industry unlocked including the Cybereason platform. Cybereason was intentionally installed in a way that made removing it simple. This was a test to gauge the attackers’ skills. Cybereason was installed again with some hardening but still below the level that is recommended in a deployed environment.

The goal was to further assess the attackers’ capabilities. They were able to disable the hardened version of Cybereason. After that incident, the platform was installed a third time based on recommended guidelines and the attackers were not able to deactivate it.
After disabling the security software, they used Active Directory to conduct network discovery. They enumerated all accounts in Active Directory and looked for technical data files. These files, which had been planted on the machine, included information such as the operational status of devices, and they were exfiltrated from the honeypot. The attackers also discovered ICS assets such as the HMI and controller components of the OT environment. The adversaries were interested only in ICS assets: they did not access any other systems, and once they had discovered the ICS assets they showed no interest in anything else. They focused on attempting remote execution on ICS endpoints. The firewall prevented them from taking that step, but the attackers knew how to circumvent these security measures.
Ain’t no security measure strong enough to keep me from you
After being stymied by the firewall, the adversaries began using multipoint network reconnaissance. This approach assumes that different assets in an environment are subject to different firewall policies. For example, the domain controller may have restrictive policies for traffic through the firewall, while the policies for the administration console interacting with the ICS environment are not as strict. With multipoint network reconnaissance the attackers move laterally to multiple assets and run parallel network scans from each of them to locate an asset with more relaxed policies for interacting with the HMI and OT computers.
As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments.
The attackers moved from the remote server to the SharePoint server, to the domain controller, to the SQL server, running network scans from each to determine whether one of these assets would allow them to access the ICS environment. Instead of scanning the full network, the attackers focused on scanning for assets that would give them access to the HMI and OT computers.
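The pattern described above leaves a distinctive trace for defenders: several different IT hosts probing the same ICS addresses through the firewall within a short period, with at most one of them getting through. The following is an added example (not code from the article or from Cybereason) that flags that multipoint pattern in a constructed firewall log; the ICS subnet, the log format and the sample addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

ICS_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed OT/ICS address range
SCAN_THRESHOLD = 3   # distinct ICS hosts probed from one source counts as a scan

# Constructed firewall log ("src dst port action"): three IT hosts probe the
# same ICS targets; only the third one (the relaxed policy) is allowed through.
LOG = """\
10.1.0.5 10.20.1.10 502 DENY
10.1.0.5 10.20.1.11 502 DENY
10.1.0.5 10.20.1.12 44818 DENY
10.1.0.20 10.20.1.10 502 DENY
10.1.0.20 10.20.1.11 502 DENY
10.1.0.20 10.20.1.12 502 DENY
10.1.0.40 10.20.1.10 502 ALLOW
10.1.0.40 10.20.1.11 502 ALLOW
10.1.0.40 10.20.1.12 502 ALLOW
10.1.0.50 10.20.1.10 502 DENY
10.1.0.50 10.1.0.60 445 ALLOW
"""

def parse(log):
    for line in log.splitlines():
        src, dst, port, action = line.split()
        yield src, ipaddress.ip_address(dst), int(port), action

def ics_scanners(log, threshold=SCAN_THRESHOLD):
    """Map each source to the ICS hosts it probed and whether any probe was
    allowed; sources that touched fewer than `threshold` ICS hosts are dropped."""
    per_src = defaultdict(lambda: {"targets": set(), "allowed": False})
    for src, dst, port, action in parse(log):
        if dst not in ICS_NET:
            continue                      # IT-to-IT traffic is out of scope
        per_src[src]["targets"].add(dst)
        per_src[src]["allowed"] |= action == "ALLOW"
    return {s: r for s, r in per_src.items() if len(r["targets"]) >= threshold}

def find_multipoint_recon(log, threshold=SCAN_THRESHOLD):
    """Return {src: {"targets": n, "allowed": bool}} when two or more distinct
    IT hosts scanned the ICS range (the multipoint pattern), otherwise {}."""
    scanners = ics_scanners(log, threshold)
    if len(scanners) < 2:
        return {}                          # a lone scanner is an ordinary port scan
    return {s: {"targets": len(r["targets"]), "allowed": r["allowed"]}
            for s, r in scanners.items()}

if __name__ == "__main__":
    for src, r in find_multipoint_recon(LOG).items():
        flag = "REACHED ICS" if r["allowed"] else "blocked"
        print(f"{src}: {r['targets']} ICS hosts probed, {flag}")
```

The host reported as having reached the ICS range is the one whose firewall policy needs review, since it is the gateway the scans were looking for.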
“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said.
What does this mean for security professionals?
Barak suggests that organisations and companies with ICS environments operate a unified SOC that provides visibility into both the IT and OT environments. As the honeypot demonstrated, attackers are looking to use IT environmen