What to do with Legacy Devices and Piss-Poor Security?
Patch your legacy devices and stuff already.
CyBeer of The Week: Brewdog O-G Hazy
Metal Artist of The Week: Cradle of Filth
I’ve been lazy. You’ve been refreshing like mad, haven’t you the last few weeks? Well, truth be told dear reader I didn’t want to write for the sake of it, and I was running low on inspiration. I’m also considering moving this away from Medium to a dedicated site I own. If I do, I’d rather not have a tonne of content to shift over, so I’m sure you can understand. (Note: I did move)
That said, I’ve been working this lovely weekend (no sun or beer for me at the time of writing. I will rectify that later though!) and having a lot of discussions about legacy systems in ‘infrastructure’. It’s a topic I’ve not touched on much before, but having done some research and put thoughts together for my employer, I thought it would also make a decent blog post and might inspire some conversation and useful learning points.
Before we begin, though, we have to set ourselves up with beer and some high-quality metal. For this post, I’m suggesting you try Brewdog’s O-G Hazy. Yes, it’s another Brewdog beer, but frankly, it’s my blog, and I love a lot of their beer, so best get used to it! This NEIPA would be a worthy inclusion regardless. At 7.2% it packs a punch, but it’s an incredibly well-balanced fruity explosion that will leave you yearning for more. At least it did for me, and I had a headache the next day, so you can understand I’ve been thorough on this one.
My band this week is Black Metal pioneers Cradle of Filth. I saw them live in London three thousand years ago in 2019, and they were incredible. Their re-mastered Cruelty & The Beast album (originally released in 1998) is also a magnum opus of an album. It’s a concept album telling the story of Elizabeth Bathory across some absolutely epic headbangers. The re-mastered (or re-mistressed, as they called it) version also includes a re-mastered cover of the band’s interpretation of Iron Maiden’s ‘Hallowed Be Thy Name’. It absolutely rocks, is up there with the original for me, and gives me goosebumps every time.
Anyway, I’ve waffled on enough. This post is about legacy devices, which by their nature have piss-poor security, and about understanding the risks and thinking about OpSec from both a user and a business perspective. There are a few examples of whoopsie-daisies and people getting blown up; this cyber lark can be a wild ride. Please do get in touch with your thoughts if anything resonates or you have things you disagree with or want to add! You can catch me on Twitter and LinkedIn as always. Anyway, to the business at hand!!
ICS/SCADA/IoT Legacy Devices & Legacy Software
Numerous problems are associated with device security when it comes to ICS and SCADA systems, particularly in the energy sector. When a lot of the systems in use today were initially conceived and designed, cybersecurity was not an area of concern for the developers or the companies using the products, as the internet had yet to evolve into the phenomenon that we all understand and use daily.
For the energy sector, a lot of the control mechanisms used are, therefore, reliant on accessibility and automation to enable things to keep working, rather than preventing malicious actors from disrupting or destroying operations.
A large number of legacy devices rely on ancient protocols and operating systems, making ICS devices a prime target for hackers who view them as trivial to access and gain control over. For most of these individuals the aim is curiosity or annoying the victim. However, in the case of Saudi Aramco in 2012, the company was targeted by a wiper malware named Shamoon that affected 30,000 workstations, causing mass disruption and affecting oil production. The attack, likely conducted by actors linked to the Iranian state, has reappeared in new versions a few times over the intervening years.
Do You Even Shodan?
Looking at the UK, the result below from the IoT search engine Shodan shows 979 internet-facing legacy devices in the UK alone that are running Windows XP. This OS has not received support from Microsoft since 2014, and support for the specific Point-of-Sale variant (for cash machines, registers and similar devices with a very barebones, single-purpose function that ran on XP) reached end-of-life in April 2019.
The risk to these devices is pronounced. A large number of the Windows vulnerabilities identified since XP reached end-of-life are likely also present in these legacy devices, which anyone with an internet connection could theoretically connect to. Should some of these devices be connected to systems that hold sensitive data or are responsible for running core parts of a business, the effect could be catastrophic for any victim organisation targeted by a competent adversary.
This is not Petya
In the example of Maersk, in September 2017, they suffered a ransomware attack that very nearly crippled their entire business. As Maersk is the world’s largest shipping company, the ramifications of that would likely still be felt even today.
In just 17 minutes, the NotPetya ransomware encrypted their entire network. The attack could have cost the company everything if it wasn’t for a large piece of luck. The attack had spread to every backup the company had except one. That one backup happened to be offline due to an unscheduled power outage when the incident happened, so the ransomware didn’t reach it. From this one backup, the company slowly restored back to normal, although the business was affected for months afterwards.
Legacy Devices – OpSec Risks
To apply some context to the subject: if, for example, a critical power station were targeted by nation-state actors, the first thing they would consider is the entry point for their operation. It’s (hopefully) safe to assume that most core systems for power stations are air-gapped and would require a combination of skill and luck to exploit remotely.
An attacker is then likely to consider the weakest part of any supply chain, which of course is the human. Society, as a whole, gets bombarded with social engineering daily from phishing emails, advertising, neuro-linguistic programming etc. With comprehensive research and the use of skills such as OSINT (Open-source Intelligence), an actor can identify individuals likely involved with the support or operation of their target, and can subsequently use those individuals to help achieve their aims, particularly when combined with legacy devices within the network.
Individuals working in sensitive posts or with an organisation’s “crown jewels” must be acutely aware of the risks to them as individuals from these kinds of actors. It isn’t just nation-state actors that are behind this kind of activity either. Terrorists, activists and hacktivists would all be interested in finding out information on power station personnel to either try and compromise/attack them or achieve some kind of political goal.
Users should be wary of what they post on social media, what they allow geolocation to show, who can view their postings, who they befriend etc. The same goes for ensuring systems in the organisation receive patches and updates regularly. It can take only one vulnerable system to give an adversary enough of a foothold to spread through a core network and cause chaos for the victim. Practising sound OpSec principles ensures that the enemy’s life is that much harder when trying to achieve their aims.
Turning OpSec around on to the enemy
The above link shows how poor OpSec can lead to hackers being identified through just one mistake. Using OSINT and carefully considered research, you can understand the threat to your organisation. If you think of this as ‘active defence’, I think it makes the picture clearer. Understanding the enemy and how they operate is paramount to making it hard for them. Of course, you can’t investigate every suspected member of a threat group — you’ll never find their names in public (mostly), or you won’t have enough clues to go on. Still, if you start to understand your risk profile from the enemy’s point of view, you can adapt your defences as necessary.
In cybersecurity, the idea of ‘red team’ and ‘blue team’ is well acknowledged. Still, a good organisation should always be questioning itself, and those tasked with protecting the organisation should have a blend of skills. The team should have a mix of viewpoints and appreciation for how an attacker would think, and how a defence can optimise its chances of preventing compromise.
This approach is fundamental for protecting systems in critical infrastructure. The defenders usually start with one hand tied behind their back due to the outdated systems and legacy infrastructure they protect. Maximising and capitalising on any intelligence you can gather will be paramount to preventing an attacker from achieving their goals. In 2020, using intelligence typically looks like a combination of the following:
- Long-form reporting to provide context and understanding of the risks in a specific sector/technology/geography/political context.
- Understanding the latest vulnerability notifications relevant to systems and software in use in your organisation.
- Indicators of Compromise (IOCs) from previously identified attack activity for blocking and prevention.
- Applying Tactics, Techniques & Procedures (TTPs) to the Lockheed Martin Cyber Kill Chain/Extended Kill Chain or Mitre ATT&CK Framework (including the recently released ATT&CK for ICS).
- Identifying the gaps from the above to understand where to focus and prioritise resources (assuming you have any — People/Money/Tooling).
- Using all of the above to hunt for things that already exist within the network and take the steps needed to remediate them and remove them.
- Continually re-evaluating and assessing the status quo.
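As an added illustration of the vulnerability-relevance, gap-identification and hunting steps above (not code from the original post), here is a small triage sketch: it scores each device in a constructed inventory using the end-of-support dates mentioned in the Shodan section (XP in April 2014, the Point-of-Sale variant in April 2019) so the patch/upgrade bullet later can be prioritised, and scans constructed proxy log lines for constructed indicators. The weights, device names, log lines and indicators are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple

# Vendor end-of-support dates for the OS families discussed above.
# An OS missing from the table is treated as still supported (.get returns None).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows XP POSReady 2009": date(2019, 4, 9),
}

@dataclass
class Asset:
    name: str
    os: str
    internet_facing: bool  # reachable from the internet, as the Shodan result exposes
    touches_core: bool     # connected to sensitive data or core business systems
    last_patched: date

def unsupported(asset: Asset, today: date) -> bool:
    """True when the vendor no longer ships patches for the asset's OS."""
    eol = END_OF_SUPPORT.get(asset.os)
    return eol is not None and today > eol

def gap_score(asset: Asset, today: date) -> Tuple[int, List[str]]:
    """Additive priority score plus the reasons behind it (weights are constructed)."""
    score, reasons = 0, []
    if unsupported(asset, today):
        score += 3; reasons.append("os out of vendor support")
    if asset.internet_facing:
        score += 2; reasons.append("internet facing")
    if asset.touches_core:
        score += 2; reasons.append("connected to core systems")
    if today - asset.last_patched > timedelta(days=90):
        score += 1; reasons.append("no patches in 90+ days")
    return score, reasons

def prioritise(assets: List[Asset], today: date) -> List[Tuple[str, int, List[str]]]:
    """Worst gap first, so scarce people/money/tooling go where they matter most."""
    return sorted(((a.name, *gap_score(a, today)) for a in assets), key=lambda r: -r[1])

def hunt(log_lines: List[str], iocs: Set[str]) -> List[Tuple[str, str]]:
    """Return (indicator, line) for every log line containing a known indicator."""
    return [(i, l) for l in log_lines for i in sorted(iocs) if i.lower() in l.lower()]

# Constructed sample data: a three-device inventory, two proxy lines, two made-up indicators.
ASSETS = [Asset("till-03", "Windows XP POSReady 2009", True, True, date(2019, 3, 1)),
          Asset("hmi-01", "Windows XP", False, True, date(2014, 2, 1)),
          Asset("ws-12", "Windows 10", True, False, date(2020, 5, 20))]
SAMPLE_LOGS = ["2020-06-01T02:14:07 hmi-01 proxy CONNECT 198.51.100.23:443 tunnel",
               "2020-06-01T02:15:11 ws-12 proxy GET http://www.example.com/ 200"]
SAMPLE_IOCS = {"198.51.100.23", "bad-updates.example"}  # TEST-NET-2 address, not a real IOC
```

Calling `prioritise(ASSETS, date(2020, 6, 1))` puts the internet-facing XP till at the top, and `hunt(SAMPLE_LOGS, SAMPLE_IOCS)` flags the one line that touched a listed indicator.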
The sources for intelligence are found anywhere and everywhere: free feeds, paid-for feeds, blogs, news articles, Twitter, private groups, public groups, your own previous incident response etc. It can take a long time to comb through and understand data on specific topics; thus, you should have some level of intelligence team to assist in the process. A good intel team will have a range of skills and an understanding of the threat to the business, and will be able to respond quickly and effectively to emerging situations. Using this knowledge can help expose the enemy’s OpSec failures and, in turn, help you enumerate the threat landscape and the real risks to you.
Kinetic Strikes from Cyber Activity
Arguably the first sign of kinetic strikes happening in response to cyberattacks occurred in May 2019. Israeli forces conducted an airstrike on a building where Hamas cyber operatives worked. The attack is widely understood to have taken place in retaliation for Hamas-led cyber attacks against Israel.
This activity helps to demonstrate how the line between cyber and the real world is becoming more and more blurred. Future conflicts will see a lot more in the cyber domain in addition to the traditional land, sea and air. Indeed, kinetic strikes against cyber actors probably occurred in Syria and Iraq during the height of Daesh in 2015/2016, as the allied forces targeted the terror organisation in co-ordinated strikes and attacks. However, this example of combating terrorism differs from the case of Hamas: ISIS’ online operations were mostly propaganda and recruitment rather than sophisticated cyber attacks.
Critical Steps for Protecting Systems from Complex Actors
Taking all of the above into consideration, any organisation that uses ICS systems, or systems likely to be based on legacy/end-of-life technology, should consider implementing at least the following remediations:
- Implement all available patches. Ideally upgrade to a supported OS; if this is not possible, at least make sure that you install every patch that is available.
- Any technologies connected to core systems should be air-gapped if possible, or protected by appropriate technologies — firewalls, DMZs, AV etc. If you can’t apply the relevant patches, you should at least endeavour to have up-to-date alerting so you know when you have an issue that needs fixing.
- Ensure staff are aware of their own OpSec in their personal lives and conduct themselves appropriately online. It’s great that they use things like Strava to map a run, but if that run outlines the sensitive areas of a site, then a skilled adversary could use that information to their advantage.
- Implement Cyber Threat Intelligence. You can’t keep pace with your adversary if you don’t understand their abilities, tools or methods. If you don’t learn from the experiences of others (previous attacks), then you only have yourself to blame when you become the victim yourself. A good CTI practice will enable you to understand where the risks are and what the consequences could be.
Cybersecurity is a complex, multi-faceted world. However, its basic principles are the most effective. Applying basic cyber hygiene across technologies and the individuals using them will give any organisation the best possible chance of preventing a catastrophic cyber attack. You know you want to.
This concludes this week’s post. I hope there are things in the above which resonate or can start some conversation. I prefaced this post by saying this is a new area to me, so everything I’ve written is based on research, discussion and anecdotes. However, I think they hold across all aspects of cybersecurity. If you have thoughts, arguments or beer/music suggestions, hit me up on Twitter!