PT Industrial Security Incident Manager detects attempts at data exfiltration and connection tunneling

A new expertise pack for PT Industrial Security Incident Manager (PT ISIM), the hardware and software suite for deep ICS traffic analysis, allows security engineers to detect attacks that employ hidden tunneling and exfiltration of data from ICS networks.

In particular, the expertise pack[1] contains a set of rules for detecting Command and Control techniques, which attackers use to establish a connection between the attacked system and their C2 server while disguising such communications as trusted traffic. The system can detect data obfuscation and connection attempts at the application level and trace malicious connections even in encrypted traffic. PT ISIM can also detect Exfiltration techniques, which allow data transfer from the victim's ICS network to attacker-controlled resources.

Roman Krasnov, ICS Security Expert at Positive Technologies, said:
"Successful penetration into the ICS infrastructure may remain unnoticed: for instance, if the antivirus software on the ICS network host overlooks the launch of a malicious object. After successful penetration, the attackers' primary goal is to establish a communication channel between the victim and the C2 server for further attack development. At this point, PT ISIM helps to detect and eliminate hidden threats before any destructive actions might be performed."

According to Positive Technologies data, about three-quarters of APT groups (77%) exchange information with the C2 server via standard application layer protocols. Most encrypt the communication channel with C2 servers to hide malicious traffic. For this purpose, around half of criminal groups (46%) use standard cryptographic protocols, such as RC4 or simple XOR summation, while 38 percent of groups use custom cryptographic protocols.

Denis Sukhanov, Director of ICS Security at Positive Technologies, said:
"Today, effective detection of hidden tunneling and data exfiltration is an essential part of industrial cybersecurity."

Among other things, the PT ISIM expertise pack enhances detection of vulnerability exploitation in Microsoft Windows and Linux components, as well as in their third-party versions. It also improves detection of attempted attacks on CENTUM, the distributed control system designed by Yokogawa, which is widely used by over 10,000 enterprises in various industries, including oil and gas, chemicals, energy and water services.


[1] Starting from the summer of 2020, the PT ISIM database of industrial threat indicators can be updated with the IS expertise packs. The first PT ISIM expertise pack was released in early August; it contains rules for detecting threats for the systems and equipment made by B&R Automation (Austria). These products are used in various industries, including oil and gas, mining, and processing.