Ransomware and other malware attacks are on the rise. Criminals constantly probe online systems for vulnerabilities and hold the systems they compromise hostage. Meanwhile, foreign adversaries of the U.S. are increasingly targeting critical assets to achieve political goals.
Both attackers and cyber security professionals use publicly available information, and the research tools that collect it, to find ways to exploit or defend critical systems and functions. This discipline is known as Open-Source Intelligence (OSINT).
Attackers and defenders often use the same tools to search for individual pieces of publicly available information that, when combined, can provide keys into an organization’s systems.
OSINT is a powerful tool that 21st century cyber security professionals are adapting to identify and remove vulnerabilities before they can be exploited.
Attackers are becoming more sophisticated, targeting specific entities for disruption rather than merely picking the “low-hanging fruit.” They target not only systems but the people who use them, combining intelligence gathering with manipulation techniques known as “social engineering” to extract valuable pieces of information. Staff, vendors, and other human partners may not understand how valuable the information they give away can be to an attacker.
Critical infrastructure is of particular interest to both criminal and nation-state attackers. Because critical infrastructure elements make up the day-to-day operations and defense of a nation, they make for high-value targets. Some elements may also have weaker defenses against ransomware and other malware attacks.
Cyber security professionals at organizations involved in critical infrastructure must become more aware of basic security procedures to protect themselves. Because their organizations are such high-value targets, they must take extra steps to secure their most valuable resources against threats.
What is OSINT?
OSINT is the use of Publicly Available Information (PAI) to develop actionable intelligence. Actionable intelligence is the information needed to achieve specific goals, such as covertly accessing a network and implanting malware there.
Ransomware attackers first perform online reconnaissance against an organization, researching its public information, including the personal information of key employees. The attacker uses OSINT techniques to find the best way into a target system.
When an organization researches its own vulnerabilities and those of its vendors, it is using the same OSINT techniques.
A wide variety of tools and techniques can be used to gather and develop OSINT. The tools come from many sources, including curious amateurs, for-profit businesses, and national security programs.
These tools are constantly changing and evolving for a variety of reasons. Social media platforms change, new vulnerabilities are discovered, and new connections form between systems, users, and devices.
An organization can control some of what it shares publicly, but once information has been released it may remain findable online indefinitely, in search engine caches, web archives, and copies made by third parties. Knowing what information an organization has shared with the public in the past, and how that information might be used against it, is therefore important.
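As an added example, not part of the original article, the following Python script shows the defender’s side of this: scanning text an organization has already published (here a constructed job posting and a PDF metadata block, with hypothetical names, domains, and addresses) for the details an attacker combines during reconnaissance. It pulls out e-mail addresses that reveal the account naming convention, internal hostnames and private IP addresses, product names paired with versions, and document metadata fields. The regular expressions, the list of internal zone labels, and the naming-convention classes are illustrative choices, not an exhaustive set.

```python
import re

# Constructed sample of text an organization has already released publicly:
# a job posting plus the metadata block of a published PDF. Names, domains
# and addresses are hypothetical.
SAMPLE_PUBLIC_TEXT = """\
Job posting: SCADA Engineer, Northfield Water Utility
Requirements: 3+ years with Rockwell FactoryTalk View 11.0 and Windows Server 2012 R2.
Familiarity with our Cisco ASA 5506-X perimeter and the Citrix remote access portal.
Apply to: jane.doe@northfield-water.example, cc: it-helpdesk@northfield-water.example
Document metadata: Author: jdoe  Creator: Microsoft Word 2013  Company: NWU
Internal reference: print server prn-ops01.corp.northfield-water.example (10.20.5.17)
"""

PATTERNS = {
    # Addresses reveal the account naming convention and give phishing targets.
    "emails": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # RFC 1918 addresses should never appear in public material.
    "private_ips": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    # Hostnames under labels commonly used for internal zones (illustrative list).
    "internal_hosts": re.compile(
        r"\b[\w-]+\.(?:corp|internal|intranet|local|lan)\.[\w.-]+\b"),
    # Capitalised product name followed by a version or model token; this tells
    # an attacker exactly which advisories to look up.
    "products": re.compile(r"\b(?:[A-Z]\w*\s)+\d[\w.]*(?:-[A-Z0-9]+)?(?: R\d)?\b"),
    # Document metadata fields that leak usernames and toolchains.
    "metadata": re.compile(
        r"\b(?:Author|Creator|Producer|Company): [^\n]+?(?=\s{2}|\n|$)"),
}


def find_exposures(text):
    """Return {category: sorted unique findings} for the given public text."""
    return {name: sorted({m.group(0) for m in rx.finditer(text)})
            for name, rx in PATTERNS.items()}


def username_conventions(emails):
    """Classify the local part of each address so a defender can see what an
    attacker could guess for any employee named on the public website."""
    conventions = set()
    for addr in emails:
        local = addr.split("@", 1)[0].lower()
        if re.fullmatch(r"[a-z]+\.[a-z]+", local):
            conventions.add("first.last")
        elif re.fullmatch(r"[a-z]{2,}", local):
            conventions.add("single-word (flast or role)")
        else:
            conventions.add("role/other")
    return conventions


if __name__ == "__main__":
    report = find_exposures(SAMPLE_PUBLIC_TEXT)
    for category, findings in report.items():
        print(f"{category}:")
        for item in findings:
            print(f"  {item}")
    print("naming conventions:", ", ".join(sorted(username_conventions(report["emails"]))))
```

Run against a real corpus (press releases, job postings, exported PDFs, conference slides), the same categories give a defender a concrete list of what to retract, rotate, or at least brief staff about; the naming convention is usually the single most valuable item, because it turns every name on the “About us” page into a login candidate.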
What is critical infrastructure and why is it vulnerable?
Critical infrastructure is the collection of systems and institutions needed to keep the nation operating and to defend it if attacked. The Cybersecurity and Infrastructure Security Agency (CISA) recognizes sixteen critical infrastructure sectors:
- The chemical sector
- The commercial facilities sector, including sites where crowds gather, such as public spaces, concert venues, and hotels
- The communications sector
- The critical manufacturing sector
- The dams sector, covering over 90,000 U.S. dams
- The defense industrial base sector
- The emergency services sector
- The energy sector
- The financial services sector
- The food and agriculture sector
- The government facilities sector
- The healthcare and public health sector
- The information technology sector
- The nuclear reactors, materials, and waste sector
- The transportation systems sector
- The water and wastewater systems sector
The economy and our lives depend on these critical infrastructure systems, so ransomware and other malware attacks against them give attackers disproportionate leverage. Leaders of the affected organizations, eager to end a threat to people’s lives and welfare, may be more inclined to cooperate with the attackers.
Some elements of our critical infrastructure run on outdated technology and are therefore particularly vulnerable to attack, which makes them even more tempting targets.
The designers of those systems had no idea how they would be abused decades later. They certainly could not have anticipated the OSINT tools now used to perform reconnaissance against their systems and to exploit them.
Some sectors, such as defense, information technology, and financial services, are well aware of the threat and invest accordingly. Other sectors may be less prepared to defend themselves.
Outdated software and equipment can leave critical systems open to attack. Connecting older operational systems to newer networked technology has created exposures in how the parts of a system interact that their designers never planned for. Many organizations may not be prepared to address emerging threats, and even the best prepared struggle to educate their workforce on protecting personal information.
Some industries, such as banking, respond quickly to any public perception that their technology is insecure, because a loss of confidence costs them customers fast. Other sectors, such as water and wastewater, may be slower to adopt new technology and to absorb its growing pains and expense.
Ransomware and other attackers, however, do not wait for the bugs to be worked out of outdated critical infrastructure systems before they strike.
Who targets critical infrastructure?
Critical infrastructure is targeted by two main groups: criminals and nation-state actors. Both use the same types of OSINT tools to research and exploit their victims, but they have different purposes and target different elements of the systems they infiltrate.
Criminals attack critical infrastructure for money. Their primary goal, generally pursued through ransomware, is to make normal operations difficult or impossible: they halt critical functions to pressure the organization into paying.
Specifically, they encrypt information so it cannot be used, destroy or encrypt backups, and keep systems down long enough to collect payment. They cause inconvenience and disruption in order to profit. Increasingly, attackers also export, or “exfiltrate,” substantial amounts of data before encrypting it, to extort the victim with the threat of publication or to sell it on dark web black markets.
Nation-state actors often have more insidious goals.
When a nation-state uses malware against critical infrastructure, the goal is usually not profit. It uses malware to collect information, embarrass the target nation, or prevent it from achieving its own goals. Nation-state malware has been used to disrupt energy grids and oil pipelines, close schools, and more.
Commercial organizations involved in critical infrastructure must assume they are targets for nation-state attackers. Not only is critical infrastructure of direct interest, but malware used by nation-state actors has also been known to spread beyond the targets its operators originally intended.
Nation-states have also been known to purchase exploits and access from for-profit criminal actors, who look for additional profit by reselling what they found during a ransomware campaign.
How can OSINT be used to protect critical infrastructure?
With critical infrastructure both uniquely vital and uniquely vulnerable to attack, it is important to prioritize protection. Organizations should seek out OSINT experts to partner with their own IT, security, and leadership representatives to assess the organization’s vulnerability to attack.
Identifying which systems and information are critical is a key step of choosing which defenses to prioritize.
Plans for protecting critical systems and information should start with the most vital functions and communications of the organization. Teams should review systems and information to determine which systems would be considered most critical in light of both criminal and nation-state attacks. A criminal attacker may target different vulnerabilities and capabilities than a nation-state attacker.
Plans should include:
- Removing or mitigating vulnerabilities where possible.
- Backing up data to a location that an attack spreading through the network cannot reach, such as offline or otherwise isolated storage, and testing that the backups can actually be restored.
- Creating procedures and methods to identify reconnaissance and attacks in real time.
- Training staff on how to handle suspected reconnaissance and attacks.
- Investigating third-party partners and vendors as potential routes for attack.
- Responding during an attack, including reporting the attack to the FBI.
- Returning critical systems to operation after an attack.
- Preserving data about the attack.
- Researching how the attack occurred, who the attackers are, and how to prevent further attacks.
- Preventing any stolen information from being used against the organization.
Any organization that discovers it has been the victim of an attack must prepare for follow-on attacks. It should step up its use of OSINT tools to monitor for indicators of renewed reconnaissance, for the release of its stolen data, and for further attacks.
Many elements of critical infrastructure have historically been slow to change and adopt modern technology, for reasons that include avoiding any public perception of waste. Resistance to change is natural, but it results in weaker security.
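As an added example rather than anything from the article, here is the kind of real-time reconnaissance check that the plan item above (identifying reconnaissance as it happens) and the monitoring after an incident can start from: a Python script that reads web server access logs in the Apache/nginx “combined” format and flags sources that behave like scanners. The log lines are constructed, the addresses come from documentation ranges, and the user-agent substrings, probe paths, and thresholds are illustrative starting values that a team would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in the Apache/nginx "combined" format. Addresses
# are documentation ranges and the traffic is invented: one host (203.0.113.9)
# behaves like a scanner, one is an ordinary browser, one is a script client.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2024:14:01:01 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [10/Mar/2024:14:01:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [10/Mar/2024:14:01:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [10/Mar/2024:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [10/Mar/2024:14:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [10/Mar/2024:14:01:04 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.20 - - [10/Mar/2024:14:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
198.51.100.20 - - [10/Mar/2024:14:01:06 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
198.51.100.20 - - [10/Mar/2024:14:02:10 +0000] "GET /about.html HTTP/1.1" 200 4410 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
192.0.2.77 - - [10/Mar/2024:14:03:00 +0000] "GET /api/status HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
192.0.2.77 - - [10/Mar/2024:14:08:00 +0000] "GET /api/status HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Substrings seen in user-agents of common scanning/automation tools (illustrative).
# A script client is not proof of hostility, so this rule only adds context.
AUTOMATION_AGENTS = ("zgrab", "masscan", "nikto", "sqlmap", "nmap", "python-requests", "curl/")

# Paths that mass scanners probe for exposed secrets and admin panels (illustrative).
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin", "/admin", "/cgi-bin/", "/.aws/")

MIN_REQUESTS = 5        # do not judge a source on fewer requests than this
NOT_FOUND_RATIO = 0.5   # share of 404s that suggests guessing rather than browsing
BURST_WINDOW_S = 10     # MIN_REQUESTS within this many seconds counts as a burst


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(log_text):
    """Group requests by source and return {ip: [alert, ...]} for sources
    that show at least one reconnaissance indicator."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        alerts = []
        agents = {tool for r in recs for tool in AUTOMATION_AGENTS if tool in r["ua"].lower()}
        if agents:
            alerts.append("automation user-agent: " + ", ".join(sorted(agents)))
        probed = {p for r in recs for p in PROBE_PATHS if r["path"].startswith(p)}
        if len(probed) >= 3:
            alerts.append(f"probed {len(probed)} sensitive paths: " + ", ".join(sorted(probed)))
        if len(recs) >= MIN_REQUESTS:
            ratio = sum(r["status"] == 404 for r in recs) / len(recs)
            if ratio >= NOT_FOUND_RATIO:
                alerts.append(f"404 ratio {ratio:.2f} over {len(recs)} requests")
            times = sorted(r["time"] for r in recs)
            # Sliding window: any MIN_REQUESTS consecutive hits inside BURST_WINDOW_S.
            for i in range(len(times) - MIN_REQUESTS + 1):
                span = (times[i + MIN_REQUESTS - 1] - times[i]).total_seconds()
                if span <= BURST_WINDOW_S:
                    alerts.append(f"burst: {MIN_REQUESTS} requests within {span:.0f}s")
                    break
        if alerts:
            report[ip] = alerts
    return report


if __name__ == "__main__":
    for ip, alerts in analyze(SAMPLE_LOG).items():
        print(ip)
        for a in alerts:
            print("  -", a)
```

The point of combining several weak signals is that none of them is conclusive alone: a browser produces a stray 404 for a missing favicon, and a monitoring script has an automation user-agent, but only the scanner trips the path-probing, 404-ratio, and burst rules together. In production the same logic would run over a streaming log source and feed an alerting pipeline rather than print to the console.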
Organizations can help safeguard critical systems from ransomware and other malware attacks by adding OSINT expertise to their incident response teams. OSINT experts have a fundamental understanding of how malicious actors identify and leverage publicly available information to infiltrate systems and accomplish their goals.
Because of the public trust that is put into organizations providing critical infrastructure, it is essential to fully protect those systems as soon as possible.