Mitigation Techniques for Energetic Bear
By Shiri Licht
In the last post, we talked about Energetic Bear, also known as Dragonfly, which is suspected to be a series of attacks by a group of Russian hackers who have been in operation since at least 2011 and have mainly targeted the energy sector and related industries. In that post, our research team at CyberArk Labs dissected how the Energetic Bear attackers operated to reach their goals using the privilege escalation pathway, making themselves de facto “insiders” on a network. In this post, we’ll discuss mitigation techniques.
There are ways that these types of attacks can be mitigated. By protecting privileged credentials, organizations can prevent the attackers from operating inside the network, even if the attackers are successful in their initial breach, stopping the attack before it reaches its actual goal. As attackers are looking to hijack and exploit privileged credentials to operate in the network, here are some techniques that can be used in isolation or as part of a comprehensive privileged account security strategy:
- Implement a jump server that prevents credentials from residing on endpoint machines and therefore prevents the attackers from hijacking the credentials and gaining direct access to sensitive assets.
- Monitor privileged account activity to learn the normal privileged behavior in your network and detect anomalies that may indicate malicious activity.
- Use an automated password management solution to eliminate typing or observing passwords when connecting to systems in the network. This way, attackers can’t retrieve passwords from screenshots or key-loggers.
- Use a credentials management system that can generate random, complex and unique passwords and replace the passwords according to your organizational policy. This can prevent an attacker from brute forcing passwords to assets in the network.
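As an added illustration of the monitoring technique above (example code, not from the original post or CyberArk): a small baseline-and-anomaly check over constructed privileged-logon records, flagging a successful logon by an unknown account, to a host the account has not reached before, or at an hour outside its baseline. The account names, host names and record format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample privileged-logon records (not from the original post): "<ISO ts> user=<account> host=<target> result=<outcome>"
BASELINE_LOGS = [
    "2014-06-02T09:15:00 user=svc_backup host=hmi-01 result=success",
    "2014-06-02T09:20:00 user=svc_backup host=hmi-02 result=success",
    "2014-06-03T10:05:00 user=svc_backup host=hmi-01 result=success",
    "2014-06-03T14:40:00 user=admin_ot host=historian-01 result=success",
    "2014-06-04T15:10:00 user=admin_ot host=historian-01 result=success",
]
NEW_LOGS = [
    "2014-06-05T09:30:00 user=svc_backup host=hmi-02 result=success",
    "2014-06-05T02:12:00 user=svc_backup host=dc-01 result=success",
    "2014-06-05T03:01:00 user=admin_ot host=historian-01 result=success",
    "2014-06-05T03:05:00 user=svc_backup host=dc-01 result=failure",
]
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) result=(\S+)$")
def parse(line):
    m = LINE_RE.match(line)  # None for a line that does not match the record format
    if not m:
        return None
    ts, user, host, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "result": result}

def build_baseline(lines):
    """Learn, per privileged account, the hosts it normally reaches and the hours it is active."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "success":
            baseline[ev["user"]]["hosts"].add(ev["host"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)

def find_anomalies(baseline, lines):
    """Flag successful privileged logons by an unknown account, to an unseen host, or at an unseen hour."""
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "success":
            continue  # this example baselines successful logons only
        profile = baseline.get(ev["user"])
        reasons = [] if profile else ["unknown privileged account"]
        if profile and ev["host"] not in profile["hosts"]:
            reasons.append("new target host")
        if profile and ev["ts"].hour not in profile["hours"]:
            reasons.append("off-baseline hour")
        if reasons:
            alerts.append((ev["user"], ev["host"], ev["ts"].isoformat(), reasons))
    return alerts
```

In practice the baseline would be built from a much longer window and include more features (source host, session length, commands run), but the shape of the check is the same.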
Critical infrastructure will always be a top target in nation state-sponsored attacks. Energy companies and other critical infrastructure organizations need to take steps to better secure their ICS by locking down privileged accounts and preventing outside attackers from becoming privileged insiders.