Security

FeedzyRead MoreRansomware and Log4j are the latest examples of the ways cyber criminals leverage security weaknesses to spread onto
The post Gone Phishing: How Ransomware, Log4j, and Other Exploits Use Your Network to Catch the Big Fish appeared first on Cyber Defense Magazine.Ransomware and Log4j are the latest examples of the ways cyber criminals leverage security weaknesses to spread onto […]
The post Gone Phishing: How Ransomware, Log4j, and Other Exploits Use Your Network to Catch the Big Fish appeared first on Cyber Defense Magazine.

Ransomware and Log4j are the latest examples of the ways cyber criminals leverage security weaknesses to spread onto networks and steal or extort large paydays.

By Peter Bookman, Founder, and CEO of guardDog.ai

Phishing for the Big One

In order to keep yourself and your company safe, it’s important to understand the psychology of a cybercriminal and their objectives. The Internet is like a vast ocean, and like fisherman, these criminals are hunting for the best spots to catch the biggest fish. They aren’t interested in the small fish, per se, but in how they can use the smaller prey to catch the bigger ones. They are after a giant payday, and the bragging rights to go along with it. So, they troll for vulnerable targets and develop the best lures they can, to exploit the opportunities they find.

Perhaps you think, “it will never happen to me.” You’d be wrong. A report from Cybersecurity Ventures  predicts global ransomware damage costs will reach $20 billion this year, which is 57x more than in 2015. The report notes this equates to a ransomware attack on a business “every 11 seconds in 2021.”

Log4j just emerged on the scene and is already being referred to as the largest vulnerability in history with hundreds of millions of devices affected. It is expected to take years to fully address and resolve.

Let that sink in.

There are mobile device management solutions (MDM) that offer some security capabilities, but they are often exploited at the network level and unaware of the activity (I recently wrote here about how MDM isn’t enough). Gaining control of a device is not enough to achieve their goals. Cyber criminals use these entry points with the strategy of spreading over your network to gain total control. They need the kind of leverage they can use to extort the level of payday they’re after.

Accessing and spreading on the network is the common denominator most of these attacks require to succeed. This is where the opportunities lie to stop the thieves in their tracks.

Casting the Best Lure

Ransomware, phishing, and many other exploits are about using the right bait to compromise a device, get onto a network and spread. Many of these count on human behavior to help them along, like an innocent click on a link in an email.

These types of threats typically appear to come from a friendly brand you know and trust like a bank, a streaming service, or any known brand you might trust. The email may claim your subscription will automatically renew at some higher rate, unless you call now to deal with it. It might say your password has been changed and if you changed it ignore the message, but if you didn’t, click here to reset your password!

Perhaps you are a customer; perhaps not. The criminals likely don’t know and don’t care. To them, it’s a numbers game. They are fishing for a victim. The hacker is an imposter, but what they send you may look and seem very real. They aim to get you in an urgent state of mind, so you’ll respond and engage quickly without thinking it through. In the reality of things, brute force is not a common way cybercriminals get access to confidential information. They look for a weakness they can exploit more easily, such as fooling someone into aiding in the attack from the inside. This is how they get you.

Regardless of cyber security policies or training, anyone can make a human mistake and accidentally compromise their device. Who hasn’t clicked on a link in an email at some point?

Log4j is even scarier. It uses a popular open-source logging solution prolific across many software deployments to spread. Simply viewing a pixel in a chat window, for example, could infect another machine – with no other action required. This exploit relies on running a certain version of Java and the way Log4j2 libraries can be exploited.

Further complicating things is the fact that most software doesn’t contain a bill of materials, hence the possibility of it taking years to find and correct all the vulnerabilities. In the chart below on the left, we see a device attack has successfully leveraged the network to infect other devices and gain access to all private information. On the right, we see suspicious activity from a device that was detected and then isolated at the network level, preventing the spread.

Force Them to Cut Bait

There is much we can do to secure devices from attacks, such as adding virus protection software, device management solutions, EDR, and other protections, but these solutions aren’t aware of what’s happening at a network level. Once the criminal targets and infiltrates your device, then what? If you have part of your team accessing secure information from unsecured external networks, then what?

