The increased risk of cyberattacks against manufacturing organizations - 2018 Spotlight Report - Vectra AI
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
I am artificial intelligence.
The driving force behind the hunt for cyberattackers.
I am Cognito.
The increased risk
of cyberattacks against
manufacturing organizations
2018 Spotlight Report
TABLE OF CONTENTS
Manufacturing enterprises and Industry 4.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Analysis of cyberattacker behaviors in the manufacturing industry.. . . . . . . . . . 4
Cyberattack severity.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Botnet attack behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Command-and-control behaviors.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Internal reconnaissance behaviors.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Lateral movement behaviors.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Exfiltration behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Vectra | The increased risk of cyberattacks against manufacturing organizations | 2
Manufacturing organizations today rely on countless devices that Manufacturing enterprises and Industry 4.0
are wirelessly connected, including numerous industrial internet-
The massive effort to automate real-time data collection across
of-things (IIoT) devices and others that integrate information
the manufacturing supply chain is known as Industry 4.0. It
technology (IT) with operational technology (OT).
involves the integration of digital systems, IIoT devices and cloud
Without air-gapped industrial control systems, which are being computing resources in the manufacturing supply chain.
replaced by cloud-based digital systems, these connections create
This new digital supply chain is driven by the integration of
a massive attack surface that is easy for cybercriminals to infiltrate
IT with OT – known as IT/OT convergence – and is
with the intent to spy, spread and steal.
increasing exponentially.
Visibility into these internal connected systems is necessary to
curtail the extent of damage from a cyberattack. Manufacturing
security operations now require automated, real-time analysis of
entire networks to proactively detect and respond to in-progress
threats before they do damage.
Source: Deloitte Deloitte University Press | dupress.deloitte.com
Vectra | The increased risk of cyberattacks against manufacturing organizations | 3Industry 4.0 brings with it a new operational risk for connected,
smart manufacturers and digital supply networks. The When attackers succeed: Data
interconnected nature of Industry 4.0-driven operations and the breaches in manufacturing
pace of digital transformation mean that cyberattacks can have far The 2018 Verizon Data Breach Industry Report provides
more damaging effects than ever before, and manufacturers and insight into the potential intent and motives behind
their supply networks may not be prepared for the risks. cyberattacks in the manufacturing industry.
For cyber-risk to be adequately addressed in the age of Industry
State-affiliated attackers: 53% of
4.0, manufacturing organizations need to ensure that proper
breaches in manufacturing
visibility and response capabilities are in place to detect and
respond to events as they occur. Manufacturing capabilities are closely related to the health
of a nation’s economy. Many nation-states want to give their
The information in this spotlight report is based on observations companies an edge. State-sponsored attackers caused more
and data from the 2018 Black Hat Edition of the Attacker Behavior than half of the data breaches in manufacturing.
Industry Report from Vectra®. The report reveals attacker behaviors
and trends in networks from over 250 opt-in customers in The most common types of data stolen were personal (32%),
manufacturing and eight other industries. secrets (30%) and credentials (24%), according to the
Verizon report.
From January-June 2018, the Cognito™ cyberattack-detection
and threat-hunting platform from Vectra monitored network Cyberespionage: 31% of breaches
traffic and collected rich metadata from more than 4 million in manufacturing
devices and workloads from customer cloud, data center and
Along with state-sponsored attacks, there was growth in
enterprise environments.
cyberespionage. Espionage was the leading motive behind
The analysis of this metadata provides a better understanding breaches in manufacturing.
about attacker behaviors and trends as well as business risks,
This trend is reaffirmed when looking at the actor motive.
enabling Vectra customers to avoid catastrophic data breaches.
While 53% of attempted attacks against the manufacturing
industry had a financial motive, 47% of attempts were
Analysis of cyberattacker behaviors in the
motivated by espionage, according to the Verizon report.
manufacturing industry
Rich metadata from the Vectra Cognito platform revealed a high Servers: 58% of breaches in
volume of malicious internal reconnaissance and lateral movement manufacturing
behaviors among manufacturing organizations. These behaviors
At least one server was compromised in more than half of
are critical phases in the cyberattack lifecycle during which
the data breaches in manufacturing, according to the
cybercriminals spy, spread and steal inside the network.
Verizon report. Opportunistic attacks usually stick to
endpoints and IoT devices, while attackers who are intent on
stealing intellectual property and mapping-out critical assets
target servers.
