TRITON Critical Infrastructure Attacks: Overview and Actions
image credit: source: pexels.com
- Apr 26, 2019 12:20 pm GMT
- 475 views
Threat research analysts from the cybersecurity firm FireEye recently announced another detected intrusion into a second critical infrastructure facility by TRITON, an advanced attack framework targeting operational technology (OT) safety systems. This news is particularly concerning for facilities like refineries, petrochemical plants, nuclear power reactors and other critical process control facilities because worker and public safety can potentially be threatened by a security-compromised facility.
In their report, FireEye also revealed the intruders had been operational since 2014. This indicates the attacker’s willingness to patiently wait for an attack opportunity, rather than attack randomly once access is gained. This also indicates an unfortunate likelihood that additional facilities have already been compromised without detection.
TRITON reinforces the mounting priority and need for detection, defense and recovery activities without disproportionately focusing on preventative measures such as anti-malware protection. These attacks don’t typically employ malware – instead they rely on “conduit” systems such as Windows, Linux and other information technology (IT) focused systems traditionally used for administration or remote access to OT devices. These conduit systems are either poorly configured or have known, but unpatched, vulnerabilities.
I encourage all OT security and network engineers and administrators to read the FireEye report and apply the tools, techniques and procedures (TTP) identified in the report to detect and recover from TRITON framework attacks.