Defending Critical Infrastructure From Cyberattacks
Alexandra Weaver
Solution Architect
Defending Critical Infrastructure Against Cyber Attacks: A Comprehensive Guide
Protecting critical infrastructure from cyber threats is a matter of national security and societal function. With increasing reports of cyber attacks on important sectors of our society, the need for effective defense strategies is more apparent than ever. In this article, we discuss the recent trends in cyber crime, vulnerabilities in critical infrastructures, and effective measures to secure our environments against these threats.
Understanding the Importance of Critical Infrastructure
According to Alexandra Weaver, senior solution architect at SIS, there are 16 critical infrastructure sectors as defined by the government. In 2021, 14 of these 16 sectors experienced ransomware attacks, underscoring the vital need for refined defense strategies. Because identities are the 'keys to our kingdom,' it is crucial to guard these assets; that duty falls to directory administrators across the sectors of society and the economy.
Infamous Cyber Attacks on Critical Infrastructure
- Colonial Pipeline: This attack crippled fuel supply along the eastern seaboard, wreaking havoc on fuel and jet fuel prices.
- Ukraine's Power Grid: A significant part of a town’s power grid was shut off during winter months, leaving numerous households in the cold.
- Universal Health Services: Over 400 hospitals were severely impacted, forcing a return to pen-and-paper methods and the rerouting of services.
The Existence of Vulnerabilities in our Systems
Much of our critical infrastructure consists of legacy environments: systems originally operated by levers or buttons that are now managed by third-party applications. The rapid growth of the internet has exposed these environments to attack vectors that did not exist when they were designed. Because all data has value, these defensive details deserve more careful consideration.
Defense Strategies: Protections and Challenges
Implementing Data Classification
As we navigate through these challenges, implementing data classification is a crucial step in securing our environments. The process involves categorizing the information, reviewing who has access, and determining what protection policies are in place. It provides a strategic way of identifying what information is critical to the business.
Developing Tiered Structures
Implementing tiered structures allows us to prioritize systems based on their classification as critical. It aids in identifying what needs to be restored first in case of a breach, thereby allowing for quick incident resolution.
Deploying Zero Trust
The concept of "Zero Trust" is an integral part of security that involves constant checks and verification of user authorizations and access. Some trust is ultimately placed in the user, the service, or the device during authentication; continual verification and regular access audits keep that trust from becoming a system vulnerability.
Employing Defense-In-Depth And Layered Security Strategies
Defense-in-depth and layered security tactics are often employed to strengthen the protection of our environments. The former approach involves setting up multiple security mechanisms such as firewalls, strong passwords, and patch management at different points in the network. The latter is about deploying redundant products to achieve a similar purpose. While the two are similar, they offer complementary and intertwined benefits.
The Continuity Of Cyber Crime
Cyber crime, specifically ransomware, has become a major concern in our digital ecosystem. It is easily deployable and increasingly sophisticated, with attackers demanding ransom at every stage. Social engineering, the most common form of cyber crime, is becoming more complex with more tools and techniques at the disposal of cyber criminals.
Conclusion
As the perimeters of our networks continue to evolve, our security measures must adapt to the new landscape. We have seen the damaging effects of unsecured infrastructures on our societies and economies. Thus, we need to deploy advanced defense mechanisms to outpace the attackers. Strategies involving people, process, and technology are a step in the right direction for a more secure infrastructure.
Keep in mind that this is a continuous effort. In the evolving world of cyber threats, we always need to stay a step ahead. To have your Active Directory security questions answered, or to delve further into defending critical infrastructure, feel free to reach out on LinkedIn.
Video Transcription
Hi. So my name is Alexandra Weaver. I am a senior solution architect at SIS. Today I'm going to be talking about defending critical infrastructure against cyber attacks. We have 16 critical infrastructure sectors that have been defined by the government, and I've listed them all here.
And if we had an impact to any one of these segments or sectors of society, this would be impactful, and it can be negatively impactful to our national security and the function of society. We can already see, according to stats from the FBI, that in 2021, 14 out of the 16 critical infrastructures were attacked with ransomware. So this is already a high number and something for us to be concerned about. And by us, I mean directory administrators; we all operate in one of these vertical sectors of society or the economy. We want to make sure that we're able to protect our environment, protect our identities. That's really the key. That is the risk: the keys to our kingdom, the identities that we store within Active Directory. So today we're going to talk about different infrastructures and different attacks that have happened. We have a lot of different attacks that have happened in the past and that continue to happen. One of the most famous is Colonial Pipeline, right, that impacted and shut down the eastern seaboard and impacted fuel prices and jet fuel prices. The other big one is Ukraine's power grid, where half of a town's power grid was shut off during winter months,
some of the coldest times. Then we had Universal Health Services, with over 400 hospitals negatively impacted, where they had to go back to old school pen and paper and had to reroute services. So you can see that this is impactful to many different sectors of our economy and that it can be impactful to all of us, right? Whether we're on the east coast and we're buying gas, or we're flying out of the east coast, whether it's JBS Foods, a meat packing facility, whether, you know, you're taking the light rail in San Francisco or covered by one of these 400 hospitals. There's also a proliferation in the educational field as well of attacks targeting school boards and schools, educational institutions. We know that critical infrastructure has vulnerabilities that exist. A lot of these are legacy environments, right? That at one point were a lever or a button, and now they're managed with a third-party app. This explosion, this advancement of the internet and the Internet of Things and third-party devices, has made it incredibly difficult to prevent attacks, because these attack vectors didn't even previously exist when some of these systems were designed.
And then these attacks, these cyber attacks to take out critical segments of our infrastructure, they're really nothing new. We know that this has been going on since wartime, right? This is the way to cripple an environment. And you can see this especially with the geopolitical landscape today between Ukraine and Russia. So we know that this is now part of our ecosystem: these cyber attacks, this ransomware, malware, and protecting our infrastructure from the outside. And then the factors that we want to look at that impact our infrastructure: all data has value.
Everything is important. We need to classify that; we need a way to make sure that our data is guarded and is protected. We know that out-of-the-box security solutions are no longer enough, and usually one product isn't even enough. You know, most folks now are running at least two antivirus software products. We know that compliance regulations are not always consistent across the board, not even within the States. But then we're, you know, talking about globally and the impact there. There's a lot of crossover and a lot of confusion and not necessarily legislation that has caught up with today's practices. We know that regulations and reporting around breaches are also evolving. So we're trying to get up to speed, right, where we have really been a little behind the times with our environments and our infrastructure. Sometimes that's due to having legacy systems, and sometimes that's due to not having the necessary head count. And it can also be due to not having the correct monitoring tools and products in place, right, that allow us to be proactive in order to, you know, find it, fix it fast, and mitigate risks. Now, we have different protection methodologies. We can look at data classification. That's where we can make sure we have buy-in from stakeholders on what we classify as critical. We can also look at tiering our infrastructures.
So domain controllers: we want to look at what is critical in our environment and classify those systems, and perhaps in those sites, you know, the heaviest usage, application dependencies, if there's any latency between these sites. We want to have buy-in. So when we know what we need to restore and what is critical, we have management agreement. So we know what we need to restore first, and then we need to define that order, right? We also want to make sure that we have different security strategies in play that can complement each other, so we can best protect our environment. One of them is defense in depth, the other is a layered security strategy. There's also zero trust. We can do network segmentation, and we can protect our email that way. We can also do role-based access control. And there's a couple of those things like just-in-time and just-enough administration that we can also put into place to protect our system. And when I'm talking about some of these, this speaks to MFA and VPN and strong passwords, all of those things combined. This is more from an architecture standpoint right now.
So the data classification: we really want to make sure that we categorize our information, and this allows agreement and buy-in. It's hard to do once we are in an environment that is established. So one way we can do that is to work with server owners to identify that information; you're almost reverse engineering. And this is more on a large scale or per server, trying to identify this information. You know, as we go forward net new, it's obviously easier. But if you're coming into a situation, try and work with the application owner or the server owner to determine the criticality of that data, right? We want to review who has access, what protection policies are in place, and then privacy classifications, right? Such things as digital rights management; that comes into play with more media and live streaming. But it's something to think about in our space and how we classify data. We know that we want to follow, you know, the NIST framework, the low to moderate to high impact. One of the ways we can do that, like I said, is going forward. We also want to have a tiered structure, so we can have data center tier models. We can talk about n-tiered, where we separate the application, right? And then the Microsoft Active Directory tier model. If you haven't read Daniel Petris or Petrie (apologies on the mispronunciation of the name), if you haven't read his articles on the tier model, it is really excellent; it outlines a great way to organize the administrative model within Active Directory.
And that's something we should all look at for our protected groups or our privileged groups, right? Those are two things that we really want to make sure we do: define our infrastructure in our tier zero, and then also follow that with our groups. What is critical, what has access, because really at the core of this is keeping our environment safe and protecting our environment, the critical infrastructure we want to protect, and we can do that through a couple of different ways that we're talking about. Now, one of the ways that is discussed a lot, and the term that you'll hear, is zero trust. I like the term, I think it's a catchy phrase, but there really is trust at some point involved, right? Because there isn't a way to not trust anything during an authentication and an authorization; you're either trusting your user, the identity, or the service, right? Or you're trusting a device. So somewhere in there, there actually is trust. What we want to do is check and verify consistently and then review that access. So that's really what zero trust is about, and that is a mandate for federal institutions. But businesses in the private sector have been a little slow to respond to that. But what we want to do is put in those checks and balances.
We want to have that constant check and verification, that security throughout our architecture. It's becoming more and more important with the rise of the remote workforce, right? Our identities are what is truly at the core here. Our network perimeter becomes flat, right? We have remote users, we have cloud-based applications, really the Internet of Things, any device anywhere at any time. The only thing that we can control is that identity, that access point; that's what we're allowing, and that's what we want to keep safe, right? And so with zero trust, what we can do is trust our identity, and we can do that a couple of different ways, you know: MFA and device registration, and that constant authorization and checks of access, and the reviewing of that access, logging, and behavioral analytics. So we want to do this and have that maintained as a continuous action in our environment, because zero trust is really a security strategy. It's not an actual technology, but that's our ultimate goal, right, to get to the point where we have those checks and balances continuously throughout our environment. We know that the zero trust security strategy, like I spoke to, is access controls, and it's reviewing those. It needs to be that continual process.
We also want to review folks that have the high level of access, because that is critical to our environment. That's what we have control of: the access. We want to be able to have products in place that allow us to have real-time monitoring. We need to be able to find it, fix it fast. What do we have that's listening at the AD replication stream layer level, right? This is not only going to allow us to proactively hunt for threats, the indicators of exposure, but it's going to be able to alert or notify us, and in some cases give us the ability to undo some actions. And that's really what we're after: a way to protect our environment, a way to, you know, find it, fix it fast, and then also allow for instant remediation 24 by 7, right?
Even activity that mimics legitimate activity, such as building up a domain controller. We want to make sure we have the ability to spot that activity and identify it, right? And we will have that in real-time monitoring in our space. Endpoint security protection is important.
We want to make sure we have that on our devices, and of the utmost importance, I think, is user training and education. It's not easy, but it takes a team effort to involve our employees in this strategy, because I want to be clear to, you know, our team, because we all are working together, that we have to be chasing that same carrot on the end of the stick. We ultimately want to keep our environment safe. And one way in which we can do that is user training and education. We want to make them part of our team and aware that they are part of our security strategy. We have to have them involved, and it's not that we don't trust them; we don't trust the cyber criminals that are out there that are trying to take advantage of our users, right? And we know that in this space, we face a number of challenges, right? The Internet of Things with anywhere, any time, on any device. And then we now have cloud services offered, and we're sometimes counting on our cloud service providers to offer us security measures, and we have to make sure that we agree or know that those cloud service providers' security measures match our own.
So the defense in depth, the DiD security strategy, this is another security approach. It's security mechanisms that protect an organization at our endpoints, our applications, and our networks. This is different security mechanisms such as firewalls, strong passwords, patch management, different gateways, DMZs, MFA, network segmentation, and RBAC. So all of this is at play. So you have multiple different mechanisms at each corner of your network, so to speak.
And what it really is saying is that if one fails, there's another in place. So that's where I spoke to earlier: some folks don't just run one antivirus anymore; it's two. And this is really why; their approach is, if this fails, what is my backup? So it's basically having a Plan B in place every step along the way. And I think it's a good strategy, and if you can, that's a great way to do it. I realize we don't always have the luxury of having two antivirus softwares, but we can do things in multiple steps that will protect our environment, right? And some of that is, you know, definitely the strong and complex passwords and following just-in-time and just-enough administration and network segmentation, those kinds of things we can do without having to maybe purchase additional software or duplicate software. The layered security strategy, this is the multiple or redundant products that we spoke to earlier. And then we have examples of, you know, layering security into a traditional network model. And these are at different levels here: the system, the network, the application, and transmission. It is really about redundancy.
Some folks speak to DiD, the defense in depth, and the layered security strategy as the same. I see them as different but tightly intertwined and complementary. Ultimately, in protecting our critical infrastructure, the defense in depth and the layered security strategy are intertwined.
This is where multiple mechanisms are increasing our security, keeping the keys to our kingdom safe. So firewalls and DMZ, you know, network segmentation, RBAC, and then the multi-dimensional security framework that we spoke of: putting those all in place, they're so tightly intertwined.
But this is a way in which we can keep our infrastructure secure. Another way in which we can do this is network segmentation. A lot of folks will keep their email network segmented, or they'll keep, you know, east-west, north-south network segments segmented out for increased security, the ability to shut down attacks faster. They can look at traffic. So things of that nature will also increase security, and role-based access control, that's used at all levels within all strategies. And this is really an essential part of security that should be constantly reviewed and constantly monitored. The evolution of the corporate network: we know that originally we had on-prem and traditional data centers, and we've advanced into the hybrid model. The most common is Active Directory on-prem and then Azure AD. And now we have, I wouldn't say the advent, but the plethora of cloud services, right? And that has definitely changed our network perimeter, right, and how we support our network and our environment. So that growth has been exponential, pushed on by the pandemic, and cloud services and cloud security. We need to make sure that we catch up to the security that is provided. It's a little different, right? It's not quite as controllable as it once was.
It's now in a way outsourced to our cloud service providers, and we need to make sure that that aligns with our security strategy. We want to make sure that we don't over-assign or over-delegate permissions. So we need to review this architecture and review security. Governance and compliance can definitely be difficult in this space, right? And we have to be aware that cyber crime also exists and can exist in that cloud space. So cyber attacks are the reason we are concerned with our environment, our infrastructure, our identities, and ransomware as a service has unfortunately evolved and is now part of our ecosystem. You can download ransomware, and people can make money from this, not just the cyber criminals, but they have, like, a subscription-based model. Now it's very easy. There's YouTube videos, there's tutorials, it's so easy, and you can share in profits in a myriad of ways. So the cyber attacks are intentional ways to cripple an environment, breach information. This can come about in a bunch of different ways: with social engineering, they have new ways of getting information or ascertaining pieces of data they can use to exploit system vulnerabilities and implant malware and ransomware in our environment.
It's unfortunately a business model, and it's expanding; they're getting better at it, which is incredibly unfortunate. It's easy to deploy. Anyone can do it, the ransomware; they don't have to be an expert, and there's different levels of extortion. So it's an easy start-up with a low technical threshold. And like I said before, there's also different subscription-based models. We know that social engineering is prevalent and evolving. They're now taking advantage of AI and using voice phishing, right, to, in one instance, approve a wire transfer of a sizable amount. But phishing and vishing and the business email compromise, malware, the pretexting, all of that is a way to gather bits and pieces of information that make it easier for an attacker or a cyber criminal to take advantage of our information and get a bit more information. And they keep building upon that until they're able to get what they need. And it's all with criminal intent; it's all to breach your identity. That's really the first step of a cyber attack: getting that information, getting that identity. Once they have the identity, that's the foothold they need to have. What is the most common form of social engineering? It is phishing.
I think we're well aware of that with all the emails we get with the embedded links. It's very frustrating and unfortunately incredibly common. So to combat cyber criminal social engineering tactics, security needs to be a part of our corporate culture. We need to be doing tabletop exercises. We need to be educating our users. We need to be monitoring our critical infrastructure 24 by 7. We have to have proactive tools in our environment that allow us to find those indicators of exposure and that proactively alert us to nefarious activity that could mimic legitimate activity. We want to have something that's listening on the wire. And by that, I mean, what is listening at the Active Directory replication stream layer level? That's what we need in our environment. We want to be seeing everything on our DCs, our domain controllers; we want all that data recorded. We want to educate our employees, and we want to think about ways that we can protect our environment. What can we do? MFA is a must. We know we need to have data backup. We know we need to have BCDR, business continuity and disaster recovery, drills. And most importantly, we need to practice those, right? We need to look at the way in which our environments are backed up and whether we've updated our backups so they account for today's cyber security attacks.
We no longer want to be backing up the operating system, because we don't want to reintroduce malware. We want to reduce that risk. We want to talk about restoring our environment to a trusted state, not just restoring it. The other thing is privileged access workstations. That's one thing that we can do as well. I didn't put in here just-in-time and just-enough administration; I think that's important, and also keeping our operator groups empty. So the cyber crime emerging trends: we know that attacks are getting more sophisticated. We know that ransomware demands are happening at every stage. So they're blackmailing the company and now the end users; they're going to our competitors. We know there's additional malware variants. There were three new ones in Q1 of 2022. They're trying to disrupt our services.
That's truly the way: cyber criminals want money, and they will do anything to get it. They are expanding their portfolios and expanding their services. So we want to make sure we secure our environment, and that's the PPT: the people, the process, and the technology. We want to make sure we have incident response in place. We want to have proper products in place that protect our environment, and we want to have cross-team coordination and preparation. And with the process, we want to have buy-in on our tiered model, right? And SLAs, service level agreements; we want to make sure that our security controls meet company requirements. We need to constantly be reviewing this data and reviewing our role-based access control. We want to implement tabletop exercises, and we want to make sure in the tech space that we are putting into play those security strategies we discussed: the multi-layered, the proactive monitoring and alerting tools. We have to have perimeter knowledge, which means we need to constantly look at our network, because it really has become flat in this new world order. And we want to make sure we have our backups and that we've tested our backups. I know I'm running out of time. So I want to make sure that I just quickly say backup and recovery: please test those, define your RTOs, your recovery time objectives, your RPOs. Make sure you get these questions asked and answered, and I have some steps for a more secure AD environment.
You know, please feel free to reach out. I am on LinkedIn and would love to hear any Active Directory questions you have. I thank you very much for your time today, and I hope everyone has had a great conference.
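The talk's tier-model advice (define your tier zero, then review the protected and privileged groups that can reach it) and its later point about keeping the built-in operator groups empty can be turned into a repeatable audit. The PowerShell below is an added example, not code from the speaker, SIS, or the tier-model articles she cites; it assumes the RSAT ActiveDirectory module, read access to the domain, and a starting list of Tier 0 groups that you would extend with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the speaker's or SIS's code): audit Tier 0 group
# membership and confirm the built-in operator groups are empty.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: these are the Tier 0 groups the audit starts from; extend the
# list with any group that can administer domain controllers or identity.
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Built-in operator groups the talk says should stay empty: membership in any
# of them grants broad rights over accounts, servers or backups.
$OperatorGroups = @('Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')

function Get-FlattenedMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    # -Recursive expands nested groups so indirect paths into Tier 0 are visible.
    try {
        Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop
    } catch {
        # Enterprise/Schema Admins exist only in the forest root domain; report and move on.
        Write-Warning "Could not enumerate '$GroupName': $($_.Exception.Message)"
        @()
    }
}

function Get-Tier0Report {
    $rows = foreach ($g in $Tier0Groups) {
        foreach ($m in Get-FlattenedMembers -GroupName $g) {
            [pscustomobject]@{
                Group             = $g
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.distinguishedName
            }
        }
    }
    return $rows
}

function Test-OperatorGroupsEmpty {
    # Returns one row per operator group that still has members (empty result = OK).
    $violations = foreach ($g in $OperatorGroups) {
        $members = @(Get-FlattenedMembers -GroupName $g)
        if ($members.Count -gt 0) {
            [pscustomobject]@{ Group = $g; Members = ($members.SamAccountName -join ', ') }
        }
    }
    return $violations
}

# Accounts that still carry adminCount=1 but are no longer in any listed
# Tier 0 group: AdminSDHolder keeps their ACL locked down, and they are
# often former admins nobody has reviewed since.
function Get-StaleAdminCountUsers {
    param([string[]]$CurrentTier0Dns = @())
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Where-Object { $_.DistinguishedName -notin $CurrentTier0Dns }
}

$report = Get-Tier0Report
Write-Output "Tier 0 membership ($($report.Count) entries):"
$report | Sort-Object Group, Member | Format-Table Group, Member, ObjectClass -AutoSize

# Non-user objects (service accounts, computers) in Tier 0 usually signal
# over-delegation and deserve a justification from the owner.
$report | Where-Object { $_.ObjectClass -ne 'user' } |
    ForEach-Object { Write-Warning "Non-user principal in $($_.Group): $($_.Member) ($($_.ObjectClass))" }

$bad = Test-OperatorGroupsEmpty
if ($bad) { $bad | ForEach-Object { Write-Warning "$($_.Group) is not empty: $($_.Members)" } }
else { Write-Output 'All built-in operator groups are empty (OK).' }

$stale = Get-StaleAdminCountUsers -CurrentTier0Dns @($report.DistinguishedName)
$stale | ForEach-Object { Write-Warning "adminCount=1 but not in a listed Tier 0 group: $($_.SamAccountName)" }
```

Run it on a schedule and diff the output against the previous run: a new Tier 0 member, a non-empty operator group, or a new adminCount=1 account is exactly the kind of change the talk wants to be alerted on rather than discover during a breach.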