February 28, 2023
Detecting insider threats in manufacturing environments is a complex problem that traditional security technologies aren’t equipped to solve.
Industrial and manufacturing organizations present a unique target for cybercriminals.
They usually have valuable intellectual property and sensitive customer data. They have complicated attack surfaces defined by third-party suppliers and vendors. Their operational technology (OT) deployments rarely have sophisticated security solutions built in.
It’s easy to see why large manufacturers are a top target for ransomware attacks and data breaches.
Many of these organizations take out extensive cybersecurity insurance policies instead of building resilience into their core operational technology.
Unfortunately, cyberattack insurance doesn’t directly address the main problem. It protects organizations from catastrophic damage but also incentivizes cybercriminals to continue targeting those organizations.
To break out of this cycle, manufacturers will have to adopt a new, stronger position against cyberattack threats. This means implementing new solutions for detecting and mitigating the risk of insider threats.
Manufacturing Organizations Make Compelling Cybercrime Targets
There are usually multiple ways to exploit sensitive data obtained from manufacturing organizations. Opportunistic cybercriminals can attempt to monetize stolen data by:
- Holding encrypted data for ransom. The average ransom payment in the manufacturing sector is more than $2 million. This is more than double the cross-sector average of $800,000. Fewer ransoms get paid, but the cost of a successful attack is higher than ever before.
- Threatening to publish sensitive data publicly. This is a key element of the double extortion tactic that can lead to catastrophic damage even if ransoms are paid. Sensitive customer data, trade secrets, and private financial information are susceptible to this kind of attack.
- Selling mission-critical intellectual property to competitors. Aerospace, pharmaceutical, and energy manufacturers have lost trillions of dollars to state-sponsored cyber espionage campaigns for years.
- Selling compromised credentials on the Dark Web. Sometimes, cybercriminals are content to break into an organization and then sell the compromised credentials to the highest bidder.
Enterprise-level manufacturing organizations have largely found effective ways to address the risk of pandemic-era ransomware attacks. However, they have not sufficiently addressed the risks of credential-based attacks. Malicious insiders are capable of encrypting, stealing, and selling sensitive data with greater sophistication than the previous generation of ransomware threats.
How Insiders Bypass Manufacturing Cybersecurity Defenses
Insider threats are committed by users who are entrusted to operate in the organization’s network. These are users who have already passed authentication and verification challenges, making them invisible to traditional detection and response technologies.
Insider threats come in two broad categories:
- Compromised insiders are external actors who have stolen the credentials of a legitimate user. When undetected, compromised insiders become advanced persistent threats capable of causing significant long-term damage. They use a variety of techniques to maintain cover and move stealthily through the organization.
- Malicious insiders are employees, partners, and vendors who have been granted permission to access sensitive systems. They abuse this trust either to gain additional income, sabotage strategic goals, or steal intellectual property for their own use. Laid-off employees may become malicious insiders if they feel their termination was carried out unfairly.
Since these two categories of users do not directly interact with perimeter-focused security technologies, they can operate free of scrutiny for long periods of time. Their actions do not typically trigger alerts because they already have permission to access internal files and systems. This is the defining characteristic of credential-based attacks, and it makes them incredibly difficult to detect.
Manufacturers Need Visibility into Behavioral Threat Indicators
Traditional SIEM solutions use a complex set of correlation rules to detect malicious activities. In a standard configuration, this means looking for an activity that fits known indicators published by threat intelligence services. As soon as a user or asset displays activity that matches the indicator, the SIEM triggers an alert and an analyst investigates it.
This doesn’t work for insider threats because correlation rules do not generally apply to authenticated users in a trusted environment. By the time an insider triggers a known threat indicator, it’s too late to meaningfully remediate the attack.
To catch insider threats before that point, security leaders need deeper visibility into the behaviors of authenticated users and assets. This gives analysts earlier warning signs of potential insider threats. Some of the behavioral indicators to look out for include:
- Anomalous Privilege Escalation. Attackers may create new privileged or administrative accounts before switching to the newly created account to exploit vulnerabilities and access sensitive data. This kind of activity is only apparent through in-depth behavioral analysis of the activities of privileged accounts.
- C2 communication. The threat intelligence community keeps extensive lists of known command and control domains and IP addresses. It’s highly unlikely that any authenticated user would connect to these assets for a legitimate reason. Any connection to a known C2 location should trigger an alert and investigation.
- Data Exfiltration. Copying large amounts of sensitive data to removable devices, outgoing emails, or external storage solutions should trigger an immediate investigation. This also applies to authenticated users who launch large print orders to physical on-site printers.
- Rapid data encryption. Any privileged user or asset scanning and encrypting large numbers of files should be immediately investigated. This kind of activity should not be ignored simply because it comes from an authenticated account.
- Lateral movement. Attackers may switch user accounts, devices, or IP addresses as they search for valuable assets on your network. This kind of activity is difficult to detect because it is distributed across a wide array of assets, requiring analysts to trace it through minor, mostly non-threatening logs captured by multiple security tools.
Simple rules-based SIEM solutions can’t perform this kind of behavioral detection. Exabeam is a New-Scale SIEM™ solution that uses machine learning to power User and Entity Behavior Analytics (UEBA) insights. It observes the behaviors of authenticated users and assets, assigning a dynamic risk score that reflects the likelihood of a compromised credential attack.
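To make the risk-scoring idea concrete, here is an added example (not Castra’s or Exabeam’s code) that turns each of the five behavioral indicators listed above into a small detector and accumulates a per-account risk score. The event format, the thresholds, the indicator weights and the C2 indicator list are all assumptions constructed for this illustration; a real UEBA product would learn per-user baselines rather than use fixed thresholds.

```python
"""Toy UEBA-style risk scoring over constructed security events.

Added example (not Castra's or Exabeam's code): each behavioral indicator
becomes a detector, and every hit adds a weight to the risk score of the
account involved. Event format, thresholds, weights and the C2 list are all
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator weights (assumed). A real UEBA product learns a baseline per
# user; the fixed thresholds below stand in for that baseline.
WEIGHTS = {
    "anomalous_privilege_escalation": 30,
    "c2_communication": 40,
    "data_exfiltration": 25,
    "rapid_encryption": 35,
    "lateral_movement": 20,
}
KNOWN_C2 = {"198.51.100.23", "203.0.113.77"}       # placeholder addresses, not real intel
EXTERNAL_DESTS = {"removable", "external_storage", "email"}
EXFIL_BYTES = 1 << 30                               # 1 GiB copied to an external destination
LATERAL_HOSTS = 3                                   # distinct hosts one account logs on to
ENCRYPT_FILES, ENCRYPT_WINDOW = 500, timedelta(minutes=10)

# Constructed events: (ISO timestamp, account, action, "key=value ..." detail).
EVENTS = [
    ("2023-02-27T08:00:00", "jsmith", "logon", "host=ENG-WS01"),
    ("2023-02-27T08:05:00", "jsmith", "create_account", "account=svc_backup privileged=true"),
    ("2023-02-27T08:06:00", "svc_backup", "logon", "host=ENG-WS01"),
    ("2023-02-27T08:10:00", "svc_backup", "net_connect", "dst=203.0.113.77"),
    ("2023-02-27T08:11:00", "svc_backup", "logon", "host=PLC-GW02"),
    ("2023-02-27T08:12:00", "svc_backup", "logon", "host=FILE-SRV01"),
    ("2023-02-27T08:13:00", "svc_backup", "logon", "host=HMI-03"),
    ("2023-02-27T08:20:00", "svc_backup", "file_copy", "dst=removable bytes=5368709120"),
    ("2023-02-27T08:30:00", "svc_backup", "file_encrypt", "count=1200"),
    ("2023-02-27T09:00:00", "mlee", "logon", "host=ENG-WS07"),
    ("2023-02-27T09:30:00", "mlee", "file_copy", "dst=internal_share bytes=2048"),
]


def parse_detail(detail):
    """Turn 'k=v k=v' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())


def score_events(events):
    """Return ({account: risk_score}, {account: [reasons]}) for the given events."""
    scores, reasons = defaultdict(int), defaultdict(list)
    seen = set()                  # (account, reason) pairs already counted once
    created_by = {}               # new privileged account -> account that created it
    hosts = defaultdict(set)      # account -> distinct logon hosts
    encrypts = defaultdict(list)  # account -> [(time, file_count)] inside the window

    def flag(account, indicator):
        # Attribute the hit to the account and, if that account was freshly
        # created, also to its creator so the identity chain shares one score.
        targets = [(account, indicator)]
        if account in created_by:
            targets.append((created_by[account], f"{indicator} via {account}"))
        for who, reason in targets:
            if (who, reason) not in seen:
                seen.add((who, reason))
                scores[who] += WEIGHTS[indicator]
                reasons[who].append(reason)

    for ts, account, action, detail in sorted(events):
        d, t = parse_detail(detail), datetime.fromisoformat(ts)
        if action == "create_account" and d.get("privileged") == "true":
            created_by[d["account"]] = account
        elif action == "logon":
            if account in created_by:  # creator switched to the new privileged account
                flag(account, "anomalous_privilege_escalation")
            hosts[account].add(d["host"])
            if len(hosts[account]) >= LATERAL_HOSTS:
                flag(account, "lateral_movement")
        elif action == "net_connect" and d["dst"] in KNOWN_C2:
            flag(account, "c2_communication")
        elif action == "file_copy" and d["dst"] in EXTERNAL_DESTS and int(d["bytes"]) >= EXFIL_BYTES:
            flag(account, "data_exfiltration")
        elif action == "file_encrypt":
            window = [(t0, n) for t0, n in encrypts[account] if t - t0 <= ENCRYPT_WINDOW]
            window.append((t, int(d["count"])))
            encrypts[account] = window
            if sum(n for _, n in window) >= ENCRYPT_FILES:
                flag(account, "rapid_encryption")
    return dict(scores), dict(reasons)


if __name__ == "__main__":
    risk, why = score_events(EVENTS)
    for account, score in sorted(risk.items(), key=lambda kv: -kv[1]):
        print(f"{account:12s} risk={score:4d}  {'; '.join(why[account])}")
```

The point the walk-through makes is that none of the constructed events is individually forbidden for an authenticated account: a logon, a file copy, a network connection. Only the accumulated pattern, and the link between the creator and the account it created, pushes the score high enough to warrant an analyst's attention, while the ordinary engineer `mlee` accumulates nothing.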
Insider Threats Amplify Risks from OT Vulnerabilities
Operational technology remains one of the leading factors contributing to manufacturing cybersecurity risks. As manufacturers connect their remote terminal units, engineering workstations, and industrial logic controllers to their internal networks, they expand the potential attack surface of the organization itself.
Malicious insiders can and will exploit these connections to gain access to operational technology. This can provide opportunities to steal credentials, upload malicious firmware, or take devices offline entirely. The level of disruption is limited only by the objectives the cybercriminal in question wishes to achieve.
Many of these devices do not have built-in security standards that correspond to modern best practices. Their vulnerabilities may be much harder to patch than a typical software-based system. Alarmingly, manufacturers may expose these devices to the public Internet – making them easily detectable to threat actors – without sufficiently protecting them first.
This raises the stakes of an insider threat scenario. Attackers aren’t limited to using compromised credentials to steal customer data and intellectual property. They can also remotely manipulate core processes vital to the functioning of the organization itself. For conscientious security leaders, detecting and mitigating these threats early is a top priority.
Build Cybersecurity Resilience with Castra SIEM Expertise
Sophisticated behavioral analysis enables security leaders to proactively address the threat of compromised credentials and malicious insiders. Castra’s SIEM expertise gives analysts the tools they need to detect insider threats before they have a chance to cause catastrophic damage.
It’s time to address manufacturing cybersecurity risks proactively. Schedule a demo to find out how Castra can leverage Exabeam to detect compromised credentials using custom rulesets enhanced by machine learning.