The continued connection of operational technology (OT) to enterprise networks is a key factor in the expanding threat landscape, and today's sophisticated attackers see that evolution as an opportunity to deploy new ways to attack manufacturers.
Ransomware 2.0 is a prime example. These advanced, human-operated attacks use APT-style tactics designed to bypass traditional security controls. Rather than encrypting data and demanding a ransom on the first system they compromise, these threat actors use that system as a foothold into the network to conduct network discovery, probe Active Directory, move laterally, and identify high-value assets to target. Only after they have found the organization's essential assets and encrypted the critical data or taken control of those assets do they send their ransom demand.
To counter Ransomware 2.0, Attivo Networks recently announced new capabilities in its Endpoint Detection Net (EDN) solution that improve file protection by concealing, and denying access to, production mapped shares, cloud storage, and selected files or folders. By hiding this information from unauthorized processes, the EDN solution leaves the malware able to engage only with the decoy environment and dramatically reduces the risk of a successful data compromise. Many organizations continue to struggle with the cost and impact of widespread ransomware attacks; derailing these attacks early, before the attacker reaches critical data, is what spares them those consequences.
Traditional endpoint solutions, such as Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR), use signature matching or behavioral anomaly detection to identify malicious binaries and block the execution of ransomware before it can encrypt anything. Unfortunately, a human operator who adapts as the attack unfolds can use techniques that evade these solutions.
“Advanced human-controlled ransomware can evade endpoint security controls and after initial compromise, move laterally to cause maximum damage, do data exfiltration and encrypt data,” said Srikant Vissamsetti, senior vice president of engineering, Attivo Networks. “This advanced protection by the Attivo EDN solution disrupts ransomware’s ability to move laterally and prevents unauthorized access to data by concealing production files, folders, removable disks, network shares, and cloud storage.”
Protecting Operational Technology
Carolyn Crandall, chief deception officer at Attivo, tells IndustryWeek that securing connected operational technology (OT) devices against external and insider threats has its own unique set of challenges. “It is not always possible to load security software onto these systems, and they may be running on old firmware that cannot be patched. There may also be situations where they are not allowed to modify them for safety reasons, as it could alter operating behaviors,” says Crandall. “The logistics of updating OT software can also be problematic, as they are difficult to take offline and often operate 24/7. It should also not be assumed that every device coming from the factory is safe; there can be tampering at the factory or during the supply chain. It is always best to have the ability to efficiently detect the compromise and lateral movement of attackers within these networks.”
According to Crandall, when an attacker seeks to gain a foothold on the network through an OT device, they compromise the initial device and then move laterally across the network, seeking out vulnerable devices and loading malware onto them. They may also seek out local admin credentials, which they use to access and steal the information they need in order to launch a widespread attack.
“Any connected device can become part of a ransomware attack, including OT technology. An attacker will seek to scan hosts and services in order to compromise them and drop malware onto them. Ransomware attacks like RobbinHood and Maze will also seek to exploit common local admin credentials that exist on an endpoint,” she says. “With the new enhancements to the Attivo Endpoint Detection Net, the odds get turned in favor of the defender. Organizations can choose to hide and deny access to their production data so that the attacker can only see decoys.”
Manufacturers can also augment this with deception credentials that lead attackers to decoys, explains Crandall. “They can also add decoys that appear as the production assets, so as an attacker scans the network for hosts and services to exploit, they are led to a high-interaction decoy that will engage with them, slow their attack, and raise an alert so that the infected system can be isolated from the network,” she says. “There is no other security control that has this high of an impact ratio in derailing a ransomware attack and efficiently detecting an adversary's activities as they try to swim upstream in their attack.”
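The detection logic Crandall describes rests on one property: a planted credential or decoy share has no legitimate use, so any authentication with it or access to it is, by construction, an attacker (or a misconfigured script) and pinpoints the source host to isolate. The following Python is an added, illustrative example written for this article; it is not Attivo's EDN code and makes no claim about how that product works internally. It assumes Windows Security events exported as one JSON object per line with the standard field names (EventID, TargetUserName, SubjectUserName, IpAddress, WorkstationName, ShareName). The decoy account names, share names, hostnames, IP addresses and the sample log itself are constructed for the example, and the severity policy is a hypothetical one.

```python
"""Decoy-engagement detection over Windows Security event records.

Added illustrative example for this article; it is not Attivo's EDN code.
Assumes events exported as one JSON object per line carrying the standard
Windows Security event fields (EventID, TargetUserName, SubjectUserName,
IpAddress, WorkstationName, ShareName). All account names, share names,
hosts and addresses below are hypothetical/constructed.
"""
import json

# Hypothetical deception inventory. These accounts and shares are bait only:
# nothing legitimate ever uses them, so any touch is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_sa_legacy"}
DECOY_SHARES = {r"\\*\finance_archive", r"\\*\plc_configs"}

# Event IDs in which TargetUserName names the account being authenticated:
# 4624 success, 4625 failure, 4648 explicit-credential logon, 4768/4771 Kerberos TGT.
LOGON_EVENT_IDS = {4624, 4625, 4648, 4768, 4771}
SHARE_ACCESS_EVENT_ID = 5140  # network share object accessed

# Constructed sample log: one workstation tries a harvested decoy credential
# and then walks the file shares; an HMI host does only legitimate work.
SAMPLE_LOG = r"""
{"EventID":4624,"TargetUserName":"jsmith","IpAddress":"10.10.5.23","WorkstationName":"ENG-WS07","LogonType":3}
{"EventID":4625,"TargetUserName":"svc_backup_admin","IpAddress":"10.10.5.23","WorkstationName":"ENG-WS07","LogonType":3}
{"EventID":4624,"TargetUserName":"svc_backup_admin","IpAddress":"10.10.5.23","WorkstationName":"ENG-WS07","LogonType":3}
{"EventID":5140,"SubjectUserName":"svc_backup_admin","IpAddress":"10.10.5.23","ShareName":"\\\\*\\finance_archive"}
{"EventID":5140,"SubjectUserName":"jsmith","IpAddress":"10.10.5.23","ShareName":"\\\\*\\plc_configs"}
{"EventID":4624,"TargetUserName":"operator1","IpAddress":"10.20.1.5","WorkstationName":"HMI-03","LogonType":2}
{"EventID":5140,"SubjectUserName":"operator1","IpAddress":"10.20.1.5","ShareName":"\\\\*\\historian"}
"""


def parse_events(text):
    """Parse newline-delimited JSON; skip blank lines and malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken export line must not silence the detector
    return events


def decoy_hit(event):
    """Return a label for the decoy this event touched, or None."""
    eid = event.get("EventID")
    if eid in LOGON_EVENT_IDS and event.get("TargetUserName") in DECOY_ACCOUNTS:
        return "account:" + event["TargetUserName"]
    if eid == SHARE_ACCESS_EVENT_ID and event.get("ShareName") in DECOY_SHARES:
        return "share:" + event["ShareName"]
    return None


def detect_decoy_engagement(events):
    """Group decoy touches by source address so the host can be isolated.

    Severity is an example policy: one decoy touched is 'medium'; two or more
    distinct decoys from the same source looks like discovery/lateral movement
    and is 'high'. A failed logon with a decoy credential counts the same as a
    successful one: the attacker has already harvested and tried the bait.
    """
    alerts = {}
    for ev in events:
        hit = decoy_hit(ev)
        if hit is None:
            continue
        src = ev.get("IpAddress", "unknown")
        entry = alerts.setdefault(src, {"decoys": set(), "hosts": set(), "events": 0})
        entry["decoys"].add(hit)
        if ev.get("WorkstationName"):
            entry["hosts"].add(ev["WorkstationName"])
        entry["events"] += 1
    for entry in alerts.values():
        entry["severity"] = "high" if len(entry["decoys"]) >= 2 else "medium"
    return alerts


def isolation_candidates(alerts):
    """Source addresses to quarantine, highest severity first."""
    order = {"high": 0, "medium": 1}
    return sorted(alerts, key=lambda ip: (order[alerts[ip]["severity"]], ip))


if __name__ == "__main__":
    found = detect_decoy_engagement(parse_events(SAMPLE_LOG))
    for ip in isolation_candidates(found):
        a = found[ip]
        print(f"{a['severity'].upper()} {ip} hosts={sorted(a['hosts'])} "
              f"decoys={sorted(a['decoys'])} events={a['events']}")
```

Run against the constructed log, the detector flags only 10.10.5.23 (ENG-WS07): it tried the decoy service account once unsuccessfully and once successfully, then opened two decoy shares, which the example policy scores as high and nominates for isolation, while the HMI host touching only real shares produces nothing. The practical caveats are that the decoy inventory itself must stay out of any production script, backup job or vulnerability scanner (otherwise legitimate automation trips the alert and the high fidelity is lost), and that the source address of a 5140 event is the SMB client, so an attacker pivoting through a jump host will point you at that host first.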