Full Report
Honeywell’s Advanced Monitoring and Incident Response (AMIR) service, part of its broader Managed Security Services (MSS) offering, emphasized... The post Honeywell AMIR service finds over 1000 security incidents on reviewing 90 billion logs, amid rising OT threats appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Analysis of 107 Unique Security Incidents via Honeywell AMIR
## Executive Summary
Honeywell’s Advanced Monitoring and Incident Response (AMIR) service detected 107 unique security incidents across Q4 of last year and Q1 of this year, highlighting persistent and diverse threats against industrial operational technology (OT) environments. The primary vectors were unauthorized removable media usage (USB plug-and-play) and unauthorized changes to local and domain security group membership that amount to privilege escalation. Response emphasized immediate policy enforcement, system hardening, and use of specialized tools such as Secure Media Exchange (SMX) to contain malware proliferation, particularly Trojans and worms.
## Incident Details
- **Discovery Date:** Over Q4 of last year and Q1 of this year (based on report period analysis).
- **Incident Date:** Occurred throughout the reporting period.
- **Affected Organization:** Industrial organizations subscribed to Honeywell MSS; individual customers are not named in the report.
- **Sector:** Industrial Control Systems (ICS) / Operational Technology (OT).
- **Geography:** Global installations (implied by "global installations" for SMX).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout Q4/Q1 reporting period.
- **Vector:** Unauthorized USB plug-and-play activity (25% of top 10 incidents), introduction of malware (Trojans/worms) via removable media.
- **Details:** An employee unknowingly inserts an infected USB stick (e.g., a promotional giveaway) into a corporate computer; the payload executes automatically and can include keyloggers.
### Lateral Movement
- **Details:** Implied by the successful installation of W32[dot]Worm[dot]Ramnit, a file-infecting worm that copies itself to removable drives and steals credentials; on an OT network the same capability can expose control system credentials.
### Data Exfiltration/Impact
- **Details:** Data theft via keyloggers or credential harvesting. W32[dot]Worm[dot]Ramnit is built to steal banking credentials, but the same harvesting mechanism captures whatever is typed on an infected host, including OT credentials.
### Detection & Response
- **How it was discovered:** Detected by Honeywell AMIR service analyzing 89.9 billion logs, triaging 1,008 alerts resulting in 107 unique incidents. Threats on removable media were identified by SMX scanning 31.4 million files and blocking 4,984 files containing 1,826 unique threats.
- **Response actions taken:** Organizations were advised to implement strong endpoint security, disable unnecessary USB ports, enforce device control policies, and utilize secure media scanning kiosks.
## Attack Methodology
- **Initial Access:** Removable media (USB plug-and-play), automated execution of malware/scripts.
- **Persistence:** Implied by malware infection (W32[dot]Worm[dot]Ramnit).
- **Privilege Escalation:** Addition of unauthorized accounts to local security groups (16% of top incidents) or domain controller security groups.
- **Defense Evasion:** Malware bypassing traditional defenses via removable media; changes in enforcement levels (CB-AppControl downgraded from high to low).
- **Credential Access:** W32[dot]Worm[dot]Ramnit (banking Trojan) used for stealing credentials.
- **Discovery:** Not explicitly detailed, but implied through post-compromise reconnaissance.
- **Lateral Movement:** Worm functionality and potential use of elevated access from compromised security groups.
- **Collection:** Keylogging, credential harvesting.
- **Exfiltration:** Exfiltration of sensitive data and credentials.
- **Impact:** Compromise of system integrity, potential data theft, and introduction of malware (Trojans/Worms).
## Impact Assessment
- **Financial:** Not quantified, but implied risk due to required remediation and potential data loss.
- **Data Breach:** Theft of sensitive data and system credentials (banking/control system credentials).
- **Operational:** Significant risk to industrial operations due to persistent malware and configuration drifts.
- **Reputational:** Not explicitly detailed, tied to the impact on Honeywell's client organizations.
## Indicators of Compromise
- **Network indicators:** None provided in the source; the report focuses on endpoint and removable-media threats.
- **File indicators:** W32[dot]Worm[dot]Ramnit (37% of blocked files).
- **Behavioral indicators:** Unauthorized USB plug-and-play activity, adding accounts to local/domain security groups, modification of Application Control enforcement levels (High to Low).
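The three behavioral indicators above map onto telemetry most Windows-based OT estates already collect. The following is an added example (not Honeywell's or AMIR's code) of that detection logic run over constructed sample records. Windows Security event IDs 6416 (Audit PNP Activity, "a new external device was recognized by the system") and 4728/4732/4756 (member added to a security-enabled global/local/universal group) are real; the flattened JSON field layout, the host names, the `APPROVED_DEVICE_IDS` allowlist and the `AppControl` enforcement-change record format are assumptions made for the example.

```python
import json

# Groups whose membership changes the report treats as privilege escalation.
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "backup operators", "server operators", "remote desktop users",
}
# Windows Security event IDs for "a member was added to a security-enabled group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Application-control enforcement levels ranked so a downgrade is comparable.
ENFORCEMENT_RANK = {"high": 3, "medium": 2, "low": 1, "none": 0}
# Hypothetical allowlist of device instance IDs cleared through the media kiosk.
APPROVED_DEVICE_IDS = {
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B0B5AF9C0&0",
}


def check_usb_pnp(ev):
    """Event 6416 (Audit PNP Activity): flag USB mass storage not on the allowlist."""
    if ev.get("EventID") != 6416:
        return None
    device_id = ev.get("DeviceId", "")
    if not device_id.upper().startswith("USBSTOR\\"):
        return None  # keyboards, hubs, etc. are not removable storage
    if device_id in APPROVED_DEVICE_IDS:
        return None
    return {"rule": "unauthorized_usb_storage", "host": ev.get("Computer"),
            "detail": device_id}


def check_group_membership(ev):
    """Events 4728/4732/4756: flag additions to privileged security groups."""
    scope = GROUP_ADD_EVENTS.get(ev.get("EventID"))
    if scope is None:
        return None
    group = ev.get("TargetUserName", "")
    if group.lower() not in PRIVILEGED_GROUPS:
        return None
    return {"rule": f"privileged_{scope}_group_add", "host": ev.get("Computer"),
            "detail": f"{ev.get('MemberName')} added to {group} "
                      f"by {ev.get('SubjectUserName')}"}


def check_appcontrol_downgrade(ev):
    """Hypothetical vendor record for an enforcement-level change; flag any drop."""
    if ev.get("Source") != "AppControl" or ev.get("Action") != "EnforcementChanged":
        return None
    old = ENFORCEMENT_RANK.get(str(ev.get("OldLevel")).lower())
    new = ENFORCEMENT_RANK.get(str(ev.get("NewLevel")).lower())
    if old is None or new is None or new >= old:
        return None
    return {"rule": "appcontrol_enforcement_downgrade", "host": ev.get("Computer"),
            "detail": f"{ev['OldLevel']} -> {ev['NewLevel']} by {ev.get('User')}"}


RULES = (check_usb_pnp, check_group_membership, check_appcontrol_downgrade)


def run_detections(json_lines):
    """Apply every rule to every JSON-lines event; return the alerts in order."""
    alerts = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def alerts_by_host(alerts):
    """Group alert rule names per host so one compromised workstation stands out."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a["rule"])
    return by_host


# Constructed sample events (not real telemetry), flattened the way a SIEM emits them.
SAMPLE_EVENTS = [
    r'{"EventID": 6416, "Computer": "HMI-01", "ClassName": "DiskDrive", '
    r'"DeviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\AA0401270001&0"}',
    r'{"EventID": 6416, "Computer": "ENG-WS-03", "ClassName": "DiskDrive", '
    r'"DeviceId": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B0B5AF9C0&0"}',
    r'{"EventID": 6416, "Computer": "ENG-WS-03", "ClassName": "HIDClass", '
    r'"DeviceId": "HID\\VID_046D&PID_C31C&MI_00\\7&2F1A8C6&0&0000"}',
    r'{"EventID": 4732, "Computer": "ENG-WS-03", "TargetUserName": "Administrators", '
    r'"MemberName": "CN=svc-temp,CN=Users,DC=plant,DC=local", "SubjectUserName": "jdoe"}',
    r'{"EventID": 4732, "Computer": "ENG-WS-03", "TargetUserName": "Performance Log Users", '
    r'"MemberName": "CN=perfmon,CN=Users,DC=plant,DC=local", "SubjectUserName": "jdoe"}',
    r'{"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins", '
    r'"MemberName": "CN=svc-temp,CN=Users,DC=plant,DC=local", "SubjectUserName": "jdoe"}',
    r'{"Source": "AppControl", "Action": "EnforcementChanged", "Computer": "ENG-WS-03", '
    r'"OldLevel": "High", "NewLevel": "Low", "User": "jdoe"}',
    r'{"Source": "AppControl", "Action": "EnforcementChanged", "Computer": "HMI-01", '
    r'"OldLevel": "Low", "NewLevel": "High", "User": "ot-admin"}',
    "",
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    print(*found, alerts_by_host(found), sep="\n")
```

Of the eight constructed records, four fire: the unapproved USB disk on HMI-01, the two privileged group additions, and the High-to-Low enforcement change; the approved stick, the keyboard, the non-privileged group and the enforcement increase are ignored. Grouping by host is what surfaces the pattern the report describes: ENG-WS-03 shows both a group addition and an enforcement downgrade by the same user, which is worth a ticket even if each event alone looks like routine administration.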
## Response Actions
- **Containment measures:** Disabling USB ports when not in use, enforcing strict device control policies, and implementing secure media scanning kiosks via SMX. Quarantine/blocking of malicious files detected by SMX.
- **Eradication steps:** Removing files that SMX blocked or quarantined, keeping antivirus signatures and scanning tooling current enough to catch persistent Trojans and worms, and restoring baseline configurations to eliminate configuration drift (including raising any lowered enforcement levels back to their approved setting).
- **Recovery actions:** Implementing technical and physical controls, strong endpoint security, network controls (segmentation, firewalls), and applying application allowlisting.
## Lessons Learned
- **Key takeaways:** Removable media (USB) remains a highly effective and common delivery mechanism for sophisticated malware targeting OT environments. Consistent policy enforcement and ongoing system hardening are critical for risk management.
- **What could have been done better:** Organizations must proactively enforce baseline configurations programmatically and avoid security policy downgrades (e.g., AppControl from High to Low).
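Enforcing a baseline programmatically, as the takeaway above asks for, means diffing a host's live state against an approved definition and turning every deviation into a reversal. The following added example (not from the original report, and not Honeywell code) does that for the three settings the report names: privileged local group membership, application-control enforcement level, and removable-storage policy. The two registry values are the real Windows locations that disable the USBSTOR driver and deny removable disks through Group Policy; `BASELINE`, `SNAPSHOT`, the host's group members and the level names are constructed, and in practice the snapshot would be collected by an agent or a script (for example `Get-LocalGroupMember` and `Get-ItemProperty`).

```python
# Registry values that actually control USB mass storage on Windows (real locations);
# the baseline and snapshot values below are constructed for the example.
USBSTOR_START = r"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start"  # 4 = driver disabled
REMOVABLE_DENY_ALL = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                      r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Deny_All")  # 1 = deny removable disks
ENFORCEMENT_RANK = {"high": 3, "medium": 2, "low": 1, "none": 0}

# Approved baseline for an engineering workstation (constructed).
BASELINE = {
    "groups": {"Administrators": {"Administrator", r"PLANT\OT-Admins"}},
    "appcontrol_level": "High",
    "registry": {USBSTOR_START: 4, REMOVABLE_DENY_ALL: 1},
}

# Snapshot collected after the reporting period (constructed): a temporary service
# account was left in Administrators, enforcement was dropped to Low, and the
# USBSTOR driver was re-enabled. The Deny_All policy is still in place.
SNAPSHOT = {
    "groups": {"Administrators": {"Administrator", r"PLANT\OT-Admins", "svc-temp"}},
    "appcontrol_level": "Low",
    "registry": {USBSTOR_START: 3, REMOVABLE_DENY_ALL: 1},
}


def find_drift(baseline, current):
    """Compare a host snapshot against its baseline; return an ordered list of findings."""
    findings = []
    for group, expected in baseline["groups"].items():
        actual = set(current["groups"].get(group, ()))
        for member in sorted(actual - expected):
            findings.append({"type": "unexpected_member", "target": group, "value": member})
        for member in sorted(expected - actual):
            findings.append({"type": "missing_member", "target": group, "value": member})
    old, new = baseline["appcontrol_level"], current["appcontrol_level"]
    if ENFORCEMENT_RANK[new.lower()] < ENFORCEMENT_RANK[old.lower()]:
        findings.append({"type": "appcontrol_downgrade", "target": "appcontrol_level",
                         "value": new, "expected": old})
    for key, expected in baseline["registry"].items():
        actual = current["registry"].get(key)
        if actual != expected:
            findings.append({"type": "registry_drift", "target": key,
                             "value": actual, "expected": expected})
    return findings


def remediation_plan(findings):
    """Map each finding to the action that restores the baseline.

    net localgroup and reg add are standard Windows tools; the application-control
    step is vendor-specific, so it is emitted as an operator instruction."""
    steps = []
    for f in findings:
        if f["type"] == "unexpected_member":
            steps.append(f'net localgroup "{f["target"]}" "{f["value"]}" /delete')
        elif f["type"] == "missing_member":
            steps.append(f'net localgroup "{f["target"]}" "{f["value"]}" /add')
        elif f["type"] == "registry_drift":
            path, _, name = f["target"].rpartition("\\")
            steps.append(f'reg add "{path}" /v {name} /t REG_DWORD /d {f["expected"]} /f')
        elif f["type"] == "appcontrol_downgrade":
            steps.append(f'raise application-control enforcement from {f["value"]} '
                         f'back to {f["expected"]} in the vendor console')
    return steps


if __name__ == "__main__":
    drift = find_drift(BASELINE, SNAPSHOT)
    print(*drift, sep="\n")
    print(*remediation_plan(drift), sep="\n")
```

Running the check on the constructed snapshot yields three findings (the extra administrator, the High-to-Low downgrade, and Start changed from 4 to 3) and three corresponding reversals; a host that matches its baseline yields none. The point of scheduling this rather than running it once is the one the report makes: drift accumulates quietly between incidents, and a downgrade that was "temporary" during a maintenance window stays in place until something compares the host against what was approved.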
## Recommendations
- Implement layered controls, including technical and physical measures, to support strict policy enforcement regarding removable media.
- Deploy secure media scanning kiosks (e.g., Honeywell SMX) integrated into workflows.
- Continuously monitor and programmatically manage configuration changes to prevent configuration drift.
- Enforce least privilege principles and use network segmentation (VLANs/firewalls) to isolate vulnerable OT assets.
- Maintain vendor-approved security tools with frequently updated threat signatures, especially for OT-specific threats.
- Ensure a tested, OT-specific incident response plan is in place.