attack to be ongoing. Their warning centers around a campaign from an advanced actor, most probably Dragonfly, also known as Crouching Yeti and Energetic Bear.

The warning went out to government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

It appears the attacker is seeking a position for possible action against the critical infrastructure in the future, the report said.

Attackers have chosen their targets rather than attacking targets of opportunity. Typically, target selection is followed by a spear-phishing campaign whose email attachments leverage Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. That request sends the user’s credential hash to the remote server, where, the report said, “The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”
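Because the SMB request described above has to leave the site to reach the attacker’s server, a simple check for SMB traffic to non-internal destinations in perimeter firewall logs surfaces both the attempts and the hosts making them. This is an added example, not from the article or the alert; the log format, the sample lines and the internal address ranges are constructed assumptions.

```python
import ipaddress
import re

# Constructed firewall log lines. Assumed format:
# "<timestamp> <allow|deny> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>"
FIREWALL_LOG = """\
2017-10-20T09:12:01Z allow src=10.20.5.14:51822 dst=10.20.1.7:445 proto=tcp
2017-10-20T09:12:09Z allow src=10.20.5.14:51830 dst=203.0.113.45:445 proto=tcp
2017-10-20T09:13:02Z allow src=10.20.5.22:49211 dst=198.51.100.9:443 proto=tcp
2017-10-20T09:14:40Z deny  src=10.20.5.31:50102 dst=203.0.113.45:139 proto=tcp
2017-10-20T09:15:11Z allow src=10.20.5.31:50110 dst=192.0.2.77:445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+src=(?P<src>[\d.]+):\d+"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)
SMB_PORTS = {445, 139}

# The site's own address space (assumed RFC 1918). Listed explicitly rather than
# using ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the address falls inside one of the site's internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return (ts, action, src, dst, port) for every SMB flow bound for an external host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than stop the detector
        port = int(m["dport"])
        if port in SMB_PORTS and not is_internal(m["dst"]):
            hits.append((m["ts"], m["action"], m["src"], m["dst"], port))
    return hits


def sources_by_action(hits):
    """Map action -> sorted internal hosts, so 'allow' shows where egress filtering failed."""
    out = {}
    for _, action, src, _, _ in hits:
        out.setdefault(action, set()).add(src)
    return {k: sorted(v) for k, v in out.items()}
```

An "allow" entry here means a workstation reached an external SMB server and its credential hash is likely already in the attacker’s hands; a "deny" shows the egress filter worked but the host still tried, which is worth a look at what document it opened.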

Watering holes are also used to gather credentials.

“The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” the report said. “Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.”

Once credentials have been gained, the attackers use them to access victims’ networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server.

“This alert shows adversaries are getting into networks and they are getting in deeper and deeper,” Tamir said. “Previous alerts on phishing attacks on the energy sector and campaigns like Dragonfly all referred to things like gathering credentials and infiltrating the systems. What this report shows is reconnaissance activity within industrial control networks and this is an alarming thing. It means adversaries are getting through into these networks and can access the physical processes as they operate.”

These kinds of warnings and attacks are becoming somewhat better known these days, but the question remains whether users are actually secure.

“Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain – more than retail or financial industry targets we tend to see in the news,” said David Zahn, GM of the cybersecurity business unit at PAS. “The reason is that the industrial control systems that sit at the end of the industrial facility’s kill chain control in many cases volatile processes. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability.”

“This is not the first time that we’ve heard of recon attacks leveraged against ICS with command and control capabilities on our energy, nuclear and critical manufacturing sectors,” said Dean Weber, CTO at Mocana. “This is the first recent cyber attack campaign targeting water utilities and aviation. Unfortunately, corporate IT networks are not always separated from the operational technology (OT) networks, making them particularly vulnerable.”
