The US Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued Alert TA17-293A, "Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors", on Friday 10/20/17. It warns critical national infrastructure (CNI) firms, especially nuclear power and other energy providers, water, aviation, and critical manufacturing sectors, that they are at increased risk of "highly targeted", staged attacks by the Dragonfly APT group, which may attempt to gain operational control and exfiltrate data. Two senior Virsec Systems experts offer perspective on the threat and the CERT response:
Satya Gupta, Founder and CTO, Virsec Systems, comments: "While the DHS warnings are warranted, their specific security recommendations are inadequate. The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted. Perimeters are inevitably porous, and the air-gaps that many ICS systems were designed around have disappeared. Our security focus needs to shift from the network perimeter to the applications themselves. By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads."
Atiq Raza, CEO, Virsec Systems, says: "These threats highlight an increasing risk. Rather than directly attacking high-security networks, hackers are doing careful reconnaissance of connected third parties, staging servers or watering holes for insiders. Once hackers steal credentials or find less secure backdoors, they can quickly pivot to more secure servers, bypassing traditional network perimeter security. IT security needs to assume the perimeter is porous and focus more directly on guarding sensitive applications and data."