How to find an APT attack against a network

Advanced persistent threat (APT) attacks against critical infrastructure are on the rise and companies and users need to learn how to find anomalies in their network and be proactive before serious damage can be inflicted.

12/22/2017


It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell if the bad guys are in the system.

"There are indications they are looking for things inside the networks themselves," said Dana Tamir, vice president of market strategies and security provider, Indegy. "It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn't meet the kind activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what is acceptable activities."

The alert on the US-CERT site warns, "Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks."

They consider these APT attacks to be ongoing. The DHS and FBI warning centers around an ongoing attack campaign from an advanced actor, most probably Dragonfly and its associated names of Crouching Yeti and Energetic Bear.

The warning went out to government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

It appears the attacker is seeking a position for possible action against the critical infrastructure in the future, the report said.

Attackers have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the server message block (SMB) protocol. This sends the user's credential hash to the remote server, where "The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users."

Watering holes are also used to gather credentials.

"The threat actors compromise the infrastructure of trusted organizations to reach intended targets," the report said. "Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure."

When credentials have been gained, the attackers use these to access victims' networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server.

"This alert shows adversaries are getting into networks and they are getting in deeper and deeper," Tamir said. "Previous alerts on phishing attacks on the energy sector and campaigns like Dragon Fly they all referred to things like gathering credentials and infiltrating the systems. What this report shows is reconnaissance activity within industrial control networks and this is an alarming thing. It means adversaries are getting through into these networks and can access the physical processes as they operate."

These kinds of warnings and attacks are becoming a bit better known these days, but the question also remains if users are secure.

"Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain—more than retail or financial industry targets we tend to see in the news," said David Zahn, GM of the cybersecurity business unit at PAS. "The reason is that the industrial control systems that sit at the end of the industrial facility's kill chain control in many cases volatile process. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability."

"This is not the first time that we've heard of recon attacks leveraged against ICS with command and control capabilities on our energy, nuclear and critical manufacturing sectors," said Dean Weber, CTO at Mocana. "This is the first recent cyber attack campaign targeting water utilities and aviation. Unfortunately, corporate information technology (IT) networks are not always separated from the operational technology (OT) networks, making them particularly vulnerable."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See related stories from ISSSource linked below.



The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me