In June 2010, a piece of malware that came to be known as Stuxnet was discovered. It had been sabotaging the centrifuges that enrich uranium at Iran's Natanz facility, not by destroying IT systems but by reprogramming the Siemens industrial controllers (PLCs) that drove the centrifuges, so that they spun outside their safe range and failed. The attack has been widely attributed to the US and Israeli governments. It set back Iran's enrichment programme, confirmed one thing, and raised a question about another.

What it confirmed was that attackers no longer have to be isolated groups seeking notoriety or profit; they can be national governments. This is why Stuxnet is regarded as the first large-scale attack of the cyberwar age, in which states take part directly or indirectly in this kind of activity, and this activity has only increased since. The question it raised is this: how were the attackers able to get their code into an isolated facility in the first place?

Nine years down the line, we have at least part of the answer. As Yahoo News reported in 2019, both governments had help: from the Dutch intelligence agency, the AIVD, and from the mole it recruited. Posing as a mechanic at the Natanz enrichment facility, the mole spent some time gathering information on the internal workings of the centrifuges. Once that information had been analysed, he was given a USB flash drive to plug into a computer inside the facility, delivering the payload of the operation code-named "Olympic Games".

The flash drive carried Stuxnet, a worm that used four Windows zero-day vulnerabilities (among them the .LNK shortcut flaw, which let it run as soon as the drive was browsed in Explorer) to spread between Windows machines until it found those running the Siemens Step7 engineering software. From there it rewrote the code on the PLCs controlling the centrifuges, altering their rotor speeds so that they wore out or broke. The operators never got the chance to use the emergency shutdown: Stuxnet also hid its changes from the engineering software and kept the controllers' own protective logic from reacting, so the sabotage ran while everything looked normal.

Removable device control: a must

Apart from the clear malicious intent of the attackers, the existence of an insider, and the zero-day vulnerabilities, there is one factor that was essential for this attack to succeed: removable devices. Natanz was isolated from the Internet, and without the flash drive Stuxnet would not have crossed that gap onto the facility's systems. In this sense, removable device control needs to follow a series of security protocols:

1.- Access control. With more and more work done remotely and on devices outside the network perimeter, organizations have less and less control over the equipment that connects to them. Any company that operates critical infrastructure must be able to limit which devices can access its systems and which cannot. An example of this is Comply to Connect (C2C), the US Department of Defense framework for securing endpoints, which covers identification, validation and continuous monitoring of every device that can access the network.

2.- Computer control. If external devices cannot be monitored, the computers they plug into must be. That is, companies must take a zero trust approach at the endpoint and block any removable device from connecting unless it has been authenticated and checked; the default is deny, and only devices the organization has issued and identified are permitted.
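The two controls above can be implemented together as a default-deny allowlist on each endpoint. Below is an added example, not code from the original page or from any vendor product, written in Python: it parses the lines the Linux kernel logs when a USB device is enumerated (the sample log, the allowlist and the serial numbers are all constructed for the example) and decides per device whether it may be used, pinning the decision to vendor ID, product ID and serial number rather than to the model alone.

```python
"""Default-deny removable-device allowlist (added example, not from the page
or any vendor product). Parses the lines the Linux kernel logs when a USB
device is enumerated and decides per device whether it is an issued asset.
The log lines, vendor/product IDs and serial numbers are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in kernel-log format (as seen with `dmesg` or
# `journalctl -k`). Three devices: an issued drive, a second drive of the
# same model with a different serial, and a mouse that reports no serial.
SAMPLE_KERNEL_LOG = """\
[  120.001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  120.130] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  120.131] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.131] usb 1-1: Product: Cruzer Blade
[  120.131] usb 1-1: Manufacturer: SanDisk
[  120.131] usb 1-1: SerialNumber: 4C530001230504112345
[  300.400] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  300.401] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  300.401] usb 1-2: SerialNumber: 4C530009999999999999
[  410.000] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  410.001] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
"""

# Constructed allowlist of drives issued by the organization, pinned to the
# serial number rather than to the model alone.
ALLOWLIST = {("0781", "5567", "4C530001230504112345")}

DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None


def parse_kernel_log(text: str) -> list[UsbDevice]:
    """Return the devices enumerated in the log, in plug-in order.

    The serial line follows the 'New USB device found' line for the same
    port, so it is attached to the most recent device seen on that port."""
    devices: list[UsbDevice] = []
    latest_on_port: dict[str, UsbDevice] = {}
    for line in text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
            devices.append(dev)
            latest_on_port[dev.port] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in latest_on_port:
            latest_on_port[m["port"]].serial = m["serial"]
    return devices


def evaluate(dev: UsbDevice, allowlist=ALLOWLIST) -> tuple[str, str]:
    """Decide whether a device may be used. Anything not explicitly issued
    is denied; the reason string is what a SOC analyst would want logged."""
    if dev.serial is None:
        return "deny", "no serial number: cannot be pinned to an issued asset"
    if (dev.vid, dev.pid, dev.serial) in allowlist:
        return "allow", "issued device"
    if any(v == dev.vid and p == dev.pid for v, p, _ in allowlist):
        return "deny", "issued model but unknown serial: unissued or cloned drive"
    return "deny", "not on allowlist"


def audit(text: str, allowlist=ALLOWLIST) -> list[tuple[str, str, str]]:
    """Parse a log and return (port, verdict, reason) per enumerated device."""
    return [(d.port, *evaluate(d, allowlist)) for d in parse_kernel_log(text)]


if __name__ == "__main__":
    for port, verdict, reason in audit(SAMPLE_KERNEL_LOG):
        print(f"{port}: {verdict:5s} {reason}")
```

Two caveats a practitioner should keep in mind. First, a real policy also keys on device class: the mouse in the sample has no serial and is denied, which is the right outcome for mass storage (USB interface class 08) but not for input devices, so the rule should be scoped to that class (on Linux, readable from bInterfaceClass under /sys/bus/usb/devices/). Second, a serial number is whatever the device reports and can be cloned, so a serial-pinned allowlist stops accidental or opportunistic use of unissued drives, not a determined insider with a cloned one; that is why device control has to be backed by refusing to execute anything from removable media and by patching the engineering workstations.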

How to avoid attacks like Stuxnet

To stop attacks that get in via removable devices, organizations must also accept that, in an environment where advanced cyberwar activity is becoming more prevalent, their security cannot rest purely on known risks. They must stay alert, discover new vulnerabilities and threats before anyone else does, and protect themselves against them. At the same time, they must automate the detection of anomalous behavior so that it is caught before it can do damage.

As well as continuously classifying applications based on their behavior, Cytomic's AI and deep learning algorithms also search for any kind of suspicious activity by applying large-scale data analysis in the cloud.

In addition to this automation, the Hunting service reaches where AI alone cannot. It is an extra layer of human monitoring and analysis that complements the existing security systems, giving Cytomic customers two complementary lines of defense that raise the bar considerably for an attacker.

The advanced endpoint protection solutions also include, as a baseline, centralized visibility of the health of the protections in place, discovery of unprotected endpoints in the IT system, and immediate installation on them. They also provide visibility of the applications and versions installed, along with other information that helps reduce the attack surface.

In short, complete visibility of all active processes is needed in order to control what happens in your environment and thus reduce the attack surface. In this context, Cytomic Orion, our threat hunting and incident response solution, is a great ally for SOCs. Using artificial intelligence, it is designed to stop attacks that rely on malicious applications, whether known or unknown, generic or zero-day. To do this, it analyzes all running processes on the IT system in real time, searching for behavioral patterns and possible anomalies; when it finds one, it acts before damage is done, mitigating the attack.

The idea, in other words, is to keep the security perimeter completely under control. It may not always be possible to stop a mole from plugging in a flash drive containing malware, but it is possible to stop that malware from affecting the company's systems.