APTs in critical infrastructure organizations
Utilities and other critical infrastructure organizations can no longer ignore the numbers: Three of four energy companies and utilities have suffered at least one data breach in 12 months, according to a survey released last year by the Ponemon Institute. Clean-up costs average $156,000 per incident. And nearly 70 percent of IT security practitioners at these businesses feel that another attack in the near future is unavoidable. The statistics are even worse for financial institutions, and so are the costs of a breach.
Why? Because managers don't understand or appreciate the value of IT security, according to seven of 10 survey participants.
There's more: The Repository of Industrial Security Incidents (RISI) reports that 60 intrusions involving power plants and other industrial control systems have surfaced within the last decade, costing time, property and even lives. One resulted in $10 million in damages, and the report's authors conclude that the growing sophistication shown by incidents like Stuxnet, Ghostnet and others will only raise the potential for future consequences.
Perhaps most telling is the reaction of Ty Moser, the network and smart-grid analyst for Salt River Project, a large public power utility and water supplier in Arizona that got hit by the “Here You Have” virus. Moser said that anti-virus software did virtually nothing to thwart the intrusion. “It wasn't any help,” he said. Most security experts today will tell you that anti-virus and anti-malware programs are nothing more than a speed bump.
All of this should amount to a major wake-up call for energy companies and utilities. But many fail to grasp how very “real” the threats are. They refuse to acknowledge that everything controlled by industrial control systems or SCADA (supervisory control and data acquisition) systems – the energy we use every day, the water we drink, the gas in the pipelines that fuels our cars – presents a prime opportunity for attackers. Gain access to the control systems and you've penetrated a “crown jewel” target. You now command the power to unleash a crippling attack – not only on the utility, but on an entire region, if not the nation.
Yet there's a continued lack of understanding about the current threat landscape: the players involved, their motivations, the prevalence of vulnerabilities and attack vectors, and ultimately advanced persistent threats (APTs). This isn't about teenagers with multiple piercings hacking in a basement anymore. It's about sophisticated, underworld operations – possibly aligned with a foreign state – that develop threats designed not simply to disrupt, but to steal valuable information or gain access so deep into a victim's environment that they essentially have full control.
They don't announce their presence with a bang either. They prefer to enter quietly through the back door, for example when a trusted network user unsuspectingly clicks on a cleverly disguised link, or through other social engineering attacks. Then they persist within the enterprise, burying themselves further into the environment and onto other trusted systems, keeping a low profile and communicating just like other “normal” network activity. They carry on in multiple forms, so that if you manage to spot one, you won't likely detect the others. I've personally seen malware found at a major infrastructure organization that was specifically configured for that organization's operating system configuration, using its exact system settings to avoid detection (this infection would not have worked on any other company's systems).
Which is why traditional defenses (anti-virus tools, firewalls, signature-based IDS, and more) offer little remedy, really. They are designed to trip up already known malware with a specific signature. They aren't capable of alerting IT managers or security analysts to the new wave of threats, whose traffic looks and acts like “normal” traffic. We've cautioned many help-desk supervisors about an infected system that we can see beaconing out to a C&C server or a botnet, for example, and they'll proceed to check it out (scan with several AV tools) and tell us that there isn't any detectable problem. That's when anti-virus prevention really operates as just a speed bump, not a safeguard.
So what's the solution?
First, come to the realization that – given the stakes with a utility – you oversee the most important of assets and, therefore, present the greatest appeal to the most advanced adversaries. Then, instead of taking the passive firewall/anti-virus/IDS approach, get proactive with full-packet capture and inspection along with other advanced techniques, such as advanced malware analysis and data/alert analysis based on patterns, baselines, statistics, and more.
Full-packet capture combines the oversight of people, processes and technology to help managers gain a complete view of the enterprise, capturing in most cases every packet that enters or leaves the network (usually at the main ingress and egress points or at the data center boundary). It requires a forensic-focused response that collects traffic data to analyze for subtle but troubling trends and patterns. When there's something unusual going on, managers shouldn't shut down the network, as Oak Ridge National Laboratory did last year after discovering network intruders. That knee-jerk reaction, unfortunately, results in the loss of all available data that can help you understand what's going on and who the attacker is (or at least the indicators of compromise) – and stop it in its tracks.
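The baseline-and-statistics analysis described above, applied to the beaconing case mentioned earlier, as an added example that is not from the original article: a detector that groups captured connection records by source and destination and flags pairs whose check-in intervals are too regular to be human traffic. The record format, hosts, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp source destination". ws-17 reaches
# 203.0.113.42 (documentation range) about every 300 s; ws-22 is irregular.
SAMPLE_CONNECTIONS = """\
2024-03-01T09:00:00 ws-17 203.0.113.42:443
2024-03-01T09:00:12 ws-22 198.51.100.7:443
2024-03-01T09:05:01 ws-17 203.0.113.42:443
2024-03-01T09:06:40 ws-22 198.51.100.7:443
2024-03-01T09:09:59 ws-17 203.0.113.42:443
2024-03-01T09:10:05 ws-22 198.51.100.7:443
2024-03-01T09:15:00 ws-17 203.0.113.42:443
2024-03-01T09:18:31 ws-22 198.51.100.7:443
2024-03-01T09:20:01 ws-17 203.0.113.42:443
2024-03-01T09:21:08 ws-22 198.51.100.7:443
2024-03-01T09:25:00 ws-17 203.0.113.42:443
2024-03-01T09:29:47 ws-22 198.51.100.7:443
"""

def parse_connections(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_events=5, max_cv=0.05):
    """Return {pair: mean period} for pairs whose gaps are nearly constant.

    Regular check-ins have a low coefficient of variation (stdev / mean) of
    the intervals between connections; interactive traffic does not. The
    thresholds are tuning assumptions, not a published standard.
    """
    suspects = {}
    for pair, times in parse_connections(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg and pstdev(gaps) / avg <= max_cv:
            suspects[pair] = round(avg, 1)
    return suspects

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: check-in every ~{period} s")
```

Because the check rests on timing rather than payload, it still works when the channel is encrypted or the malware is unknown to signature tools, which is the gap the article describes.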
So why isn't this the industry-standard approach now? Because it costs money and requires high-level skill sets. Given the very public nature of these companies, it's difficult to justify the spending without proving that it's worth the investment. Senior management concludes that complying with regulations from the North American Electric Reliability Corp. (NERC) and the Federal Energy Regulatory Commission (FERC) will suffice. But taking a strict “just meet compliance standards” position ensures that money only gets spent where a regulator says it needs to be spent.
It would better serve utilities to closely tie ROI to the reduction of risk. How much money do you lose with a breach? If you can document that it's well into six figures (as Ponemon reports), then you've taken the first, vital steps toward proper mitigation.
And, with full-packet capture and inspection performing as the backbone of such a mitigation effort, the bad guys will soon discover that their APTs are no longer simply navigating speed bumps within a utility's system. They're getting spotted on site, pulled over and taken out.