How to find an APT attack against a network

Advanced persistent threat (APT) attacks against critical infrastructure are on the rise, and companies and users need to learn how to spot anomalies in their networks and act before serious damage can be inflicted.

12/22/2017


It is no secret that the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning to critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell whether the bad guys are already in the system.

"There are indications they are looking for things inside the networks themselves," said Dana Tamir, vice president of market strategies at security provider Indegy. "It is very easy to mask their activities. It seems everyone has privileged access. Everyone who has gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn't match the kind of activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what activities are acceptable."
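The anomaly types Tamir lists (a pair of assets that never talked before, a protocol never seen on a known pair, a command never issued on that pair) and the rule-based policy layered on top can be expressed as a baseline-and-compare pass over protocol-dissection records. The code below is an added example written for this page; it is not Indegy's product logic and not part of the alert. The host names, protocols, function names and both policy rules are constructed for the example.

```python
"""
Added example, not Indegy's code or anything from the DHS/FBI alert: a
baseline-and-compare pass that raises the anomaly types described above
(new asset pair, new protocol on a known pair, new command on a known
pair) and layers a rule-based policy on top. All hosts, protocols,
function names and policy rules are constructed for this example.
"""
from collections import defaultdict

# Constructed records from a learning period: (src, dst, protocol, function).
BASELINE_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-07", "modbus", "write_single_register"),
    ("historian", "plc-07", "modbus", "read_holding_registers"),
    ("eng-ws-02", "plc-07", "s7comm", "read_var"),
]

# Constructed records from live traffic to evaluate against that baseline.
NEW_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),       # seen before: no alert
    ("historian", "plc-07", "modbus", "write_multiple_registers"),  # known pair, new command
    ("eng-ws-02", "plc-07", "s7comm", "upload_block"),              # known pair, new command, policy-denied
    ("eng-ws-02", "plc-09", "s7comm", "read_var"),                  # asset pair never seen
    ("hmi-01", "plc-07", "ssh", "session"),                         # known pair, new protocol
]

# Rule-based policy (assumptions for this example): program-transfer and CPU
# control functions are never acceptable outside a change window, and only
# the HMI may issue writes.
POLICY_DENIED_FUNCTIONS = {"upload_block", "download_block", "stop_cpu"}
POLICY_WRITE_SOURCES = {"hmi-01"}


def build_baseline(flows):
    """Learn which protocols each (src, dst) pair used and which functions
    each (src, dst, protocol) triple carried."""
    pair_protocols = defaultdict(set)
    triple_functions = defaultdict(set)
    for src, dst, proto, func in flows:
        pair_protocols[(src, dst)].add(proto)
        triple_functions[(src, dst, proto)].add(func)
    return pair_protocols, triple_functions


def evaluate(flows, baseline):
    """Return one alert per record that is either anomalous against the
    baseline or violates policy. Each alert lists every reason that fired."""
    pair_protocols, triple_functions = baseline
    alerts = []
    for src, dst, proto, func in flows:
        reasons = []
        # Anomaly checks, most general first: only the first applicable one
        # fires, since a new pair implies a new protocol and command for it.
        if (src, dst) not in pair_protocols:
            reasons.append("new asset pair")
        elif proto not in pair_protocols[(src, dst)]:
            reasons.append("new protocol for pair")
        elif func not in triple_functions[(src, dst, proto)]:
            reasons.append("new command for pair")
        # Policy checks fire regardless of whether the traffic is "normal";
        # a baseline learned while an intruder was present would otherwise
        # whitelist their activity.
        if func in POLICY_DENIED_FUNCTIONS:
            reasons.append("policy: denied function")
        if func.startswith("write") and src not in POLICY_WRITE_SOURCES:
            reasons.append("policy: write from non-HMI source")
        if reasons:
            alerts.append({"flow": (src, dst, proto, func), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert["flow"], "->", "; ".join(alert["reasons"]))
```

Two practical points follow from the structure. The baseline must be learned over a window that is known to be clean and re-learned after every sanctioned engineering change, or the first maintenance session after deployment produces a flood of "new command" alerts and, worse, an intruder present during learning is baked into "normal". That is why the policy checks run independently of the baseline: a denied function is a denied function even if it has been seen before.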

The alert on the US-CERT site warns, "Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks."

DHS and FBI consider these APT attacks to be ongoing. The warning centers on an active campaign by an advanced actor, most probably Dragonfly, which is also tracked under the names Crouching Yeti and Energetic Bear.

The warning went out to government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

It appears the attacker is seeking a position for possible action against the critical infrastructure in the future, the report said.

The attackers select their targets rather than hitting targets of opportunity. Initial access typically comes through a spear-phishing campaign in which an email attachment uses Microsoft Office functionality to retrieve a document over the server message block (SMB) protocol. Because Windows authenticates to the remote share automatically, that request sends the user's credential hash to the attacker's server, where "The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users."
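The attachment trick described above relies on an Office Open XML document carrying a relationship whose target is a remote share, so that Word fetches it, and authenticates to the share, when the file is opened. The scanner below is an added example and not code from the alert, the article or any vendor: it builds a minimal .docx in memory with a constructed external template reference, then flags any relationship part whose external target is a UNC path or a file:// URL with a host component. The address 203.0.113.5 is a documentation-range IP used only for this example, and the `build_docx` helper exists only to produce test input offline.

```python
"""
Added example, not from the alert or the article: scan an Office Open XML
package for external relationship targets that would make Word (or Excel,
or PowerPoint, which share the package format) reach out to an SMB share
when the file is opened. The documents are built in memory so it runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Target forms that Windows resolves over SMB: a UNC path (\\host\share\...)
# or a file:// URL with a host component. file:///C:/... (no host) is local
# and deliberately not matched. Constructed pattern for this example.
SMB_TARGET = re.compile(r"^(?:\\\\[^\\]+\\|file://[^/]+/|smb://)", re.IGNORECASE)


def find_external_smb_refs(doc_bytes: bytes):
    """Return (part name, relationship type, target) for every relationship
    marked TargetMode="External" whose target points at an SMB location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def build_docx(template_target=None) -> bytes:
    """Construct a minimal .docx. If template_target is given, the settings
    part declares it as an external attached template, the mechanism often
    called template injection; Word resolves it on open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>')
        zf.writestr("_rels/.rels",
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        zf.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly maintenance schedule</w:t></w:r></w:p></w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/settings" Target="settings.xml"/>'
            '</Relationships>')
        zf.writestr("word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            f'xmlns:r="{OFFICE_REL}">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
            + '</w:settings>')
        rels = f'<Relationships xmlns="{RELS_NS}">'
        if template_target:
            rels += (f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
                     f'Target="{template_target}" TargetMode="External"/>')
        rels += '</Relationships>'
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_external_smb_refs(build_docx()))
    print(find_external_smb_refs(build_docx("file://203.0.113.5/templates/Normal.dotm")))
```

The check is deliberately generic: it walks every `.rels` part rather than only the settings relationships, so an external image, hyperlink or OLE target on a UNC path is caught the same way, and the same function works unchanged on .xlsx and .pptx files. It is a mail-gateway or sandbox control, not a replacement for the network control that closes the whole class: the credential never leaves if outbound TCP 445 is blocked at the perimeter, which is the complementary measure to apply alongside attachment inspection.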

Watering holes are also used to gather credentials.

"The threat actors compromise the infrastructure of trusted organizations to reach intended targets," the report said. "Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure."

Once credentials are obtained, the attackers use them to access victim networks that do not enforce multi-factor authentication. Once inside, they download their tools from a remote server.

"This alert shows adversaries are getting into networks and they are getting in deeper and deeper," Tamir said. "Previous alerts on phishing attacks on the energy sector and campaigns like Dragonfly all referred to things like gathering credentials and infiltrating the systems. What this report shows is reconnaissance activity within industrial control networks, and this is an alarming thing. It means adversaries are getting through into these networks and can access the physical processes as they operate."

Warnings and attacks of this kind are becoming better known, but the question remains whether users are actually secure.

"Surprising? No. Critical infrastructure presents high-value targets that, if exploited, can produce significant political or financial gain, more than the retail or financial industry targets we tend to see in the news," said David Zahn, GM of the cybersecurity business unit at PAS. "The reason is that the industrial control systems that sit at the end of the industrial facility's kill chain control, in many cases, volatile processes. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability."

"This is not the first time that we've heard of recon attacks leveraged against ICS with command and control capabilities on our energy, nuclear and critical manufacturing sectors," said Dean Weber, CTO at Mocana. "This is the first recent cyber attack campaign targeting water utilities and aviation. Unfortunately, corporate information technology (IT) networks are not always separated from the operational technology (OT) networks, making them particularly vulnerable."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.
