What’s your motivation? That’s the common question asked of many an actor but it’s also a highly relevant one in the cyber security industry – particularly when it comes to protecting critical infrastructure. Understand the reasons for an attack and you’re more likely to be able to narrow down the field and focus resource on attack mitigation. But gaining that information can be difficult.
It’s not always the lead villain that’s responsible. In the Critical Infrastructure Readiness report, McAfee identifies no fewer than thirteen possible perpetrators, ranging from the reckless employee, to the disgruntled individual, to the activist and the competitor. So while it’s tempting to point the finger of blame at your country’s political nemesis, this isn’t necessarily the case.
If we look at one particular type of malware we can see evolution in action. BlackEnergy, currently in its third incarnation, is a form of commercial crimeware that has evolved, continues to do so, and is accessible to a variety of perpetrators. BlackEnergy 3 features a number of plug-ins, making it highly versatile and appealing to organised criminal gangs as well as nation states, which makes it difficult to attribute to any one source. Another example is Trojan.Laziok, an information-gathering Trojan that was deployed against multiple energy companies worldwide. While countries in the Middle East accounted for 55 percent of attacks, the Trojan also targeted eight other countries, including the UK, suggesting it was being used either in a highly coordinated fashion by more than one country or by an organised criminal gang.
Nation states have almost unlimited resources at their disposal, are highly specialised in their approach, and typically build bespoke tooling from the ground up, as we saw with Stuxnet or Energetic Bear. Stuxnet’s code was so distinctive that it was readily attributable to a nation state.
Why does this matter? Well, making assumptions about the origins of an attack can cloud our perception and ability to detect threats going forward. In The State of Critical Control Systems Today report produced by the SANS Institute, 42 percent of those surveyed believed the attacks carried out against their organisation were carried out by external actors, making them less receptive to the idea of an internal compromise, while 44 percent were unable to identify the source of the infiltration. Detection was also a long-winded process with 15 percent saying it took over a month for them to even realise a breach had occurred.
It’s this monitoring and detection capability that is currently lacking in the critical infrastructure industry, making it difficult to improve resilience. That picture is borne out by another survey, conducted in November 2015 among 150 IT professionals, in which 69 percent of oil and gas industry respondents said they were “not confident” their organisations were able to detect all cyberattacks.
One thing is for certain: attacks are on the increase. Figures in the US from ICS-CERT show 295 reported incidents in the year October 2014-September 2015, up from 245 the previous year. The reasons for this are numerous, from the IP enablement of ICS, to the move towards a hyper-extended supply chain which exposes the provider by increasing dependency on vendors, to the increase in deployed technical touchpoints on the network.
A good example of the latter is the proliferation of IoT sensors used to monitor and regulate the flow of consumables. This effectively creates an external network of access systems with physical control over the supply of oil and gas, for example, and increases the attack surface exponentially. The move towards M2M communications and deployment of IoT is set to be a key technology trend as providers seek to become more competitive, but a bigger attack surface equals an increased likelihood of a successful large-scale attack. It’s therefore vital to look at threats and threat realisation in relation to these deployments.
One of the principal methods of defence in critical infrastructure has been to focus on the cyber kill chain. A term coined by Lockheed Martin, this describes the maturation of an attack, from the initial reconnaissance phase (where Trojan.Laziok would have played a vital role), through weaponisation, delivery, exploitation, installation and command and control, to actions on objectives. This is still a relevant approach, but it’s one the sector has not used to its full advantage, with too much emphasis on the latter stages of the chain.
For example, a recent attack on the Ukrainian energy sector that disabled 27 substations and left 225,000 people without power is thought to have taken six months to execute. That’s a potential window of opportunity the sector has been slow to exploit. There’s been a tendency to leave it to the security industry to flag vulnerabilities, but there is another way.
Critical infrastructure energy providers can and should look to proactively hunt for threats, reaching out to monitor a variety of sources from social media to the dark web. Many attack campaigns, such as BlackEnergy, rely upon phishing to provide the way in, and such attacks are often preceded by chatter on underground forums and networks as the perpetrators organise and align themselves for an orchestrated attack.
Solutions capable of probing and collating events from these sources are now available, such as the next generation Security Operations Center (SOC) which not only mines these sources for information but can also spot patterns, and improve detection rates over time with machine learning. Intelligent SOC services can be tuned to the sector to look for regulatory or geopolitical triggers from these external sources.
The SOC can also simultaneously monitor the internal workings of the organisation so that any suspect behaviour or anomalies on the network trigger an alert. It can also treat changes in strategy, or the addition of new systems or staff, as key events to monitor. Any such alerts are then subjected to scrutiny by dedicated security analysts who can connect the dots and interpret the likely escalation of a threat.
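As an added example (not code from the article or from Auriga), the toy detection pass below maps constructed log lines to the kill chain phases described earlier, flags any host that joins the control network but is absent from an asset baseline (the "new systems" event just mentioned), and orders the alerts so the earliest phases surface first, since that is where the widest window to intervene remains. Every rule pattern, host name, domain and log line is invented for illustration.

```python
import re

# Kill chain phases in the order the article lists them (Lockheed Martin model).
PHASES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "installation", "command-and-control", "actions-on-objectives"]

# Hypothetical rules: regex over a log line -> phase. Each captures a source.
RULES = [
    (re.compile(r"portscan from (?P<src>\S+)"), "reconnaissance"),
    (re.compile(r"mail attachment .* from (?P<src>\S+@\S+)"), "delivery"),
    (re.compile(r"macro executed .* on (?P<src>\S+)"), "exploitation"),
    (re.compile(r"new service installed .* on (?P<src>\S+)"), "installation"),
    (re.compile(r"outbound beacon .* to (?P<src>\S+)"), "command-and-control"),
    (re.compile(r"write to PLC .* from (?P<src>\S+)"), "actions-on-objectives"),
]

# Constructed asset baseline: hosts expected on the control (OT) segment.
KNOWN_OT_HOSTS = {"hmi-01", "hist-01", "eng-ws-02"}
JOINED = re.compile(r"host (?P<h>\S+) joined OT segment")

# Constructed sample logs (syslog-like); no real hosts or domains.
SAMPLE_LOGS = [
    "ids: portscan from 203.0.113.45 against dmz-gw",
    "mailgw: mail attachment invoice.xls from acct@example.net to ops@utility.example",
    "edr: macro executed invoice.xls on eng-ws-02",
    "edr: new service installed svchost_upd on eng-ws-02",
    "proxy: outbound beacon every 300s to updates.example.org",
    "netmon: host lt-contractor-7 joined OT segment",
    "ics-mon: write to PLC substation-12 coil 0x04 from lt-contractor-7",
]

def classify(lines):
    """Return (phase, source, line) for each line hitting a rule or the baseline check."""
    alerts = []
    for line in lines:
        for rx, phase in RULES:
            m = rx.search(line)
            if m:
                alerts.append((phase, m.group("src"), line))
                break
        m = JOINED.search(line)
        if m and m.group("h") not in KNOWN_OT_HOSTS:  # new, unbaselined system
            alerts.append(("unknown-asset", m.group("h"), line))
    return alerts

def prioritise(alerts):
    """Earliest phase first; an unbaselined asset is queued ahead of all phases."""
    rank = {p: i for i, p in enumerate(PHASES)}
    return sorted(alerts, key=lambda a: rank.get(a[0], -1))
```

Running `prioritise(classify(SAMPLE_LOGS))` puts the unknown contractor laptop and the external port scan at the top of the analyst queue, ahead of the PLC write that a stage-focused view would treat as the only serious event.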
Gaining such insights can warn the provider of an impending attack and give some indication of what form the attack might take, its likely scale, level of sophistication and so on, buying the organisation time to rally its defences and mitigate the effects. It can help improve resilience in a focused way, with resources channelled to where they are needed and incident response that is appropriate and timely. And, ultimately, it sees the provider become less reactive and less reliant upon detection to determine response. “Know thy enemy” has never been more important, and that can only be achieved through proactive threat intelligence.
James Parry is technical manager at Auriga