Apac CIO Outlook
May 2018

Process Control, and Critical infrastructure.

These sites will be laced with malicious content that can achieve a "drive-by" breach of an unpatched web browser, or entice the victim to download malicious content. Highly targeted spear-phishing attacks may also be used to penetrate the target networks.

Once the initial foothold is established, the attackers access the victim network and:
- Download additional tools to establish presence, persistence, and control
- Use malicious tools to harvest credentials
- Create user accounts
- Attempt to escalate the privileges of these user accounts
- Disable any host firewalls
- Establish Remote Desktop Protocol access
- Install VPN clients
- Research internal documents describing how the ICS environment is implemented
- Leverage IT/ICS network interconnectivity to control the ICS network in malicious ways

There is one very important observation to make here: the "traditional" IT network is the initial vector of most attacks against ICS infrastructures. There are several reasons for this:
- The malicious operators can harvest credentials from the IT network.
- The malicious operators can research the infrastructure layout by accessing systems with the harvested credentials.
- In most cases there are connections between the traditional IT network and the ICS network that can be traversed with the harvested credentials.

To accomplish these objectives, the malicious actors must:
- Exploit vulnerabilities
- Exploit weak endpoint configurations
- Install malware
- Create new user accounts

The reality is that "owning" the IT network is an effective way to ultimately "own" the ICS network, since for critical infrastructure operators the two are intimately related. For operators of critical infrastructure, both the traditional IT environment and the ICS environment must be continuously monitored, not only for indicators of compromise but also for proper configuration, the presence of vulnerabilities, and changes of state on the endpoints.
Some recommendations include:
- Discover all assets, all the time, to understand and reduce the risk from "unknown unknowns"
- Continuously monitor devices for vulnerabilities
- Constantly search for the presence of unknown software or active unknown processes on endpoints
- Continuously monitor critical infrastructure devices for proper secure configuration, and detect systems whose configuration has changed without explanation
- Monitor for changes in critical directories or executable files to detect malicious modifications
- Monitor for new user accounts on endpoints, which may have been created by malicious actors
- Continuously monitor the ICS environment for vulnerabilities and unusual traffic patterns
- Detect, monitor and understand in detail the connections that exist between the IT network and the ICS network
- Detect, monitor and understand in detail the connections that exist between "trusted" third parties and the IT network
- Detect, monitor and understand any outside connections that may exist directly to the ICS network
- Insist that "trusted" third parties comply with minimum security standards
- Consider universal adoption of two-factor authentication

Given that the threat is real and ongoing, there is now a sense of urgency for operators of critical infrastructure to be diligent in the configuration and monitoring of their IT and ICS environments.
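The post-foothold actions described earlier (a new user account, a disabled host firewall, RDP or a VPN client appearing, tools dropped onto disk) are exactly the endpoint state changes these recommendations say to watch for. The Python script below is an added example, not code from the article or from Apac CIO Outlook: it diffs a baseline snapshot of an endpoint against a current one and reports those changes. The Snapshot layout, the severities, the port-to-service table and the two sample snapshots are constructed for illustration; hash_tree() is included so a real baseline of a program directory can be taken with the same digests.

```python
"""Baseline/diff check for the endpoint state changes an intruder leaves behind:
new local accounts, modified or dropped executables, a disabled host firewall,
new remote-access listeners and processes running from uninventoried images.
Added example; snapshot layout, severities and sample data are assumptions."""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Snapshot:
    """State of one endpoint at a point in time (field layout is assumed)."""
    accounts: set          # local account names
    executables: dict      # image path -> sha256 hex digest
    listeners: set         # (protocol, port) pairs in LISTEN state
    firewall_enabled: bool
    processes: set         # image paths of running processes


# A new listener on one of these implies remote-access capability was added
# (the "establish RDP access / install VPN client" steps); table is assumed.
REMOTE_ACCESS_PORTS = {22: "SSH", 1194: "OpenVPN", 3389: "RDP", 5900: "VNC"}


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Inventory every regular file below root (symlinks skipped) for the
    'executables' field; paths are stored relative to root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def diff_snapshots(baseline, current):
    """Return (severity, message) findings for each change worth an alert."""
    findings = []
    for acct in sorted(current.accounts - baseline.accounts):
        findings.append(("HIGH", f"new local account: {acct}"))
    for path, digest in sorted(current.executables.items()):
        old = baseline.executables.get(path)
        if old is None:
            findings.append(("MEDIUM", f"new executable: {path}"))
        elif old != digest:
            findings.append(("HIGH", f"executable modified: {path}"))
    for path in sorted(baseline.executables.keys() - current.executables.keys()):
        findings.append(("LOW", f"executable removed: {path}"))
    if baseline.firewall_enabled and not current.firewall_enabled:
        findings.append(("HIGH", "host firewall disabled"))
    for proto, port in sorted(current.listeners - baseline.listeners):
        service = REMOTE_ACCESS_PORTS.get(port)
        tag = f" ({service})" if service else ""
        findings.append(("HIGH" if service else "MEDIUM",
                         f"new listener {proto}/{port}{tag}"))
    for image in sorted(current.processes - baseline.processes):
        if image not in baseline.executables:   # running, never inventoried
            findings.append(("MEDIUM", f"process from unbaselined image: {image}"))
    return findings


# Constructed sample snapshots (not real hosts): an engineering workstation's
# approved baseline, and the same host after the intrusion steps above.
BASELINE = Snapshot(
    accounts={"Administrator", "operator", "svc_historian"},
    executables={r"C:\Windows\System32\svchost.exe": "a" * 64,
                 r"C:\ICS\Historian\collector.exe": "b" * 64},
    listeners={("tcp", 135), ("tcp", 445)},
    firewall_enabled=True,
    processes={r"C:\Windows\System32\svchost.exe", r"C:\ICS\Historian\collector.exe"},
)
AFTER = Snapshot(
    accounts={"Administrator", "operator", "svc_historian", "support_tmp"},
    executables={r"C:\Windows\System32\svchost.exe": "a" * 64,
                 r"C:\ICS\Historian\collector.exe": "c" * 64,   # patched in place
                 r"C:\Users\Public\vpnclient.exe": "d" * 64},   # dropped by intruder
    listeners={("tcp", 135), ("tcp", 445), ("tcp", 3389)},
    firewall_enabled=False,
    processes={r"C:\Windows\System32\svchost.exe", r"C:\ICS\Historian\collector.exe",
               r"C:\Users\Public\vpnclient.exe", r"C:\Temp\tool.exe"},
)


def run_example():
    """Diff the two constructed snapshots (seven findings expected)."""
    return diff_snapshots(BASELINE, AFTER)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

On a real host the Snapshot is filled from the local account list, hash_tree() over the program directories, the listening-socket table and the firewall state, and the baseline is stored next to the approved change record, so that a legitimate configuration change can be told apart from one that happened "mysteriously".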