Cybersecurity company Dragos has identified a new approach by hackers who use publicly and semi-publicly available data to disrupt Industrial Control Systems (ICS). This marks a significant change from the manner in which adversaries target traditional enterprise resources, because of the legacy operating systems still in use across various critical infrastructure environments, and inadequate segmentation.
The Hanover, Maryland-based company observed adversaries conducting ICS-targeting activities that sought data about energy infrastructure and physical processes necessary to recover from a compromise, Dragos said. With the data, an adversary could target operational functions that are pertinent to recoverability to further the consequences of an attack.
The hackers use publicly and semi-publicly available data, referred to as open source intelligence (OSINT), culled from search engines, social media websites, job listings, company and news websites, usernames and passwords in public repositories dumped by adversaries or stored in GitHub, and other sources.
Understanding critical infrastructure can put an adversary at a tactical advantage in times of conflict to establish a foothold as a contingency option when conflict occurs, Dragos said in a blog post. With the OSINT data, adversaries may seek multiple types of information in an attempt to conduct reconnaissance on a target and create a plan of attack. By identifying this information and educating company personnel on the potential risks of public exposure, defenders can proactively assess or remove potential information that can be weaponized, it added.
Practicing defense in depth, including conducting OSINT risk assessments to strengthen external security postures, and limiting the ability for adversaries to use public information, can prevent initial access and movement within an operational environment.
Dragos’ red flag is not unwarranted. Last month, research carried out by Dragos and IBM Security X-Force revealed that disruptive ransomware attacks on operational technology (OT) are on the upswing, with the manufacturing and utilities sectors identified as the most targeted. The two companies suggested that the threat of attacks to ICS and OT-connected networks is likely to increase, as future attacks build on the new efforts of ransomware such as EKANS, capable of disrupting industrial processes. This trend is also driven by the pressure on companies to publicly report incidents of compromise.
To help mitigate these security risks in ICS environments, Dragos has created an OSINT collection risk framework to help defenders identify and restrict openly available information most valuable to adversaries intending to disrupt critical infrastructure, Dragos said. By identifying and prioritizing data that could be used in OSINT collection, defenders can establish methods to reduce the availability of potentially high-risk company and user data, and limit the information an adversary can use in a potential attack. The framework helps prioritize countermeasures and mitigations to deny an adversary the opportunity to use OSINT collection against a victim.
Source identification is an important step in the collection process. Defenders can use the resources to find relevant, publicly available information, the company added. Asset owners and operators should also consider information exposed by third-party entities that could be used in reconnaissance operations.
Information collection should focus on publicly available information that could be used to facilitate reconnaissance or attack development. Security teams should also identify gaps in security architecture, like remote login portals that lack strong passwords and multi-factor authentication (MFA), including remote desktop protocol and virtual private network services.
To enable asset owners and operators to better understand the risk that openly collected information poses to an organization, Dragos also developed the OSINT Collection and Risk Scoring Matrix. With this matrix, users can apply scores to identify information and the risk of an adversary using it against them. Once data is collected, users should determine how an adversary may use data to achieve objectives outlined in potential attack scenarios.
As information is assessed and scores assigned, defenders can adopt the Priorities of Defense and Mitigation (PODAM) table to visualize how collected data could be used, the value of the information, and if protections and mitigations are in place to address the potential risk, Dragos said. The PODAM table used to assess OSINT collection contains multiple examples and potential use cases for using OSINT, including target identification, exploitation, infrastructure development, delivery, capabilities development, and actions on the objective.
Conducting regular OSINT collection risk assessments as part of quarterly or bi-annually scheduled cybersecurity reviews can improve an organization’s safeguards against adversary misuse of publicly available information and exploitation of known vulnerabilities, Dragos said. The framework will also better identify potential risk to an organization, understand risk of publicly exposed data, and create risk mitigation strategies.
Once defense and mitigation priorities have been established, users must look at corrective actions to prevent or lower the risk of adversaries exploiting vulnerabilities, or using information identified in the previous stages of the assessment. These can include issuing patches to vulnerable hardware and applications, removing sensitive data from public websites or databases, implementing MFA to access documentation on cloud storage systems, and changing default passwords on devices within the ICS.