Monitoring Network Could Help Find Attack

Wednesday, June 14, 2017 @ 04:06 PM gHale

By Gregory Hale
This past December the Ukraine suffered an attack that hit its power grid among other key governmental infrastructure organizations.

It was a systemic attack hitting key governmental and infrastructure points across the country and was very similar to the attack that struck the Ukrainian power grid in December 2015.
The question coming out of the attack and with further knowledge of what transpired, is what could ICS/SCADA users do to protect themselves?

Grid Attack: Understand ‘What We Will See Tomorrow’
Ukraine Attack: An Insider’s Perspective
ICS Malware Linked to Grid Attack
Attack Group Targets Ukraine

Monitoring the network is one quick answer.

“There was a lot of activity,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the December Ukraine utility attack during an interview with ISSSource. “By the time you discover the final code or malware that will wipe your hard drive or switch off your lights, it is already too late. They have already been on your site for at least six months. This when you had a chance to notice something abnormal. Command and control communication, some abnormal movement within your network, abnormal activities on accounts. When the attack already had a reliable backdoor, it then becomes very difficult to monitor. Once you have the backdoor, you just drop the tools and you have an attack.

“In this specific attack, in the modules there were also firmware updates. It was not used in the attack, but if you monitored your control network you would see a firmware update and you would flag it and you would say what is going on, I am detecting a firmware update. Monitoring your control networks would help.”

If the malware had been on a system for six months to a year, another question is the network monitoring device could simply think it is a normal piece of software that has always been there.

“The intrusion lasted for a long time. At the beginning, there is a lot of activity where the attacker tries to capture some user credentials, tries to understand normal behavior of the network, normal behavior of the moderators,” Krotofil said. “At this point the attacker is still creating a lot of noise. Once the attacker captures a few credentials, a few administrator credentials or system accounts and understands who the applications are working, then they try to mimic the behavior, then it is difficult. Once they start preparing for the attack, they start to become more noisy, they need more back doors, they need to deliver tools and so on. This is also a good stage to discover the malware. Understanding the stages of an attack is really helpful in building your monitoring activities.”

Leave a Reply

You must be logged in to post a comment.