When an unfortunate event occurs, people tend to be curious about who was responsible for the event. It can be interesting and helpful to know who your enemy is and what their motives might be. But in cybersecurity, the primary focus is ultimately on preventative and detective measures to avoid similar issues.
Let’s use a recent example to illustrate this point below.
State-Sponsored Attacks Against U.S. Infrastructure
In January 2022, a joint advisory from CISA, FBI, and the NSA highlighted common Tactics, Techniques, and Procedures (TTPs) across a range of Russian state-sponsored campaigns. The advisory identified three specific groups – APT29, APT28, and the Sandworm Team – and it attributed this Russian activity to more than a dozen previously communicated known vulnerabilities. Moreover, the advisory discussed specific OT attacks in which those teams participated.
(CISA maintains a list of past attributions to Russia. You may also wish to subscribe to CISA alerts for further awareness and updates of those attack attempts.)
Putting These Attacks in Context
Although the advisory discussed above is specific to Russian threat actors, the lessons learned and approaches to preparedness, detection, and prevention are generically applicable to a wide range of threats for both IT and OT. Tim Erlin, VP of Strategy at Tripwire, agrees.
“Organizations should also review their preventive controls against the tools and techniques described in this alert,” he noted. “Identifying the attack in progress is important. But preventing the attack from being successful at all is better.”
CISA Recommendations for Your IT and OT CYBERsecurity Posture
Here’s an executive summary of those cybersecurity recommendations:
1. Apply the usual best practices
a. Use antivirus solutions properly by keeping signatures up-to-date and performing regular scans.
b. Use Multi-Factor Authentication (MFA) everywhere and for everyone. This means on OT networks, as well.
c. Back up your systems, and be prepared to recover by performing regular tests of the recovery procedures.
d. Mitigate or patch as many vulnerabilities as you can, prioritizing known exploits that allow for remote code execution or denial-of-service on internet-facing equipment.
e. Protect against phishing attacks with spam filters, user training, and email filtering for messages that contain executable files.
2. Become better prepared by developing, communicating, and practicing your policies. Give a concerted effort to reviewing immediately your preparedness in these three areas:
a. Incident Response Plan – Clearly define the procedures, roles, and responsibilities your organization will follow in the event of an incident for both IT and OT. CISA has prepared recent guidance to help in this area. These guidance plans are known as “playbooks.”
b. Resilience Plan – “Resilience” has become a cybersecurity buzzword, but the goal is to prepare your organization’s critical networks to become resilient from attacks as well as prepare your organization to resiliently respond and recover. A four-phase resilience framework includes: preparation, detection, response, and recovery.
c. Continuity of Operations Plan – This might sound similar to the above, but it is more specific to ensuring your operational technology (OT) can continue to operate in the event of an IT attack – and whether you have the necessary contingency plans for manual control of safety critical functions. A great starting point might be to run through some tabletop exercises as identified by the SANS Institute here.
3. More specific guidance beyond the usual best practices
a. Rigorous configuration management can help identify and prevent misconfigurations and security weaknesses. Although CISA doesn’t provide much guidance, it is recommended to follow the safeguards outlined in the CIS Controls. CISA also recommends disabling unnecessary ports and protocols. This is not always an easy task. Fortunately, tools, such as Tripwire’s State Analyzer makes it easy to define allowlists, going beyond ports and protocols to include services, users, software, local shares, persistent routes, and more.
b. Investigate abnormal activity using network monitoring tools and log collection to identify lateral movement by a threat actor or malware. These solutions make it easy to baseline normal network activity, identify new protocols and new communication paths, as well as implement network-based signature threat detection. Specifically, CISA recommends looking for “impossible logins,” “impossible travel,” and suspicious privileged accounts.
c. Beyond MFA and password complexity, take additional measures on Windows machines to secure credentials including disabling NTLM and to implement Credential Guard.
d. Take network segmentation more seriously to help prevent lateral movement. This necessitates the proper implementation and continuous monitoring of any Industrial Demilitarized Zones (iDMZ), if applicable. If you don’t have the budget, time, or resources for a complete network segmentation project, there are software solutions that can help you to identify your current segmentation, providing a blueprint for defining more specific zones and conduits while also allowing you to establish rules and alerts for approved connections and communication paths.
Takeaways from Russian APT Activity
These three Russian APT groups, as well as similar nation-sponsored groups throughout the world, have very sophisticated cyber capabilities which include the ability to discover vulnerable servers using large-scale scans, develop ICS-focused destructive malware, steal Kerberos tickets using “Kerboroasting“, and masquerade as legitimate traffic using VPSes. Zero-day threats are part of their arsenal, and traditional antivirus or preventative measures may not work. Subsequently, organizations may need to take a zero-trust approach and proactively hunt for changes and misconfigurations within their networks. If good cybersecurity practices are followed within the business, the attacks from any location will have little impact.