Gaining initial access to mission critical systems is often just the beginning for threat actors. For public safety agencies, understanding how these cyber attackers maintain access after they’ve breached defenses is absolutely critical. If the attackers can stay inside the network they can continue to pursue their malicious goals, causing significant disruption and putting the confidentiality, integrity and availability of mission critical systems at risk.
A new report from the Public Safety Threat Alliance (PSTA) threat intelligence team, titled “Public Safety Threat Report: How threat actors maintain access in public safety systems,” sheds crucial light on this often-overlooked phase of cyberattacks. The report examines the techniques cyber criminals use to maintain persistent access in public safety systems such as 911 emergency call handling, radio networks and computer aided dispatch (CAD) systems and looks at how public safety agencies can guard against these attacks.
What is persistent access?
After successfully breaching a network and gaining initial access, threat actors don’t want to be kicked out. This is where persistent access comes in, a key stage within the cyberattack lifecycle.
The primary goal for the attacker is to maintain access to the target network over an extended period. The threat actors aim is to set up multiple access points into the network. This ensures the attacker can return to the network even if defenders identify the initial intrusion and block it.
The PSTA report highlights just how prevalent this is with over 78% of adversaries that targeted public safety systems within the last year using at least one form of persistence to maintain their attacks.
Why is stopping persistent access so important?
Persistence enables threat actors to return to the network after reboots, patching, or even after defenders have removed malware. Successful persistence leads to prolonged dwell time, enabling attackers to locate high-value targets like domain controllers and sensitive data. It allows the attackers to continue to achieve their desired objectives within the compromised environment, ensuring maximum disruption.
Detecting and Preventing Persistence
Defending against persistence requires a focus on identification because it’s a post-exploitation technique – meaning the breach has already occurred. Early detection is critical to disrupting the attack chain before significant harm is done.
The report clearly shows that persistence is not just an optional step for threat actors, but a fundamental technique used by the vast majority of attackers targeting public safety systems. By understanding how adversaries maintain access – through compromised credentials, new accounts and built-in system features – public safety organizations can better detect threat actors during the persistence phase, preventing progression to the final attack stages where data is stolen and systems are compromised or destroyed.
Join the PSTA today to access the full report and get crucial insight into the strategies and techniques you can use to safeguard your mission critical systems from persistent access attacks.
About the PSTA
The PSTA, established by Motorola Solutions and recognized by CISA, shares vital cybersecurity information and analysis with public safety agencies. The PSTA publishes threat reports providing crucial intelligence and analysis as well as hosting webinars with cybersecurity experts who share their insights and expertise. The PSTA offers its threat intelligence products and services for its members at no cost.
