The increased risk of cyberattacks against manufacturing organizations - 2018 Spotlight Report - Vectra AI

I am artificial intelligence. The driving force behind the hunt for cyberattackers. I am Cognito.
TABLE OF CONTENTS

Manufacturing enterprises and Industry 4.0
Analysis of cyberattacker behaviors in the manufacturing industry
Cyberattack severity
Botnet attack behaviors
Command-and-control behaviors
Internal reconnaissance behaviors
Lateral movement behaviors
Exfiltration behaviors
Conclusion

                                       Vectra | The increased risk of cyberattacks against manufacturing organizations | 2
Manufacturing enterprises and Industry 4.0

Manufacturing organizations today rely on countless devices that are wirelessly connected, including numerous industrial internet-of-things (IIoT) devices and others that integrate information technology (IT) with operational technology (OT).

As air-gapped industrial control systems are replaced by cloud-connected digital systems, these connections create a massive attack surface that cybercriminals can easily infiltrate with the intent to spy, spread and steal.

Visibility into these internal connected systems is necessary to curtail the extent of damage from a cyberattack. Manufacturing security operations now require automated, real-time analysis of entire networks to proactively detect and respond to in-progress threats before they do damage.

The massive effort to automate real-time data collection across the manufacturing supply chain is known as Industry 4.0. It involves the integration of digital systems, IIoT devices and cloud computing resources in the manufacturing supply chain. This new digital supply chain is driven by the integration of IT with OT, known as IT/OT convergence, and is growing rapidly.

[Figure: the Industry 4.0 digital supply chain. Source: Deloitte University Press | dupress.deloitte.com]

Industry 4.0 brings with it a new operational risk for connected, smart manufacturers and digital supply networks. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyberattacks can have far more damaging effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.

For cyber-risk to be adequately addressed in the age of Industry 4.0, manufacturing organizations need to ensure that proper visibility and response capabilities are in place to detect and respond to events as they occur.

The information in this spotlight report is based on observations and data from the 2018 Black Hat Edition of the Attacker Behavior Industry Report from Vectra®. The report reveals attacker behaviors and trends in networks from over 250 opt-in customers in manufacturing and eight other industries.

From January-June 2018, the Cognito™ cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected rich metadata from more than 4 million devices and workloads in customer cloud, data center and enterprise environments.

The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.

When attackers succeed: Data breaches in manufacturing
The 2018 Verizon Data Breach Investigations Report (DBIR) provides insight into the potential intent and motives behind cyberattacks in the manufacturing industry.

State-affiliated attackers: 53% of breaches in manufacturing
Manufacturing capabilities are closely related to the health of a nation's economy. Many nation-states want to give their companies an edge. State-sponsored attackers caused more than half of the data breaches in manufacturing.

The most common types of data stolen were personal (32%), secrets (30%) and credentials (24%), according to the Verizon report.

Cyberespionage: 31% of breaches in manufacturing
Along with state-sponsored attacks, there was growth in cyberespionage. Espionage was a leading motive behind breaches in manufacturing.

This trend is reaffirmed when looking at actor motive. While 53% of attempted attacks against the manufacturing industry had a financial motive, 47% of attempts were motivated by espionage, according to the Verizon report.

Servers: 58% of breaches in manufacturing
At least one server was compromised in more than half of the data breaches in manufacturing, according to the Verizon report. Opportunistic attacks usually stick to endpoints and IoT devices, while attackers who are intent on stealing intellectual property and mapping out critical assets target servers.

Analysis of cyberattacker behaviors in the manufacturing industry
Rich metadata from the Vectra Cognito platform revealed a high volume of malicious internal reconnaissance and lateral movement behaviors among manufacturing organizations. These behaviors are critical phases in the cyberattack lifecycle during which cybercriminals spy, spread and steal inside the network.

This Spotlight Report raises three important issues:

1. The most common types of cyberattacks found in manufacturing organizations.
2. The malicious behaviors and actions behind these cyberattacks.
3. The business risks associated with these attacker behaviors.

[Figure 1 chart: stacked monthly bars, January through June, of botnet, C&C, reconnaissance, lateral movement and exfiltration detections per 10,000 host devices across all industries; y-axis 0 to 800]
Figure 1: Attacker detections across all industries per 10,000 host devices

The volume of attacker detections per 10,000 host devices across all industries indicates that the numbers of malicious command-and-control, reconnaissance and lateral movement behaviors are roughly equal to one another from month to month.

[Figure 2 chart: stacked monthly bars, January through June, of botnet, C&C, reconnaissance, lateral movement and exfiltration detections per 10,000 host devices in manufacturing; y-axis 0 to 800]
Figure 2: Attacker detections in manufacturing per 10,000 host devices

The monthly volume of attacker detections per 10,000 host devices in the manufacturing industry shows a much higher volume of malicious internal behaviors than the cross-industry figures above. In many instances, there is a 2:1 ratio of lateral movement behaviors to command-and-control behaviors.

These behaviors reflect the ease and speed with which attacks can proliferate inside manufacturing networks due to the large volume of unsecured IIoT devices and insufficient internal access controls.

Most manufacturers do not invest heavily in security access controls for business reasons. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply chain processes.

Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. These digital factories have internet-enabled production lines that generate data telemetry and support remote management.

In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal.

Cyberattack severity
The combination of malicious behaviors across the attack lifecycle and the context of specific behaviors is a strong threat indicator. The Cognito platform from Vectra correlates attacker behaviors to compromised host devices, assigns a threat-severity score and prioritizes the highest-risk threats.

[Figure 3 chart: monthly values, January through June, of critical, high, medium and low severity scores per 10,000 host devices in manufacturing; y-axis 0 to 300]
Figure 3: Threat-severity scores in manufacturing per 10,000 host devices
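The following is an added example, not Vectra's scoring model and not code from this report, showing the correlation idea behind host-level severity: detections are grouped per host and by lifecycle phase, each phase's contribution is capped so that one noisy detection type cannot dominate, and the total is multiplied by the number of distinct phases seen, so a host showing reconnaissance, lateral movement and exfiltration together outranks a host with many botnet hits. The phase assignments use detection names that appear in this report; the weights, caps and severity thresholds are assumptions chosen for the example, and the detections in sample_detections() are constructed.

```python
"""Illustrative host-level threat scoring (added example; not Vectra's algorithm)."""
from collections import defaultdict

# Lifecycle phase and base weight for detection names used in this report.
# Weights are assumptions for the example, not values from the report.
PHASE = {
    "Abnormal ad activity": ("botnet", 1),
    "Cryptocurrency mining": ("botnet", 2),
    "External Remote Access": ("c2", 3),
    "Hidden DNS CnC Tunnel": ("c2", 5),
    "Port Sweep": ("recon", 2),
    "Internal Darknet Scan": ("recon", 3),
    "SMB Account Scan": ("recon", 3),
    "Suspicious Admin": ("lateral", 3),
    "SMB Brute-Force Attack": ("lateral", 4),
    "Automated Replication": ("lateral", 5),
    "Data Smuggling": ("exfil", 10),
}
PHASE_ORDER = ["botnet", "c2", "recon", "lateral", "exfil"]
PHASE_CAP = 10          # no single phase contributes more than this, however noisy
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def score_host(detection_names):
    """Return (score, severity, phases) for the detections observed on one host.

    Score = (sum of capped per-phase weights) * (number of distinct phases), so
    breadth across the lifecycle matters more than volume within one phase.
    """
    per_phase = defaultdict(int)
    for name in detection_names:
        phase, weight = PHASE[name]
        per_phase[phase] = min(PHASE_CAP, per_phase[phase] + weight)
    phases = [p for p in PHASE_ORDER if p in per_phase]
    score = sum(per_phase.values()) * len(phases)
    # Exfiltration preceded by any other phase is the signature of an attack in
    # progress; exfiltration alone is still high because data is already leaving.
    if ("exfil" in phases and len(phases) >= 2) or score >= 60:
        severity = "critical"
    elif "exfil" in phases or score >= 30:
        severity = "high"
    elif score >= 15:
        severity = "medium"
    else:
        severity = "low"
    return score, severity, phases


def prioritize(detections):
    """detections: iterable of (host, detection_name). Hosts ordered by severity, then score."""
    by_host = defaultdict(list)
    for host, name in detections:
        by_host[host].append(name)
    ranked = [(host, *score_host(names)) for host, names in by_host.items()]
    ranked.sort(key=lambda r: (SEVERITY_RANK[r[2]], r[1]), reverse=True)
    return ranked


def sample_detections():
    """Constructed detections for four hosts (not data from the report)."""
    rows = [("10.0.5.8", "Abnormal ad activity")] * 30           # adware-noisy desktop
    rows += [("10.0.5.7", n) for n in ("Internal Darknet Scan", "SMB Account Scan",
                                        "SMB Brute-Force Attack", "Automated Replication")]
    rows += [("10.0.5.9", "External Remote Access"), ("10.0.5.9", "Data Smuggling")]
    rows += [("10.0.5.20", "Port Sweep")]
    return rows


if __name__ == "__main__":
    for host, score, severity, phases in prioritize(sample_detections()):
        print(f"{host:10} {severity:8} score={score:3} phases={phases}")
```

The per-phase cap is what keeps the 30-detection adware host at the bottom of the list while the two-detection host that combined command-and-control with data smuggling lands at the top; in a real deployment the weights would be learned from analyst feedback rather than fixed, and the phase table would cover every detection type the sensor emits.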

Botnet attack behaviors
Botnets represent opportunistic attacks that are not targeted at specific organizations. While botnet attacks persist everywhere, their occurrence is
not significant in manufacturing and is more often associated with user desktops that browse the web.

[Figure 4 chart: monthly counts, January through June, of abnormal ad activity, abnormal web activity, cryptocurrency mining and brute-force attack detections per 10,000 host devices; y-axis 0 to 8]
Figure 4: Botnet attack behaviors in manufacturing per 10,000 host devices

Command-and-control behaviors
The use of external remote access tools is the most common command-and-control behavior in manufacturing, which is shown in green in
Figure 5. External remote access occurs when an internal host device connects to an external server.

[Figure 5 chart: stacked monthly bars, January through June, per 10,000 host devices; series: External Remote Access, Hidden DNS CnC Tunnel, Hidden HTTP CnC Tunnel, Hidden HTTPS CnC Tunnel, Malware Update, Peer-to-Peer, Pulling Instructions, Stealth HTTP Post, TOR Activity, Threat Intelligence Match CnC, Suspicious Relay; y-axis 0 to 80]
Figure 5: Command-and-control behaviors in manufacturing per 10,000 host devices

In this case, the direction of control is the inverse of normal outbound client-to-server traffic: the internal client receives instructions from the external server, and a human on the outside controls the exchange.

While external remote access is common in manufacturing operations, it introduces risk. Cyberattackers also perform external remote access, but with the intent to disrupt industrial control systems.

Additionally, IIoT devices can be used as a beachhead to launch an attack. Once an attacker establishes a foothold in IIoT devices, it is difficult for network security systems to identify the backdoor compromise.

Consequently, IIoT devices collectively represent a vast, easy-to-penetrate attack surface that enables cybercriminals to perform internal reconnaissance, with the goal of stealing critical assets and destroying infrastructure.

Internal reconnaissance behaviors
Vectra observed a spike in internal reconnaissance behaviors in manufacturing due to internal darknet scans and SMB account scans, as shown in Figure 6. Internal darknet scans occur when internal host devices search for internal IP addresses that do not exist on the network.

An SMB account scan occurs when a host rapidly makes use of multiple accounts via the SMB protocol, which can be used for file sharing, RPC and other lateral movement.

Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology to simplify peer-to-peer communication. Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage.

[Figure 6 chart: stacked monthly bars, January through June, per 10,000 host devices; series: File Share Enumeration, Internal Darknet Scan, Kerberos Account Scan, Port Scan, Port Sweep, RDP Recon, SMB Account Scan, Suspicious LDAP Query; y-axis 0 to 350]
Figure 6: Internal reconnaissance behaviors in manufacturing per 10,000 host devices
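The following is an added example, not code from Vectra or from this report, showing how the internal darknet scan described above can be flagged from connection records. It assumes a sensor that logs each TCP connection attempt together with whether the destination ever answered (completed the handshake or sent a reset), treats the RFC 1918 ranges as the internal address space, and uses tunable thresholds (20 unanswered internal addresses within 60 seconds); the records in sample_attempts() are constructed for the example.

```python
"""Internal darknet scan heuristic over constructed connection records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; a deployment would use the site's own address plan.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Attempt:
    """One TCP connection attempt as a flow sensor would record it."""
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    answered: bool   # True if dst completed the handshake or answered with RST


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def darknet_scanners(attempts, window=60.0, min_dark=20, known_live=frozenset()):
    """Return {src: distinct dark internal addresses} for sources that contacted at
    least `min_dark` unanswered internal addresses inside any `window`-second span.

    An address is 'dark' only if nothing on the network ever answered for it: the
    `known_live` set (from ARP tables or asset inventory) plus every destination
    seen answering in the same telemetry is excluded, so that probing real servers
    shows up as a port sweep elsewhere rather than as a darknet scan here.
    """
    live = set(known_live) | {a.dst for a in attempts if a.answered}
    per_src = defaultdict(list)                      # src -> [(ts, dark dst), ...]
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.answered or a.dst in live or not is_internal(a.dst):
            continue
        per_src[a.src].append((a.ts, a.dst))

    hits = {}
    for src, events in per_src.items():
        best = lo = 0
        for hi in range(len(events)):                # sliding window over time-sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= min_dark:
            hits[src] = best
    return hits


def sample_attempts():
    """Constructed telemetry: one host sweeps 40 addresses of an unused subnet slice in
    20 seconds (only .10 exists and answers); a normal client talks to three live servers."""
    rows = [Attempt(ts=100 + i * 0.5, src="10.0.5.7", dst=f"10.0.9.{i}", dport=445, answered=(i == 10))
            for i in range(1, 41)]
    rows += [Attempt(ts=200 + k, src="10.0.5.8", dst=dst, dport=445, answered=True)
             for k, dst in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"])]
    # an unanswered probe of an external address is not part of an internal darknet scan
    rows.append(Attempt(ts=130, src="10.0.5.7", dst="203.0.113.9", dport=53, answered=False))
    return rows


if __name__ == "__main__":
    print(darknet_scanners(sample_attempts()))       # {'10.0.5.7': 39}
```

The allowlist matters in exactly the environment this report describes: the gateways doing peer self-discovery across a mesh, and any vulnerability or asset-inventory scanner, produce this same pattern legitimately, so their addresses belong in a suppression list with the detection kept for everything else.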

Lateral movement behaviors
Lateral movement occurs when an attacker uses a compromised system or device to reach other systems and devices across the network. Figure 7 shows a high level of activity associated with authentication, with SMB brute-force behaviors being the most common.

SMB brute-force behaviors occur when an internal host uses the SMB protocol to make many login attempts for the same user account, most of which fail. Vectra also observed a high volume of automated replication, which indicates that an internal host device is sending similar payloads to several internal targets.

IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping between non-critical and critical subsystems, until they reach their objective.

It is critical to maintain visibility into all internal connected systems to understand which are legitimate and which are attackers propagating on the network.

[Figure 7 chart: stacked monthly bars, January through June, per 10,000 host devices; series: Automated Replication, Brute-Force Attack (internal), Kerberos Brute Force, Kerberos Server Access, Ransomware File Activity, Shell Knocker Client, Shell Knocker Server, SMB Brute-Force Attack, SQL Injection Activity, Suspicious Admin, Suspicious Remote Desktop, Threat Intelligence Match Lateral, Suspicious Kerberos Account, Suspicious Kerberos Client; y-axis 0 to 180]
Figure 7: Lateral movement behaviors in manufacturing per 10,000 host devices

Exfiltration behaviors
Among exfiltration behaviors, data smuggling was the most prevalent in the manufacturing industry. With data smuggling, an internal host
device controlled by an outside attacker acquires a large amount of data from one or more internal servers and then sends a large data
payload to an external system.
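The data-smuggler pattern described above can be expressed as a two-stage check over network flow records: a host first pulls an unusually large volume from internal servers, then pushes a large volume to an external destination. The following is an added detection example, not Vectra's code or the report's; the address ranges, thresholds, time window and flow records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges treated as "internal" (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class Flow:
    ts: int          # seconds since epoch (constructed)
    src: str         # sender address
    dst: str         # receiver address
    nbytes: int      # bytes carried from src to dst

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_data_smugglers(flows, acquire_min=500_000_000, exfil_min=100_000_000, window=3600):
    """Return {host: (bytes pulled from internal servers, bytes pushed externally)} for hosts
    whose large internal acquisition is followed, within `window` seconds, by a large external send."""
    pulled = defaultdict(list)   # host -> [(ts, bytes)] received from other internal systems
    pushed = defaultdict(list)   # host -> [(ts, bytes)] sent to external systems
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src) and is_internal(f.dst):
            pulled[f.dst].append((f.ts, f.nbytes))
        elif is_internal(f.src):
            pushed[f.src].append((f.ts, f.nbytes))
    hits = {}
    for host, inbound in pulled.items():
        acquired = sum(b for _, b in inbound)
        if acquired < acquire_min:
            continue   # a small pull is ordinary file access, not staging for exfiltration
        start, end = inbound[0][0], inbound[-1][0] + window
        exfil = sum(b for ts, b in pushed.get(host, []) if start <= ts <= end)
        if exfil >= exfil_min:
            hits[host] = (acquired, exfil)
    return hits

# Constructed sample flows; 203.0.113.7 is a documentation address standing in for an external system.
SAMPLE_FLOWS = [
    Flow(1000, "10.1.2.10", "10.1.1.50", 300_000_000),   # staging: pulls from file server A
    Flow(1300, "10.1.2.11", "10.1.1.50", 400_000_000),   # staging: pulls from file server B
    Flow(2000, "10.1.1.50", "203.0.113.7", 250_000_000), # large push out: smuggler pattern
    Flow(1100, "10.1.2.10", "10.1.1.60", 900_000_000),   # backup host: big pull, tiny external send
    Flow(1500, "10.1.1.60", "203.0.113.7", 2_000_000),
    Flow(1200, "10.1.2.10", "10.1.1.70", 5_000_000),     # user: big upload without a big internal pull
    Flow(1400, "10.1.1.70", "203.0.113.7", 150_000_000),
]
```

Only the host that both staged data internally and then sent a large payload out is flagged; the backup host and the plain large upload are not, which is what separates smuggling from ordinary heavy transfers.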

[Figure 8: chart of detections per 10,000 host devices by month, January through June; series shown: Data Smuggler, Hidden HTTP Exfil Tunnel, Hidden HTTPS Exfil Tunnel, Smash and Grab]
Figure 8: Exfiltration behaviors in manufacturing per 10,000 host devices

Conclusion
Driven by Industry 4.0 initiatives, more manufacturing processes are becoming automated and connected to the cloud, resulting in significant
improvements in the speed and efficiency of industrial production.

But the IT/OT convergence in manufacturing – along with unpartitioned networks, insufficient access controls and the proliferation of IIoT
devices – has created a massive and vulnerable attack surface that cybercriminals can exploit to steal intellectual property and disrupt
business operations.

Consequently, a higher-than-normal rate of malicious internal reconnaissance behaviors indicates that attackers are mapping out
manufacturing networks in search of critical assets to steal or damage. And the abnormally high level of lateral movement behaviors is a
strong indicator that attacks are proliferating inside the network.

To learn more about cyberattacker behaviors seen in other real-world cloud, data center and enterprise environments, get the 2018 Black
Hat Edition of the Attacker Behavior Industry Report from Vectra.


Email info@vectra.ai Phone +1 408-326-2020
vectra.ai
© 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat
Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.