Tuesday, June 13, 2017

CRASHOVERRIDE guidance from NCCIC is confusing at best

After reviewing the awesome Dragos Inc report on CRASHOVERRIDE, Rendition analysts received a similar alert from US-CERT and NCCIC. After reviewing the guidance from NCCIC, we were less than thrilled. The second recommendation from NCCIC (take measures to avoid watering hole attacks) is impossible by its very definition. A watering hole attack first compromises a remote site that you would already be visiting, in an attempt to compromise your network. The fact is that the victim is not being tricked into visiting a rogue site, as is the case in phishing. There is frankly no way for an organization to do this. Unfortunately, the fact that this "mission impossible" is set as recommendation #2 means that many will stop trying to implement anything further down the stack, assuming that the rest may also be impossible by definition.

Read the full post here.

Monday, June 12, 2017

CRASHOVERRIDE – monitor your IT networks (and OT too)

Last week Rendition Infosec founder Jake Williams contributed an article for next month’s issue of Power Grid International magazine. The article highlights the need for utilities to monitor their IT networks in order to protect their OT networks from compromise. Today’s release of the excellent CRASHOVERRIDE report by Dragos Inc only reinforces the points Williams made in his article.

While a simple Shodan search will show many ICS devices directly connected to the Internet, these organizations obviously aren’t following best practices in the first place. Monitoring would certainly help these organizations to detect threats as well, but they honestly have bigger problems that start with segmenting their networks.

For those utilities that have already segmented IT from OT (operational technology), monitoring the IT network is absolutely critical.  Most attackers enter the OT network from the IT side of the network through phishing emails or other commodity exploits.  They then noisily stumble through the network looking for the bridge between IT and OT.  Even if the networks are completely airgapped (few truly are in our experience), attackers will eventually find a way to get malware to the OT side.  But along the way, attackers usually make a ridiculous amount of noise trying to find the places where the IT and OT networks are joined.
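The "noise" described above is exactly what IT-side monitoring can catch: a single IT host touching many distinct OT addresses and ports in a short window, whether or not the firewall let the connections through. The following is an added illustration written for this post, not code from Rendition, Dragos or the magazine article. The log format, the address plan (IT in 10.10.0.0/16, OT in 10.50.0.0/16), the sample lines and the thresholds are all constructed assumptions; the function name `find_noisy_it_hosts` is ours.

```python
"""Flag IT-side hosts that generate 'noisy' connection attempts toward the OT
subnet, i.e. an IT host probing many distinct OT targets in a short window.
Added illustration for this post; log format, subnets and thresholds are
constructed assumptions, not anything from the original article or report."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed address plan (constructed): IT hosts in 10.10.0.0/16, OT in 10.50.0.0/16
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Constructed firewall log lines: "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>"
# Host 10.10.4.21 sweeps seven OT hosts/ports in six seconds (all denied);
# 10.10.7.5 is a legitimate jump host reaching one OT target; 10.10.9.9 is noise
# unrelated to OT.
SAMPLE_LOG = """\
2017-06-12T09:00:01 10.10.4.21 10.50.1.10 502 DENY
2017-06-12T09:00:02 10.10.4.21 10.50.1.11 502 DENY
2017-06-12T09:00:02 10.10.4.21 10.50.1.12 502 DENY
2017-06-12T09:00:03 10.10.4.21 10.50.1.13 20000 DENY
2017-06-12T09:00:04 10.10.4.21 10.50.1.14 44818 DENY
2017-06-12T09:00:05 10.10.4.21 10.50.1.15 102 DENY
2017-06-12T09:00:06 10.10.4.21 10.50.1.16 3389 DENY
2017-06-12T09:15:00 10.10.7.5 10.50.2.40 3389 ALLOW
2017-06-12T10:30:00 10.10.7.5 10.50.2.40 3389 ALLOW
2017-06-12T11:00:00 10.10.9.9 8.8.8.8 53 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "action": action,
    }


def find_noisy_it_hosts(log_text, window=timedelta(minutes=5), min_distinct=5):
    """Return {src: sorted distinct (dst, dport) targets} for every IT host that
    touched at least `min_distinct` distinct OT (dst, dport) pairs within any
    sliding `window`. Denied attempts are counted on purpose: a blocked probe
    is still reconnaissance noise worth alerting on."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["src"] in IT_NET and e["dst"] in OT_NET:
            events[e["src"]].append(e)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first window that
        # crosses the threshold so each host is reported once.
        for i, first in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                targets.add((str(e["dst"]), e["dport"]))
            if len(targets) >= min_distinct:
                findings[str(src)] = sorted(targets)
                break
    return findings


if __name__ == "__main__":
    for host, targets in find_noisy_it_hosts(SAMPLE_LOG).items():
        print(f"{host} probed {len(targets)} distinct OT targets: {targets}")
```

Thresholds like five targets in five minutes are a starting point, not a rule; tune them against a baseline of what the legitimate IT-to-OT paths (jump hosts, historians, patch servers) actually look like, and note that the jump host in the sample is correctly left alone because it reaches a single target.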

Read the full story here.