CarahCast: Podcasts on Technology in the Public Sector

Strengthening Cyber Risk Posture in Critical Infrastructures

Episode Summary

Listen to Forescout’s podcast to strengthen your cyber risk posture, protect critical infrastructure and secure your enterprise environments against evolving cyber threats.

Episode Transcription

 

[Anthony Jimenez]

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.

 

On behalf of Forescout, we would like to welcome you to today's podcast. You'll hear from Dr. Daniel Dos Santos, Forescout's VP of Vedere Labs, as he breaks down the latest threat intelligence on risky devices, OT protocol exploitation, AI-enabled attacks, and the blurring of lines between criminal, nation-state, and hacktivist actors. We'll hear from Sophie Walker, Forescout Certified Administrator and Demo Specialist at Carahsoft, who will discuss Forescout's Cyber Threat Intelligence platform and how it delivers real-time asset visibility, risk and exposure management, network security controls, and automated threat detection to secure federal IT networks.

 

[Daniel dos Santos]

So I'll go over some of the research we've been doing to understand the cyber risk in terms of threats, risky devices. So that's the agenda for today, right? I'll go over the threat landscape overview.

 

The data here is based on two reports that we published recently in January and March, looking at all of the kind of summarizing all of the threats we saw last year, and then looking ahead into the riskiest devices that we see this year in our customer networks. Before we dive into the actual data, I just want to do a very brief introduction of Vedere Labs, which is the research department or the threat intelligence department at Forescout, the department that I lead, where our role is basically to consume threat intelligence from external parties, but also generate our own unique proprietary threat intelligence and share that with customers, partners, and the community, and help everybody to kind of understand where the threat landscape is moving and how organizations can both proactively be prepared for threats that are coming, but also detect and mitigate threats that are already happening, right, via indicators of compromise, via reports and things like that. And you can see some of the data there that we use as kind of sources for our threat intel, right?

 

So, you know, in a little bit more detail, we basically look at things like malware repositories, Darknet, communications of attackers, so Telegram, underground forums, and so on, the ransomware leak sites, and what we call the adversary engagement environment, which is a set of specialized honeypots on operational technology, IoT, medical devices, unmanaged IT, and so on. And we kind of correlate all those signals and generate this intel that goes back to both our customers via Forescout products, Forescout platform, but also to the community via the reports that we share publicly. Right, so let's talk about the threat landscape, right?

 

And this is, as I said, a summary of what we have seen last year. We are preparing right now an update for the first half of this year. We usually do every six months an update of the threat landscape.

 

But this data is still pretty much relevant and kind of factual to what we continue to see. So I'll go over some of the headlines here that we had in the report, right? The report is something like 30 pages long, full of statistics and descriptions and so on.

 

I'm not going to go into everything, but the things that I think that organizations really need to be paying more attention to right now. So the first point is that attacks are becoming more distributed. We used to see a lot of attacks coming from obviously the well-known countries such as Russia, China, Iran, and so on, but also coming from proxy networks based in countries such as the United States or the Netherlands, where I'm based, or other Western European nations that basically have a good internet infrastructure, good cloud providers and so on.

 

So basically attackers would compromise those legitimate providers or would lease infrastructure from those legitimate providers to carry out their attacks and proxy their attacks. We're seeing attacks becoming more distributed, right? So that means they're coming from different locations.

 

Only 60% of the attacks or 61% of the attacks last year came from the top 10 countries of origin. And in the past, that used to be 70, 80, even 90% really in the past, right? So there are more and more devices being compromised throughout the world and being used by attackers to build botnets and proxy systems that make detection, especially if it's based on origin, much harder.

 

Second, to also compound this detection problem, cloud abuse is also increasing, right? So abuse of assets that are in IP space managed by ISPs or legitimate cloud providers. And here I can mention services like Telegram or Discord or even compute infrastructure like AWS and Microsoft and Google and so on.

 

These cloud applications and providers are often, their services are abused to distribute malware for command and control and so on. And last but not least there, we continue to see an increase or increasing numbers of attacks on web applications, right? Whether they are web applications by themselves, IT web applications or the web management interfaces of unmanaged assets such as IoT operational technology and so on.

 

If we go on some of the actual details on the exploitation that we see, the vast majority of exploits these days are using or are targeting edge devices. So those devices that sit at the perimeter of firewalls, routers, VPNs, and so on. We have seen an increase looking at the past four years, not just last year, of over 500% on the number of attacks targeting those devices.

 

Especially the past two years have seen an immense kind of growth in the number of zero days and vulnerabilities that are being exploited very fast after discovery. And there is no time for organizations to really rely on patching those devices anymore. The second part of it is the IoT exploitation, right?

 

Where we see things like IP cameras and NVRs and other types of exposed assets being often compromised as well. Often because they are misconfigured and exposed online. And the last part is that we track exploited vulnerabilities in a list that is kind of complementary to CISA's Known Exploited Vulnerabilities (KEV) list.

 

And we see both CISA's list growing and our list growing as well. And we do see a change there in that, by design, we track more unmanaged devices and, as I mentioned before, IoT, OT, things like that. And we do see that there is an increase in the number of those devices being exploited with specific vulnerabilities that are not captured in standard lists such as CISA KEV.

 

It's not a surprise, I think, to anybody that critical infrastructure organizations or critical infrastructure sectors are the ones that are most targeted by threat actors or the ones that have the highest number of incidents. This is, again, not something that we have seen changing last year. It has been like that for some time now.

 

But the one thing that we see growing is attacks targeting specifically OT operational technology protocols. Suffice it to say that, you know, there is a large increase, 84% increase in attacks using these OT protocols last year. And building automation protocols are now the second most common target.

 

And that's relevant because building automation is the type of operational technology that is present in virtually every organization nowadays, right? Even if you're not in the power or water or transportation sector or something like that that uses dedicated OT devices, PLCs and HMIs and so on, you will have an office with badge readers and HVAC systems and so on, other types of devices that are managed by operational technology protocols.

 

And those are often being attacked as well. You know, moving from the data to more of the trends that we see, right? More of the, like, extrapolating from the data, what are the relevant kind of events that we see happening?

 

Hacktivism is something that has been around for a long time, but had a big shift back in 2022 with the Russian invasion of Ukraine. And that shift was driven by the conflict, driven by geopolitics. But basically, groups started attacking critical infrastructure and groups started aligning with kind of nationalistic movements as well or geopolitical interests of some countries, rather than, you know, protesting in a kind of grassroots fashion against whatever they wanted to protest in the past.

 

That was, you know, much more peaceful in a way than destruction or sabotaging or destructing critical infrastructure. Right. So, again, we've seen an increase that's going on back since 2022.

 

But this year specifically, last year already, that was relevant. But this year as well, with the ongoing conflict in the Middle East, we do see more and more groups kind of joining these attack campaigns against the United States, against the second one there is actually in Canada, the UK. It's kind of a global movement.

 

Right. And those attacks are coming from Iran. They're coming from Russia, but they are also coming from other places that are aligned with those pro-Russian or pro-Iranian groups.

 

And we do expect that this is something that will continue, even as the current geopolitical conflicts may be resolved, hopefully, at some point. The kind of attacks and the kind of activity that they have brought with these groups will very likely continue to happen because these groups now have the skills and have the kind of the motivation to carry out those attacks. The other point, and this is also probably not a surprise to anybody, but AI enabled attacks are becoming kind of commonplace these days.

 

You know, AI is also something that we have seen since early days, 2019, with deep fakes, and around 2023 or end of 2022, when ChatGPT, the recent wave of generative AI, became very relevant. We started seeing this widespread use of generative AI for simple tasks like phishing, understanding vulnerabilities, code examples, and so on. But last year, and especially the beginning of this year, the rise of agentic AI, reasoning models, and other technologies have enabled very automated, very sophisticated attacks.

 

There are a few examples there with actors building ransomware fully using LLMs or specifically malware using AI in real time to create dynamic payloads and so on. We had a research piece at the beginning of this year where we showed how even pre-Methos, right? Obviously, everybody nowadays is discussing how Methos can find and exploit vulnerabilities.

 

But even before that, using Claude Opus 4.6, we could also find zero days in critical devices and how that's kind of changing the game. So again, just an example here, right? Again, talking about critical infrastructure.

 

At the end of last year, there was an attack from a Russian threat actor called Berserk Bear against the Polish power grid, against distributed energy resources there. And they used one specific wiper, and you can see that the full source code there is a very simple wiper that was generated using LLMs, right? Generated kind of on the fly using AI and deployed as part of that attack.

 

So that is becoming, it's not something just for sophisticated attackers anymore. It's something that is becoming much more commonplace. But when we look at those kind of AI-enabled attacks and when you look at hacktivism and so on, it's important to also keep in mind that not everything is real.

 

We need to kind of look at the data and understand what are the real risks and real threats. And that will be part of the next discussion that I'll have there when I talk about risky devices. But one of the groups that we were tracking called the Infrastructure Destruction Squad is a hacktivist group.

 

They post on Telegram. You can see a Telegram screenshot there. They are pro-Russia, China, North Korea.

 

You can see kind of the flags on the description of the group. They claim several attacks on OT and ICS. But interestingly, and you can see an excerpt of code they posted here, clearly most of what they posted was AI-generated slop, right?

 

It was not real exploit calls. It was something that is supposed to create a psychological impact more than a practical effect. And whether that's something that the attackers don't really know or they don't care, it's hard to say.

 

But very likely, they just don't care necessarily about the attack actually working. It's more about creating a psychological impact, right? So again, think of attacks on critical infrastructure not just as things that disrupt operations and so on, but things that can cause a reputational damage that can have an impact beyond just stopping operations.

 

To kind of analyze this part about threat landscape before we go into risky assets, threat actors are evolving, right? And we saw that. We continue to track that, but we saw it very clearly last year where criminal organizations, nation states, and activists, we used to divide threat actors very neatly into these categories, right?

 

And criminal organizations are after money. Activists are doing sabotage. Nation state actors are doing espionage and so on.

 

And things are not so clear-cut anymore, and the lines are very much blurred. And one example that I posted there on this slide is a hacktivist group that is selling initial access to SCADA systems in Poland, which it's interesting because that's the typical behavior of a cyber criminal organization rather than a hacktivist. But we see this kind of cross-pollination of TTPs and capabilities among different kinds of attacks.

 

We also saw lots of examples last year and early this year of nation states purchasing initial access from criminal organizations or nation states or state actors using ransomware, using other types of malware developed by criminal organizations as well. So, you know, with more threat actors and shared knowledge and shared infrastructure and capabilities, the number of attacks will certainly only increase. You know, that's kind of the background of what the threat actors are doing, what's the threat landscape these days.

 

Let's talk a little bit about risky devices, right? What organizations have on their networks that is presenting risk nowadays? It's not necessarily what is currently being attacked.

 

Some of those devices are currently being attacked, and we talked about them in the past slides. But some of these devices are actually presenting future risk, right? They have vulnerabilities, they have misconfigurations, open ports, you know, internet communications and so on that are not yet necessarily being exploited at scale, but they will be exploited at scale.

 

When we started doing this work a couple of years ago, we actually saw, for instance, that routers, and you can see routers are still the riskiest device in the IT category there, started increasing their risk profile, right? Again, we started doing this work in 2022, and we repeated year by year, and we kept seeing network infrastructure, routers, firewalls, you can see there as well, kind of increasing their risk profile and then remaining in this category of risky devices for a very long time. And we now see, like I showed in the past slide, the threat landscape, that they are among the most exploited by threat actors.

 

So it's relevant to keep in mind the other devices that we look at here that are risky in organizations' networks, as I mentioned, and that might become next targets of attacks, right? So I will go into the details of each one of those categories a little bit more in detail. Obviously, again, I'll not, you know, drill down into everything.

 

There is another report here about the riskiest devices. Again, around 20 pages of details on each type of device and risk mitigation actions and things like that. So it's really relevant that you have a look at that.

 

But I'll definitely talk about, in general, these categories, right? So on the IT side, we definitely see, again, network infrastructure at the top, at the edge of the network. And one of the main reasons why they're risky is, even if they are kind of on the IT side, they have no security agents and organizations very often have limited telemetry and limited visibility into those devices, right?

 

So the attack in Poland that I mentioned before, for instance, on the Polish power grid, started because multiple facilities used these firewall/VPN appliances at the edge that were sharing credentials, and threat actors managed to get those credentials and log in to several of those devices. And that was not detected as an attack for a long time because there was no detection of abnormal behavior of those devices. And the detection only happened later on when they reached other monitored devices.

 

Serial-to-IP converters are something that we went into more detail. We did a whole research recently into new vulnerabilities of those devices. So they see the kind of the intersection between IT and OT.

 

So it's interesting to look at them in more detail. Workstations and domain controllers are the traditional endpoints in IT that continue to be risky in any case. IoT devices, I'll go a little bit faster here, but basically VoIP systems, NVRs, network video recorders, printers, all of those things have been kind of come and going in this list from time to time.

 

They are often kind of forgotten in a way in organizations, right? That's their main risk. Kind of the main reason behind their risky profiles in organizations is that people come and install them once and forget that they ever have to upgrade a printer or a VoIP system or an NVR and forget that sometimes they are remotely accessible or because firewall exceptions are created once and then removed later and so on.

 

So those devices are definitely risky because of their forgotten profile. On the OT device side, I want to kind of highlight again the nature of OT devices that are not just the PLCs or the HMIs or the RTUs or the things that are used in power, water, transportation, manufacturing and so on, those OT heavy industries, but things that are used, for instance, in data centers or in building automation and so on. So things like PDUs, right, power distribution units, uninterruptible power supplies, UPSs, they are used in every data center and they have high consequence risk, right?

 

So taking over those devices means messing with the power on the data center, potentially taking down power. Things like physical access control, things like BACnet routers that are used specifically for building automation are risky as well because they are frequently configured with exposed management services. And interestingly, there are specifically physical access control systems, badge readers mainly, there is a long history of vulnerabilities on those devices being exploited by botnets.

 

It's oftentimes they are misconfigured and exposed online and there are botnets that are specialized into those devices. So if we talk about risk, not per asset, let's say, but per industry, again, the kind of critical infrastructure industries continue to be among the kind of the riskiest, not just the most exploited, but the riskiest that we see. Financial services is at the top there, followed by government, healthcare manufacturing, retail, and so on.

 

And it's quite interesting that we actually see financial services and government. This is, again, aggregating the data about device risk right across all our customers in a specific industry. It's quite interesting that we see financial services and government kind of so far ahead of other organizations, right?

 

When we go into more details, again, about why some of those devices are risky, the reasons have to do with vulnerabilities and so on. But it's even kind of the root cause, the reason behind the vulnerabilities and the exposures and things like that is when we start looking at things like operating systems, we see that nowadays special purpose operating systems, so those real time operating systems, those firmware specific versions of Linux, Android, and things like that that run in embedded devices, they are more prevalent than the traditional IT OSs in a vast number of organizations, right?

 

Specifically government, healthcare, and retail. And that's just because of the sheer number of IoT, OT, medical, and other types of devices that we see with these embedded OSs overtaking traditional IT in any case. Obviously, a lot of those devices are not upgradable or upgraded.

 

Even if they are upgradable, they're not always upgraded in organizations' networks, right? So even when we look at things like legacy Windows, and here the data is actually showing a large number of legacy Windows because Windows 10 support officially ended last year. Obviously, there's still the extended support program, but not every organization is into that and so on.

 

But we do see that across organizations, between 10 and even 40% of Windows devices are running versions 10 and before, so considered legacy. And when we look at specific firmware in devices that are end of life or end of support or unsupported, we see things like some of the network infrastructure that I mentioned before, like switches, but also IP phones, printers, and so on, having vast numbers of these unsupported firmwares, and that's why they end up being risky. When we talk about open ports, I'll go quickly on this one, but basically the traditional IT protocols that are still risky and should be taken a look at, like RDP and SMB, they have kind of stabilized or even declined as a proportion of the total number of exposed ports that we see across organizations.

 

Whereas SSH and Telnet, those remote management protocols traditionally for OT and IoT devices, continue to grow as a proportion of the total. So risk is kind of shifting between the management of IT devices and the remote access to OT, IoT, and those traditionally unmanaged devices. Same thing on vulnerabilities and default credentials and things like that.

 

Even if we look at computers that are still having the highest number of vulnerabilities, the vulnerabilities that are more critical, including criticality as in CVSS score, but also exploitability, the fact that we see them being exploited online, we see unmanaged devices like the routers, switches, wireless access points, and other types of IP cameras and so on, other types of specialized devices, popping ahead as the riskiest here and having the vast majority of the exploited and critical vulnerabilities.

 

I will just close my part here really with saying that in terms of risk mitigation, you should look at risk and exposure management to identify devices, network security to contain these risky behaviors of devices, and threat detection and response to understand when something actually happens, when something goes wrong and what kind of automated response you can have to contain threats once they start with those kind of unmanaged devices.

 

All of that hopefully is supported by threat intel, and that is kind of the work that we do at Forescout Vedere Labs. So thank you very much, and I'll pass it over to Sophie.

 

[Sophie Walker]

Awesome. Thank you, Daniel. I wanted to kind of go over the four main things that Forescout is trying to accomplish on your network.

 

The first one being discovery. It's trying to see all the devices on your network, anything with an IP address. Make sure to get into the nooks and crannies and the dark corners of your network.

 

Make sure that no device goes unseen because that can cause trouble. And then the second one, assess all of those devices that have been discovered. So you're assessing for, you know, critical risks, threats, and then also getting an idea of attack surface and your exposure.

 

Third one, putting you in control, right, at scale automation. It will prioritize those risks and then also give you some mitigations and insight to how to fix those risks and those threats. And then last but not least, govern.

 

Do all of this continuously to get a great picture of your network and kind of the risks that pose it. So first things first, like I said, we start off with discovery and the inventory of all of your cyber assets. So discovery, inventory, all of the assets.

 

We do this by 30 unique techniques, both active and passive. So with or without agents, this is important, especially if you're in an IoT environment. You would like passive scanning so that you don't take down your whole operations.

 

That would not be great. Right. So and then some, you know, in IT situations, you do want active scanning so you can choose between active and passive.

 

It gains and collects a whole bunch of context and information so that you have more information and can make more informed decisions on governance policies.

 

[Anthony Jimenez]

Thanks for listening. And thank you to our guests, Dr. Daniel Dos Santos and Sophie Walker. Don't forget to like, comment and subscribe to CarahCast and be sure to listen to our other discussions.

 

If you'd like more information on how Forescout can assist your organization, please visit www.Carahsoft.com or email us at forescout@Carahsoft.com. Have a great day.