USCG released its annual Cyber Trends and Insights in the Marine Environment (ME) report. This report aims to provide relevant information about best practices to secure critical systems.
Since December 2020, CGCYBER rapidly developed resources, capabilities, and partnerships to protect the ME from increasing cyber threats.
The observations and findings in this report provide Coast Guard units and port partners with relevant information to identify and address cyber risks. Coast Guard Cyber Protection Teams (CPTs) and the Maritime Cyber Readiness Branch (MCRB) identified these findings through technical engagements conducted with ME partners throughout 2023.
"As U.S. Coast Guard missions expand into the cyberspace domain and across the global maritime commons, CGCYBER remains strategically postured to protect maritime critical infrastructure from advanced cyber threat actors," said Rear Admiral Jay Vann, Commander, Coast Guard Cyber Command.
Four Key Takeaways from the report:
- Many of the same findings/recommendations discussed in the CTIME 2021 and 2022 reports were observed again in 2023.
- Emerging technologies create new attack paths into the ME.
- Ransomware attacks and Advanced Persistent Threats (APTs) continue to target the ME.
- Timely information sharing is the most effective way to increase defenses against adversaries.
What’s New in 2023?
In 2023, the ME saw an increase in industry reporting of Nation-State actors targeting U.S. Critical Infrastructure. In response, CGCYBER directed CPT resources toward finding these actors and toward incorporating operational technology (OT) into CPT missions. The 2023 CTIME report reflects this change in priority with new sections for Hunt & Incident Response RECAP and Securing OT. CGCYBER continued to build capacity to support the growing demand from partners in the ME seeking CPT assistance. The 2003 CPT reached Initial Operating Capability in August of 2023 and is expected to reach Full Operating Capability in 2024. Additionally, CGCYBER established a Reserve Component CPT, 1941 CPT, which will supplement the Active Duty CPTs and provide specialized expertise to support and augment operations.
In 2023, MCRB and local Coast Guard units conducted 46 investigations on reports of cyber incidents. These included several incidents that significantly affected large-scale international organizations. Though the overall number of reported incidents has decreased since 2022, MCRB believes many incidents go undetected or unreported by organizations that fear the public's perception following a cyber incident. Nation-State actors and opportunistic cybercriminals consistently target the ME, given that more than 90% of U.S. imports and exports flow through U.S. maritime ports annually.
MCRB categorizes reported cyber incidents into three categories.
- Ransomware: A type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.
- Phishing/Spoofing: Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, or access to a larger computerized system through a fraudulent solicitation in email or on a website. The perpetrator typically masquerades as a legitimate business or reputable person. Spoofing is a technique for faking the sending address of a transmission to gain illegal/unauthorized entry into a secure system.
- Other Cyber Incidents: Any incident that does not fall into the above categories such as: Business Email Compromise, Structured Query Language (SQL) Injection, etc.
Findings
- Phishing for Information: Phishing for Information is related to the Phishing Technique (T1566); however, instead of attempting to use the email for malicious code execution, Phishing for Information is used to gain useful information, such as a username and password, from the phished user. During assessments, CPTs sent emails masquerading as various agents from the partner’s organization (generally from the IT Department) with a link that would send users to a simulated malicious login portal created by the CPTs to capture user credentials. 10.8% of all phishing emails sent during threat emulation resulted in a click by a user. Additionally, of those who clicked the link, 6.7% of users provided credentials when requested.
- Valid Accounts: The most common initial access technique used during Assess missions was Valid Accounts. On CPT missions, Valid Accounts were gathered from publicly available sources, Gather Victim Identity Information: Credentials (T1589.001), or from using related techniques such as Phishing for Information, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), or Steal or Forge Kerberos Tickets: Kerberoasting (T1558).
- Adversary-in-the-Middle: CPTs found that organizations remain vulnerable to LLMNR/NBT-NS Poisoning and SMB Relay attacks. These attacks leverage legacy protocols used for host identification to harvest credentials from within a network. LLMNR/NBT-NS Poisoning consists of an attacker inside the network responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) queries and directing traffic to an adversary-controlled system. Then, once a legitimate user attempts to access the portion of the network that is redirected to the adversary-controlled system, the adversary can use a myriad of techniques to directly obtain hashed or, in some cases, plaintext credentials.
- Brute Force: Password Cracking: The National Institute of Standards and Technology (NIST) Special Publication 800-63 Digital Identity Guidelines recommends password policies include password length and password complexity requirements. Additionally, NIST 800-63 provides suggestions for enforcement and consequences when not followed. Across the CY23 CPT missions, CPTs had little to no difficulty cracking passwords with a length of 12 characters or less.
- Patch Management: Vendors regularly release patches and updates to address existing and emerging security threats. These patches address various levels of risk, which are evaluated using the Common Vulnerability Scoring System (CVSS). The CVSS assigns vulnerabilities a score based on their severity. Failure to apply the latest patches can leave the system open to attack from publicly available exploits. The risk presented by missing patches and updates can vary; however, the most critical vulnerabilities are those that are proven to be exploitable. These vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
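The Phishing/Spoofing category and the Phishing for Information finding above both describe the same lure: a message that claims to come from the organization's own IT staff and links to a login page that is not the organization's. The following is an added example, not code from the report or from Coast Guard Cyber Command, showing how a mail gateway or SOC script can surface those indicators from the message itself using only the Python standard library. The organization's domain (port-authority.example), the sample message and the credential-themed word list are all constructed for the example.

```python
"""Added example (not from the CTIME report or the Coast Guard): triage an inbound
email for the two indicators the report's Phishing/Spoofing category describes, a faked
sender and a link to a credential-harvest page. Standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains this organization actually owns.
ORG_DOMAINS = {"port-authority.example"}
CREDENTIAL_WORDS = ("password", "sign in", "login", "verify", "re-validate", "expires")

# Constructed sample: the display name claims to be the IT department, but the envelope
# sender and the link target live on a domain the organization does not own.
SAMPLE_EMAIL = """\
From: "IT Department" <helpdesk@port-authority.example>
Return-Path: <bounce@mail-relay-xyz.example.net>
Authentication-Results: mx.port-authority.example; spf=fail smtp.mailfrom=mail-relay-xyz.example.net; dkim=none
Subject: Action required: re-validate your account
Content-Type: text/html

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://login-portauthority.example.net/sso">https://sso.port-authority.example/login</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(addr_or_url):
    """Last two labels of the host in an email address or URL (good enough for .example)."""
    if "://" in addr_or_url:
        host = urlparse(addr_or_url).hostname or ""
    elif "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[1]
    else:
        host = addr_or_url
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Header From (what the user sees) vs envelope sender (where bounces go).
    from_dom = base_domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = base_domain(parseaddr(msg.get("Return-Path", ""))[1])
    if from_dom in ORG_DOMAINS and rp_dom != from_dom:
        findings.append(f"From claims {from_dom} but envelope sender is {rp_dom}")

    # 2. SPF/DKIM results recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim)=(fail|softfail|none|permerror)\b", auth):
        findings.append("sender authentication did not pass: " + auth.split(";", 1)[-1].strip())

    # 3. Links whose visible text is a URL on one domain but whose target is another,
    #    and credential-themed wording pointing at a domain we do not own.
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    body_lower = body.lower()
    for href, text in collector.links:
        href_dom = base_domain(href)
        if "://" in text and base_domain(text) != href_dom:
            findings.append(f"link text shows {base_domain(text)} but points to {href_dom}")
        if href_dom not in ORG_DOMAINS and any(w in body_lower for w in CREDENTIAL_WORDS):
            findings.append(f"credential-themed message links to external domain {href_dom}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print("FLAG:", line)
```

Run against the constructed message, `analyze` returns four findings: the From/Return-Path domain mismatch, the failed SPF check, the link whose visible text and target disagree, and the credential-themed link to an external domain. A message from the real IT department with matching envelope and header domains and passing SPF produces an empty list. The two-label `base_domain` helper is deliberately simple; production code would use a public-suffix list.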
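The Adversary-in-the-Middle finding describes a host on the local segment answering LLMNR (UDP 5355) and NBT-NS (UDP 137) name queries it does not own. A defender can turn that behaviour into a detection: a legitimate host answers only for its own name, while a poisoner answers for every name it hears, including a deliberately queried name that no real host has. The block below is an added example, not code from the report; the record layout, the IP addresses, the canary name cg-canary-noexist and the threshold of two distinct names are all constructed assumptions.

```python
"""Added example (not from the CTIME report): spot a host answering LLMNR/NBT-NS name
queries it has no business answering, from constructed name-resolution records."""
from collections import defaultdict

LLMNR_MCAST, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR queries go to this multicast group
NBTNS_PORT = 137                                 # NBT-NS queries are broadcast on UDP 137
# Assumed: a name the defender queries on purpose and that no real host owns, so any
# answer to it comes from a poisoner.
CANARY = "cg-canary-noexist"

# Constructed records, the fields a sensor might extract from UDP 5355/137 traffic.
RECORDS = [
    {"proto": "LLMNR", "kind": "query",    "src": "10.0.1.21", "dst": LLMNR_MCAST, "name": "fileserver01"},
    {"proto": "LLMNR", "kind": "response", "src": "10.0.1.50", "dst": "10.0.1.21", "name": "fileserver01"},
    {"proto": "LLMNR", "kind": "query",    "src": "10.0.1.22", "dst": LLMNR_MCAST, "name": "prnt-srv"},
    {"proto": "LLMNR", "kind": "response", "src": "10.0.1.99", "dst": "10.0.1.22", "name": "prnt-srv"},
    {"proto": "NBTNS", "kind": "query",    "src": "10.0.1.23", "dst": "10.0.1.255", "name": "WPAD"},
    {"proto": "NBTNS", "kind": "response", "src": "10.0.1.99", "dst": "10.0.1.23", "name": "WPAD"},
    {"proto": "LLMNR", "kind": "query",    "src": "10.0.1.24", "dst": LLMNR_MCAST, "name": "sharepiont"},
    {"proto": "LLMNR", "kind": "response", "src": "10.0.1.99", "dst": "10.0.1.24", "name": "sharepiont"},
    {"proto": "LLMNR", "kind": "query",    "src": "10.0.1.5",  "dst": LLMNR_MCAST, "name": CANARY},
    {"proto": "LLMNR", "kind": "response", "src": "10.0.1.99", "dst": "10.0.1.5",  "name": CANARY},
]


def find_poisoners(records, max_names=2):
    """Map responder IP -> reasons it looks like an LLMNR/NBT-NS poisoner."""
    answered = defaultdict(set)        # responder IP -> {(protocol, name)}
    for r in records:
        if r["kind"] == "response":
            answered[r["src"]].add((r["proto"], r["name"].lower()))

    verdicts = {}
    for ip, pairs in answered.items():
        names = {n for _, n in pairs}
        protos = {p for p, _ in pairs}
        reasons = []
        if CANARY.lower() in names:
            reasons.append("answered the canary name")
        if len(names) > max_names:
            reasons.append(f"answered {len(names)} different names")
        if len(protos) > 1:
            reasons.append("answers on both LLMNR and NBT-NS")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def exposed_clients(records, poisoner_ip):
    """Hosts that received an answer from the poisoner; their users may have sent
    credentials to it and should be treated as exposed during incident response."""
    return sorted({r["dst"] for r in records
                   if r["kind"] == "response" and r["src"] == poisoner_ip})


if __name__ == "__main__":
    for ip, reasons in find_poisoners(RECORDS).items():
        print(ip, "->", "; ".join(reasons))
        print("  clients that heard it:", exposed_clients(RECORDS, ip))
```

On the constructed records, 10.0.1.50 answers once for a name it owns and is not flagged; 10.0.1.99 answers a mistyped share name, WPAD, and the canary across both protocols and is flagged on all three tests, with the four clients it answered listed for credential-reset follow-up. The canary test is the cheapest of the three to run continuously: a scheduled query for a name that cannot exist should never get a reply. The corresponding preventive controls are to turn off multicast name resolution (LLMNR) through Group Policy, disable NetBIOS over TCP/IP on adapters that do not need it, and require SMB signing so relayed authentications are rejected.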
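The Patch Management finding distinguishes CVSS severity from proven exploitability and points to CISA's KEV Catalog as the list of the latter. The block below is an added example, not code from the report, showing how a patch queue can be ordered so KEV entries come first (soonest due date first) and only then by CVSS score. The catalog excerpt follows the field layout of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the CVE identifiers, hosts, scores and the fixed "today" date are placeholders constructed for the example.

```python
"""Added example (not from the CTIME report): rank a vulnerability scanner's missing
patches so the ones in CISA's KEV catalog come first, ahead of CVSS score alone."""
import json
from datetime import date

# Constructed excerpt in the layout of the public KEV JSON feed; the CVE IDs are
# placeholders (CVE-1900-xxxx), not real catalog entries.
KEV_JSON = json.dumps({
    "title": "constructed excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2023-09-01", "dueDate": "2023-09-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0003", "vendorProject": "ExampleVendor", "product": "BillingSuite",
         "dateAdded": "2023-09-20", "dueDate": "2023-10-11", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: host, CVE, and the CVSS base score the scanner reported.
SCAN_FINDINGS = [
    {"host": "vessel-ops-01", "cve": "CVE-1900-0002", "cvss": 9.8},
    {"host": "crane-hmi-03",  "cve": "CVE-1900-0001", "cvss": 7.2},
    {"host": "billing-db",    "cve": "CVE-1900-0003", "cvss": 5.5},
    {"host": "crane-hmi-03",  "cve": "CVE-1900-0004", "cvss": 8.1},
]

ASSUMED_TODAY = date(2023, 10, 1)   # fixed so the example is reproducible


def cvss_severity(score):
    """CVSS v3.x qualitative rating bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def load_kev(kev_json):
    """Map cveID -> KEV entry from the catalog JSON."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(findings, kev, today=ASSUMED_TODAY):
    """Order: KEV entries first (earliest due date first), then the rest by CVSS, descending."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "host": f["host"], "cve": f["cve"], "cvss": f["cvss"],
            "severity": cvss_severity(f["cvss"]),
            "in_kev": entry is not None,
            "due": due,
            "past_due": due is not None and due < today,
            "ransomware": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, load_kev(KEV_JSON)):
        tag = "KEV" + (" PAST DUE" if r["past_due"] else "") if r["in_kev"] else "   "
        print(f"{tag:14} {r['cve']} {r['severity']:8} {r['cvss']:4} {r['host']}")
```

With the constructed data the queue comes out as CVE-1900-0001 (in KEV, past its due date, tied to ransomware use) ahead of CVE-1900-0003 (in KEV, not yet due), and only then the Critical 9.8 and High 8.1 findings that no one has been seen exploiting. That is the ordering the finding argues for: a Medium-scored vulnerability with public exploitation outranks a Critical one without it.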