Our recent announcement of PAN-OS 8.0 provides scalable prevention through automation, speed and accuracy – three areas by which all cybersecurity deployments should be measured.
Traditional security implementations require too much manual intervention, fail to stop attacks in time, and hinder business with numerous false positives. To address these shortcomings, Palo Alto Networks spearheaded the concept of prevention with the fully integrated and increasingly automated Next-Generation Security Platform to prevent successful cyberattacks. Thanks to the enhanced features available in PAN-OS 8.0, security teams responsible for IT/OT can now scale their capabilities, automate security enforcement, and prevent user identities from being compromised. This can be done quickly and accurately, and without unnecessary manual intervention, allowing your organization to be more secure in all locations.
Tactics Used to Attack ICS
Over the last several years, there have been several successful phishing attacks against industrial controls infrastructures. Most of these attacks obtained valid corporate credentials to the enterprise network, which has proven to be a common factor in the success of these phishing attacks.
Typically, ICS/SCADA are not directly connected to the internet, although there are sometimes exceptions. In most instances, the organization’s enterprise networks sit in front of the production environments. They are providing mission-critical services, the most valuable being network security, from both the internet and intranet, to and from the ICS.
Obtaining valid credentials allows attackers to circumvent enterprise network security solutions without arousing suspicions. This allows the attackers the time to learn and exploit the attached industrial control systems. Sometimes the attacks were just hacktivists working to bring awareness of the vulnerable state of these systems to public attention; for example, the attack on the Water & Sewer Department in Texas, back in November 2011.
Let’s take, for another example, an act of cybercrime, like the incident reported by F-Secure in which CryptoWall, a variant of CryptoLocker, infected a concrete manufacturer in April 2015. A further example was the direct act of cyber terrorism on the Ukrainian power grid later that year in December. It is becoming clear that hacktivists, cybercriminals and cyberterrorists have developed an interest in industrial automation and control systems (IACS).
After Stuxnet, there were significant breaches of companies’ control environments: the Kemuri Water Company (2016) and the German Steel Mill (2014). These breaches were accomplished by pivoting through the enterprise network by way of some form of phishing attack. Credential theft is one of the leading vectors to a data breach. One reason is the majority of organizations continue to use password-based credentials as the primary means of securing user access. It is much easier for an attacker to steal passwords than it is to find and hack a vulnerable system. Thus, password-stealing techniques are used by a broad spectrum of attackers to breach organizations, compromise their networks, and steal critical data from internal data centers and the cloud. In instances where the company happens to own and operate industrial control and SCADA systems, this lack of detection affords the adversary the time and opportunity needed to find, learn, disable or destroy operational infrastructure.
Because attacks of this nature are increasing, companies and their users must remain vigilant and aware and they must defend against the many forms of phishing attacks launched against them.
The attacks may be as simple as luring a user to a fake enterprise login on a similar-looking domain, a tactic known as “deceptive phishing,” or standing up fake Outlook Web Access (OWA) or single sign-on authentication pages, using the more personalized “spear phishing” technique. The objective is the same either way: to trick the user into clicking the malicious attachment or URL and willingly hand over personal data.
Now that industries have become more mindful of these deceptive practices, attackers have begun developing and deploying tactics that are more obfuscated, like “pharming,” a form of domain name system (DNS) cache poisoning. In this type of phishing attack, instead of baiting a potential victim with an email or attachment, they are redirected to a phony website and asked to supply necessary login information.
Another tactic with significant obfuscation is to craft attack emails directed to an identified cloud-based services company and its users, like Dropbox or Google Docs. In all instances of Dropbox and Google Docs phishing attacks, attempts were made to lure users to enter their login credentials on fake sign-in pages hosted by these services providers – a clever tactic even the most diligent security practitioner could fall prey to, since the certificates and SSL connections are being provided by the service being exploited.
The 2016 Verizon Data Breach Investigation Report stated both the frequency and level of sophistication of phishing attacks are increasing and pose a significant threat to all organizations, especially those operating with critical infrastructures.
An obvious, yet not so simple, first step in securing the ICS ecosystem is to secure the business network.
Phishing Attack Prevention
The most damaging breaches related to ICS/SCADA involved the use of stolen enterprise credentials at some stage of the attack. Attackers consistently find that it is easier to move throughout the network as a valid user than it is to find and exploit vulnerable systems. Passwords have remained one of the weakest links in security for years. It is easier than ever to phish for passwords, and multi-factor authentication’s cost and complexity has limited its footprint in the organization. Additionally, the use of multi-factor authentication technology is currently not an ideal fit with IACS.
Prevent Phishing Site Access, Five-Minute Updates
PAN-OS 8.0 brings a robust new defense against credential theft by identifying and blocking password phishing attacks as they are attempted. The firewall analyzes login actions to identify valid corporate credentials being sent to illegitimate websites and prevents the attacker from obtaining credentials that can be used to enter or move throughout the network. Newly discovered phishing sites are then categorized by PAN-DB within five minutes, blocking access to these malicious sites entirely.
In the event the adversary is already in possession of stolen credentials or already has a presence within the network, PAN-OS 8.0 neutralizes the attacker by requiring secure multi-factor authentication before granting access to sensitive resources. Enforcing policy-based multi-factor authentication at the network layer applies strong authentication requirements for all sensitive applications, including those that cannot natively integrate with third-party authentication services, like many found within a process controls network. Enabling this feature limits an attacker’s ability to move freely throughout the network without having to secure each application individually.
These new capabilities work together to neutralize the problem of credential theft and abuse by preventing the adversary from phishing for credentials and using stolen credentials to move laterally throughout the network. This, in turn, helps to secure ICS/SCADA environments.
To learn more about PAN-OS 8.0 and other enhancements made to the Next-Generation Security Platform, visit the What’s New in PAN-OS 8.0 page or contact your Sales Account Manager for details.
[Palo Alto Networks Research Center]