INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2021 - USB usage increased by 30%. 79% of threats capable of disrupting OT.

Page created by Kathryn Cannon
 
Research Report
OVERVIEW
2020 proved to be an interesting year in almost every context, and USB cybersecurity was no exception. The global pandemic influenced how most operational technology or “OT” organizations functioned day-to-day to accommodate new health and safety guidelines. Attempts to minimize the physical proximity of staff where possible led to an increased need for the movement of digital data. As a result, the two primary communication paths into OT – removable media and network connectivity – were under increased strain, and operators faced new operational challenges as a result. Based on our findings, 2020 saw an increase in the use of USB media by 30% over 2019.

Through analysis of data specific to this vector and specific to industrial control/OT environments, this report attempts to shed new light on the industrial cybersecurity threats associated with USB removable media.

[Infographic: TRENDS – Threats capable of disrupting OT: 79%; USB removable media usage is up by 30%; Our ability to detect threats is up by 14%; Content-based malware is up by 110% [1]. THREATS – Trojans: 30%; Designed for USB: 37%; Targeting OT: 30%; Establish remote access: 51%.]

Note: This report includes a glossary of terms for the
convenience of the reader. Terms that can be found
in the glossary are initially printed in bold.

[1] McAfee Labs Threat Report, November 2020.

1 | www.honeywell.com
METHODOLOGY
USB usage and behavioral data was analyzed by the Cybersecurity Global Analysis, Research, and Defense (GARD) team, using a proprietary and highly cultivated threat detection and analysis system – the GARD Engine. While the GARD Engine is used across multiple Honeywell Industrial Cybersecurity products and services, the data for this report was limited to those threats detected by Honeywell’s USB security solution: Honeywell Forge Secure Media Exchange (SMX). Forge SMX analyzes USB devices as they are actively used in industrial facilities, providing a highly focused view of industrial USB activity.

[Diagram: Files from vendors & integrators, files to/from legacy systems, files from employees, unwanted content from phone & other devices, and malware from the Internet arrive on a USB drive. SMX separates good files from bad files; bad files go to deeper analysis, which is the basis of this report.]

This Report is based on aggregated data from SMX and is anonymized. A sample set of this aggregated SMX data was analyzed. As such, findings represent consolidated views into the collective data set, and sample set findings are interpreted in light of impact upon the larger sample set.

Industries represented include Oil and Gas, Energy, Chemical Manufacturing, Pulp and Paper, Water, Buildings, Aerospace and other industrial manufacturing facilities from over 60 countries across North America, South America, Europe, the Middle East, and Asia. The data represents those threats that were detected and blocked. While the efficacy rate of Forge SMX and the GARD Engine is exceptionally high (see “Improving Detection Efficacy” later in this report), no threat detection technology is 100% effective. It is therefore possible that additional threats were not detected, and as a result not included in this report. Also of note, this report focuses exclusively on USB-borne malware and does not discuss other USB based attacks such as BadUSB or USB Attack Platforms. For more information on USB Attack Platforms, please reference “[BadUSB report title]” at honeywellprocess.com

KEY FINDINGS
Overall, the threat of USB-borne malware continues to be a serious and growing concern. Threats capable of propagating over USB, or specifically exploiting USB media for initial infection, rose from 19% in 2019 to just over 37% in 2020 – the second consecutive year of significant growth in this area. Of the threats seen, Trojans dominated again by comprising 76% of the malware detected. In addition, more threats in 2020 were wormable, and 52% (up from 34%) were able to provide remote access or remote control. This illustrates the continuation of a trend identified in last year’s report: adversaries are leveraging USB removable media as an initial attack vector, at which point they will attempt to establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control. Combined with a corresponding increase in threats targeting industrials (from 28% to 30%), this supports the theory that USB removable media are being used to penetrate the air-gapped environments found in many industrial and OT environments.

THREATS CONTINUE TO GET MORE SEVERE
Of the threats blocked, another trend continued from 2019: the malware was more capable of causing a disruption to industrial control systems, up to 79% from 59%. This is true despite a slight decline in ransomware, which was a significant contributor in 2019. The increased severity of threat comes from increasingly multi-functional malware, which is capable of directly impacting target systems (20%), downloading stage-2 payloads (9%), or opening backdoors, establishing direct remote access, and command and control (52%).

CONTENT-BASED MALWARE AS AN INITIAL VECTOR INTO OT
A new trend identified in 2020 showed that a significant amount of threats specifically leveraged altered or infected documents. There was a continued increase in trojans (malware disguised as legitimate software), with a seeming shift from the impersonation of executable files and archives (.exe, .zip, etc.) to document files (Office documents, PowerShell scripts, .PDF files, etc.). In addition to the high number (76%) of trojans overall, 12% of the total threats detected leveraged native document structures with embedded scripts and macros. This rise in content-based malware seems to correspond to more subjective shifts in how many organizations operated during 2020 and would indicate that adversaries were attempting to take advantage of these changes. Because there is no pre-existing data concerning file metadata, it is impossible to draw a conclusion here, although it is something that will be observed in the future.

Similar findings were also published by McAfee Labs, who saw a 103% increase in office malware and a 117% increase in PowerShell malware. [2]

[2] McAfee Labs Threat Report, November 2020.
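The content-based malware pattern described above (macros and scripts carried inside document-looking files rather than plain executables) is something an operator can screen for at the point where removable media is checked in. The following triage script is an added example written for this page, not Honeywell’s SMX or GARD logic; the file names, sample contents and the heuristics it applies are constructed for illustration, and a hit only marks a file for deeper analysis.

```python
"""Heuristic triage of files arriving on removable media for the content-based
malware indicators this report describes: Office documents carrying VBA, PDFs
with active content, PowerShell launched with encoded/hidden options, and
executables masquerading as documents. Example code added for this page; it is
not Honeywell's SMX/GARD logic, and it only flags files for deeper analysis."""
import base64
import io
import re
import tempfile
import zipfile
from pathlib import Path

# OOXML packages store VBA as a binary part; its presence inside an extension
# that should be macro-free (.docx/.xlsx/.pptx) is itself a warning sign.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
OLE_VBA_STREAMS = tuple(s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros"))
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
EXEC_EXT = ("exe", "scr", "js", "vbs", "ps1", "hta")
DOC_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg")
PS_PATTERNS = {
    "encoded-command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "execution-bypass": re.compile(r"-(ExecutionPolicy|ep)\s+Bypass|Invoke-Expression|\bIEX\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}


def triage_bytes(name, data):
    """Return a list of human-readable findings for one file (empty = nothing seen)."""
    findings = []
    suffix = Path(name).suffix.lower()
    if data.startswith(b"PK"):                               # zip container: OOXML or archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        vba = [p for p in OOXML_VBA_PARTS if p in members]
        if vba:
            findings.append("office: VBA project present (%s)" % ", ".join(vba))
            if suffix in MACRO_FREE_EXT:
                findings.append("office: macro-free extension but VBA project inside")
        if any(m.lower().rsplit(".", 1)[-1] in EXEC_EXT for m in members):
            findings.append("archive: contains executable or script member")
    elif data.startswith(OLE_MAGIC):                         # legacy binary Office format
        if any(s in data for s in OLE_VBA_STREAMS):          # OLE directory names are UTF-16LE
            findings.append("office: legacy OLE document carries VBA streams")
    elif data.startswith(b"%PDF"):
        keys = [k.decode() for k in PDF_ACTIVE_KEYS if k in data]
        if keys:
            findings.append("pdf: active content keys %s" % ", ".join(keys))
    if suffix in (".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta") or b"powershell" in data.lower():
        text = data.decode("utf-8", errors="ignore")
        findings += ["script: " + label for label, pat in PS_PATTERNS.items() if pat.search(text)]
    parts = Path(name).name.lower().split(".")               # e.g. invoice.pdf.exe
    if len(parts) > 2 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT:
        findings.append("name: document-looking double extension")
    return findings


def triage_media(root):
    """Walk a mounted removable-media path and map relative file paths to findings."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): triage_bytes(p.name, p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def _ooxml(extra_parts):
    """Build a minimal OOXML-style zip; extra_parts adds e.g. a vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, body in extra_parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_samples(root):
    """Write constructed, harmless sample files into root for a dry run."""
    root = Path(root)
    enc = base64.b64encode("Write-Output 'hi'".encode("utf-16-le")).decode()
    samples = {
        "benign.docx": _ooxml({}),
        "quote.docx": _ooxml({"word/vbaProject.bin": b"\x00" * 64}),   # macros in a .docx
        "manual.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                      b"2 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj\n%%EOF",
        "update.ps1": ("powershell.exe -NoP -w hidden -enc " + enc).encode(),
        "invoice.pdf.exe": b"MZ" + b"\x00" * 62,                         # executable posing as a PDF
        "readme.txt": b"site notes, nothing executable",
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return list(samples)


def demo():
    """Build the samples in a temporary directory, triage them, return {name: findings}."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return triage_media(d)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "clean")
```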
ATTACKERS ARE USING USB TO BYPASS THE AIR GAP

As mentioned above, several factors indicate that USB removable media are deliberately used to circumvent the “Air Gap” that protects industrial environments. In most modern systems, true air gaps have been replaced with strongly segmented and protected networks – either way, penetrating this layer of defense can be a daunting task for an attacker. An alternative approach is to circumvent the network completely, and physically carry your attack across the air gap, using USB removable media, or even specialized USB attack platforms (see “Honeywell Cybersecurity Report: USB Hardware Attack Platforms”, www.honeywellprocess.com).

Looking at the contents of removable media inbound to OT environments, there are strong indications that cyber adversaries are deliberately leveraging USB removable media for this purpose. First, a rise in sophisticated content-based malware, designed to impersonate legitimate files that operators interact with regularly. Second, malware samples were more sophisticated than expected, with the ability to propagate to other systems and establish backdoor access, download and install other components, and provide remote command and control. The concentration of this type of malware among samples specifically entering ICS/OT on removable media is simply too high to be coincidental.

In addition, an increasing number of threats (30%) were known to have been designed specifically for industrial use or associated with industrial cyber-attack campaigns. A similar proportion (34%) had qualities associated with early-stage attacks that are likely part of a larger campaign. While many (9%) had the sole purpose of installing additional payloads, over half (52%) were designed to establish a permanent backdoor or remote access, and were capable of downloading and installing additional payloads, and providing command and control functions.

We saw the first indications of this behavior in 2019, and the consistent increase across all of these factors strongly indicates that the patterns are intentional: adversaries targeting industrial operators are specifically leveraging USB removable media as an initial penetration vector, as part of a larger cyber-attack campaign.

IMPROVING DETECTION EFFICACY
Malware detection is complex, and no single malware detection tool or technology will ever be 100% effective. Using a layered detection and response strategy can improve detection, by leveraging the specific strengths of certain techniques against specific classes or families of malware. However, new malware variants are developed at an alarming rate – as many as 419 new threats per minute or over 220 million per year – and the sheer volume of threats in existence makes it difficult to maintain strong detection efficacy. [2]

To help improve detection, GARD implemented Early Threat Detection (ETD) in 2020. ETD combines proactive security research to identify the newest and emerging threats as early as possible in a malware’s lifecycle. Doing so allows GARD to provide improved detection of these “early day” threats at the point where commercial detection signatures and threat intelligence feeds do not yet cover them; the strategy focuses on the challenge of OT-relevant threats, and on why some AV engines might not catch certain threats.

[Sidebar: CYBER THREATS CAN AVOID DETECTION – 46% of known OT cyber threats are poorly detected or not detected at all; 11% completely avoid detection; 35% are poorly detected by most engines.]

As in previous reports, we cross-checked the base detection results of GARD against a variety of commercial anti-malware software solutions. The results show an increasing amount of threats that were able to avoid detection by the commercial anti-malware engines tested. 11% completely avoided detection by all tested engines, while 35% were classified as “poor detection rates”, able to avoid detection by the majority of engines tested. Focusing our results only on those threats that are known to specifically target OT, as many as 46% of the threats analyzed fell into this category. There could be several reasons for this poor detection rate: for example, an increase in more sophisticated threats that are capable of evasive behaviors, or the use of newer and target-specific variants.

While the implementation of ETD did impact the efficacy gap, it alone does not account for the delta. Of the threats detected, 7% were the direct result of ETD. Therefore, it is more likely that the threats detected and analyzed in this report were simply more specialized and difficult to detect using traditional means – a likely scenario considering the highly focused nature of this report, which looks at threats exclusively from a specific vector (USB) into a specific environment (OT). This hypothesis also supports previous findings of the types of threats detected, and their highly targeted qualities, presented earlier in this report.

While the exact cause of poor detection rates is unknown, it remains a concern.
Many industrial organizations rely on legacy anti-virus systems as a sole-source for
protection against malware. In addition, these anti-virus systems are typically
updated less frequently on OT assets due to the limited availability of maintenance
windows where such updates can occur. This further increases the risk of
depending solely on commercial AV scanning.

SECURITY IMPLICATIONS FOR OPERATORS

New evidence indicates that USB removable media is intentionally used as an initial attack vector into industrial control and OT environments. As such, a clear USB security policy must be established, and technical controls and enforcement must be established to better secure USB media and peripherals.

Evidence continues to indicate that new threat variants are being introduced more quickly, specifically via USB, and specifically targeting industrials. To this end, existing controls should be re-examined, and patch cycles should be re-evaluated in an attempt to close the Mean Time to Remediation (MTTR). External controls to provide real-time detection and protection of key systems should be considered, as well as integrated monitoring and incident response procedures. For more information on closing the MTTR gap in OT environments, please refer to https://www.sans.org/webcasts/114525

As workplaces adapt to a global pandemic, additional scrutiny should be placed on the files, documents, and other digital content. Inspection and detection-based controls are necessary for the primary vectors into and between protected industrial facilities (e.g., removable media, network connections), to prevent the introduction and propagation of content-based malware.

Threats crossing the air gap via USB are used to establish a toehold into industrial systems, establishing backdoors and remote access to install additional payloads and establish remote command-and-control. Outbound network connectivity from process control networks must be tightly controlled and be enforced by network switches, routers and firewalls.

Security upkeep remains important. It is critical that anti-malware controls are kept current in order to be effective. Anti-virus software deployed in process control facilities needs to be updated daily. Even then, a layered approach to threat detection that includes OT-specific threat intelligence is strongly recommended for maximum efficacy.

Due to the extent of threats that are capable of establishing persistence and covert remote access to otherwise air-gapped systems, patching and hardening of end nodes is necessary. Hardening of OT systems is also a key contribution to improving incident MTTR.

CONCLUSION: Active USB Cybersecurity Controls are Required

For the third year in a row, the threats seen attempting to enter industrial/OT environments have continued to increase in sophistication, frequency, and the potential risk to operations. USB-borne malware is clearly being leveraged as part of larger cyber-attack campaigns against industrial targets and has adapted to take advantage of the ability of USB removable media to circumvent network defenses and bypass the air gaps upon which many of these facilities depend for protection. Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.

GLOSSARY

AIR GAP
An air gap refers to the purposeful absence of digital connectivity between a computing environment and any outside or untrusted network, such as the internet. In industrial controls, there is typically an approximation of an air gap that separates operational and automation systems (“OT”) from business systems (“IT”). While absolute air gaps are rare due to the increasing need for digital communications between business and operational systems, the term is still widely used to refer to the layer of strict network access policies, logical segmentation, and security controls around OT environments.

ATTACK VECTOR
An attack vector is any potential path by which a cyber adversary might attempt to gain access to a computer network or system.

BACKDOOR
Backdoors provide unauthorized access to computer files, systems, or networks. Backdoors that provide access over a network are often referred to as Remote Access Toolkits or RATs, although backdoors may also be specific to local systems or applications.

BADUSB
An exploitation of certain USB devices allowing the firmware to be overwritten by a hacker, to modify how that device operates. Typically used to alter commercially available USB devices, so that they can be used as a cyber-attack tool.

COMMAND AND CONTROL, C2
Command and Control typically refers to servers used by cyber adversaries that provide the attacker with the ability to communicate with and send commands to a compromised system, providing control over that system.

CYBER ATTACK CAMPAIGNS
A set of coordinated cyber activities carried out by a cyber adversary, towards a common objective, is often referred to as a cyber-attack campaign. Campaigns typically utilize multiple attack techniques over time. Campaigns are coordinated efforts, and sometimes implicate threat actors from nation states, crime syndicates or other organized cyber adversaries.

EARLY THREAT DETECTION, EARLY-DAY THREAT, ETD
Early Threat Detection is a service offered as part of Honeywell’s GARD threat detection offerings. Early Threat Detection refers to the curation of threat and incident information from Honeywell as well as public- and private-sector partners, with the intent of providing detection of newly emerging threats as quickly as possible.

GARD ENGINE
GARD refers to the Honeywell Global Analysis Research and Defense threat detection service, which provides advanced threat detection and response capabilities to supported Honeywell cybersecurity products.

INDUSTRIAL CONTROL SYSTEMS, ICS, INDUSTRIAL CONTROL AND AUTOMATION SYSTEMS
Industrial Control Systems refer to the systems, devices, networks, and controls used to operate and/or automate an industrial process.

MEAN TIME TO REMEDIATION, MTTR
Mean Time to Remediate refers to the amount of time required for an organization to react and recover from an identified cyber threat or incident. In OT, MTTR typically extends beyond simple computer system and network recovery, to fully operational.

OPERATIONAL TECHNOLOGY, OT
Operational Technology (OT) is analogous to Information Technology (IT), referring to the underlying technology used in ICS environments. While many of the general computing platforms used in ICS share common hardware, operating systems, and networking technology, OT systems are used in fundamentally different ways to support industrial automation and control, and therefore represent a unique challenge in terms of cybersecurity.

PAYLOAD
In general computing a “payload” refers to the part of a digital communication that is the actual content or message. A malicious payload, or the payload delivered by a cybersecurity threat, refers to software that performs a malicious activity. Newer and more sophisticated malware will typically operate in a modular fashion, where specific payloads can be used to execute specific tasks in a cyber-attack campaign.

REMOTE ACCESS, RAT
Remote access refers to the connectivity to a computer system or network from a remote location. In the context of cyber threats, remote access typically refers to backdoors or RATs (Remote Access Trojans or Remote Access Toolkits), which are designed to establish unintended network access to a cyber adversary.

SECURE MEDIA EXCHANGE
Secure Media Exchange (SMX) is a commercial industrial cybersecurity technical solution developed by Honeywell to lower the risk of USB-borne threats. For more information, visit https://www.hwll.co/SMX

TROJAN
A “trojan” is any malware designed to trick a user into executing it. Typically this is done by masquerading as legitimate software, or by embedding malicious code or scripts into everyday documents

USB/UNIVERSAL SERIAL BUS
The USB protocol defines how many device types can interconnect to a single computer interface, designed to replace many custom computer peripherals with a single, common interface. The term “USB” could refer to any specific USB device, such as a mouse, keyboard, removable storage, network adapter, et al.; a USB host, such as a computer or other digital system with a USB interface; or the USB protocol itself.

USB ATTACK PLATFORMS, UAPS
The USB protocol defines how many device types can interconnect to a single computer interface, designed to replace many custom computer peripherals with a single, common interface. The term “USB” could refer to any specific USB device, such as a mouse, keyboard, removable storage, network adapter, et al.; a USB host, such as a computer or other digital system with a USB interface; or the USB protocol itself.

USB-BORNE MALWARE
The USB protocol defines how many device types can interconnect to a single computer interface, designed to replace many custom computer peripherals with a single, common interface. The term “USB” could refer to any specific USB device, such as a mouse, keyboard, removable storage, network adapter, et al.; a USB host, such as a computer or other digital system with a USB interface; or the USB protocol itself.

USB REMOVABLE MEDIA
USB removable media typically refers to data storage devices that connect using the USB standard. Often referred to as flash drives, thumb drives, USB sticks, et al., the most common form of USB removable media utilizes solid state storage (i.e., “flash”) and connects to USB type-A interfaces using the USB standard “USBStor” device classification. However, the USB standard is diverse and other storage device types are available, and non-flash USBStor devices also exist.

WORM, WORMABLE
A computer worm is a standalone malware computer program that is able to self-replicate by spreading to and infecting other computers. As malware continues to evolve, it becomes harder to strictly classify a particular malware into a single category. For example, a trojan might also be able to self-replicate.

ABOUT HONEYWELL’S GLOBAL ANALYSIS, RESEARCH AND DEFENSE TEAM FOR OT CYBERSECURITY
Honeywell’s Global Analysis, Research, and Defense team (GARD Team) is dedicated to OT-focused cybersecurity research, innovation, and integration. As part of Honeywell Forge Cybersecurity, GARD leverages data curated from 7 Honeywell cybersecurity research centers, and from over 5,000 deployments in over 65 countries, to provide OT threat analysis and threat detection. Proactive threat research, mining, hunting and other techniques can help ensure that targeted OT threats are detected early.

Honeywell Forge Cybersecurity better protects industrial assets, operations and people from digital-age threats. With more than 15 years of OT cybersecurity expertise and more than 50 years of industrial domain expertise, Honeywell combines proven cybersecurity technology and industrial know-how to maximize productivity, improve reliability and increase safety. We provide innovative cybersecurity software, services and solutions to better protect assets, operations and people at industrial and critical infrastructure facilities around the world. Our state-of-the-art Cybersecurity Centers of Excellence allow customers to safely simulate, validate and accelerate their industrial cybersecurity initiatives.


Honeywell Connected Enterprise
715 Peachtree Street NE
Atlanta, Georgia 30308                        Industrial Cybersecurity USB Threat Report 2021 | Rev 1 | 6/2021
www.honeywell.com                             ©2021 Honeywell International Inc.