The greatest threat to our critical infrastructure: Fortune 1000 employees

A new SpyCloud report finds critical infrastructure companies struggle with password hygiene and rampant malware infections.

By Joel Bagnal, Director, Federal – SpyCloud

Global cyber threats are on the rise, making our critical infrastructure increasingly vulnerable to attack. Amid warnings from key cyber officials and guidance from the Cybersecurity Infrastructure Security Agency’s Shields Up campaign to harden defenses, companies’ largest source of vulnerability remains the user.

As organizations race to secure their software supply chains and implement endpoint protection and cloud service controls, criminals are still most likely to succeed by walking through the front door. Account takeover using stolen credentials and other data siphoned from malware delivered via one accidental click to a work computer or smartphone could easily lead to attacks that disrupt the basic functioning of our society.

While problematic user behavior such as bad password hygiene is an obvious source of vulnerability, malware can lead to ransomware attacks that bring entire systems to a standstill while remaining nearly undetectable throughout the attack lifecycle. To secure critical infrastructure, companies must prioritize mitigating exposure from risky user behaviors around both password hygiene and the growing prevalence of malware infections.

Employee exposure among Fortune 1000 infrastructure companies

According to a recent SpyCloud report analyzing identity exposure among employees of Fortune 1000 companies, industrial giants still face an alarmingly high degree of user vulnerability.

One major trend was poor password hygiene. Company names were included in the top 3-5 most used passwords among Fortune 1000 companies in the aerospace and defense, chemical, industrial and energy sectors. The report also found a 75% password reuse rate among aerospace and defense companies, a 66% reuse rate among industrials, and a 63% reuse rate among energy providers.

Finally, across Fortune 1000 companies in key infrastructure sectors such as health care, engineering and construction, telecommunications and transportation, 17,516 employee devices were found to be infected with malware.

Exposed credentials are most valuable immediately after they are harvested, and cybercriminals closely guard fresh logins to launch targeted account takeover attacks against high-value targets like critical infrastructure. Undiscovered bad actors using stolen data can exploit vulnerabilities and remain stealthy for a long time with a high rate of success.

There are clear best practices for remediating bad password hygiene. Implementing multi-factor authentication and requiring the use of password managers to generate and store complex passphrases can help mitigate the risk of account takeover. Robust password hygiene helps ensure credentials are harder to steal or guess or steal. Monitoring for stolen credentials against data recaptured from breaches and malware-infected device logs shortens the window during which stolen credentials can be used for ATO.

Malware, however, can be extremely dangerous when a threat actor is targeting a specific victim such as a power grid or a hospital system – and is incredibly difficult to detect. Using stolen cookies siphoned by infostealer malware, criminals can mimic legitimate users’ browser footprints and hijack open sessions, giving them access to corporate networks without logging in. With anti-detect browsers and stolen cookies, an attacker can bypass protections like MFA entirely because they appear exactly as a trusted device would.

Once they have gained access, criminals can easily move laterally across IT networks to impact internet-enabled OT networks with ransomware. Worse, organizations could be at risk of wiperware, a form of malware attack intended to destroy systems rather than offer companies the opportunity to decrypt them for a ransom. Wiperware has increasingly been used in politically motivated attacks such as cyber warfare against critical infrastructure in Ukraine.

Proactively protecting critical infrastructure against malware attacks

The widespread incidence of elementary cyber mistakes in SpyCloud’s report findings points to a higher degree of critical infrastructure vulnerability than leaders in government and the private sector may have anticipated.

CISA Director Jen Easterly and National Cyber Director Chris Inglis indicated in a June op-ed directed at cyber defenders and industry that heightened security postures will need to remain in place for the foreseeable future. However, they also warn against vigilance fatigue: burnout resulting from maintaining maximum alert over a sustained period that can allow reduced risks to creep back up.

For critical infrastructure companies struggling to implement strong password hygiene, vigilance fatigue presents a major challenge. Bracing for a sophisticated malware attack emanating from targeted employees, customers, vendors and software supply chains could place a major strain on cybersecurity resources, particularly if companies are relying on users to exercise caution.

In this challenging environment, public and private defenders alike must prioritize a proactive defense against the threat of malware. A successful strategy should deploy tools and tactics geared toward detecting malware infected devices and preventing them from threatening the systems that support our fundamental way of life.

Refreshing outdated training programs that focus only on phishing and suspicious email attachments can prepare users for new and sophisticated malware delivery mechanisms such as open-source web applications and free mods used in online gaming platforms. Educating users about the risks of leaving sessions open for extended periods, encouraging them to log out and clear cookies frequently and monitoring for anomalous account activity can help prevent session hijacking.

In the fight to protect critical infrastructure against criminals and adversaries, legitimate points of access are our weakest point. Closing them off to bad actors is the clearest path to stopping attacks before they begin.

About the Author

Joel Bagnal is SpyCloud’s Director of Federal. He leads the expansion of SpyCloud’s government practice by connecting its leading-edge solutions and intelligence to support the intel community, defense agencies and law enforcement. Previously, Joel Bagnal has served in a wide range of cybersecurity and leadership positions, which includes acting as a senior advisor to the President of the United States during the Bush administration. Over his career, Bagnal has also been the Principal Homeland Security and Counterterrorism Advisor, Chairman of the Homeland Security Council Deputies Committee, and Co-Chair of the Counterterrorism Security Group.

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud.

Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world.

Joel can be reached on LinkedIn at https://www.linkedin.com/in/joelbagnal/.