
Protecting Critical Infrastructure with OSINT

Ransomware and other malware attacks are on the rise. Criminals are constantly probing online systems to discover their vulnerabilities to hold systems hostage. Meanwhile, U.S. foreign adversaries are increasingly targeting assets in digitally accessible spaces to achieve their political goals.  

Open-Source Intelligence (OSINT) is being used by both attackers and cyber security professionals to find ways to exploit critical systems and functions. Often, attackers and cyber security experts must use the same tools to search accessible online spaces for pieces of publicly available information that, when combined, might provide keys into an organization’s systems.  

OSINT is a powerful tool being re-engineered by 21st century cyber-security professionals to identify and disrupt vulnerabilities before they can be exploited.  

Attackers are becoming more sophisticated, targeting specific entities for disruption rather than merely taking the “low-hanging fruit” approach to selecting targets. They are not only targeting systems but people, using Human Intelligence (HUMINT) techniques—also known as “social engineering”—to extract valuable pieces of information from staff, vendors, and other human partners—people who may not understand how vital the information they provide may be. 

Of particular interest to both criminal and nation-state attackers are organizations that serve as critical infrastructure for the U.S. and allied nations. Because these organizations are important pieces of the day-to-day operations and defense of a nation, they make for high-value targets. In addition, some organizations involved in critical infrastructure tend to have weaker defenses against ransomware and other malware attacks due to the nature of their industry and the fast pace of technological innovation used during malware attacks.  

In other words, what was not understood to be a point of vulnerability yesterday is now known to be vulnerable today. 

Cyber security professionals of organizations involved in critical infrastructure must become more aware of basic security procedures to protect themselves. Further, because their organizations are such high-value targets, they must take extra steps to secure their most valuable resources against threats.  

Organizations must learn to integrate OSINT into their security plans. They must assess what resources, people, and systems are most vulnerable and most valuable to attackers, then prioritize plans to ensure that their most critical resources are the best defended and most resilient to attack. 


  1. What is OSINT? 


Open-Source Intelligence (OSINT) is the use of Publicly Available Information (PAI) to develop actionable intelligence—that is, the information needed to achieve specific goals, such as covertly accessing a network and implanting malware there.  

Ransomware attackers first perform reconnaissance against an organization by researching its public information online, including the personal information of key employees. The attacker uses OSINT techniques to find the best way into a target system and to plan what to attack once inside.  

When an organization researches their own vulnerabilities to malware attack—and whether their vendors are vulnerable to that type of attack—the organization is using OSINT techniques. 

There are a wide variety of tools and techniques that can be used to research and develop OSINT, from tools developed by curious amateurs researching how systems work, to for-profit businesses that develop business analytics tools to determine what their customers are saying about them, to national security programs that develop malware to spy on, and sabotage, other nations’ systems. 

These tools are constantly changing and evolving for a variety of reasons. As social media platforms change, as new operating system exploits are discovered, and as recent technologies connect systems, users, and devices, OSINT tools evolve to best discover what information is available to be used. 

While some information that is being shared publicly by an organization can be controlled, once it has been released to the public, it can be found online forever. Even after controlling what information is available in the future, it is important to know what information an organization has shared with the public in the past and how that information might be used. 


  2. What is critical infrastructure and why is it vulnerable? 


Critical infrastructure is the collected systems and institutions needed to keep our nation operational and to defend it in an attack. The Cybersecurity and Infrastructure Security Agency (CISA) has defined sixteen areas of critical infrastructure: 

  • The chemical sector 
  • The commercial facilities sector, including sites that facilitate crowds, like open spaces, concert venues, and hotels 
  • The communications sector 
  • The critical manufacturing sector 
  • The dams sector, covering over 90,000 U.S. dams 
  • The defense industrial base sector 
  • The emergency services sector 
  • The energy sector 
  • The financial services sector 
  • The food and agricultural sector 
  • The government facilities sector 
  • The healthcare and public health sector 
  • The information technology sector 
  • The nuclear reactors, materials, and waste sector 
  • The transportation systems sector 
  • The water and wastewater systems sector 

Our economy and lives depend on the various elements of these critical infrastructure systems. Ransomware and other malware attacks against them give attackers a disproportionate amount of leverage. Often, those organizations’ leaders, eager to end threats to people’s lives and welfare, are more likely to cooperate with the attackers.  

Making critical infrastructure even more tempting for attackers, some elements of our critical infrastructure are outdated and therefore particularly vulnerable to attack.  

The designers of the outdated systems had no idea how their systems would be abused in the future. They certainly could not have anticipated the OSINT tools used to perform reconnaissance and exploitation against their systems.  

While some sectors of our infrastructure are aware of the possibility of harm—such as the defense, information technology, and financial sectors—other sectors may be less prepared to defend themselves from attack.  

