My Insights on the 2020 OT Threat Landscape, Based on 2019’s Threat Analysis Reports

Rani Kehat, Radiflow VP Business Development

As 2019’s Threat analysis reports are made available, I’d like to share my insights with the ICS community.

Vulnerabilities
The 2019 reports indicate that new IT vulnerabilities are down by around 20% from 2018.

The estimated number of published OT vulnerabilities that are actuality exploitable varies. A survey by researchers from Virginia Tech and other research institutes estimating that “5.5% of all 100,000+ vulnerabilities contained in the National Vulnerability Database have been exploited in the wild” (source: Fortinet).

The European Union Agency for Cybersecurity (ENISA) claims that “at least 8.65% of vulnerabilities are exploitable… this number is expected to be higher due to zero-day exploits and the incompleteness of the datasets” (source: ENISA). It should be noted that this figure refers to both OT and IT vulnerabilities.

[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]

My educated guess is that 5.5% is indeed a likely ball-park figure for OT vulnerabilities.

Bear in mind that historically, whenever a vulnerability is assigned a high CVSS score, we can expect to see an exploit running in the wild very soon after.

Tactics Techniques and Procedures

• Many 2019 reports point out a rise in masquerading. This is done, for example, to steal log-on IDs and passwords or find security gaps in programs. In addition, we’ve also observed a rise in the use of SMB protocol exploitation (e.g. EternalBlue).
• According to Crowdstrike’s report, there has been a rise in malware-free attacks. Malware-free attacks are attacks where the initial tactic did not result in a file or file fragment being written to disk, for example attacks where code executes from memory or where stolen credentials are used for remote login using known tools.
• “Hands-on-keyboard” techniques have also been on the rise, including command-line interface attacks, PowerShell and credential theft, credential dumping, and account discovery.
• The hacking “industry” is transitioning to an outsourced service model. This model includes Ransomware-as-a-service (RaaS) (e.g. LockerGoga that attacked ICS manufacturing facilities), Malware-as-a-service (MaaS), and Download-as-a-Service (DaaS).
• Finally, there has been a prolific use of network shell commands, RDP, RATs, Active directory scanners, network protocol vulnerability exploitation, non-secure DNS manipulation (DNS tunneling, Anchoring), and RCE remote code execution.

2019 OT Advisories and Increase in Attacks
All the 2019 reports I have read were unequivocal about the rise of attacks on the ICS sector. Moreover, in a recent survey of OT leaders, 77% of respondents said they had experienced a malware intrusion in the past year, and half experienced between three and ten (source: Fortinet).

The Tactics, Techniques and Procedures (TTP’s) aimed at the ICS environment that made the headlines were BitPaymer, Ryuk, and LockerGoga.

• BitPaymer – BitPaymer is a Ransomware that collects data such as Active Directory (AD) credentials, private user data and lists of all computers on the network. BitPaymer uses the PowerShell Empire tool for lateral movement in the network.
• Ryuk – Ryuk is a ransomware that resembles and is probably somewhat based on BitPaymer. It uses TrickBot modules (e.g. pwgrab) to execute credentials theft, and PowerShell Empire traffic for reconnaissance and lateral movement.
• LockerGoga – uses the PsExec (a sys-admin tool) to perform reconnaissance and lateral movement in the network. Since LockerGoga neither gives the victims a chance to recover the files nor specifically asks for payment, it is likely intended to disrupt operations.

My Insights and Takeaways:

If indeed only 5-8% of vulnerabilities are actually exploited, we should shift our attention to:

• Focusing on threat intelligence (TI) and contextual information about your sector, geo-location, and possible threat adversaries.
• Developing smart algorithms to calculate the probability of possible exploitation and attack vectors, using MITRE ATT&CK as well as your own penetration test (PT) experience. This will help to understand what aspect of the network is actually exploitable, what needs to be addressed immediately and what actions can be postponed.
  Developing a solid risk-based cyber security policy and cyber-security management system (CSMS) to patch or work-around what the security concerns that matter the most.
• Lastly, for threats with high CVSS scores: if an exploit hasn’t already occurred, it is soon to come.
• The rise of OT-focused adversaries and reported attacks using a variety of masquerading techniques brings home the importance of implementing anomaly detection in production networks. Adversary lateral movement from enterprise to production zone is a given fact. ICS environments do not always lend themselves to EDR and inline prevention and detection systems, so OT operators should adopt a hybrid solution: the best passive and active detection solution available, applying EDR where possible and passive monitoring as needed in the production environment.
• The rise of malware-free attacks in 2019-2020 implies that even in ICS systems with no known vendor vulnerabilities, other hacking techniques such as credential theft, escalation of privileges, exploitation of network services and exploitation of admin tools will continue. This trend stresses the need to adopt a risk-based approach that continually simulates movement in the network and calculates the probability of a breach.
• Unfortunately, the move to service-based operation (XaaS) by criminal groups and the rise of criminal interest in the ICS sector suggests a rise in attacks in 2020, as the “membership fee” to become an ICS cybercriminal has gone down significantly.

Meeting the challenges – Radiflow’s solution
Radiflow’s iSID Industrial Threat Detection System and iRISK Industrial Risk Analytics provide a holistic solution to the trends I have listed.

• Detecting lateral movement inside the network: iSID is able to detect lateral movement between different OT network zones (west to east) and from the enterprise to the production networks (north to south), as is the MO of the LockerGoga Ransomware and other types of malware.
• Anticipating malware-free attacks: iRISK uses the MITRE ATT&CK methodology to simulate different attack vectors to calculate the likelihood of possible exploitation and attacks. This is a key element in understanding the OT network’s actual exposure to risk and subsequently optimizing risk mitigation expenditure.
• Detection of abnormal network activity: iSID continuously monitors all network assets for changes and abnormal communications that may indicate malicious activity in the form of network shell commands and other attempts to breach the network.
• Cyber Security as a Service – using an MSSP: Just as more and more cyber attacks originate from attacker services (XaaS), so has network monitoring and alerting. The use of MSSPs (Managed Security Services Providers) is becoming a popular alternative to setting up an in-house network monitoring operation for organizations that lack both the capital and the expertise in industrial cyber-security. Radiflow’s iSID can be easily deployed per-customer or customer network at an MSSP SOC, with central monitoring and management of all iSID instances through the iCEN management system.

****

Rani Kehat is Radiflow’s V.P. Business Developement. His experience spans various disciplines including risk management, GRC and cyber security defense and advising and supporting various industries including Critical Information Infrastructures and ICS environments.