Investment in network level protection is a must, to identify a threat that is attempting to spread and stop it before it gains a foothold. Network aware solutions can see patterns and traces these threats leave as they attempt to spread. With the right cyber security strategy in place, you can minimize the damage from an attack and potentially stave off the disaster of losing control of private information and having it held for ransom.

Deploying methods that monitor networks, detect threat patterns, and respond to them in a timely manner is the key to keeping the attack surface low and halting an attack’s progress when it’s found an entry point. You could accomplish this by using professional cybersecurity services from MSSPs, or by deploying a product that offers AI-based network-oriented autonomous countermeasures flexible enough to work with distributed work environments, which is an approach we use at the company I direct, guardDog.ai.

To keep pace with cyber criminals, you will need to invest in a variety of tools, talent, and strategies to keep them at bay. Every company should build a comprehensive cyber security plan that maps out how you will respond to threats at the administrative, technical, and physical level. A great plan maps your workflows and ties policies and protocols together to ensure you are responsive and can adapt to changing conditions.

This is increasingly important as businesses must comply with many new State and Federal regulations now in effect, with many more on the way. Many of these regulations provide safe harbor, but only if you are complying according to a written plan at the time an incident occurred. The fines are steep for being negligent or for doing nothing at all.

The bottom line is that you must build a cyber security practice that is adaptive and responsive to avoid being taken by the bad guys.

About the Author

Peter Bookman is Founder and CEO of guardDog.ai. Bookman has 25 years’ experience leading teams and disrupting markets with numerous exits. He is credited as an inventor to 14 patents in both software and hardware intellectual property.

Peter can be reached online at @pbookman and at our company website http://www.guardDog.ai/

FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

FeedzyRead MoreBy Chip Epps, VP of Product Marketing, OPSWAT Every critical infrastructure sector depends on energy to operate, yet
The post Understanding Russian Hacking Tactics to Power Up Security in the Energy Sector appeared first on Cyber Defense Magazine.By Chip Epps, VP of Product Marketing, OPSWAT Every critical infrastructure sector depends on energy to operate, yet […]
The post Understanding Russian Hacking Tactics to Power Up Security in the Energy Sector appeared first on Cyber Defense Magazine.

By Chip Epps, VP of Product Marketing, OPSWAT

Every critical infrastructure sector depends on energy to operate, yet the energy industry reports one of the highest rates of cyber incidents. Operational Technology (OT) is often the target of cybercriminals given that it controls the critical physical processes within industrial facilities, and gaining control of it can cause catastrophic damage. Coupled with the critical nature of these environments is the vulnerability of aged legacy systems that operate on air-gapped and isolated OT networks which require physical access to manage and deploy system updates.

Recent news coverage on the indictment of Russian spies for conducting a global hacking campaign that targeted hundreds of energy organizations has intensified the ongoing conversation about the security of critical infrastructure, especially since one of the targets of this campaign hit close to home at a nuclear facility in Kansas. While the indictment was retroactive to the activities that occurred between 2012 and 2018, the six-year hacking campaign serves as a great case study for industry leaders in the energy sector to understand the attack vectors and learn how to prevent threats to OT in the future.

A Watering Hole of Tactics

The first tactic used by the Russian hackers is known as a “watering hole attack,” or a “drive-by attack.” This type of attack lures victims to a website that looks similar to known vendors’ websites, but it is actually spoofed and contains malicious files through application updates. A layered approach is important for threat mitigation for this type of attack, and there are many best practices that energy organizations should adopt.

The first step would be to implement Remote Browser Isolation (RBI) solutions to prevent malware from being delivered to the user’s endpoint. Additionally, scanning all files that are downloaded to both the IT and OT networks within the organization, and then using either static scanning for known malware, or sandbox dynamic analysis which can detect malicious behavior in unknown files, are effective ways to stay ahead of threats. Organizations can also introduce URL/domain reputation and sandboxing capabilities to detect network communications to known bad hosts as part of the behavior analysis.

Further, proper network architecture and complying with NERC and NRC requirements can help prevent the propagation of threats from entering the OT domain. Safeguarding the OT network also entails network segmentation using unidirectional gateways and a protocol break to ensure OT assets are protected from outside threats.

While the above prevention protocols are best practices, hackers may still find their way into networks, so it’s important to deploy intrusion prevention systems right before critical assets, such as PLCs, RTUs and other industrial appliances.

Finally, an organization can deploy automated workflows to scan for malicious links and file scanning to prevent human error.

A Chain of Attacks

As we’ve seen with SolarWinds and Log4j compromises, software supply chain attacks are another common tactic used by cybercriminals and one that has been leveraged by the Russian espionage groups. In this case, the hackers worked to hide malware in software updates used by systems that control the equipment in power plants.

To mitigate this common type of attack, organizations should adopt a zero-trust philosophy and consider software updates from third-party vendors to be suspect and thoroughly inspected until considered safe. This entails disabling automatic software updates in OT networks, validating all updates in a test environment prior to delivery in production, checking software against known malware and vulnerabilities and running them through dynamic analysis, and inspecting the software component’s country of origin for compliance.

As U.S. legislation and global conversations on contingency planning for attacks on critical infrastructure evolve—and as these types of cyber incidents increasingly play out— the security of the energy sector should be at the top of everyone’s mind and mitigation list.

About the Author

Chip Epps is the VP of Product Marketing at OPSWAT.  He joined OPSWAT in 2021 with a 15+ year security career in both Product Management and Product Marketing, having been CISSP certified. He’s focused primarily on emerging product categories and associated go-to-market strategies spanning security domains including Endpoint, Datacenter, Network, Gateway, Cloud, IAM, SOAR and Threat Intelligence. Prior to a career in security, Chip spent 10+ years in IT operations and service delivery across numerous market segments including Healthcare, Finance, and Government, being ITIL certified. Chip received his BME (Mechanical Engineering) from Georgia Tech, was certified Chief Engineer by Naval Reactors (submarine qualified) and obtained his MBA with a focus on new ventures from University of San Diego.

Chip can be reached at [email protected]  and at our company website https://www.opswat.com/.

FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

FeedzyRead MoreBy Ian Bramson, Global Head of Industrial Cybersecurity at ABS Group Did you know almost 50% of ICS
The post Vulnerable Today, Hacked Tomorrow: How a Lack of OT Cybersecurity Affects Critical Infrastructure appeared first on Cyber Defense Magazine.By Ian Bramson, Global Head of Industrial Cybersecurity at ABS Group Did you know almost 50% of ICS […]
The post Vulnerable Today, Hacked Tomorrow: How a Lack of OT Cybersecurity Affects Critical Infrastructure appeared first on Cyber Defense Magazine.

By Ian Bramson, Global Head of Industrial Cybersecurity at ABS Group

Did you know almost 50% of ICS (Industrial Control Systems) organizations don’t have dedicated 24/7 security to manage Operational Technology (OT) incidents should a cyber event occur? While this fact may not be common knowledge to organizations, hackers have been readily exploiting this gap, as seen in incidents such as the Colonial Pipeline shutdown or the Oldsmar, Florida water treatment plant breach. Adversaries have learned that targeting ICS can result in quicker and higher payouts because of the potential to disrupt operations, prompting threat actors to focus on ICS targets. Ransomware attacks have proven very effective for OT systems just as with IT systems and are now being used as a weapon in international politics. As the conflict between Russia and Ukraine continues, adversaries are looking to gain real-world advantages from these kinds of cyberattacks. The pro-Russia hacking group Conti recently released a statement stating, “We are going to use all of our possible resources to strike back at the critical infrastructure of an enemy.” This should be a warning bell for any organization involved in critical infrastructure to be on high alert and consider themselves a potential target. All of this begs the question: are organizations prepared to detect and respond to a cyber attack on their OT systems?

