Tactics and techniques of the bad guys in SCI
The joint integration of Information Technologies (IT) and Operational Technologies (OT), in addition to the growth of Industry 4.0, is generating a wealth of possibilities and benefits in industrial networks. On the other hand, and due to the importance, that ICS are acquiring in critical infrastructures, it is increasingly common for industrial control systems to be the focus of attackers.
In the next illustration, its possible to see the different IT / OT levels and the subdivisions of which they are composed:
- Architecture IT / OT; Source -
OT systems, like IT systems, may contain vulnerabilities that can be exploited by attackers. Withing industrial control systems there are a large number of devices, including Human Machine Interfaces (HMI), electrical devices and Supervisory Control and Data Acquisition Systems (SCADA). These devices stand out as the most vulnerable in an ICS environment.
Currently, the most common vulnerabilities in industrial control systems are the following:
- CWE-121 Stack-Based Buffer Overflow: Such vulnerabilities consist of programming errors that could allow code to generate a buffer overrun and memory blocks to be overridden. Insufficient validation of input processes can lead to blocking of ICS programs. In the case of SCADA, HMI and DCS systems, successful exploitation of this vulnerability exposes these devices to other forms of industrial attacks. There are different strategies to mitigate this vulnerability, some of them are:
- Real-time detection systems.
- ‘Static-analysis’ techniques to identify vulnerabilities of this type.
- ‘Combined static/ run time’ technique: Combination of the two previous ones.
- Providers classification of the CWE-121 Stack-Based Buffer Overflow. Source -
- CWE-287 Improper Authentication: Authentication is used to identify the user in the systems within the network. In industrial control systems, it is very common for authentication systems to be weak or non-existent, allowing attackers to overcome or circumvent these authentication processes, thus gaining free access to the system. There are two basic methods to reduce these risks:
- Continuous updates of user databases.
- Include authentication processes in all areas.
- Inclusion of double authentication factors.
- CWE-522 Insufficiently Protected Credentials: Is one of the most common vulnerabilities in any device, network, or industrial control system. It is directly related to CWE-287. The use of passwords with a low level of security, few digits, shared with other platforms or equipment and few updates, are one of the most important causes of vulnerability in industrial control systems, allowing the attacker to gain control of the system or access the rest of the network.
The risks associated with this vulnerability can be reduced as follows:- Policy for creating robust credentials, with minimum requirements, such as length, inclusion of special characters or case sensitive.
- Scheduled and mandatory password updates, avoiding repeating a previously used password.
- CWE-400 Uncontrolled Resource Consumption: This type of vulnerability is very common in Programmable Logic Controllers (PLC). It consists of modifying the operation of the device, putting it at the limit in terms of resources used. Commonly these vulnerabilities result in an unexpected shutdown of the equipment or a reset and therefore, the interruption of the services controlled by the PLC. This vulnerability can be mitigated by the following techniques:
- Monitoring of these devices located in the OT layer of process control to detect any alteration of more than 5% of normal operation, as this could indicate exploitation of the vulnerability by an attacker.
- Segmentation of processes for faster and more exhaustive analysis in cases of vulnerability exploitation.
These are some of the most common vulnerabilities in industrial control systems. The tactics and techniques used by attackers to exploit these vulnerabilities will be detailed below. MITRE ATT&CK’s ICS Matrix comprehensively lists the objectives, methods and procedures that an attacker performs depending on his ultimate goal.
Tactics and techniques applied in a real case
This section will explain the tactics and techniques used by the attackers during a ransomware-type cyberattack known as Colonial Pipeline, which was carried out on an industrial control system, specifically on the oil derivatives distribution system of Colonial Pipeline, listed as one of the most important oil infrastructures in the United States.
The security incident was caused by the ransomware infection of several essential assets of the industrial process, which allowed the attackers to completely stop the supply of diesel, fuel oil and gasoline to the companies that depend on this process.
To take into account, the magnitude of the attack and to see the real impact, it should be noted that Colonial Pipeline operates a pipeline network of approximately 8500 km, supplying oil derivatives to 45% of the US East Coast.
The attack was orchestrated by the DarkSide group, known for its Ransomware as a Service (RaaS). DarkSide intrusion into Colonial Pipeline´s system allowed the theft of more than 100 GB of corporate data. This double theft or double extortion feature is a very important characteristic of this ransomware.
To get a better important understanding of the attack, below are the MITRE ATT&CK ICS Matrix tactics (in blue) and the MITRE ATT&CK Enterprise Matrix tactic (in green) used by DarkSide to carry out the attack.
In addition, below each tactic, the different attacks, software, and solutions used are presented.
- Tactics used by DarkSide; Source: MITRE Matrix ICS -
It will be proceeded to explain the four most important and specific tactics used in the Colonial Pipeline attack:
- Initial Access: Initial Access tactics were employed by DarkSide to gain access to the Colonial Pipeline system. Within this tactic, phishing and External Remote Services techniques were employed. Specifically, DarkSide used the Remote Desktop Protocol (RDP). In addition, the attack employed commonly used tools such as Metasploit and BloodHound for reconnaissance and PowerShell for reconnaissance and persistence.
- Lateral Movement y Privilege Escalation: This phase can be considered a discovery phase in any ransomware process. The goal with this tactic and its corresponding techniques is to gain access to the domain controller (DC), also called Active Directory. Through this, DarkSide managed to obtain credential at the same level, escalate privileges and acquire valuable assets for data exfiltration. Once credential was obtained at the horizontal level of almost all the devices at that level, there was already the possibility of deploying the ransomware on the other machines.
- Exfiltration: Using this tactic, attackers aim to exfiltrate critical files before the ransomware is lunched. The techniques used range from Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium to the use of Data Transfer Size Limits. In addition, and as can be seen in Illustration 3: Tactics used by DarkSide; Source: MITRE Matrix ICS, different solutions are used, such as puTTy, allowing network file transfer or Rclone, used to filter files to cloud storage. This step of the attack is one of the most important for defenders, since during this procedure, it is the moment when the defender will have the highest probability of detecting the attack.
- Impact: This tactic involves the execution of the ransomware. The use of PowerShell is essential to install and operate the ransomware itself. The DarkSide group employs two encryption methods depending on the operating system of the infected computers. These ciphers are usually RSA-4096 on Linux or RSA-1024 on Windows.
- MITRE ATT&CK tactics and techniques employed; Source: MITRE Matrix ICS -
Conclusiones
Although the tactics, techniques and solutions used during this attack may vary in other cyberattacks, it is of vital importance for industrial control systems to have all this information, and once the type of attack is detected, to have knowledge of all the tactics and techniques with their due explanation to try to mitigate the attack or even manage to evade it.
In a world like that of industrial control systems, which is constantly evolving, the ability to have all the information on similar or even identical attacks in a database, such as MITRE ATT&CK, can mean a before and after in the defense against cyber-attacks.