Attivo Networks Detects Attack at Major Petrochemical Company
Cyber risk to industrial sectors has grown and accelerated dramatically, led by ransomware impacting industrial processes and new activity from adversaries targeting Industrial Control Systems (ICS).
According to a Dragos ICS Cybersecurity 2020 report, most of its services clients had no visibility into their ICS environments and many of their customers did not monitor for threat activity inside their ICS networks.
Most companies have invested heavily in perimeter defenses, but in-network detection gaps remain, which leaves risk and exposure to attack. Internal network monitoring remains a challenging task, and while there are many ways to tackle this, most of them are resource-intensive solutions. Whether monitoring all internal network traffic and looking for anomalies, deploying internal IDS sensors and hoping to get signature alerts, or using analytics to identify bad actors, these solutions all require extensive time, effort, and resources to implement, tune, and maintain. Even then, inaccurate alerting with false positives still occurs. Organizations need a different approach and are turning to deception technologies to help.
Modern deception technologies stand guard over internal networks with low noise, effort, and maintenance. These technologies use principles developed over hundreds of years: deceive the adversary to gain an advantage. By deploying decoys and bait throughout their internal network, organizations can monitor for bad actors that have breached their perimeter and are moving around inside their environment. While attacks may differ, all attackers follow an intrusion “kill chain” that involves everything from reconnaissance to actions on the objective. Decoy systems can silently detect such actions and alert the organization’s security teams to the attacker’s presence while delaying or diverting the attacker from actual production assets. Attivo Networks has real-world customer examples of where Attivo solutions were the only security controls to detect attack activity.
For example, an Attivo Networks customer reached out to support regarding alerts on their BOTsink deception server dashboards. Their small IT staff needed a way to detect threats on their internal network efficiently and had chosen the Attivo Networks BOTsink to give them that capability. Attivo Engineers immediately identified four separate alerts that indicated multiple system compromises. The activities indicated network reconnaissance, attempts to access the Veritas Backup services, attempted SMB share access with a compromised network login, and attempted access to default windows shares. The activity indicates a possibility that the attackers are leveraging information gathered from previous activity, as their reconnaissance used system names that were internal to the organization.
All other internal detection systems missed these activities. Only the Attivo Networks solutions captured the information and provided records of malicious activities, PCAPS, and other relevant information for the organization to investigate. This incident exemplifies how attackers can dwell for long periods inside a network without being discovered and can leverage the knowledge gained from previous attacks to target specific systems or services within the network. This level of inside knowledge highlights the difficulties of internal threat detection, from staffing and resources to proper visibility to misconfigurations and exposures. Had the attackers gone undetected, the attack would have resulted in a material breach, with the potential for extensive impact on the organization.
Although the specific goal of the attackers remains unknown, the fact that they were conducting extensive reconnaissance and targeting specific services points to prior knowledge of the network. Despite what appears to be multiple penetrations to security defenses, Attivo was the only system on the network that detected the reconnaissance.
Conversations have moved from “if” to “when” an attack will occur on an IACS for critical infrastructure. A modern-day security approach now assumes the network has been breached and accepts that even the best security prevention systems have prevention gaps that allow attackers to get into the network. Therefore, it is essential to have an active defense program that includes prevention and in-network threat detection.
A defense-in-depth approach based on layered prevention security is a good foundational approach. However, adding a line of defense that reliably detects Zero-day or signature-less attacks, stolen credentials, ransomware, insider, or 3rd party threats dramatically reduces the risks of catastrophic damage or data exfiltration. Whether one chooses to start by protecting only the most critical devices turning the entire network into a ubiquitous trap, the Attivo ThreatDefend platform provides a fast, reliable, and cost-effective solution to detect and defend against malicious cyberattacks.
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise