Lessons Learned from the Ukraine Blackout: 5 Best Practices for Locking Down Privileged Accounts


CyberArk cybersecurity researcher Lavi Lazarovitz wrote about some of the key steps the attackers took to cause a blackout in Ukraine. By examining that attack path, we have identified five best practices for locking down privileged access that, when followed, help to mitigate this kind of risk:

  1. Proactively secure all privileged and ICS credentials: From the IT admin accounts compromised in the early phases of the attack to the VPN accounts used to connect to the OT network, the utility companies should have had stronger controls in place to limit access to these powerful accounts. In addition, proactive scans for privileged accounts and credentials, including the SSH authorized_keys files on each host, could have helped the companies detect and remove the unauthorized SSH keys the attackers added to establish persistent access. A key that nobody in the account inventory can vouch for is a finding, whatever comment it carries.
  2. Rotate admin credentials after each use: Frequent rotation limits lateral movement by invalidating credentials that may already have been captured. In this case, even if the attackers harvested admin credentials from the infected endpoints, passwords rotated after each use would have been useless by the time the attackers tried to reuse them. Rotation does not terminate a session an attacker already holds, so it complements, rather than replaces, session monitoring.
  3. Establish a single, controlled access point into ICS systems: In ICS environments, particularly those controlling critical infrastructure such as energy, transportation or water, organizations must do everything they can to limit and control access to systems. By forcing all ICS users through a single access point, requiring multi-factor authentication there, and closing down every other route into the control systems, companies reduce the attack surface of critical systems, control exactly who can reach which systems, and limit the permissions each operator has on each system. With all traffic flowing through one location, organizations can also monitor and audit exactly who did what, and gain the opportunity to detect attacks before they become serious.
  4. Monitor privileged account use to detect anomalies: In this case, the attackers avoided detection for months by masquerading as legitimate users with authorized credentials. Their behavior, however, was likely very different from that of the real users, in ways a baseline would expose: for example, logins at unusual hours, from unfamiliar sources, or to systems those accounts do not normally touch. Behavioral analytics tools baseline each privileged account's normal activity, flag deviations from it, and alert security teams to possible attacks in progress. Had the utility companies been monitoring privileged account behavior in this way, they would likely have detected the attackers well in advance of the blackout and the destruction of systems.
  5. Control applications to reduce the risk of malware-based attacks: By controlling application permissions on endpoints and servers, organizations reduce the damage malware can do. For example, had untrusted applications been blocked from accessing files, the KillDisk malware would not have been able to overwrite files throughout the IT environment, significantly limiting the damage to IT systems.
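
The scan described in the first practice, as an added example that is not code from the original post or from CyberArk: it parses authorized_keys text (including entries that begin with options such as command="..."), computes each key's SHA256 fingerprint the way OpenSSH displays it, and reports every key the privileged-account inventory has not approved. The inventory, the key blobs and the sample authorized_keys content are constructed here; nothing is read from a real host.

```python
"""Audit an authorized_keys file against the approved public keys recorded in a
privileged-account inventory. Added example for the 'proactively secure all
privileged and ICS credentials' practice above; it is not code from the
original post or from CyberArk. The inventory, the key blobs and the sample
authorized_keys text are all constructed for illustration."""
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys. Used to find the key blob on a
# line that may begin with options such as command="..." or from="...".
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

@dataclass
class KeyEntry:
    line_no: int
    key_type: str
    fingerprint: str
    options: str   # forced command, from=, no-pty, ... (quotes stripped)
    comment: str   # usually who the key belongs to; empty is itself suspicious

def parse_authorized_keys(text: str):
    """Return (key entries, numbers of lines that could not be parsed)."""
    entries, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)  # keeps quoted option values together
        except ValueError:                  # unbalanced quotes
            malformed.append(line_no)
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            malformed.append(line_no)
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:                  # not valid base64 (binascii.Error subclasses it)
            malformed.append(line_no)
            continue
        entries.append(KeyEntry(line_no, tokens[idx], fp,
                                " ".join(tokens[:idx]), " ".join(tokens[idx + 2:])))
    return entries, malformed

def audit_authorized_keys(text: str, approved_fingerprints: set) -> list:
    """Return the keys present on the host that the inventory does not approve."""
    entries, _ = parse_authorized_keys(text)
    return [e for e in entries if e.fingerprint not in approved_fingerprints]

# ---- constructed sample data ------------------------------------------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_ed25519_blob(point: bytes) -> str:
    """Syntactically valid ssh-ed25519 public key blob (wire format: string
    "ssh-ed25519", string <32-byte point>). The bytes are test data, not a real key."""
    if len(point) != 32:
        raise ValueError("an ed25519 public key is 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()

# Public key the (hypothetical) inventory has approved for root on this host.
APPROVED_KEYS = [make_ed25519_blob(bytes(range(32)))]
APPROVED_FINGERPRINTS = {fingerprint(k) for k in APPROVED_KEYS}

# Constructed /root/.ssh/authorized_keys: the approved key, a forced-command key
# nobody registered, and a bare key with no comment at all.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by ops (constructed sample)",
    f"ssh-ed25519 {APPROVED_KEYS[0]} ops-admin@jump01",
    "",
    f'command="/usr/local/bin/backup",no-pty ssh-ed25519 {make_ed25519_blob(bytes([7] * 32))} backup',
    f"ssh-ed25519 {make_ed25519_blob(bytes([0xAB] * 32))}",
])

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {e.line_no}: unapproved {e.key_type} {e.fingerprint} "
              f"options={e.options!r} comment={e.comment!r}")
```

In practice the approved-fingerprint set comes from the account inventory or vault, and the same walk is run over every authorized_keys file the host honours (including any AuthorizedKeysFile paths set in sshd_config) rather than over one embedded string. Malformed lines are reported separately rather than silently skipped, since a line sshd cannot parse is either a broken deployment or something hiding in the file.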
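
The kind of baseline-and-deviation check the fourth practice relies on, as an added example that is not code from the original post or from CyberArk and that stands in for a full behavioral analytics product: it learns, per privileged account, the hours, source networks and authentication methods seen during a known-good period, then flags later logins that depart from that profile. The sshd-style log lines, hostnames, accounts and addresses are constructed.

```python
"""Baseline-and-deviation check for privileged logins, added as an example for
the 'monitor privileged account use to detect anomalies' practice above. It is
not code from the original post or from CyberArk, and is a deliberately simple
stand-in for a behavioral analytics product. Log lines are constructed in
OpenSSH 'Accepted ...' format with ISO timestamps; hosts, accounts and
addresses are invented."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
                      r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

@dataclass
class Login:
    when: datetime
    host: str
    user: str
    method: str
    ip: str

def parse_login(line: str) -> Optional[Login]:
    """Return a Login for a successful sshd 'Accepted' line, None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return Login(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                 m["host"], m["user"], m["method"], m["ip"])

def source_network(ip: str) -> str:
    """Collapse an address to its /24 so a DHCP move inside the admin VLAN does not alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

@dataclass
class Baseline:
    hours: set = field(default_factory=set)     # hours of day the account logged in
    networks: set = field(default_factory=set)  # source /24s it came from
    methods: set = field(default_factory=set)   # publickey, password, ...

def build_baseline(lines):
    """Learn per account when, from where and how it normally logs in (known-good period)."""
    baseline = defaultdict(Baseline)
    for login in filter(None, map(parse_login, lines)):
        b = baseline[login.user]
        b.hours.add(login.when.hour)
        b.networks.add(source_network(login.ip))
        b.methods.add(login.method)
    return baseline

def _near_usual_hour(hour: int, usual: set) -> bool:
    # one hour of slack either side, wrapping at midnight
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual)

def deviations(login: Login, baseline) -> list:
    """Reasons a login departs from its account's baseline; an empty list means normal."""
    b = baseline.get(login.user)
    if b is None:
        return ["account has no baseline: first privileged login seen"]
    reasons = []
    if not _near_usual_hour(login.when.hour, b.hours):
        reasons.append(f"login at {login.when:%H:%M} outside usual hours {sorted(b.hours)}")
    if source_network(login.ip) not in b.networks:
        reasons.append(f"source {login.ip} outside usual networks {sorted(b.networks)}")
    if login.method not in b.methods:
        reasons.append(f"auth method {login.method} never used before {sorted(b.methods)}")
    return reasons

def detect(lines, baseline) -> list:
    """Return (Login, reasons) for every successful login in lines that deviates."""
    alerts = []
    for login in filter(None, map(parse_login, lines)):
        reasons = deviations(login, baseline)
        if reasons:
            alerts.append((login, reasons))
    return alerts

# Constructed known-good period: opsadmin works business hours from the
# 10.10.5.0/24 admin VLAN and authenticates with keys.
BASELINE_LOG = [
    "2015-11-02T08:05:11Z scada-gw sshd[1201]: Accepted publickey for opsadmin from 10.10.5.21 port 51022 ssh2",
    "2015-11-03T09:41:02Z scada-gw sshd[1340]: Accepted publickey for opsadmin from 10.10.5.21 port 51388 ssh2",
    "2015-11-04T16:12:40Z scada-gw sshd[1402]: Accepted publickey for opsadmin from 10.10.5.44 port 50112 ssh2",
    "2015-11-05T13:27:19Z hist-srv sshd[877]: Accepted publickey for opsadmin from 10.10.5.21 port 49876 ssh2",
]
# Constructed detection window: one normal login, then off-hours password logins
# from an unfamiliar network, one of them by an account never seen before.
RECENT_LOG = [
    "2015-12-21T10:15:30Z scada-gw sshd[2210]: Accepted publickey for opsadmin from 10.10.5.21 port 51900 ssh2",
    "2015-12-22T02:31:07Z scada-gw sshd[2288]: Accepted password for opsadmin from 172.16.40.9 port 60012 ssh2",
    "2015-12-22T02:33:49Z hist-srv sshd[913]: Accepted password for svc_backup from 172.16.40.9 port 60015 ssh2",
    "2015-12-22T02:40:00Z hist-srv sshd[914]: Failed password for root from 172.16.40.9 port 60020 ssh2",
]

if __name__ == "__main__":
    for login, reasons in detect(RECENT_LOG, build_baseline(BASELINE_LOG)):
        print(f"ALERT {login.when:%Y-%m-%d %H:%M} {login.user}@{login.host}: " + "; ".join(reasons))
```

The profile is deliberately coarse (hour of day, source /24, authentication method); a real deployment would add target systems, session duration and command activity, and would age the baseline so that legitimate changes in working patterns do not alert forever. The value is in the contrast the sample shows: the off-hours password login from an unfamiliar network produces three independent reasons, the never-seen service account produces one, and the business-hours key login from the admin VLAN produces none.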

While this was a sophisticated, highly coordinated attack, proactive privileged account controls layered with behavioral analytics tools, such as those CyberArk provides, could have helped the energy companies block lateral movement early on, detect whether the attackers had captured credentials, and ultimately prevent the attackers' end goal: a massive, unprecedented blackout.