Beachheads and Safe Havens: How Threat Actors Gain Access and Maintain Control

How focusing on three key building blocks can help improve OT security.

Industrial Cyber

Cyberattacks pose a significant threat to critical infrastructure. Common vulnerabilities and exposures (CVEs) in the manufacturing sector have been widely exploited and will continue to impact organizations in 2025 and beyond. Initial access, privilege escalation and persistence can all make use of legitimate system tools and processes, essentially enabling threat actors to hide in plain sight. 

The complexity of manufacturing environments makes securing these systems difficult. OT environments and industrial IoT devices tend to increase the attack surface while lacking the native capabilities needed to monitor and protect them. Ransomware and advanced persistent threats (APTs) have also increased in sophistication to target these vulnerable assets. 

According to recent research from Armis, 85 percent of global IT leaders confirm that offensive techniques regularly bypass their security tools. Unfortunately, if organizations are experiencing challenges with their cybersecurity, then they are likely facing similar challenges with their compliance programs. 

A more proactive approach to cybersecurity and compliance requires understanding the complexity of the attack surface and taking action. AI-enabled solutions can leverage behavioral analysis to detect unauthorized access and the suspicious use of legitimate tools, enabling organizations to shine a light on these beachheads and safe havens. 

Initial Access: The Path of Least Resistance 

Threat actors know that a chain is only as strong as its weakest link, so they tend to capitalize on zero-day exploits of previously unknown vulnerabilities to bypass defenses. If vulnerable devices are connected to the internet, bad actors may even be able to identify them for opportunistic attacks. 

In fact, many APTs specifically seek out networking devices, such as firewalls and routers, to target their vulnerabilities. For example, CVE-2024-12856 is a vulnerability in Four-Faith industrial routers that enables attackers to execute OS commands. It is estimated that one in 10 manufacturing companies is exposed to this vulnerability, with approximately 15,000 internet-facing devices at risk. 

Supply chain vulnerabilities also present a major risk for organizations. CVE-2023-21554, for instance, is a vulnerability in Microsoft Message Queuing (MSMQ) that affects Mitsubishi Electric’s industrial equipment. It is estimated that more than half of organizations remain vulnerable to this CVE. 

Persistent Threats: A Pesky Problem 

Once threat actors establish a beachhead, they shift focus to maintaining control, most frequently by targeting legacy devices and system misconfigurations and leveraging living-off-the-land (LOTL) techniques. Lateral movement is the ability of threat actors to move across the network toward their goal. Privilege escalation is the process of gaining administrative access on compromised systems. Persistence enables cybercriminals to maintain access even after system updates, reboots or password changes. 

LOTL techniques use legitimate admin tools to evade detection. For example, PowerShell and command-line execution enable threat actors to run malicious commands without installing malware. All of these risks are much more challenging in OT environments, since these devices are usually harder to monitor and patch. Standards-based compliance often requires organizations to address many of these fundamental risks.
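As an added illustration of the behavioral analysis the article describes (example code, not Armis's product logic or anything from the original article), the script below baselines which hosts normally run admin tools and then flags PowerShell or cmd use that is new for a host or carries evasive arguments. The process-creation records, host names and the tool list are constructed assumptions.

```python
"""Baseline-driven detection of suspicious living-off-the-land tool use.
Added example: records are constructed inline in the style of Windows
4688 / Sysmon Event ID 1 process-creation events (host, image, command line).
"""
import re
from collections import defaultdict

# Legitimate admin tools the article names as LOTL vehicles, plus a few
# closely related Windows binaries (assumption: adjust per site).
LOTL_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "certutil.exe"}

# Argument patterns that defeat casual review: encoded payloads, hidden
# windows, bypassed execution policy, download cradles.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-ep\s+bypass|"
    r"executionpolicy\s+bypass|downloadstring|invoke-webrequest|urlcache)",
    re.IGNORECASE,
)

def build_baseline(events):
    """Record which tools each host ran during a known-good learning window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["image"].lower())
    return seen

def analyze(events, baseline):
    """Return (host, image, reason) alerts for LOTL tool use that is new
    for the host or carries evasive command-line arguments."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image not in LOTL_TOOLS:
            continue
        if image not in baseline.get(e["host"], set()):
            alerts.append((e["host"], image, "tool never seen on this host"))
        if SUSPICIOUS_ARGS.search(e["command_line"]):
            alerts.append((e["host"], image, "evasive command-line arguments"))
    return alerts

# Constructed sample data: a normal learning window, then a new batch of events.
BASELINE_EVENTS = [
    {"host": "ENG-WS01", "image": "powershell.exe", "command_line": "powershell.exe Get-Service"},
    {"host": "HMI-LINE3", "image": "cmd.exe", "command_line": "cmd.exe /c ipconfig"},
]
NEW_EVENTS = [
    {"host": "ENG-WS01", "image": "powershell.exe", "command_line": "powershell.exe Get-Process"},
    {"host": "HMI-LINE3", "image": "powershell.exe",
     "command_line": "powershell.exe -w hidden -enc AAAAAAAAAAAA"},  # placeholder blob
    {"host": "HIST-SRV", "image": "notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in analyze(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

The HMI host produces two alerts (PowerShell is new for it and the arguments are evasive), while the engineering workstation's routine PowerShell use stays quiet.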

Organizations must shift cybersecurity and compliance to a more proactive approach that prevents and detects initial access, privilege escalation and persistence to minimize the impact of a breach. And although there may be a map to guide this approach, this is a journey, not a destination. 

There is a series of fundamentals that build upon one another like bricks in a fort.

  • Visibility is the first of these fundamentals – both the ability to discover all enterprise assets as well as their device state, such as if they are running vulnerable software.
  • Context enables organizations to prioritize fixing their biggest risks first, and continuously monitoring those risks enables them to detect indicators of compromise. AI-enabled solutions can bolster this behavioral analysis to detect suspicious use of legitimate enterprise resources.
  • Automation and orchestration can enforce response actions, such as isolating at-risk devices or requiring multi-factor authentication. Likewise, extending comprehensive visibility and continuous monitoring to compliance enables organizations to assess their gaps, implement compensating controls and ensure that new devices don’t create new risks. 

It should be noted that managing the complexity of IT and OT environments may also need to extend to the supply chain and cloud computing environments. Organizations should be careful not to overlook these assets and third-party risks. 

Don’t Wave the White Flag 

Armis research revealed that 81 percent of IT leaders say moving to a proactive cybersecurity posture is a top goal for their organization in the year ahead, yet 58 percent of organizations admit that they currently only respond to threats as they occur, or after the damage has already been done. 

It should be a critical concern that threat actors are targeting legacy devices since so many of these devices go undiscovered and unmanaged. The difficulty in detecting the malicious use of legitimate system processes also cannot be ignored. 

Adopting a proactive approach to cybersecurity and compliance is required to prevent and detect these threats before a data breach and to respond to them in real time. Organizations have become aware of these needs and need to act on their intentions.
