Fighting Back Against Targeted Attacks
By John Worrall
Energy and oil companies in Norway have been facing what local security authorities are calling, “the biggest targeted cyber-attack ever on local companies.”
These attacks are very similar to multiple attacks on critical infrastructure companies here in the U.S. and around the world. While we’ve become conditioned to expect news on attacks of this nature, the latest were followed with a surprising report: how one company was able to get ahead of the bad guys to mitigate their attack before damage was done.
The report on how Statoil continues to defend itself is revealing for critical infrastructure companies facing similar attacks.
Statoil provided some great insight into the attack methods used against it, including:
Attackers used watering hole tactics to gain access to employee credentials. This is a common tactic. In the case of Statoil, attackers targeted a well known international company that gathers data for the oil industry. By targeting and infecting this site, the attackers were able to identify and steal credentials from more than 40 Statoil employees – giving them the foothold they needed into the business.
Attackers elevated privileges on stolen credentials to gain additional information and access. This is the most common step in a targeted attack – gaining valid employee credentials and exploiting their privileges to gain broad access to the target network. This is the pathway we’ve seen used in almost every single advanced attack – from the recent spate of retail/PoS attacks, to the continued attacks on critical infrastructure. These two steps alone can give attackers broad access to the network they’re targeting, and are critical in advancing their attacks. This is also where Statoil was able to make its stand.
Because the company understands the power of privileged accounts, and the vulnerabilities they represent, they were able to incorporate the management of these accounts into their broader defense in depth strategy.
From the reports, Statoil’s team was first alerted to the breach when its intrusion detection system discovered that malicious code was trying to be downloaded to an employee machine. The code tried to enable communications with black listed areas of the network that aren’t normally used or accessed for normal business.
By following the privileged account activity, Statoil was able to back track, identify the infected machines that precipitated the attack, remove them from the network and make sure the employee credentials that were stolen were updated and secured. It’ll be interesting to see the additional details emerge, but Statoil provides a valuable lesson for companies by sharing the information they’ve released so far. Another example of why privileged account security is essential to any organizations defenses.