Attackers Poised to Jump on Mistakes

Wednesday, May 4, 2011 @ 05:05 PM gHale

By Gregory Hale

There are plenty of smart people working on control systems in the manufacturing automation industry, but not everybody is perfect by any stretch of the imagination.

“Attackers assume smart people make mistakes,” said Jonathan Pollet, founder and principal consultant at Red Tiger Security during his talk Wednesday entitled “How APT, Night Dragon and Stuxnet Impact SCADA Systems” at the ICSJWG 2011 Spring Conference in Dallas.

The Night Dragon attack was an advanced persistent threat (APT), Pollet said. He called an APT an ongoing, consistent threat targeted at one person, company, or system.

The Night Dragon attack came in stages, Pollet said. It was a slow process to infect the system, he said. It took a series of weeks or months to fully compromise a system. There were incremental uploads, downloads and exchanges that looked for intellectual property, designs, any kind of information the attacker could get its hands on.

Once it was up and running though, Night Dragon took no prisoners.

“Night Dragon was not very covert,” he said. “It was kind of crude. They were pulling information at such a high rate of speed through the firewall.”

At the beginning, the goal for the hackers was to get the worm into the system, where it can immediately start researching and gathering intelligence, and then begin building attack vectors.

There are quite a few ways to get into the system, Pollet said, like using open source intelligence gathering, social engineering, targeted spear phishing, USB devices, and websites. Once the bot gets into the system it sets up a command post to gather information to continue to escalate privileges to gain a domain account.

Social engineering is able to leverage one nugget of information upon other little pieces of information and eventually, the attacker is able to gather enough information to begin an attack against a specific person or system. Facebook, Twitter and LinkedIn are good information gathering sites for attackers, he said.

“Adobe products get the attention of attackers” as one favored malware attack vector, Pollet said.

The difference with “Night Dragon is after it got into the system, it went looking for SCADA systems,” he said. It went into the system and gained more information.

In one story Pollet told, when Night Dragon got into the system using a specific user’s profile, it would sometimes lock out the real user, because two people with the same login could not connect to the system at the same time. In one case, the user called the help desk and left a ticket requesting help. When the attackers finally figured out they could potentially be discovered on the system, they started answering the help desk tickets themselves so they could allay any questions and fears. The goal for the attackers is to remain as anonymous as possible, Pollet said.

APTs will continue to grow in the coming months and years, Pollet said. There are ways to protect against them.

“A lot of these bots are not hiding,” Pollet said. “You can see traffic increasing at 2 in the morning during not business hours.”
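The off-hours traffic signal Pollet describes can be checked from firewall logs. The sketch below is an added example, not code from the talk or from Red Tiger Security; the log format, the business-hours window and both thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local, Mon-Fri
RATIO = 5.0                    # assumption: flag 5x the host's daytime median
FLOOR = 50_000_000             # assumption: ignore hours under 50 MB

# Constructed sample: timestamp, internal source, external dest, bytes out
SAMPLE_LOG = """\
2011-03-01T09:14:00 10.1.5.20 203.0.113.7 12000000
2011-03-01T09:40:00 10.1.5.20 203.0.113.7 8000000
2011-03-01T14:05:00 10.1.5.20 198.51.100.9 30000000
2011-03-02T02:03:00 10.1.5.20 192.0.2.44 400000000
2011-03-02T02:31:00 10.1.5.20 192.0.2.44 350000000
2011-03-01T10:00:00 10.1.5.31 203.0.113.7 90000000
2011-03-02T03:10:00 10.1.5.31 203.0.113.7 60000000
2011-03-02T01:00:00 10.1.5.40 192.0.2.44 1000000
"""

def is_off_hours(hour):
    return hour.hour not in BUSINESS_HOURS or hour.weekday() >= 5

def hourly_egress(log_text):
    """Sum outbound bytes per (internal host, hour bucket)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, nbytes = line.split()
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0)
        totals[(src, bucket)] += int(nbytes)
    return totals

def off_hours_spikes(log_text):
    """Return (host, hour, bytes) for off-hours buckets far above the
    host's own business-hours median egress."""
    totals = hourly_egress(log_text)
    daytime = defaultdict(list)
    for (host, hour), sent in totals.items():
        if not is_off_hours(hour):
            daytime[host].append(sent)
    alerts = []
    for (host, hour), sent in sorted(totals.items()):
        # A host with no daytime traffic gets a baseline of 0, so only
        # the absolute floor applies to it.
        baseline = median(daytime[host]) if daytime[host] else 0
        if is_off_hours(hour) and sent >= FLOOR and sent > RATIO * baseline:
            alerts.append((host, hour.isoformat(), sent))
    return alerts

if __name__ == "__main__":
    for alert in off_hours_spikes(SAMPLE_LOG):
        print(alert)
```

Comparing each host against its own daytime baseline keeps a scheduled overnight job of normal size (10.1.5.31 in the sample) from being flagged alongside the 2 a.m. bulk transfer.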

APTs can be beat with Advanced Persistent Diligence, he said. “A firewall deployment two years ago for a manufacturer is not sufficient. You need to be diligent in keeping up to date with the threats.”

In the same vein of remaining diligent, a manufacturer “needs to learn what information about your company is out there on the Internet and available to an attacker. You need to think like an attacker to protect your system,” Pollet said.

In addition, even though workers undergo training on the company’s security plans, employees still continue to click on emails and links loaded with malware.

Users also have to understand that while antivirus software catches most attacks, it won’t catch them all.

Manufacturers often remain in a defensive, reactionary posture when it comes to security. But if the manufacturer studies and understands the system, they do not have to wait to get hit by an attack.

“The best defense spends its time understanding the offense,” Pollet said.
