Crash Course in How Cyberattacks Start
In order to effectively defend against such attacks, it is critical to understand how an attacker thinks and how the actual attack is conducted.
By Johannes Bauer, Principal Security Advisor, UL and Contributor to IndustryWeek | Feb 11, 2019
Today, most people are aware of the abstract threat of cyber attacks from the news or company training, or worse, know first-hand how harmful they are because their systems were breached. However, what many people do not know is how the execution of an actual attack starts, how it progresses and how it can persist.
To give some insight into this, first we need to distinguish between targeted and untargeted attacks. Many breaches in IT security are, surprisingly, the latter. What this means in practice is that the attacker is not trying to deliberately hurt a specific business or company, but instead simply browsing through the Internet, looking for vulnerable components that have been accidentally left exposed.
The IoT search engine Shodan is a common way to find these vulnerabilities. Essentially, it periodically goes through all Internet addresses and records the types of equipment it finds, including useful metadata information such as vendor or version number of the firmware.
Attackers can then simply query for a particular type of equipment that they would like to investigate. More often than not, these are relatively inexperienced people who are not looking for a monetary incentive, but want to claim bragging rights as “hackers” and sharpen their skills. In the hacker scene, they’re usually referred to by the derogatory term “script kiddies.”
Unfortunately, many systems today are so poorly protected that it often takes neither sophisticated equipment nor great skill to wreak havoc on a piece of infrastructure. Often the damage is not even intended, but is a side effect of someone stumbling around in an IT system. With reasonable effort, many of these attacks can be effectively thwarted.
Targeted attacks are much more difficult to defend against. In such a case, the attacker will usually have a much higher degree of knowledge, experience, and the resources and time to specifically create hacking tools that are meant for a particular objective.
The first stage of such an attack is called the scouting phase. The attacker performs reconnaissance on their target and tries to find out as much as possible about the equipment in use. Usually, this is done by means of network scanning, passive eavesdropping on network traffic and detailed analysis of components. Many protocols used today contain implementation-specific details that do not matter for the functional aspects of the protocol. Imagine a protocol in which a shopping list is sent over a network — the message could contain “apples, bananas, carrots” or it could read “bananas, carrots, apples.” Functionally, both messages are identical, but the fact that one list is in alphabetical order gives the observer a clue as to which implementation of the protocol is in use. In practice, this is much more sophisticated, and many implementations of different protocols have been fingerprinted by their specific quirks. The attacker can therefore infer which software is in use and, sometimes, even its particular version number.
With a good idea of how the target looks, attacking becomes much easier — the attacker now looks for specific vulnerabilities in the identified software or hardware components and tries to exploit them. A particularly nasty class of weaknesses is side-channel vulnerabilities. As in the fingerprinting stage, the attacker here does not infer information from the content of the messages that are transmitted, but rather observes side effects that occur during that transmission. For example, suppose an attacker attempts to subvert authentication by randomly trying passwords. They know that almost all guesses will be wrong and that the system will therefore almost always answer “Access denied.” However, the attacker might be able to precisely measure the time from sending the authentication request to receiving the rejection message. While it would seem that there should be no discernible difference in timing between an entirely wrong, an “almost” right, and a correct passphrase, this unfortunately is not always the case. An attacker can use this type of approach to surgically “pick” an electronic lock instead of using brute force.
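The timing leak described above comes from a comparison that stops at the first wrong byte, so the work done (and the response time) grows with the length of the correct prefix. The following is an added example, not code from the article or from UL: it places a naive early-exit comparison beside a constant-time one and, instead of measuring wall-clock time, counts the bytes each one examines so the leak can be checked deterministically. The passphrase is a constructed sample value.

```python
import hmac

# Constructed sample passphrase for the demonstration (not from the article).
SECRET = b"correct-horse"


def early_exit_compare(secret, guess):
    """Naive comparison that returns at the first mismatch.

    Returns (match, bytes_examined). The second value stands in for the
    elapsed time an observer would measure: the more of the guess is right,
    the more bytes are examined and the longer the response takes.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret, guess):
    """Hardened comparison: every position is examined regardless of where
    mismatches occur, so the work depends only on the lengths involved.

    In production code use hmac.compare_digest(secret, guess); this loop
    mirrors that behaviour so the work count can be shown alongside it.
    """
    diff = len(secret) ^ len(guess)  # fold a length mismatch into the result
    examined = 0
    for i in range(max(len(secret), len(guess))):
        s = secret[i] if i < len(secret) else 0
        g = guess[i] if i < len(guess) else 0
        diff |= s ^ g  # accumulate differences without branching on them
        examined += 1
    return diff == 0, examined


def work_profile(compare, secret, guesses):
    """Work caused by each guess; a defender can run this against a candidate
    implementation to see whether effort tracks how much of the guess is right."""
    return [compare(secret, g)[1] for g in guesses]


def leaks_prefix_length(compare, secret=SECRET):
    """True when guesses sharing k correct leading bytes cost different work."""
    guesses = [secret[:k] + b"?" * (len(secret) - k) for k in range(len(secret))]
    return len(set(work_profile(compare, secret, guesses))) > 1
```

Running `leaks_prefix_length` against a real login handler is not possible from the outside, but the same idea applies to a code review: any comparison of secrets that can return early is a candidate for replacement with `hmac.compare_digest`.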
Once one hurdle has been cleared, the attacker can use the control they now have over one device to move laterally through the network. They can also attempt to make their access to that system persistent in case the original vulnerability is eventually remediated. What this means for the asset owner of such systems is that every device connected to a network, regardless of its criticality, may give leverage to an attacker and may serve as an unwanted entry point.
This then leads to the host of unwanted consequences you’ve read about or been victim to, from data theft to system lockouts to equipment or production shutdowns.
To find out how to mitigate these breaches, IndustryWeek invites you to attend the live hack, “Once More into the Breach,” presented by UL’s cyber security expert Johannes Bauer, at the Manufacturing & Technology Conference & Expo at 9:45 a.m. ET, April 2, at the David L. Lawrence Convention Center in Pittsburgh. To register for the conference or expo, visit: www.mfgtechshow.com.