Intelligent CISO Issue 06 | Page 46

industry unlocked

including the Cybereason platform. Cybereason was intentionally installed in a way that made removing it simple. This was a test to gauge the attackers’ skills. Cybereason was then installed again with some hardening, but still below the level recommended for a deployed environment, to further assess the attackers’ capabilities. They were able to disable the hardened version of Cybereason. After that incident, the platform was installed a third time following the recommended guidelines, and the attackers were not able to deactivate it.

After disabling the security software, they used Active Directory to conduct network discovery. They enumerated all accounts in Active Directory and looked for technical data files. These files, which had been planted on the machine, included information such as the operational status of devices, and they were exfiltrated from the honeypot. The attackers also discovered ICS assets such as the HMI and controller components of the OT environment.

The adversaries were only interested in ICS assets; they didn’t access any other systems. After discovering the ICS assets, the attackers showed no interest in the other assets and focused on attempting remote execution on ICS endpoints. The firewall prevented them from taking that step, but the attackers knew how to circumvent these security measures.

Ain’t no security measure strong enough to keep me from you

After being stymied by the firewall, the adversaries began using multipoint network reconnaissance. This approach assumes that different assets in an environment are subject to different firewall policies. For example, the domain controller may be subject to restrictive firewall policies, but the policies governing the administration console’s interaction with the ICS environment may not be as strict.
With multipoint network reconnaissance the attackers move laterally to multiple assets and run parallel network scans to locate an asset with more relaxed policies for interacting with the HMI and OT computers.

As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments. The attackers moved from the remote server to the SharePoint server, to the domain controller, to the SQL server, running network scans from each to determine whether one of these assets would allow them to access the ICS environment. Instead of scanning the full network, the attackers focused on scanning for assets that would give them access to the HMI and OT computers.

“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said.

What does this mean for security professionals?

Barak suggests that organisations and companies with ICS environments operate a unified SOC that provides visibility into both the IT and OT environments.
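One way a unified SOC could surface the multipoint reconnaissance pattern described above, as an added example that is not part of the article or of Cybereason’s product: correlate firewall logs and alert when several distinct internal hosts each probe the OT/HMI subnet within a short window, and separately list which hosts the firewall actually let through to OT (the relaxed-policy pivots). The log format, host addresses and the 10.9.0.0/24 OT subnet are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed firewall log lines (assumed format); 10.9.0.0/24 stands in for the OT/HMI subnet.
SAMPLE_LOGS = """\
2019-05-01T10:00:01 src=10.1.1.20 dst=10.9.0.5 dport=502 action=DENY
2019-05-01T10:00:02 src=10.1.1.20 dst=10.9.0.6 dport=502 action=DENY
2019-05-01T10:00:03 src=10.1.1.20 dst=10.9.0.7 dport=44818 action=DENY
2019-05-01T10:00:40 src=10.1.1.30 dst=10.9.0.5 dport=502 action=DENY
2019-05-01T10:00:41 src=10.1.1.30 dst=10.9.0.6 dport=502 action=DENY
2019-05-01T10:00:42 src=10.1.1.30 dst=10.9.0.8 dport=3389 action=DENY
2019-05-01T10:01:10 src=10.1.1.40 dst=10.9.0.5 dport=502 action=ALLOW
2019-05-01T10:01:11 src=10.1.1.40 dst=10.9.0.6 dport=502 action=ALLOW
2019-05-01T10:01:12 src=10.1.1.40 dst=10.9.0.7 dport=102 action=ALLOW
2019-05-01T11:30:00 src=10.1.1.50 dst=10.9.0.5 dport=502 action=ALLOW
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
OT_PREFIX = "10.9.0."   # assumed OT/HMI subnet

def ot_events(logs):
    """Parse lines and keep only traffic aimed at the OT subnet, sorted by time."""
    out = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).startswith(OT_PREFIX):
            ts, src, dst, port, action = m.groups()
            out.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return sorted(out)

def multipoint_recon(logs, window=timedelta(minutes=10), min_sources=2, min_targets=3):
    """Alert when, inside one window, >= min_sources distinct internal hosts each
    probe >= min_targets distinct OT hosts (the parallel-scan pattern)."""
    events, alerts, i = ot_events(logs), [], 0
    while i < len(events):
        start, targets, j = events[i][0], defaultdict(set), i
        while j < len(events) and events[j][0] - start <= window:
            targets[events[j][1]].add(events[j][2])   # src -> OT hosts touched
            j += 1
        scanners = sorted(s for s, d in targets.items() if len(d) >= min_targets)
        if len(scanners) >= min_sources:
            alerts.append((scanners, start, events[j - 1][0]))
            i = j          # report each window once
        else:
            i += 1
    return alerts

def permissive_pivots(logs):
    """Internal hosts the firewall actually let through to OT: the relaxed-policy
    assets an attacker would pivot from, and the first place to tighten rules."""
    return sorted({e[1] for e in ot_events(logs) if e[4] == "ALLOW"})
```

Denied probes alone already show the scanning; the ALLOW entries are what identify the asset whose firewall policy is looser than the rest.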