New SANS report highlights lack of preparedness

Despite known and increasing threats, many organizations have not made OT cybersecurity a priority. A recent report from the SANS Institute titled “Threat-Informed Operational Technology Defense: Securing Data vs. Enabling Physics”, found that only 22% of security technology managers have the visibility needed to defend against modern threats. If an organization is creating a response plan after an attack occurs, then they are already too late. Keeping your response plan ready for implementation at a moment’s notice and your staff current on the procedures for addressing an attack enables a swift and unified response, yet 40% of those surveyed have not run incident response exercises in the last 18 months. On the positive side, although it appears many OT environments are not well positioned to detect or respond to an attack, many companies do have investments planned. The research reveals that 52% of respondents rank increasing visibility into control systems and implementing ICS-specific network security monitoring (NSM) as top priorities in the next 18 months.

Why is OT cybersecurity lagging behind?

Attacks on the OT environment are not entirely new, with notable incidents like the Stuxnet attack in Iran dating back 12 years. But there is still a perception gap between senior decision-makers and those on the front lines about the importance of a robust cybersecurity program in OT. In the SANS report, 35% of participants indicate such a gap between senior management and OT/ICS cybersecurity front line teams. This gap manifests itself as a lack of investment in OT cybersecurity programs which means security teams are resource-challenged and running on threadbare budgets.

The expertise required to manage OT cybersecurity programs is highly specialized. An effective program requires experience in both cybersecurity and the industrial environment within which the systems operate. Too many organizations take a “copy and paste” approach, applying the same principles and techniques from IT environments to OT, which have drastically different concerns, processes, and equipment. Attacks on these OT systems go beyond data and into physical spaces and deal with networks of legacy equipment installed at different times and with varying levels of technological capabilities. As a result, a dedicated team of experienced professionals is needed to better protect the security of the system and the people working inside of it. However, the survey found that currently, 47% of ICS organizations do not have internal, dedicated, 24/7 security response teams.

Taking steps to close the gap

Getting in front of this challenge requires change from the top down. To close the gap between front line teams and senior management organizations, decision-makers can take several different steps:

Appoint a Chief Information Security Officer (CISO) who can oversee OT/ICS security from a senior executive position, guaranteeing OT security professionals have a voice in the boardroom to help prioritize security initiatives.
Educate the board of directors on common misconceptions surrounding OT security. This means making sure they understand that OT security can’t be copied from IT, that being compliant does not mean being secure, and that this is a quickly evolving space where solving the last attack won’t prepare you for the next one.
Run OT-specific tabletop exercises regularly to keep team members from different levels of the company on the same page regarding a response to an attack. ICS incident response teams must understand the control system processes, the engineering, industrial protocols, safety factors, and ICS-specific cyber threats and maintain response plans that fit their organization.
Employ an active cyber defense cycle (ACDC) whereby they can secure, maintain, monitor for, and respond to threats. This repeatable process is driven by human cyber defenders who have both the necessary engineering knowledge of the OT environment and a background in cybersecurity defense. An active defense keeps security personnel engaged in identifying vulnerabilities and takes a more proactive than reactive approach with the focus on understanding not just the last attack but looking ahead to the next one.
Bring in a third-party organization to aid in identifying vulnerabilities, setting up a robust security program, and advising on maintaining OT protection moving forward. These experts can provide support for companies as they make key hires and set up an in-house cybersecurity program.

Cybersecurity now or forever hold your peace

OT environments are still playing catch up in terms of cybersecurity as 45% of survey participants estimate threats to their control systems are at high risk. And they’re right. The effect on operations, human safety and the environment could all prove costly when OT systems are exploited.

Many companies are not prepared for the potential onslaught of attacks that could be headed their way. While many are coming around to the necessities of building a more robust cybersecurity program for their OT environments, they are fighting an uphill battle to prepare for these attacks. Threat actors are actively plotting their next OT/ICS attack, looking to disrupt critical infrastructure either for profit or political gain. Without a proper plan for how to identify, respond to and recover from an attack before the attack occurs, organizations could find themselves in costly and dangerous situations.

About the Author

Ian Bramson is Global Head of Industrial Cybersecurity at ABS Group and a recognized leader in the emerging threat landscape of attacks on industrial operations and critical infrastructure. With more than 20 years of experience in cybersecurity and technology, Ian works directly with executives in the energy, industrial and maritime sectors to help minimize their cybersecurity risks. Ian can be reached online through his LinkedIn page at https://www.linkedin.com/in/ianbramson/ and at our company website https://www.abs-group.com/

FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.