Press Release: Low-tech Attacks. Critical Infrastructure poorly secured – Attacks against Colonial Pipeline used Standard Access Tools

Sanna/ May 20, 2021/ Press, Training

 Registrierkasse, Fa. Anker, 1920s, photograph by Alpines Museum MuenchenIn May, the operator of the US Colonial Pipeline was the victim of a ransomware attack. After such reports, calls for better security and additional measures are always loud. In fact, analyzes of these attacks often reveal deficiencies in basic security. Often it is not even necessary to use complicated and sophisticated tools to attack critical infrastructure. Attackers like to use standard tools that are available everywhere so as not to attract attention. The lack of basic security makes it possible.

Custom camouflage

When defending your own systems and networks, it is necessary to know exactly what the infrastructure is like. Organized groups that attack companies research exactly what is being used at the target before the attack. According to this planning phase, only tools are used that are plausible to the victim and therefore do not attract attention. The approach works so well that the attackers have packed the procedure into processes and offer it commercially as a service (RaaS, Ransomware as a Service). The lesson from this behavior is to build up knowledge in the use and operation of your own systems. All manufacturers offer instructions for the safe operation of their products. There are also sample configurations and best practices to help you design your own implementations. In this process, it is essential to know the limits of the products used, as some systems and protocols have inherent design weaknesses.

One can only break the camouflage with the knowledge of one’s own weaknesses. Regular and automated monitoring of your own network is a prerequisite. The call for new technology and measures is unnecessary if your own resources are not adequately used. The detection of anomalies in networks and on computer systems has been the subject of research in computer science for decades. There are algorithms available and solutions that can be used for this problem.

Lack of knowledge as a security gap

Information security is based on the separation of areas, the allocation of minimum authorizations and protecting stored and transported data. This foundation seems very easy to implement. However, there are often gaps in implementation according to reports of security incidents. The reasons for this are diverse. They range from structures that have evolved over time, incompatibilities of software, incorrect use of budgets to a lack of knowledge about the capabilities and weaknesses of one’s own systems. You can start with the knowledge gap in order to improve your own defense in the long term. Security researchers routinely find starting points in security tests that consist exclusively of further training in order to better secure the products and systems that are already in place.

Besides the technical understanding, the strict separation between departments often leads to the concealment of evidence of attacks. Responsibility for everything digital is often shifted to the IT department. With malfunction reports, there is usually no context to identify unusual system malfunctions in good time. Technicians must always be fully informed in order to be able to correctly assess errors. Conversely, when operating IT and communicating with the outside world, it must always be questioned whether inquiries are plausible. Most attacks are still carried out through exchanged messages and visits to compromised websites, both paired with clever deception maneuvers (keyword social engineering).

November dedicated to further education

In November this year’s DeepSec conference would like to contribute again to closing the knowledge gaps in the field of information technology and security. Therefore, there are several two-day training courses in the program that specifically address security-related topics in depth.

The first workshop deals with attacks on modern desktops, which are the key to any business. The trainers show which applications are susceptible to which weak points and how they can be exploited. This knowledge is of fundamental importance for everyone who has to defend their organization. This is complemented by two further training courses that deal with the weak points of cellular networks and the analysis of network data traffic. Both workshops impart basic knowledge in the correct use of networks. The analysis of your own network traffic also provides the basis for the detection of anomalies and compromised systems.

The “Pentesting Industrial Control Systems (ICS)” training is about control and monitoring systems that are used in industry. The trainer is an experienced security researcher. He knows the weak points in the products used and can convey his knowledge about these weaknesses practically. We especially recommended this training for everyone who works with ICS components in companies.

So-called single sign-on (SSO) systems are also in the foreground. The IT of many companies often only requires a single login in order to have access to all systems used. In a two-day training, the implementations for these SSO functions are analyzed and broken. Knowledge about the vulnerabilities and attacks presented is fundamental for securing and protecting the company’s internal IT.

Programs and booking

The DeepSec 2021 conference days are on November 18th and 19th. The DeepSec trainings will take place on the two preceding days, November 16 and 17. All trainings (with a few exceptions) and lectures are intended as face-to-face events, but because of future COVID-19 measures they can take place partially or completely virtually.

The DeepINTEL Security Intelligence Conference will take place on November 17th. Since this is a closed event, we ask for direct inquiries about the program. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html

You can order tickets for the DeepSec conference and the trainings online at any time under the link https://deepsec.net/register.html. Sponsor discount codes are available. If you are interested, please contact deepsec@deepsec.net. Please note that we are dependent on timely ticket orders due to the security of planning.

Share this Post