Most common attack vectors over Critical Infrastructures
This post has been written by Joaquín Rodríguez, ICT Consultant at ATOS Research and Innovation (Cybersecurity Lab).
(Madrid, Spain), Jan. 26th
In this post, we introduce most common attack vectors in critical infrastructures (CIs) in a clear and understandably way.
An attack vector is the method or path that an attacker uses to access the active target of the attack, that is, the steps that the attacker follows to materialize the threat, it is known that each attacker follows his own "strategy" to be able to consummate Its objective, however, can be recognized some activities of a general nature that they may be carrying out.
Usually, attack vectors are placed within intentional threats since they have a human origin and also require some planning actions.
The actors commonly intervening can be identified into 6 large groups, such as:
- Disgruntled employees
- Individuals / Small groups / Hacktivists
- Cyber-criminal Groups
- Intelligence Services / Governments
The chart below shows the main types of cyberattack vectors faced by critical infrastructure owners and operators.
Types of cyberattack vectors faced by critical infrastructure owners and operators.
Attack vectors are often materialized directly or indirectly through the use or creation of code or specific software like malware, scripts, shell sessions, etc. The main attack vectors for Critical Infrastructures, also including industrial control systems, can be mapped into:
This is a well-known traditional vector attack. Phishing could be defined as the social engineering technique that aims to take over some relevant or sensitive information supplanting the identity of a person or organization of trust for the individual to attack. The interest it pursues can be very diverse, from getting information on a project or prototype to credentials of system administrators or process engineers, including OT equipment details. Usually, Phishing is the entrance door of malware.
The malware, in any of its flavours (Trojans, worms, rootkits, etc.), can have a range of different purposes, from denial of service, pivoting, escalation of privileges, sabotage, to a very long etcetera. Obviously the results may be equally diverse; for example, the flooding of the network with broadcast traffic, the capture of traffic or activity of the equipment, the scan of host and services, change of parameters and configurations, etc. In turn, this information can be sent to a "Comand and Control, C & C" for its exploitation and to carry out different options. These communications are often encrypted under protocols and services normally open according to environments such as TCP 80, 8080, 443, 21 or UDP 53, 123, among other possible. The wide spread examples in CIs are the well-known malwares Stuxnet and Duqu, but we can also remark others like Havex , BlackEnergy 2, Conficker , NightDragon among other related with CIs and Industrial Control Systems (ICS).
How Stuxnet works
Exploit unpatched vulnerabilities
Exploiting some vulnerability, taking advantage of a "bug" or validation error of an application or operating system, an attacker could either carry out tasks is not authorized to do or inherit the permissions of another user.
Code injection consists in taking advantage of those programming bugs present in the applications or operating systems to carry out different types of actions. Some of them can be the collection of information, the denial of service, introducing a file less malware, the opening of a session against a specific device. Nevertheless, depending on the injected code and the vulnerability, the results can be many others.
Example of code injection is SQL injection. SQL Injection is a method of infiltration of intruder code that uses system vulnerability present in an application at the level of validation of the inputs to perform unexpected operations on a database.
Another well-known attack based on code injection is Cross Site scripting (XSS). XSS is a malicious code injection attack for later execution that can be performed on websites, local applications and even the browser itself.
It happens when a malicious user sends malicious code to the web application and places it in the form of a hyperlink to take the user to another website, instant messaging or an email. Likewise, it can cause a denial of service (Dos).
DoS - Denial of service
Although it has been already mentioned before, a denial of service consists in preventing a system from offering a specific service for which it is intended to. As the main driver for a DoS to happen we may highlight both weaknesses that may affect applications that provide this service, and other related to communications. An example related to the first case, may refer to how an application can be "blocked" under certain conditions of processing. An example related to the second case may refer to a field device that cannot process several simultaneous communications since there are no hardware resources enough and therefore can be blocked. The latter can be very common when Security Analyst launch certain vulnerability scans on field devices. When the DoS is coordinated by an attacker and performed from several sources it is known as DDoS (Distributed Denial of Service).
Basically it could be summarized as the technique aimed at obtaining information from an individual and also getting her/him to do what she/he would not do otherwise. As Kevin Mitnick says it is based on 4 basic principles:
- We all want to help.
- The first movement is always trusting towards the other.
- We do not like to say “No”.
- We all like to be praised.
Many times the techniques used by attacker starts with a fake technical problem asking for help or advice to some Technical Service, for example by phone. The staff, naively, and always trying to help customers very often reveals sensitive data or give clues about the organization.
Why healthcare information is valuable. - KPMG infographic. (PRNewsFoto/KPMG LLP)
The term APT, which stands for Advanced Persistent Treatments, refers to a computer threat that consists of a coordinated attack between several malicious programs controlled by hackers directed against a company or organization They are called advanced by the existing coordination and the use of very sophisticated techniques to penetrate the computer systems of the victim using vulnerabilities and backdoors of the operating systems.
Summing up, we introduce the possible vectors of attacks that can be targeted by critical infrastructures, always assuming an intentional point of view. As countermeasures, the CIPSEC project is designed and developed to orchestrate different security solutions and services in the so-called CIPSEC framework, enabling CI compliance with previously established and mandatory compliance security policies. But above all, CIPSEC will work to raise awareness of the people who have contact with the operation, maintenance and deployment of these facilities on the threats and the growing increase of these. Recognized the fact that a CI cannot be 100% safe, the CIPSEC framework can substantially reduce the risks to acceptable levels.
CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.