Cyberattacks against public safety organizations are a daily threat and once an attacker gains a foothold, it’s a race against the clock to stop them. The latest threat report from Public Safety Threat Alliance (PSTA) details how cyber threat actors achieve their post-compromise objectives after gaining initial access to public safety networks.
Post-compromise activity covers the malicious actions a threat actor takes after the initial access, execution and persistence stages of an attack. The report ‘How cyber attackers achieve post-compromise objectives’ reveals some critical insights for public safety agencies to protect their radio communications networks, 9-1-1 emergency call handling and Computer Aided Dispatch (CAD) systems, as well as their enterprise networks.
How attackers stay hidden
The majority of techniques used in public safety compromises are fileless ‘living off the land’ tradecraft. These techniques use tools and services already present on the target network, so they leave few of the artifacts that file-based malware would and allow adversaries to stay under the radar. This is a significant reason why stolen credentials and other credential abuse tactics are so common and effective: an attacker logging in with a valid account looks like a user. Using valid user accounts and brute-forcing access are among the most common methods for adversaries to advance their attacks and maintain persistence over the long term.
Domain controllers are the crown jewels
Domain controllers are servers that manage and authenticate users and devices in a computer network, enforcing security policies and centralizing administration. They are the “crown jewels” for attackers. Nearly 80 percent of global cyberattacks across all sectors abused domain controllers in some way, primarily to spread and execute ransomware. Control of a domain controller gives an attacker the credential material for every account in the domain and the ability to push policy and software to every joined machine, so from there they can escalate privileges and move freely through the network.
The impact of post-compromise attacks – ransomware and extortion
The report highlights some alarming statistics from data collected so far this year. Nearly half of all public safety cyberattacks, approximately 43 percent, involved ransomware and data extortion. Extortion syndicates were responsible for 46 percent of public safety compromises and for every attack (100 percent) that disrupted mission-critical public safety systems this year.
Top threat groups
The most disruptive threat groups observed this year are INC Ransomware, Interlock and Qilin. These groups have attacked mission-critical networks and employ standard tradecraft, such as credential abuse and remote access tools, to elevate privileges and spread across systems.
Detecting post-compromise activity
To detect post-compromise activity, defenders should monitor for common attacker behaviors, tactics, techniques and procedures (TTPs). The PSTA report advises that organizations focus on specific actions, such as:
- Tracking access to common password storage locations.
- Setting alerts for repeated failed login attempts.
- Monitoring for the creation of new administrative accounts.
Beyond these, security teams should look for other indicators of compromise (IOCs), particularly behavioral ones. Unusual network traffic, an increase in database read volume or logins from unexpected geographical locations are just a few examples. Monitoring these behavioral abnormalities helps defenders identify threats that have already bypassed initial access controls, and it is a prerequisite for an incident response plan that can act before the impact stage.
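The three detections the PSTA list calls out translate directly into rules over Windows Security log events: 4625 (failed logon) bursts per source address, a 4720 (account created) followed within a short window by a 4728/4732 (member added to a privileged group), and 4663 (object access) on credential stores such as ntds.dit or the SAM hive. The following Python is an added example written for this page, not code from the PSTA report; the events are constructed sample records with a handful of the real log fields, the MemberName field is simplified to a plain account name, and the thresholds, path list and backup-account allowlist are assumptions a defender would tune for their own environment.

```python
"""Three post-compromise detections over constructed Windows Security records.

Event IDs used: 4625 failed logon, 4720 user account created,
4728/4732 member added to a (global/local) security group, 4663 object access.
Sample data below is constructed for the example, not taken from real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 10, 1, 1, 0, 0)


def ev(offset_s, event_id, **fields):
    """Build a constructed event: a few Security log fields plus a timestamp."""
    return {"time": T0 + timedelta(seconds=offset_s), "id": event_id, **fields}


# Constructed sample log. MemberName is simplified to a plain account name
# (a real 4732 carries a distinguished name there).
SAMPLE_EVENTS = [
    # 6 failed logons from one source in 75 seconds: spraying/brute force
    *[ev(s, 4625, TargetUserName=u, IpAddress="10.0.0.5")
      for s, u in zip(range(0, 90, 15), ["admin", "jdoe", "dispatch", "cad", "psap", "radio"])],
    # 5 failures from another source, 3 minutes apart: ordinary typo noise
    *[ev(s, 4625, TargetUserName="jdoe", IpAddress="10.0.0.7") for s in range(0, 900, 180)],
    # New account, then added to BUILTIN\Administrators three minutes later
    ev(600, 4720, SubjectUserName="jdoe", TargetUserName="svc_backup2"),
    ev(780, 4732, SubjectUserName="jdoe", TargetUserName="Administrators",
       TargetSid="S-1-5-32-544", MemberName="svc_backup2"),
    # New account with no privileged group change: onboarding, not an alert
    ev(900, 4720, SubjectUserName="hr_admin", TargetUserName="newhire"),
    # File access on the AD database (by a person, and by the backup account)
    # and on an ordinary document
    ev(1000, 4663, SubjectUserName="jdoe", ObjectName=r"C:\Windows\NTDS\ntds.dit",
       ProcessName=r"C:\Windows\System32\ntdsutil.exe"),
    ev(1100, 4663, SubjectUserName="svc_adbackup", ObjectName=r"C:\Windows\NTDS\ntds.dit",
       ProcessName=r"C:\Program Files\BackupAgent\agent.exe"),
    ev(1200, 4663, SubjectUserName="jdoe", ObjectName=r"C:\Users\jdoe\Documents\report.docx",
       ProcessName=r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
]

# Assumed thresholds and lists; tune per environment.
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}                 # BUILTIN\Administrators
ADMIN_GROUP_NAMES = {"Administrators", "Domain Admins", "Enterprise Admins"}
CREDENTIAL_STORE_SUFFIXES = (r"\ntds\ntds.dit", r"\system32\config\sam",
                             r"\system32\config\security", ".kdbx")


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Sources whose 4625 count reaches `threshold` inside any sliding `window`.
    Returns {source_ip: peak failures in a window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["IpAddress"]].append(e["time"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_new_admin_accounts(events, lookback=timedelta(hours=24)):
    """Accounts created (4720) and added to an admin group (4728/4732) within `lookback`."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["id"] == 4720:
            created[e["TargetUserName"]] = e
        elif e["id"] in (4728, 4732) and (
                e.get("TargetSid") in ADMIN_GROUP_SIDS
                or e.get("TargetUserName") in ADMIN_GROUP_NAMES):
            origin = created.get(e["MemberName"])
            if origin and e["time"] - origin["time"] <= lookback:
                alerts.append({
                    "account": e["MemberName"],
                    "created_by": origin["SubjectUserName"],
                    "promoted_by": e["SubjectUserName"],
                    "group": e["TargetUserName"],
                    "minutes_to_privilege": (e["time"] - origin["time"]).total_seconds() / 60,
                })
    return alerts


def detect_password_store_access(events, allowed_subjects=frozenset()):
    """4663 events touching a known credential store, excluding allowlisted accounts
    (e.g. the AD backup service), as (subject, object, process) tuples."""
    hits = []
    for e in events:
        if e["id"] != 4663 or e["SubjectUserName"] in allowed_subjects:
            continue
        if e["ObjectName"].lower().endswith(CREDENTIAL_STORE_SUFFIXES):
            hits.append((e["SubjectUserName"], e["ObjectName"], e["ProcessName"]))
    return hits


def run_all(events, backup_accounts=frozenset({"svc_adbackup"})):
    """Run the three rules and return their findings keyed by rule name."""
    return {
        "brute_force": detect_brute_force(events),
        "new_admin_accounts": detect_new_admin_accounts(events),
        "credential_store_access": detect_password_store_access(events, backup_accounts),
    }


if __name__ == "__main__":
    for rule, findings in run_all(SAMPLE_EVENTS).items():
        print(rule, findings)
```

Against the sample set the rules fire on the 10.0.0.5 burst but not on the slow failures from 10.0.0.7, on svc_backup2 (created and promoted by the same operator three minutes apart) but not on the onboarding account, and on the interactive ntdsutil.exe read of ntds.dit but not on the allowlisted backup account. The allowlist is the part to get right in practice: a backup agent legitimately reads ntds.dit, so the rule should key on who and which process, not on the path alone.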
What can defenders do to prevent malicious activity?
To prevent attackers from being successful, you need a comprehensive cybersecurity strategy. The PSTA report offers several actionable steps to help defenders identify and halt malicious activity.
- Implement a Managed Detection and Response (MDR) plan: For understaffed or under-resourced organizations, a third-party MDR provider is highly recommended. With MDR services in place, security analysts can identify malicious activity in real time and take action to contain threats before they reach the impact stage.
- Strengthen defenses: You can significantly reduce the risk of compromise by implementing strategies like enforcing multi-factor authentication (MFA), patching regularly and turning off unused services. Training employees to spot phishing attacks is also crucial.
- Monitor for post-compromise activity: Focus on detecting common post-compromise tactics. This includes centralizing log collection and alerting so that the creation of new administrative accounts and access to sensitive data are monitored continuously rather than reviewed after the fact.
Ready to take action? Join the PSTA
Cybersecurity is a team effort, and with October being the 22nd annual Cybersecurity Awareness Month, it is the perfect time to reinforce your organization’s defenses and raise awareness. The Public Safety Threat Alliance (PSTA) is dedicated to helping public safety organizations improve their cybersecurity posture and resilience by providing actionable, no-cost threat intelligence.
By joining the PSTA, you’ll gain access to our 2000+ member community that shares intelligence, enabling you to better protect your mission-critical systems and the communities you serve.
There is no cost to join and becoming a member gives you access to the full “How Cyber Attackers Achieve Post-Compromise Objectives” report and other valuable resources.