Cyberattacks targeting energy and utilities firms have increased inside enterprise IT networks, rather than the critical infrastructure, according to Vectra’s 2018 Spotlight Report on Energy and Utilities. This discovery emphasizes the need for companies to make efforts to locate hidden threat behaviors early, said the press release.
Unfortunately, most companies aren’t successful in threat hunting, according to another recent report. While all companies value threat detection, many are limited by a lack of time, skills, and visibility, which leaves them vulnerable to sophisticated attacks that are harder to detect.
“When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration,” said Branndon Kelley, CIO of American Municipal Power, in the release. “It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.”
Orchestrated cyberattack campaigns typically unfold over many months, said the release. Attacks against energy and utilities networks have gone on for years as slow, quiet, unique attacks that observe operator behaviors, the release added.
Remote attackers gain access to energy and utilities networks through malware and spear-phishing strategies that steal administrative credentials, according to the release. Once inside the network, they use those administrative connections and protocols to perform reconnaissance and search for sensitive data about the control systems, said the release. The report found 314 lateral movement attack behaviors per 10,000 host devices and workloads.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates, in the press release. “This is one of the most crucial risk areas in the cyberattack lifecycle.”
Within the command-and-control phase of attack, 194 malicious external remote access behaviors were found per 10,000 host devices, according to the report. Additionally, 293 data smuggler behaviors were found per 10,000 host devices in the exfiltration phase of attacks.