Vectra | The increased risk of cyberattacks against manufacturing organizations | 4This Spotlight Report raises three important issues:
1. The most common types of cyberattacks found in manufacturing organizations.
2. The malicious behaviors and actions behind these cyberattacks.
3. The business risks associated with these attacker behaviors.
800
700
600
500
55 98
53
400
120
126
122
300 22
30
96 143 33
118 101
200 137 88
91
70
62
100 170 165
99 121 96 84
0
January February March April May June
Botnet per 10,000 C&C per 10,000 Recon per 10,000
Lateral per 10,000 Exfil per 10,000
Figure 1: Attacker detections across all industries per 10,000 host devices
The volume of attacker detections per 10,000 host devices across all industries indicates that the numbers of malicious command-and-
control, reconnaissance and lateral movement behaviors are relatively equal to each other within each industry.
800
700 60
70
600
169
43 282
500
50 50
148
400
105 145 142
300 307
214
241
200 208
173
183
100 161
139
96 99 84 96
0
January February March April May June
Botnet per 10,000 C&C per 10,000 Recon per 10,000
Lateral per 10,000 Exfil per 10,000
Figure 2: Attacker detections in manufacturing per 10,000 host devices
Vectra | The increased risk of cyberattacks against manufacturing organizations | 5The monthly volume of attacker detections per 10,000 host devices In the past, manufacturers relied on more customized, proprietary
in the manufacturing industry shows a much higher volume of protocols, which made mounting an attack more difficult for
malicious internal behaviors. In many instances, there is a 2:1 ratio of cybercriminals. The conversion from proprietary protocols to
malicious behaviors for lateral movement over command-and-control. standard protocols makes it easier to infiltrate networks to spy,
spread and steal.
These behaviors reflect the ease and speed with which attacks can
proliferate inside manufacturing networks due to the large volume
Cyberattack severity
of unsecured IIoT devices and insufficient internal access controls.
The combination of malicious behaviors across the attack lifecycle
Most manufacturers do not invest heavily in security access and the context of specific behaviors is a strong threat indicator.
controls for business reasons. These controls can interrupt and The Cognito platform from Vectra correlates attacker behaviors to
isolate manufacturing systems that are critical for lean production compromised host devices, assigns a threat-severity score and
lines and digital supply chain processes. prioritizes the highest-risk threats.
Many factories connect IIoT devices to flat, unpartitioned networks
that rely on communication with general computing devices and
enterprise applications. These digital factories have internet-enabled
production lines to produce data telemetry and remote management.
300 293
250 245
239
210
200
187
156
150
100
85
65 66 63
54
50 46
39 39
32 34 34
31 28
27 25 27
19 23
0
January February March April May June
Critical severity per 10,000 High severity per 10,000 Medium severity per 10,000 Low severity per 10,000
Figure 3: Threat-severity scores in manufacturing per 10,000 host devices
Vectra | The increased risk of cyberattacks against manufacturing organizations | 6Botnet attack behaviors
Botnets represent opportunistic attacks that are not targeted at specific organizations. While botnet attacks persist everywhere, their occurrence is
not significant in manufacturing and is more often associated with user desktops that browse the web.
8
7 1
0
0
6
0
5
1 3 1
0
4 0 4
3 2
3
3
2 1
3
1 2
2
1
1
0 1
0
January February March April May June
Abnormal ad activity Abnormal web activity Cryptocurrency mining Brute-force attack
Figure 4: Botnet attack behaviors in manufacturing per 10,000 host devices
Command-and-control behaviors
The use of external remote access tools is the most common command-and-control behavior in manufacturing, which is shown in green in
Figure 5. External remote access occurs when an internal host device connects to an external server.
80
4
2 2
70
3 3
17 2 2
60 24
18
22
50
21
40 17
3 18
13
2
30 2
10
6
3 3
20
34
31
26 27
10 20 31
0
January February March April May June
External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel
Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions
Stealth HTTP Post TOR Activity Threat Intelligence Match CnC Suspicious Relay
Figure 5: Command-and-control behaviors in manufacturing per 10,000 host devices
Vectra | The increased risk of cyberattacks against manufacturing organizations | 7In this instance, the behavior is inverse from normal outbound Internal reconnaissance behaviors
client-to-server traffic. The client receives instructions from the
Vectra observed a spike in internal reconnaissance behaviors in
external server, and a human on the outside controls the exchange.
manufacturing due to internal darknet scans and SMB account
While external remote access is common in manufacturing scans, as shown in Figure 6. Internal darknet scans occur when
operations, it introduces risk. Cyberattackers also perform internal host devices search for internal IP addresses that do not
external remote access, but with the intent to disrupt industrial exist on the network.
control systems.
