It is critically important for organisations to know how cyber criminals target their victims, says Joseph Carson, chief security scientist and advisory CISO at privileged access management firm Thycotic.
“Knowing how cyber criminals abuse security and gain access to systems containing sensitive information helps organisations understand how they could become a target, and what they can do to reduce the risk and make it more challenging for attackers,” he told the 9th annual World Cyber Security Technology Research Summit, hosted by the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.
To illustrate this, Carson walked through a penetration-testing exercise he conducted at a modern power station on behalf of a government to test the resiliency of some critical national infrastructure, noting that cyber criminals do not always have to use the most sophisticated hacking techniques.
“In most cases, they use the simplest, easiest techniques and typically choose those that are the ‘least noisy’ and involve the least cost,” he added.
Step 1: Reconnaissance
The first and most important step for any attacker or ethical hacker is reconnaissance, said Carson. In the case of the power station, this was challenging because the physical security barriers enclosing the security perimeter made it impossible to get near enough to scan for Wi-Fi access points, he added.
“Reconnaissance is the most critical task, but it is not something many cyber defenders think about or talk about,” he said, adding that when planning a penetration test, 90% of the time spent on the task goes on reconnaissance, which typically involves searching open source information to create a “digital blueprint” of the target before touching any of the target’s infrastructure.
This public information is contained in the target organisation’s website, recruitment websites and the CVs of employees, as well as their social media accounts.
“This tells me what types of security skills the target organisation has, what skills they are looking for, what types of hardware they are using, and the suppliers they are using,” said Carson.
In the case of the power station, Carson was able to identify the industrial control systems being used and therefore what emulation software and documentation to download.
“From open source material, I was able to gain a large enough footprint and understanding of the target, its suppliers and its employees,” he said.
Step 2: Access
This step typically involves a phishing campaign to trick people into providing their user credentials for accessing systems, and it is the route that most cyber attackers use. But in the case of the power station, Carson said there were too few staff to target without arousing suspicion or raising alarms.
“I once achieved a 99% success rate on a bet with a government that I would not be able to get the user credentials of all members of a target group of employees. I used a bogus speeding fine notification and pressured recipients into acknowledging receipt of the notification to avoid an increase in the fine,” said Carson.
The emails were sent late on a Friday afternoon, which meant that recipients had no way of using the legitimate contact details included in the email for the traffic police until the Monday.
“The only reason we did not achieve 100% success was that one staff member did not check his email until he got into the office on Monday morning, so while I did not win the bet, it underlines the importance of organisations putting controls around emails to reduce the potential impact of phishing campaigns significantly,” said Carson, noting that according to the latest Verizon Data Breach Investigations Report (DBIR), email continues to be the top method for attackers to gain access to target IT systems.
Step 3: Explore IT environment
Having decided a phishing campaign would be “too noisy”, especially as staff at the power station had received cyber awareness training in the past year, Carson turned his attention to the power station’s supply chain and applied for jobs at various suppliers, including maintenance firms.
Capitalising on the fact that a film crew was due to visit the power station, Carson posed as a photographer documenting the filming project. In this way, he was able to gain access to the power station to take photographs of equipment and screen displays, as well as smuggle in surveillance equipment without any checks and gain access to the generators.
This meant that it was unnecessary to use exploits of any of the applications or operating systems in the power station to explore the IT environment, but Carson highlighted that when this approach is necessary, he tries to use existing systems in the target organisation to achieve his aims (like most attackers).
“Wherever possible, I try not to introduce anything into the environment by using things like Microsoft’s System Center and PowerShell, as well as their vulnerability scanners and security information and event management systems,” said Carson.
“I will hide in the organisation’s own applications under the guise of legitimate network traffic, because introducing anything new increases the risk of being detected.”
Step 4: Elevate privileges
All IT systems and industrial control systems, ports and cabling within the power station were secured with expensive measures to block any physical access, complete with “advanced threat protection” stickers.
Despite this, Carson said he was able to find a document listing the usernames, passwords and IP addresses of staff members, which provided access to all systems, even with administrator-level privileges.
“From this, I was able to tell that the industrial control systems were still using default credentials four years after installation, because they were the same as those I used for the emulation software,” said Carson.
“Once again, this showed that the most basic things are often overlooked, and this is typically because systems are taken from test environments and put into production without going through security controls and checking that systems are configured securely,” he said, adding that usernames and passwords should not be all that is protecting sensitive systems.
A few days later, Carson presented his findings to the board of the power station. These covered access to the controls on generators, supply chain vulnerabilities arising because the power station was not doing background checks on people coming in or checking the equipment they were bringing with them, and the use of default credentials.
However, despite the findings, the budget request by the power station’s CISO for additional security measures was declined.
“According to the CEO and CFO, this was because we had gone in with the standard security approach of fear by talking about threats, vulnerabilities and technologies instead of talking about cost, the return on investment, about how additional security expenditure was going to help employees be successful.
“The role of cyber security, they said, is to enable employees to do their jobs better by using enabling technologies securely. So they asked us to revise our presentation and try again.”
Using the default credentials, Carson said he was able to add to his initial findings, but when he and the CISO spoke to the board the second time around, they talked about the cost of doing nothing and the cost of addressing the risk, and compared the difference with the cyber insurance coverage.
“We also talked about how the proposed changes would make employees safer and be more successful in what they were doing. We talked about business risks and the return on investment, the savings and cyber insurance coverage. That is what boards really listen to.
“As security professionals, our job is not to solve cyber security, it is to look at the business risk and apply our knowledge on how to reduce that risk. Going forward, we need to focus purely on business risk because that is the way to get the budget and support from the board to make changes.”
The top lessons to be learned from this power station example, said Carson, are that security professionals need to focus on solving business risks and to take a “people-centric” approach to security. “Security needs to be easy to use, so we have to reject complexity,” he added.
Other key lessons include that supply chain is a major risk that should be understood and needs controls in place; multifactor authentication needs to be standard for all privileged access and all email accounts; management and security of privileged accounts should be automated; and employees should be empowered to ask for security advice and talk about security concerns.
“Ultimately, cyber security can be successful only if we focus on the business first,” said Carson.