In recent years, the number of incidents in critical infrastructure networks and industrial systems has increased significantly. There have been attacks of high complexity, carried out with detailed knowledge of the affected elements and of how to take advantage of the historical deficiency in security implementations that these types of networks have. This generates a high risk to the lives of the people who work in these industries or who depend on them, as well as to the critical infrastructures of the countries.
In previous articles we have talked about how industrial networks base their security on keeping industrial systems isolated. This is what we know as the air gap, but it is increasingly unrealistic and inefficient. The false sense of security generated by this isolation has allowed cyberattackers to take advantage of remote control tools (RATs) to infiltrate IT networks and reach OT networks, from where they exploit the vulnerabilities of industrial systems without being detected.
Security measures have been somewhat delayed in reaching these types of environments due to a lack of knowledge of OT cybersecurity, to the separation that exists in companies between IT and OT teams, or simply because of the erroneous assumption that these devices cannot be reached by criminals. However, earlier this year, MITRE published a version of its framework known as ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) that specialises in industrial control systems.
This matrix has been very important in the investigations of incidents that have occurred in the last six months, as our partner Nozomi Networks indicates in its report for the first half of 2020. This report points out how the COVID-19 pandemic is being used to carry out ransomware and botnet expansion attacks on OT and IoT systems, as well as analysing the tactics and techniques used for this purpose.
Case Study with MITRE ATT&CK Step by Step
To understand how this matrix is applied, it is best to analyse an attack with it. In this case we will take an advanced persistent threat (APT) called GreyEnergy, which was made public in November 2018 but whose first detections date back to incidents on Poland's electricity grid in 2015 and, later, to incidents in the financial sector during 2018.
The initial attack used a technique that is well known to all of us who work in security and to which all Internet users are permanently exposed, which is phishing. It is also a technique whose use has increased significantly in this time of pandemic. Therefore, the initial access on the ATT&CK map is in the SpearPhishing Attachment, as the attack begins with a Word document containing a malicious macro with the necessary commands for the following execution, evasion and persistence phases.
Since the malicious payload is in a macro, which requires user interaction, the User Execution section on the ATT&CK map must be marked. In order to achieve persistence, the malware searches for vulnerable web servers in which to hide, managing to camouflage itself in the network. Therefore, Hooking in Persistence and Masquerading in Evasion are marked on the ATT&CK map, the latter due to the packer it uses to hide the real malicious code.
To detect targets within the affected network, the malware uses several widely known tools that can be grouped under Discovery in the ATT&CK map, such as Network Service Scanning and Network Sniffing. In this way it manages to detect the vulnerable services mentioned above for lateral movement, which in the ATT&CK map would be Exploitation of Remote Services.
For command execution it uses a technique well known among C&C systems, which is to deploy a proxy within the network to redirect requests to external equipment, hiding its traffic from network security monitoring systems among the internal traffic. Therefore, in the Inhibit Response Function phase, Program Download and Alarm Suppression are marked on the ATT&CK map, since the malware uses an external program such as the proxy and suppresses the alarm by hiding in internal traffic.
The last two phases within the ATT&CK map are more complex to analyse because, as this is a modular malware, the control process it aims to damage may change from case to case and, therefore, so may its final impact. However, in the samples collected, it was found that they sought to stop services by wiping the hard disks of the human machine interface (HMI), so the final impact would be damage to property or denial of control. Thus, what we should mark would be Service Stop and Damage to Property.
In industrial networks this impact is very critical, because when control or visibility of the operation is lost, there is no other way out than an emergency stop of the service to mitigate the possibility of human loss, environmental damage or physical damage, which usually generates very serious economic and reputational losses for the companies affected.
As can be seen, MITRE ATT&CK makes it possible to clearly identify the tactics and techniques used by cybercriminals in cyberattacks aimed at industrial environments. It also provides access to common information gathered from other incidents, which helps in the deployment of specialised monitoring systems and the application of threat intelligence to minimise the impact of an incident.
In each of the phases there are possible indicators of compromise, such as the hash of the file used in phishing (f50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321) where, as seen below, the macro contains the malware. This would have been detected with our DIARIO tool and the control systems would have made it possible to avoid the start of the incident.
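As an added illustration of the detection point just made (this is example code written for this article, not the DIARIO tool or any GreyEnergy code), the following Python triage routine combines two checks a defender would apply to a suspicious Office attachment: matching its SHA-256 against the known indicator quoted above, and inspecting the OOXML container for an embedded VBA project, which is what turns a Word document into a macro carrier. The sample documents it builds are constructed in memory purely to exercise the checks.

```python
import hashlib
import io
import zipfile

# SHA-256 of the GreyEnergy phishing document, as quoted in the article.
KNOWN_BAD_SHA256 = {
    "f50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321":
        "GreyEnergy phishing document",
}

# Office Open XML part names that indicate embedded VBA macro code.
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_vba_macro(data: bytes) -> bool:
    """Return True if an OOXML document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return False  # not OOXML (e.g. legacy OLE .doc); out of scope here
    return any(part in names for part in MACRO_PARTS)


def triage_attachment(data: bytes) -> dict:
    """Combine hash-based IoC matching with a macro-presence check."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "ioc_match": KNOWN_BAD_SHA256.get(digest),
        "has_macro": has_vba_macro(data),
    }


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, used only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_attachment(build_sample_docm(flag)))
```

A macro-bearing document whose hash is not yet in the indicator list is still flagged by the second check, which is the point of not relying on hashes alone.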
This methodology makes it possible to secure the three stages of industrial systems control, as we explained in the introductory articles on industrial systems a few years ago. Correct measurement of data must be ensured so that the evaluation and processing of that data guarantees compliance with safe working standards.
Due to the severity that an incident in industrial environments can cause, it is essential that these security frameworks are considered in such environments so that the monitoring and response to cyberincidents, as well as remote control systems, manage safety requirements more successfully and avoid literally putting lives at risk.