
Keeping the Lights On in the Era of Critical Infrastructure Attacks

The recent and ongoing attacks on the power grid in Ukraine and elsewhere highlight an alarming trend: sophisticated hackers are targeting critical civilian infrastructure and using advanced techniques to bypass conventional security systems.

Researchers at ESET and Dragos have released a detailed analysis of the initial attacks targeting Kiev’s power systems using malware now known as Industroyer or Crash Override. The full ESET report is here. These threats are particularly dangerous, because they are capable of taking direct control over power station switches and circuit breakers, leveraging industrial communication protocols used worldwide in power infrastructure, transportation control systems, water and gas delivery and other critical infrastructure.

 

[Figure: Industroyer-network.jpg]

Many of these industrial control systems were designed decades ago for isolated networks, without much thought about external security. Even today, while these systems are typically air-gapped from the broader internet, they are not immune to malicious insiders or targeted credential phishing.

For a more detailed analysis of the specific hacking techniques used please see our next blog, Hack Analysis: Deep Dive into Industroyer. Here is a summary of the key elements that made these attacks successful, along with new strategies that organizations need to adopt for future-proof cyber security.

  • Motivation was political, not financial: While most hacking today is financially motivated, focused on stealing or ransoming valuable data, these new attacks appear to be nation-state sponsored and aimed at political harassment, business disruption, or even terrorism.
  • Hackers are highly knowledgeable: These attacks have been perpetrated by hackers with significant knowledge of industrial control systems, who built a framework of on-demand swappable components that mimic trusted software.
  • Simple actions can wreak havoc: In one instance, a particular Siemens relay switch was shut off to interrupt service. But in another instance the same switch was turned on continuously, causing power equipment to overheat and suffer permanent damage.
  • Legacy infrastructure is porous: Many infrastructure control systems rely on a patchwork of new and older technology that is highly specialized, difficult to update and often impossible to patch against today’s threats. Older systems often can’t be taken offline, yet run on platforms that no longer get the latest security patches.
  • Signature-based malware protection was useless: Most security systems rely on recognizing signatures, files or known attack patterns. All of these solutions are backwards-looking and only react to previously identified threats. Recent attacks have proven that today’s sophisticated hackers are in a new league – innovative, resourceful, well-funded (often by nation-states), and several steps ahead of conventional security.
  • Perpetrators cover their tracks: These attacks are sophisticated and designed both to cause damage and to hide any footprints of the hackers. Multiple techniques were used to corrupt Windows services, overwrite files with garbage, make systems unbootable, and erase tools used in the attacks. By covering their tracks, they can come back repeatedly to perpetrate new attacks.

Many experts in the security space have called this new generation of attacks “indefensible”, and with most anti-malware solutions that may be true. In fact, these and other recent attacks highlight a fundamental flaw in how most organizations address cyber security.

More significantly, these next-generation attacks target applications at the memory layer, below the radar of conventional security tools. These sophisticated attacks no longer rely on files that can be easily identified with signatures, but instead manipulate benign code at the memory level to trigger illicit actions. Memory-based attacks were once considered arcane, but with the Shadow Brokers leaks of NSA tools, these advanced tools are widely available, and were used in WannaCry, Industroyer, Petya and other recent hacks.

Focus on the Application – Not the Malware

Practically all cyber threat solutions focus on the malware – identifying, dissecting, categorizing, creating signatures, and looking for predictable patterns of behavior. More recent solutions claim that artificial intelligence can effectively predict new behavior, based on past malware examples.

However, all of these solutions only detect threats that are known, and are useless against the infinitely larger world of unknown and future threats. When new attacks are launched, the exposure time can be significant before they are discovered, and signatures or patches are deployed. For example, the SMBv1 flaw that WannaCry exploited had been exposed for over 8 years.

Virsec ARMAS takes a radically different approach, focusing on the application itself, instead of playing an eternal game of Whack-a-Mole with malware. ARMAS understands the DNA of applications and maps their correct behavior across the full application stack, from the interpreted code, down to the memory layer. By understanding all possible good behavior of an application, ARMAS can instantly spot any bad behavior, indicating unexpected malware activity. In fact, Virsec’s patented technology can spot insidious memory corruption attacks, undetectable by other existing technology.

ARMAS has been tested against the NIST National Vulnerability Database (NVD) and found to have near 100% detection rates, with no false positives. This remarkable result is possible because ARMAS is deterministic and focuses on the application, instead of chasing malware. Any deviation from the possible legitimate behavior of the application is a definitive indicator of incorrect, and likely illicit, activity.

Because of ARMAS’ instantaneous detection and high accuracy, alerts can be acted upon automatically, avoiding the alert fatigue caused by legacy solutions with constant false positives. ARMAS protects applications by providing automated response to attack alerts, and provides APIs for customized actions. ARMAS can also be deployed with any application, including legacy solutions that have not kept up with security patches.

For more information about Virsec ARMAS or a free demonstration, please get in touch.