An SMB account scan occurs when a host rapidly makes use of
Additionally, IIoT devices can be used as a beachhead to launch multiple accounts via the SMB protocol, which can be used for file
an attack. Once an attacker establishes a foothold in IIoT sharing, RPC and other lateral movement.
devices, it is difficult for network security systems to identify the
Manufacturing networks consist of many gateways that
backdoor compromise.
communicate with smart devices and machines. These
Consequently, IIoT devices collectively represent a vast, gateways are connected to each other in a mesh topology to
easy-to-penetrate attack surface that enables cybercriminals to simplify peer-to-peer communication. Cyberattackers leverage
perform internal reconnaissance, with the goal of stealing critical the same self-discovery used by peer-to-peer devices to map
assets and destroying infrastructure. a manufacturing network in search of critical assets to steal
or damage.
350
300
63
50 46
250
30
36
200
16
111
111
129
95
150 65 132
19 10
14 14
100
20 16
8 8 10
15
50 79 88 80
60 62
42
12 13 11 10 11 10
0
January February March April May June
File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan
Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query
Figure 6: Internal reconnaissance behaviors in manufacturing per 10,000 host devices
Vectra | The increased risk of cyberattacks against manufacturing organizations | 8Lateral movement behaviors
Lateral movement occurs when connected systems and devices communicate with each other across the network. Figure 7 shows a high
level of activity associated with authentication, with SMB brute-force behaviors being the most common.
SMB brute-force behaviors occur when an internal host utilizes the SMB protocol to make multiple login attempts for the same user
account, which most often fail. Vectra observed a high volume of automated replication, which indicates an internal host device is sending
similar payloads to several internal targets.
IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping across non-critical and critical
subsystems, until they find a way to complete their exploitative missions.
It is critical to maintain visibility into all internal connected systems to understand which are legitimate and which are attackers propagating
on the network.
180
160 14
13
140 14 11
36
26
120 21 22
13
10 9
9 8
100 23
13
80 7
29 62 57
59 62
60 36
7
40 14
5
4
20 34 34
26 30 29 29
0
January February March April May June
Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access
Ransomware File Activity Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack
SQL Injection Activity Suspicious Admin Suspicious Remote Desktop Threat Intelligence Match Lateral
Suspicious Kerberos Account Suspicious Kerberos Client
Figure 7: Lateral movement behaviors in manufacturing per 10,000 host devices
Vectra | The increased risk of cyberattacks against manufacturing organizations | 9Exfiltration behaviors
Among exfiltration behaviors, data smuggling was the most prevalent in the manufacturing industry. With data smuggling, an internal host
device controlled by an outside attacker acquires a large amount of data from one or more internal servers and then sends a large data
payload to an external system.
80
70
10
6
60
6
5
50
40 4
30 58 59
49 51
20 37
10 4
9
0
January February March April May June
Data Smuggler Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab
Figure 8: Exfiltration behaviors in manufacturing per 10,000 host devices
Conclusion
Driven by Industry 4.0 initiatives, more manufacturing processes are becoming automated and connected to the cloud, resulting in big
improvements for speed and efficiency of industrial production.
But the IT/OT convergence in manufacturing – along with unpartitioned networks, insufficient access controls and the proliferation of IIoT
devices – has created a massive and vulnerable attack surface that cybercriminals can exploit to steal intellectual property and disrupt
business operations.
Consequently, a higher-than-normal rate of malicious internal reconnaissance behaviors indicates that attackers are mapping-out
manufacturing networks in search of critical assets to steal or damage. And the abnormally high level of lateral movement behaviors is a
strong indicator that attacks are proliferating inside the network.
To learn more about cyberattacker behaviors seen in other real-world cloud, data center and enterprise environments, get the 2018 Black
Hat Edition of the Attacker Behavior Industry Report from Vectra.
Vectra | The increased risk of cyberattacks against manufacturing organizations | 10I am artificial intelligence.
The driving force behind the hunt for cyberattackers.
I am Cognito.
Emailinfo@vectra.ai Phone +1 408-326-2020
vectra.ai
© 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo and Security that thinks are registered trademarks and Cognito, Cognito Detect, Cognito Recall, the Vectra Threat
Labs and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.You can also read
