SearchSecurity and other publications, October 24, 2017: Atiq Raza and Satya Gupta comment on DHS and FBI APT warnings
The Department of Homeland Security (DHS) issued an alert on Friday, October 20, stating that an advanced persistent threat (APT) group -- called Dragonfly in a September report from Symantec -- has targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors with specific focus on industrial control systems (ICS).
The Dragonfly attackers use a multi-stage approach to steal login credentials. They first comb a company’s public-facing website for sensitive information they can turn to their advantage. In one example, the attackers took a publicly accessible photo from a company HR page that showed control systems equipment models in the background and used it as part of a phishing campaign.
Attacks Include Spear Phishing, Altered Web Sites and Login Credential Hijacking
A further layer of victims consists of third-party supplier sites that the attackers turn into watering holes, including trade publications and information websites related to ICS or critical infrastructure that host legitimate information from reputable organizations. Through phishing, the threat actors lure victims to these sites, which contain malicious content designed to capture the victims’ login credentials. The stolen credentials are then used to gain access to victims’ networks where multi-factor authentication isn’t in use, and from there to seek out file servers, SCADA systems and other information on the victim’s network.
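The gap the alert points at, stolen credentials succeeding wherever MFA is not enforced, is something defenders can look for in their own authentication logs. The following Python script is an added example, not code from the original article, DHS, Symantec or Virsec: it parses constructed key=value login records, flags successful logins that completed without MFA from outside assumed trusted address ranges, and groups those hits by source address so that a single pivot host authenticating as several accounts stands out. The log format, field names and trusted ranges are assumptions made for this example.

```python
"""
Triage of authentication log lines for the credential-reuse pattern in the
DHS alert: stolen credentials used against a network segment where
multi-factor authentication is not enforced.

Added illustration, not the article's or any vendor's code. The log format,
the field names and the "trusted" address ranges are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed log format: key=value pairs, one authentication event per line.
# These lines are constructed sample data, not real logs.
SAMPLE_LOG = """\
ts=2017-10-20T08:02:11Z user=jsmith src=10.20.4.17 result=success mfa=true
ts=2017-10-20T08:05:42Z user=jsmith src=10.20.4.17 result=success mfa=true
ts=2017-10-20T21:14:03Z user=jsmith src=203.0.113.45 result=success mfa=false
ts=2017-10-20T21:15:10Z user=svc-historian src=203.0.113.45 result=success mfa=false
ts=2017-10-20T21:16:55Z user=mlee src=10.20.4.88 result=failure mfa=false
ts=2017-10-21T09:30:00Z user=mlee src=10.20.4.88 result=success mfa=true
"""

# Assumed internal ranges (RFC 1918 space used as a stand-in for a real
# corporate allow-list).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value log line into a dict; return None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"ts", "user", "src", "result", "mfa"}
    if not required.issubset(fields):
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
    except ValueError:
        return None
    fields["mfa"] = fields["mfa"].lower() == "true"
    return fields


def is_trusted(addr):
    """True if the address falls inside one of the assumed trusted ranges."""
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_logins(log_text):
    """
    Return (findings, per_source): findings is a list of (user, src, ts)
    for successful logins that completed without MFA from an untrusted
    source; per_source maps each such source address to the sorted list
    of accounts it authenticated as, so a shared pivot host is visible.
    """
    findings = []
    by_source = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "success":
            continue
        if not ev["mfa"] and not is_trusted(ev["src"]):
            findings.append((ev["user"], str(ev["src"]), ev["ts"]))
            by_source[str(ev["src"])].add(ev["user"])
    return findings, {src: sorted(users) for src, users in by_source.items()}


if __name__ == "__main__":
    hits, per_source = find_suspicious_logins(SAMPLE_LOG)
    for user, src, ts in hits:
        print(f"{ts} {user} from {src}: success without MFA from untrusted source")
    for src, users in per_source.items():
        if len(users) > 1:
            print(f"{src} authenticated as {len(users)} accounts: {', '.join(users)}")
```

On the sample data the script reports two non-MFA successes from the same external address, one of them a service account, which is the shape of the pivot the alert describes; in practice the trusted-range list and the MFA field would come from the identity provider's own export.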
The DHS alert says in part: "The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks … The threat actor uses the staging targets' networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks."
While DHS Alerts Are Well and Good, Many Say They Are Insufficient
Satya Gupta, Virsec Systems founder and CTO, told SC Media, “While the DHS warnings are warranted, their specific security recommendations are inadequate. The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted. Security focus needs to shift from the network perimeter to the applications themselves.”
Virsec Systems CEO Atiq Raza shared with eSecurity Planet that the attack methodology described in the alert fits an increasingly common pattern. "Rather than directly attacking high security networks, hackers are doing careful reconnaissance of connected third parties, staging servers or watering holes for insiders," he said. "Once hackers steal credentials, or find a less secure backdoor, they can quickly pivot to more secure servers, bypassing traditional network perimeter security."
"IT security needs to assume the perimeter is porous and focus more directly on guarding sensitive applications and data," Raza added.
Satya Gupta also told SearchSecurity (TechTarget) and Utility Dive that the DHS security recommendations are warranted but inadequate, agreeing with Raza that perimeters are inevitably porous, and that “the air-gaps that many ICS systems were designed around have disappeared." Gupta reiterated that our security focus must shift to applications themselves. “By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads."