The majority of cyberattacks against energy companies occur inside enterprise IT networks. This is according to a new report published by the security firm Vectra.
The 2018 Black Hat Conference Edition of the Attacker Behaviour Industry Report provided valuable data for Vectra’s report. These observations revealed attack behaviours and trends in networks from over 250 enterprise organisations in the energy and utilities sector.
Orchestrated inside attacks
Cybercriminals are not targeting the critical infrastructure itself, but are instead infiltrating enterprise IT networks. According to Vectra, these attacks also take several months and involve observing operator behaviours.
“When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration,” Branndon Kelley, CIO of American Municipal Power, said. As a result, it is “imperative to monitor all network traffic to detect these and other attacker behaviours early and consistently.”
Vectra also highlighted the importance of “detecting hidden threat behaviours inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal.” The analysis of this data also enables Vectra customers to “avoid catastrophic data breaches.”
Malware and spear-phishing
David Monahan, managing research director of security and risk management at Enterprise Management Associates, commented on the nature of the attack. “The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” he stated.
According to Monahan, this is one of the “most crucial risk areas” in the cyberattack lifecycle. In this particular area, cyberattackers tend to use malware and spear-phishing to steal admin credentials.
As a result, attackers can perform reconnaissance exercises and easily spread across networks. This allows criminals to search for sensitive data about industrial control systems.
Other key findings
The report revealed a number of other key findings in the energy and utilities sector. During the “command-and-control” phase, Vectra detected 194 external remote access behaviours per 10,000 host devices and workloads.
The research also detected 314 lateral movement attack behaviours per 10,000 host devices and workloads. A further 293 data smuggler behaviours were detected in the exfiltration phase per 10,000 host devices and workloads.