Vectra, the leader in AI-powered cyberattack detection and threat hunting, today announced that while industrial control systems are in the crosshairs, most cyberattacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Published in the Vectra 2018 Spotlight Report on Energy and Utilities, these and other key findings underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal. These threat behaviors reveal that carefully orchestrated attack campaigns occur over many months.
Cybercriminals have been launching carefully orchestrated attack campaigns against energy and utilities networks for years. Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack.
"When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration," said Branndon Kelley, CIO of American Municipal Power, a nonprofit electric-power generation utility that serves member municipalities in nine states which own their own electric systems. "It's imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently."
Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
"The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data," said David Monahan, managing research director of security and risk management at Enterprise Management Associates. "This is one of the most crucial risk areas in the cyberattack lifecycle."
Other key findings in the 2018 Spotlight Report on Energy and Utilities include:
- During the command-and-control phase of an attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads.
- 314 lateral movement attack behaviors were detected per 10,000 host devices and workloads.
- In the exfiltration phase of the cyberattack lifecycle, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
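The attack pattern described above (administrative protocols reused for lateral spread, followed by data leaving the network) and the report's "per 10,000 hosts" metric can both be illustrated with a small defender-side script. The following is an added example written for this page; it is not Vectra's or Cognito's code and does not reproduce the report's methodology. It runs two simple detections over constructed connection-metadata records: one flags an internal host that fans out over administrative ports to many other internal hosts, the other flags bulk outbound transfer to a single external host. The port list, internal address ranges, thresholds and every sample record are assumptions chosen for the illustration.

```python
"""Toy network-metadata detections for lateral movement and exfiltration.

Added example for this page; not Vectra's or Cognito's code. All ports,
ranges, thresholds and sample flows below are assumed / constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed set of administrative protocols an attacker might reuse once they
# hold admin credentials (port -> label).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}
# Assumed internal address space of the monitored enterprise network.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed thresholds: distinct internal targets before a fan-out alert, and
# bytes to one external host before a bulk-transfer alert.
FANOUT_THRESHOLD = 5
EXFIL_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    """One connection-metadata record (source, destination, port, bytes sent)."""
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL)


def lateral_movement(flows):
    """Return {source: [targets]} for internal hosts that reach at least
    FANOUT_THRESHOLD distinct internal hosts over administrative ports."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ADMIN_PORTS and is_internal(f.src) and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= FANOUT_THRESHOLD}


def exfiltration(flows):
    """Return {(source, external_dst): total_bytes} where an internal host has
    sent at least EXFIL_BYTES to one external destination across all flows."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return {k: v for k, v in totals.items() if v >= EXFIL_BYTES}


def per_10k_hosts(detections: int, monitored_hosts: int) -> float:
    """Normalise a detection count the way the report does: per 10,000 hosts."""
    return detections * 10_000 / monitored_hosts


# Constructed sample: one admin workstation sweeping five servers over SMB,
# one host doing a couple of normal SSH sessions, one server pushing 60 MiB
# to an external documentation-range address, and one ordinary HTTPS flow.
SAMPLE = [
    Flow("10.0.1.5", f"10.0.2.{n}", 445, 4_096) for n in range(10, 15)
] + [
    Flow("10.0.1.7", "10.0.3.1", 22, 2_048),
    Flow("10.0.1.7", "10.0.3.2", 22, 2_048),
    Flow("10.0.2.12", "203.0.113.9", 443, 20 * 1024 * 1024),
    Flow("10.0.2.12", "203.0.113.9", 443, 20 * 1024 * 1024),
    Flow("10.0.2.12", "203.0.113.9", 443, 20 * 1024 * 1024),
    Flow("10.0.1.7", "198.51.100.4", 443, 2_000),
]


if __name__ == "__main__":
    print("lateral movement:", lateral_movement(SAMPLE))
    print("bulk outbound:", exfiltration(SAMPLE))
    # The report counts behaviours per 10,000 hosts; with the constructed
    # 4,000-host estate below, one fan-out alert becomes 2.5 per 10,000.
    print("per 10k hosts:", per_10k_hosts(len(lateral_movement(SAMPLE)), 4_000))
```

Only the SMB sweep from 10.0.1.5 trips the fan-out rule; the two SSH sessions from 10.0.1.7 stay below the threshold, and the three 20 MiB transfers from 10.0.2.12 are aggregated per destination before the exfiltration threshold is applied. Real metadata would add timestamps and a sliding window, but the aggregation shapes (distinct targets per source, bytes per source-destination pair) are the same ones behind the behaviors the report counts.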
The 2018 Spotlight Report from Vectra is based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, which reveals attacker behaviors and trends in networks from over 250 opt-in enterprise organizations in energy and utilities, as well as eight other industries.
From January through June 2018, the Cognito threat-detection and hunting platform from Vectra monitored network traffic and collected metadata from more than 4 million devices and workloads across customer cloud, data center and enterprise environments. The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.
The Cognito platform from Vectra enables enterprises to automatically detect and hunt for cyberattacks in real time. Cognito uses AI to perform non-stop, automated threat hunting with always-learning behavioral models to quickly and efficiently find hidden and unknown attackers before they do damage. Cognito provides full visibility into cyberattacker behaviors from cloud and data center workloads to user and IoT devices, leaving attackers with nowhere to hide.
Cognito Detect and its AI counterpart, Cognito Recall, are the cornerstones of the Cognito platform. Cognito Detect automates the real-time detection of hidden attackers while giving Cognito Recall a logical starting point to perform AI-assisted threat hunting and conduct conclusive incident investigations.