They may not understand the dangers posed by the outdated software and equipment they use. They may not be aware of how recent technology can cause unexpected disruption throughout critical technologies and may not be structurally prepared to address those threats. And even the best-prepared organizations may struggle to educate and prepare their workforce on shielding the critical personal information that can be used to guess passwords or to send emails, texts, or voice messages from a seemingly legitimate source.  

For example, some farms do not necessarily have a standalone IT department with an OSINT expert on hand, available to anticipate and respond to malware attacks, even as they add sensors to their equipment that may open their networks to outside attack.  

Some industries tend to respond quickly to public perception of having insecure technology, if only because the loss of customers due to lack of confidence can quickly spiral out of control. Other critical infrastructure sectors that are not as sensitive to public opinion may be understandably more conservative about adopting recent technology—and its associated growing pains and expenses. 


However, ransomware and other high-tech attackers do not wait for the bugs to be worked out of critical infrastructure systems before they attack. 


  3. Who targets critical infrastructure? 


Critical infrastructure is targeted by two main groups: criminals and nation-state actors. Both will use the same types of OSINT tools to research and exploit their victims, but the two groups have different purposes, and therefore target different elements of the systems they infiltrate. 

Criminals attempt to take down critical infrastructure for money. Their primary goal—generally via ransomware—is to make normal operations difficult to pursue. They halt critical functions to put pressure on an organization to pay their ransom. 

Their goals are to encrypt information to prevent it from being used, to destroy or encrypt backups, and to halt systems long enough to collect payment. They wish to cause inconvenience and disruption to make a profit. Recently, attackers have begun to export, or “exfiltrate,” substantial amounts of data that can be used later as blackmail material or sold for additional profit on the dark web’s black markets.  

Nation-state actors often have more insidious goals. 

When a nation-state uses malware to attack critical infrastructure, the goal is often not profit but collecting information that is otherwise difficult to obtain, embarrassing the target nation, or preventing it from using its critical infrastructure to achieve its own goals. Nation-state malware has been used, or is suspected of having been used, to collect sensitive information from other nations, disrupt energy grids, disrupt oil pipelines, close schools, and more.  

But organizations cannot assume that they will not be targeted by nation-state attackers; critical infrastructure is always of interest, and the malware used by nation-state actors has been known to spread outside the attackers’ original intent. 

Nation-states have also been known to purchase the exploits found by malicious actors, the source code of viruses, and the information exfiltrated by criminals on the black market. Often the most dangerous time for an element of critical infrastructure is after it has been hacked, as nation-states leverage information obtained by criminals to cause further damage. 


  4. How can OSINT be used to protect critical infrastructure? 


With critical infrastructure both uniquely vital and uniquely vulnerable to attack, it is important to prioritize protection. Organizations should seek out experts in OSINT to partner with their own IT, security, and leadership representatives to assess the organization’s vulnerability to attack.  

Identifying which systems and information are critical is a key step in choosing which defenses to prioritize.  

Plans for protecting critical systems and information should start with the most vital functions and communications of the organization. Teams should review systems and information to determine which systems would be considered most critical, in light of both criminal and nation-state attacks. A criminal attacker may target different vulnerabilities and capabilities than a nation-state attacker. 

Plans should include: 

  • Removing or mitigating vulnerabilities where possible. 
  • Backing up data in a location not vulnerable to spreading attacks. 
  • Creating procedures and methods to identify reconnaissance and attacks in real-time. 
  • Training for staff on how to handle suspected reconnaissance and attacks. 
  • Investigation of third-party partners and vendors as potential routes for attack.  
  • Responding during an attack, including reporting the attack to the FBI. 
  • Returning critical systems to operation in case of an attack. 
  • Preserving data about the attack. 
  • Researching the attackers to assess how the attack occurred, who the attackers are, and how to prevent further attacks. 
  • Preventing any stolen information from being used against the organization. 

Organizations must take the attitude that discovering they have been the victim of an attack means they are at immediate and long-term risk of follow-on attacks, and they must reinforce their use of OSINT tools to monitor for indicators of further reconnaissance, release of their data, and attack. 

In the past, many elements of critical infrastructure have been slow to change and adopt modern technology. This slowness can happen for multiple reasons, including avoiding public perception of waste. Resistance to change is understandable, but it can result in a less robust level of security as organizations attempt to modernize.  

Organizations can help safeguard critical systems from ransomware and other malware attacks by adding OSINT expertise to their incident response teams. OSINT experts have a fundamental understanding of how malicious actors identify and leverage publicly available information to infiltrate systems and accomplish their goals.  

Because of the public trust placed in organizations providing critical infrastructure, it is essential to fully protect those systems as soon as possible. Criminals and nation-state actors will certainly not wait until securing critical systems becomes more convenient.  


Interested in our expertise? Read more about Echo Analytic Group’s OSINT services here. Interested in working with us as an OSINT expert? Check out our careers here. 


Interested in our expertise? Read more about Quiet Professionals’ services here. Interested in working with us as one of our experts? Check out our careers here. 

