by John Worrall
The targeted attack against U.S. Department of Energy, and subsequent loss of contractor and employee information, is the latest example of an advanced threat that continues to plague businesses and critical infrastructure (see our recent blog post on the “Red October”). This attack and breach at the DoE provides a good illustration of the advanced and long-term nature of these type of attacks, which continue to draw the attention of President Obama and his administration (“Executive Order on Improving Critical Infrastructure Cybersecurity”).
Advanced threats are about the long-game – whether targeting critical infrastructure, financial systems or otherwise, attackers are using simple hacking methods, such as spear-phishing, to gain a foothold in an organization. Once inside, the attackers spread throughout the organizations by exploiting privileged accounts, either by exploiting poor password security on these accounts, or by posing as an employee to try and surreptitiously gain additional information and passwords from IT administrators.
The key to this strategy is gaining privileged access – attackers know that administrative and privileged accounts act as a gateway to an organization’s most sensitive data and this is why they’re the primary target of the majority of data breaches. Saudi Aramco. Stuxnet. The Flame Virus. Red October. Subway Restaurants. Global Payments. Utah and South Carolina. U.S. Chamber of Commerce. Pacific Northwest National Laboratory. These attacks follow the same, distinct pattern. Attackers use simple means to breach the perimeter – once inside, they leverage the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases and other high-value systems only a select few people are actually granted permission to access.
This latest attack demonstrates that these vulnerabilities are not unique to any specific business – our critical infrastructure companies, and the US agencies that are supposed to protect it, need to re-examine their current approach and secure their organizations from the inside out. President Obama’s Executive Order supports this push, as he now officially has called for increased scrutiny into the development of a coordinated framework of cybersecurity policies for critical infrastructure.
At this point though, we all need to assume there are attackers inside our networks – the first step in stopping them, however, is to block the privileged pathway that they’re riding right to our sensitive information.