A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks
Alex Leemon, Sr. Manager
The New Cyber Battleground: Inside Your Network
- Over 90% of organizations have been breached
- In the past: "I can stop everything at the perimeter." Today: "I can't stop anything at the perimeter."
- Information and process security focus shifts to inside the network
- Over 35% of breaches are internal, driven by malicious and unintentional insiders
- Compromised credentials empower any attacker to act as an insider
- Compliance and audit requirements focus on privileged accounts
- Privileged accounts provide access to the most sensitive and valuable assets
- Information exposure damages brand reputation and customer confidence
Critical Infrastructure is a Target
A world full of attackers: Nation States, Criminals, Hacktivists, Employees, Third-Party Vendors
Motivation: Industrial Espionage, Political Protest, Financial Gain, Environmental Activism, Blackmail or Retaliation, Job Security, Fun
Critical Infrastructure is a Target (continued)
"I fully expect that during my tenure as commander of the U.S. Cyber Command there will be offensive activity directed against critical infrastructure of the United States designed to damage, destroy, or manipulate."
Mike Rogers, Director of the National Security Agency, Reuters Cybersecurity Summit, May 2014
Known Attacks on Industrial Control Systems (ICS)
- Steel Mill, Germany (spear-phishing attack): Hackers worked their way into the production networks to access plant automation equipment. They disrupted the control systems, which resulted in massive physical damage.
- Energy Info Mgmt. Co., Canada (remote access compromised in supply chain): Attackers stole project files related to a remote administration and SCADA information management software. The company maintains that customers were not affected.
- Oil & LNG Co., Middle East (industrial malware): A spear-phishing attack compromised 30,000 computers with the Shamoon virus. This virus's express purpose was the crippling of this oil and natural gas company.
The New Cyber Battleground: Inside Your Network (figure: Typical Lifecycle of a Cyber Attack)
Privilege is at the Center of the Attack Cycle (figure: Typical Lifecycle of a Cyber Attack)
Privileged Accounts: Keys to the IT Kingdom
Sought by both external attackers and malicious insiders
Privileged Credentials Are Everywhere
Privileged accounts exist on:
- Routers, Firewalls, Hypervisors, Databases, Applications
- Routers, Firewalls, Servers, Databases, Applications
- Power Plants, Factory Floors
- Laptops, Tablets, Smartphones
Privileged Credentials Are Everywhere (continued)
Organizations typically have 3-4x more privileged accounts than employees.
Hijacked Credentials Put the Attackers in Control
Compromised privileged accounts on:
- Routers, Firewalls, Hypervisors, Databases, Applications
- Routers, Firewalls, Servers, Databases, Applications
- Power Plants, Factory Floors
- Laptops, Tablets, Smartphones
Hijacked Credentials Put the Attackers in Control (continued)
Compromised privileged accounts enable attackers to:
- Bypass security controls and monitoring
- Access all of the data on the device
- Disrupt normal operation of the device
- Cause physical damage
The Common Thread: Privileged Accounts
The same three ICS incidents shown earlier, each of which turned on privileged access:
- Steel Mill, Germany (spear-phishing attack)
- Energy Info Mgmt. Co., Canada (remote access compromised in supply chain)
- Oil & LNG Co., Middle East (industrial malware, Shamoon)
Privileged Account Security Breaks the Attack Chain (figure: Typical Lifecycle of a Cyber Attack)
A New Critical Security Layer
- Perimeter Security
- Security Controls Inside the Network
- Monitoring
- Privileged Account Security
The Role of Privilege
The role of privilege in the attack:
- Attackers stole passwords to gain an initial foothold
- Passwords were embedded in the worm to facilitate its rapid spread
- The worm used account access to spread and cause destruction
Could this have been prevented?
- Possibly; speculation is that a privileged insider may have been involved
- The initial attack may not have been preventable
- The extent of the damage could have been greatly reduced
CIP-005-5 R2: Electronic Security Perimeter(s), Interactive Remote Access Management
- R2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset
- R2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System
- R2.3 Require multi-factor authentication for all Interactive Remote Access sessions
Beyond regulatory compliance: protect your organization against advanced security threats.
Best Practice Methodology to Reduce Impact
- Lock Down Credentials: protect privileged passwords and SSH keys
- Isolate & Control Sessions: prevent malware attacks and control privileged access
- Continuously Monitor: implement continuous monitoring across all privileged accounts
The initial breach may not have been preventable, but proactive controls coupled with advanced detection would have significantly limited the resulting damage.
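The three CIP-005-5 R2 parts and the "continuously monitor" step above can be turned into a routine audit: for every interactive remote-access session into the Electronic Security Perimeter, check that it traversed an approved Intermediate System, that its encryption terminated there, and that multi-factor authentication was used. The following script is an added example written for this page, not code from the presentation or from CyberArk; the host names, the key=value log format, the field names and the sample records are all constructed assumptions used for illustration.

```python
"""Audit interactive remote-access session records against the three
CIP-005-5 R2 parts (Intermediate System, encryption terminating there, MFA)
and report findings a monitoring team can act on.

Added example. The log format, host names and field names are constructed
assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory (assumption): approved Intermediate Systems (jump hosts)
# and the applicable Cyber Assets inside the Electronic Security Perimeter (ESP).
INTERMEDIATE_SYSTEMS = {"jump01.corp.example", "jump02.corp.example"}
ESP_ASSETS = {"hmi01.plant.example", "plc-gw01.plant.example"}


@dataclass(frozen=True)
class Session:
    sid: str
    user: str
    initiator: str               # Cyber Asset that started the session (e.g. a laptop)
    intermediate: Optional[str]  # jump host traversed, or None if the session went direct
    destination: str             # asset that was accessed
    enc_endpoint: Optional[str]  # host where the initiator's encrypted tunnel ends; None = cleartext
    mfa: bool


def _none_if_dash(value: str) -> Optional[str]:
    """In the constructed format a lone '-' means 'not present'."""
    return None if value == "-" else value


def parse_line(line: str) -> Session:
    """Parse one constructed 'key=value' session record into a Session."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Session(
        sid=kv["sid"],
        user=kv["user"],
        initiator=kv["initiator"],
        intermediate=_none_if_dash(kv["intermediate"]),
        destination=kv["destination"],
        enc_endpoint=_none_if_dash(kv["enc_endpoint"]),
        mfa=kv["mfa"] == "yes",
    )


def check_session(s: Session) -> List[str]:
    """Return the R2 findings for one session; an empty list means compliant."""
    if s.destination not in ESP_ASSETS:
        return []  # R2 applies only to Interactive Remote Access into the ESP
    findings: List[str] = []
    # R2.1: the initiating asset must not reach the ESP asset directly
    if s.intermediate is None or s.intermediate not in INTERMEDIATE_SYSTEMS:
        findings.append("R2.1: initiator reached ESP asset without an approved Intermediate System")
    # R2.2: the session must be encrypted, and the encryption must terminate at the Intermediate System
    if s.enc_endpoint is None:
        findings.append("R2.2: session is not encrypted")
    elif s.enc_endpoint != s.intermediate:
        findings.append("R2.2: encryption terminates at %s, not at the Intermediate System" % s.enc_endpoint)
    # R2.3: multi-factor authentication is mandatory
    if not s.mfa:
        findings.append("R2.3: session authenticated without multi-factor authentication")
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Run the checks over a batch of records; returns {sid: findings} for non-compliant sessions only."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        session = parse_line(line)
        findings = check_session(session)
        if findings:
            results[session.sid] = findings
    return results


# Constructed sample records (assumption): one compliant ESP session (s1), a direct
# connection bypassing the jump host (s2), an unencrypted vendor session without
# MFA (s3), and a corporate file-share session outside the ESP (s4).
SAMPLE_LOG = [
    "ts=2024-05-01T10:12:03Z sid=s1 user=alice initiator=wks-17.corp.example intermediate=jump01.corp.example destination=hmi01.plant.example enc_endpoint=jump01.corp.example mfa=yes",
    "ts=2024-05-01T10:15:44Z sid=s2 user=bob initiator=wks-22.corp.example intermediate=- destination=plc-gw01.plant.example enc_endpoint=plc-gw01.plant.example mfa=yes",
    "ts=2024-05-01T10:20:10Z sid=s3 user=vendor1 initiator=vpn-pool-9.example intermediate=jump02.corp.example destination=hmi01.plant.example enc_endpoint=- mfa=no",
    "ts=2024-05-01T10:31:55Z sid=s4 user=carol initiator=wks-05.corp.example intermediate=jump01.corp.example destination=fileshare.corp.example enc_endpoint=- mfa=no",
]

if __name__ == "__main__":
    for sid, findings in audit(SAMPLE_LOG).items():
        print(sid)
        for finding in findings:
            print("  -", finding)
```

Run against the sample records, the audit reports s2 (no Intermediate System, and its encryption therefore ends on the PLC gateway rather than a jump host) and s3 (cleartext and no MFA), while s1 passes and s4 is ignored because a corporate file share is not an applicable Cyber Asset. Feeding the same check a daily export of real session records is the "continuously monitor" step in practice; the inventory sets are the part that has to be kept accurate for the findings to mean anything.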
Thank you
Alex Leemon, Alex.leemon@CyberArk.com