Threat Hunting as a Proactive Security Measure in the Energy Sector

The situation in the European energy sector is tense: there is uncertainty about the supply, winter is just around the corner, and the sector is being strategically and repeatedly attacked both in physical terms (e.g. Nord Stream or the Ukrainian energy supply), through disinformation campaigns, and through cyber attacks by actors close to Russia. Cyber attacks in particular could increasingly hit Europe's energy sector in the coming months in order to further aggravate the supply situation, fuel fears of a loss of control in Europe and at the same time preserve plausible deniability. There are warnings that critical systems such as those of the energy sector may already be compromised. Proactive "threat hunting" is therefore repeatedly brought into play by different parties as an additional necessary security measure. But what exactly is behind the concept, which preconditions must be met, and how can an effective "threat hunting" program be set up even by less mature IT security teams?

The energy sector is at the heart of all critical infrastructure sectors

The energy sector plays a central role in critical infrastructure because all other sectors are directly or indirectly dependent on it. The interest of attackers is therefore great. With 8.2% of all cyber attacks in 2021, the energy sector was the third most affected sector according to IBM. Publicly known ransomware attacks, which increased by 125% between 2020 and 2021 based on data from Recorded Future, accounted for 25%.

In addition to financially motivated attacks, the energy sector is also the target of espionage and of geopolitically motivated, sometimes destructive attacks: for years, for example, a group called Berserk Bear (also known as DragonFly), attributed to the Russian domestic intelligence service (FSB) by the US Department of Justice, has been targeting Europe's energy sector. It is unclear how many European companies have actually fallen victim to this and other espionage groups affiliated with Russia. In an operation by Berserk Bear lasting several months, 150 companies in Germany alone, many of them from the critical infrastructure, are said to have been compromised. It is also unclear whether the compromises could actually be completely eliminated or whether it must be assumed that attackers still have access to (individual) systems.

In contrast, destructive attacks, such as those using wiper malware, have so far been observed in Europe almost exclusively in Ukraine, where at least nine different wiper variants have been used since the Russian invasion. Except for DDoS attacks or spillover effects, which meant, for example, that 5,800 Enercon wind turbines in northern Germany were no longer accessible for a period of time, the rest of Europe has so far been largely spared.

Is the energy sector already infiltrated by cyber actors?

Due to the escalating threat situation, which was already apparent before the Russian invasion and as the recently published BSI threat report 2022 emphasizes again, IT security is high on the agenda of critical infrastructure sectors and governments. However, many of the proposed measures are preventative and intended to protect against future attacks. They only provide limited protection if systems are already compromised.

The suspicion that IT infrastructures in the energy sector could already be infiltrated is not unfounded: On the one hand, state authorities such as CISA have been warning of possible compromises for years and refer to private and public sources and to patterns of known cases without going into detail. On the other hand, the suspicion is based on an improved understanding of how attackers proceed, because state and financially motivated groups have optimized their operations, with certain subgroups specializing in mere access procurement (e.g. XENOTIME as part of Russia's state "cyber network") or accesses being purchased on initial access markets. This is also reflected in the "dwell time" of attackers in affected networks, which is sometimes several months or longer. Forensic analysis, for example, indicates that the SolarWinds breach actually began in 2019 and that the attackers had been on the networks unnoticed for almost a year.

Threat hunting helps as a proactive measure, but comes with challenges

Against this background, the relevance of "threat hunting" becomes apparent: it means the proactive detection of cyber threats that lurk undetected in a network and remain undetected by existing security systems. There is no waiting for concrete signs of an attack; instead it is assumed that a compromise by certain attackers could already exist (e.g. due to the increased threat situation or incidents at comparable organizations). The systems are searched with a focus on IOCs ("Indicators of Compromise"), i.e. technical artefacts that indicate a compromise, and on knowledge of the attacker's TTPs ("Tactics, Techniques, Procedures"); the attacker is thus "hunted", so to speak.

But threat hunting is often only feasible for organizations with mature and resourceful security programs, and for good reason. In addition to time resources and technical expertise, there are three essential prerequisites without which an effective threat hunting program is not possible:

First of all, detailed attacker knowledge is necessary and should ideally cover the entire "Pyramid of Pain": this means that in addition to historical indicators (e.g. IPs) used in past attacks, strategic information such as tool decisions (e.g. use of specific attacker frameworks such as Havex) or non-technical aspects such as attacker motivation (e.g. espionage) can be used as the basis for threat hunting. This also includes proactive identification of attacker infrastructure that has not yet been deployed (e.g. SOLARDEFLECTION). There are plenty of sources for this, ranging from open source feeds such as ThreatFox and industry associations (e.g. EE-ISAC) to threat intelligence providers.

However, knowing how attackers proceed is of little use if there is no data that can be checked for potential attacks. High visibility into the network (e.g. firewall logs), end devices (e.g. event logs) and other sub-areas (e.g. email gateways) is therefore essential. The data should be complete, historically viewable and queryable in real time, which in itself is a major challenge for many organizations. This often raises further architectural and strategic questions and forces, for example, a trade-off between performance and completeness.

Finally, specific organizational knowledge makes it possible to identify critical technologies, services or other key resources that are particularly worth protecting for an organization - the "crown jewels of the company". Depending on the organization, these can be very different (e.g. business continuity at energy suppliers) and should be determined by different stakeholders. The aim is to prioritize the use of limited resources with the help of organizational knowledge.

Effective threat hunting is a process

However, the fulfillment of the three preconditions alone is not sufficient. Threat hunting is not a one-off activity, but a process that turns existing attacker knowledge, visibility and organizational knowledge into testable queries with the goal of identifying signs of compromise. A clearly defined process can not only prevent potential inefficiencies, it also prevents less mature organizations from being overwhelmed and serves as a guideline and acceleration when setting up a threat hunting program.

The process starts with the development of a plausible hypothesis. To do this, the threat hunting team must assess which attackers and associated activities are particularly relevant to an organization, how and where these activities can impact the organization, and which data sources help identify such activities. A hypothesis could be, for example, that a certain malware such as CRASHOVERRIDE has been used by attackers focused on the energy sector in the past and interacts in a certain way with the attacked system, leaving traces. The hypothesis must consequently be abstracted and translated into a testable format such as a detection rule (e.g. Yara, Sigma or Snort rules) that can be tested against network and endpoint data.

Ideally, the results of the tests should not only uncover potential compromises, but also gradually refine the knowledge about attackers, help to identify blind spots in the system and improve the tests themselves. Threat hunting insights can also support other teams; for example, detection engineering teams can use them as a source for the development of long-term detections and alerts. In summary, threat hunting generates various added values for the IT security of organizations.
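To make the process above concrete, here is an added example (not from the original article) of turning two hunting hypotheses into Sigma-style rules and testing them against endpoint and firewall events. The rules, IOC values, host names and log records are all constructed for illustration; the IEC 60870-5-104 port 2404 is real, but the "unexpected process" hypothesis is an assumption, not a documented CRASHOVERRIDE indicator.

```python
# Added example (not from the original article): a minimal hypothesis-driven hunt.
# A hypothesis is written as a Sigma-style rule (selection, optional filter) and
# evaluated over constructed event records. All values below are invented.
from typing import Any

def _field_matches(value: Any, pattern: Any) -> bool:
    """Sigma-style matching: list = any-of; '*' wildcard prefix/suffix; else exact."""
    if isinstance(pattern, list):
        return any(_field_matches(value, p) for p in pattern)
    if value is None:
        return False
    value, pattern = str(value).lower(), str(pattern).lower()
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def selection_matches(event: dict, selection: dict) -> bool:
    """All fields of a selection must match (logical AND)."""
    return all(_field_matches(event.get(f), p) for f, p in selection.items())

def hunt(events: list[dict], rule: dict) -> list[dict]:
    """Condition 'selection and not filter': return every event that hits."""
    sel, flt = rule["detection"]["selection"], rule["detection"].get("filter", {})
    return [e for e in events
            if selection_matches(e, sel) and not (flt and selection_matches(e, flt))]

# Hypothesis 1 (bottom of the Pyramid of Pain): contact with a C2 IP from threat intel.
IOC_RULE = {"title": "Contact with known C2 IP (constructed IOC)",
            "detection": {"selection": {"dst_ip": ["198.51.100.23", "203.0.113.77"]}}}

# Hypothesis 2 (top of the pyramid, a TTP): a process other than the expected
# SCADA client talks to the IEC-104 port 2404/tcp; the client itself is filtered out.
TTP_RULE = {"title": "Unexpected process speaking IEC-104 (constructed TTP)",
            "detection": {"selection": {"dst_port": 2404},
                          "filter": {"image": "*\\scadaclient.exe"}}}

# Constructed events, roughly Sysmon/firewall shaped.
EVENTS = [
    {"host": "hmi01", "image": "C:\\SCADA\\scadaclient.exe", "dst_ip": "10.0.5.10", "dst_port": 2404},
    {"host": "hmi01", "image": "C:\\Users\\ops\\svchost.exe", "dst_ip": "10.0.5.10", "dst_port": 2404},
    {"host": "ws07", "image": "C:\\Windows\\System32\\rundll32.exe", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"host": "ws07", "image": "C:\\Program Files\\Browser\\browser.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for rule in (IOC_RULE, TTP_RULE):
        for hit in hunt(EVENTS, rule):
            print(f"[{rule['title']}] {hit['host']} {hit['image']} -> {hit['dst_ip']}:{hit['dst_port']}")
```

Each hit is a lead to investigate, not a verdict; a hypothesis that produces no hits may still be valuable if it confirms a blind spot in the data sources.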

Threat hunting is an important building block to ensure Europe's energy security in the coming months

How the threat situation in the energy sector will develop in the coming months depends on numerous factors, not least on the course of the war in Ukraine. It is clear, however, that state-sponsored groups do not behave opportunistically, but pursue goals and engage in planning. The energy sector is one of the most sensitive points in Europe's critical infrastructure and therefore a lucrative target for attacks. Consequently, possible compromises should be assumed. To protect against this threat, proactive measures such as threat hunting should be implemented despite the challenges involved. Structured processes and data- and hypothesis-based approaches can help less mature organizations set up a threat hunting program.

(A shortened version of this article was published in German in Tagesspiegel Background Cybersecurity on November 18, 2022: Threat-Hunting als proaktive Sicherheitsmaßnahme im Energiesektor)
