Beachheads and Safe Havens: How Threat Actors Gain Access and Maintain Control

How focusing on three key building blocks can help improve OT security.

Carlos Buenano
May 8, 2025
Industrial Cyber

Cyberattacks pose a significant threat to critical infrastructure. Common vulnerabilities and exposures (CVEs) in the manufacturing sector have been widely exploited and will continue to impact organizations in 2025 and beyond. Initial access, privilege escalation and persistence can all make use of legitimate system tools and processes, essentially enabling threat actors to hide in plain sight. 

The complexity of manufacturing environments makes securing these systems difficult. OT environments and industrial IoT devices tend to increase the attack surface while lacking the native capabilities needed to monitor and protect them. Ransomware and advanced persistent threats (APTs) have also increased in sophistication to target these vulnerable assets. 

According to recent research from Armis, 85 percent of global IT leaders confirm that offensive techniques regularly bypass their security tools. Unfortunately, if organizations are experiencing challenges with their cybersecurity, then they are likely facing similar challenges with their compliance programs. 

A more proactive approach to cybersecurity and compliance requires understanding the complexity of the attack surface and taking action. AI-enabled solutions can leverage behavioral analysis to detect unauthorized access and the suspicious use of legitimate tools, enabling organizations to shine a light on these beachheads and safe havens. 

Initial Access: The Path of Least Resistance 

Threat actors know that a chain is only as strong as its weakest link, so they tend to capitalize on zero-day exploits of previously unknown vulnerabilities to bypass defenses. If these devices are connected to the internet, bad actors may even be able to identify them for opportunistic attacks. 

In fact, many APTs specifically seek out networking devices, such as firewalls and routers to target their vulnerabilities. For example, CVE-2024-12856 is a vulnerability in Four-Faith industrial routers that enables attackers to execute OS commands. It is estimated that one in 10 manufacturing companies are exposed to this vulnerability, with approximately 15,000 internet-facing devices at risk. 

Supply chain vulnerabilities also present a major risk for organizations. CVE-2023-21554, for instance, is a vulnerability in Microsoft Messaging Queuing services that affects Mitsubishi Electric’s industrial equipment. It is estimated that more than half of organizations remain vulnerable to this CVE. 

Persistent Threats: A Pesky Problem 

Once threat actors establish a beachhead, they shift focus to maintaining control, most frequently by targeting legacy devices and system misconfigurations and leveraging living-off-the-land (LOTL) techniques. Lateral movement is the ability of threat actors to move across the network toward their goal. Privilege escalation can be accomplished by gaining administrative access to compromised systems. Persistence enables cybercriminals to maintain access even after system updates, reboots or password changes. 

LOTL techniques use legitimate admin tools to evade detection. For example, PowerShell and command-line execution enables threat actors to execute malicious commands without installing malware. All of these risks are much more challenging in OT environments since these devices are usually harder to monitor and patch. Standards-based compliance often requires organizations to address many of these fundamental risks.

Organizations must shift cybersecurity and compliance to a more proactive approach that prevents and detects initial access, privilege escalation and persistence to minimize the impact of a breach. And although there may be a map to guide this approach, this is a journey, not a destination. 

There are a series of fundamentals that build upon one another like bricks in a fort.

  • Visibility is the first of these fundamentals – both the ability to discover all enterprise assets as well as their device state, such as if they are running vulnerable software.
  • Context enables organizations to prioritize fixing their biggest risks first and continuously monitoring them enables organizations to detect indicators of compromise. AI-enabled solutions can bolster this behavioral analysis to detect suspicious use of legitimate enterprise resources.
  • Automation and orchestration can enforce response actions, such as isolating at-risk devices or requiring multi-factor authentication. Likewise, extending comprehensive visibility and continuous monitoring to compliance enables organizations to assess their gaps, implement compensating controls and ensure that new devices don’t create new risks. 

It should be noted that managing the complexity of IT and OT environments may also need to extend to the supply chain and cloud computing environments. Organizations should be careful not to overlook these assets and third-party risks. 

Don’t Wave the White Flag 

Armis research revealed that 81 percent of IT leaders say moving to a proactive cybersecurity posture is a top goal for their organization in the year ahead, yet 58 percent of organizations admit that they currently only respond to threats as they occur, or after the damage has already been done. 

It should be a critical concern that threat actors are targeting legacy devices since so many of these devices go undiscovered and unmanaged. The difficulty in detecting the malicious use of legitimate system processes also cannot be ignored. 

Adopting a proactive approach to cybersecurity and compliance is required to prevent and detect these threats before a data breach and to respond to them in real time. Organizations have become aware of these needs and need to act on their intentions.

Latest in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
May 1, 2025
General Cyberattack
Huntress Debuts Managed SIEM to Simplify Cybersecurity
May 8, 2025
Ai Safety Image
AI in Manufacturing: Balancing Benefits, Risks, Security and Compliance
May 8, 2025
Ransomware
Report Links Infostealer Logs to Ransomware Surge
May 8, 2025
Related Stories
Protection Background Technology Security 524882074 701x502 (1)
Cybersecurity
MCP Server Could Revolutionize API Security
General Cyberattack
Cybersecurity
Huntress Debuts Managed SIEM to Simplify Cybersecurity
Ai Safety Image
Cybersecurity
AI in Manufacturing: Balancing Benefits, Risks, Security and Compliance
Today in Manufacturing Podcast
Sponsor Content
Today in Manufacturing Podcast
More in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
Today in Manufacturing has a new podcast brought to you by the editors of Industrial Media. In each episode, we discuss the five biggest stories in manufacturing, and the implications they have on the industry moving forward.
May 1, 2025
General Cyberattack
Cybersecurity
Huntress Debuts Managed SIEM to Simplify Cybersecurity
The platform offers compliance support, investigation, detection, response and threat hunting.
May 8, 2025
Ai Safety Image
Cybersecurity
AI in Manufacturing: Balancing Benefits, Risks, Security and Compliance
Hasty implementations of AI will create regulatory penalties, cyberattacks, and operational disruption.
May 8, 2025
Ransomware
Cybersecurity
Report Links Infostealer Logs to Ransomware Surge
The malware is fueling new attacks and helping bad actors evolve the complexity of their operations.
May 8, 2025
Peach Istock Ai Cyber
Cybersecurity
Future-Proofing the ICS
Using machine learning to advance AI and redefine OT cyber defense.
May 8, 2025
Oil Refinery At Night 000064533213 Medium
Cybersecurity
CISA Warns of Unsophisticated Cyber Actors Targeting OT
'A simple script, when aimed at an unprotected valve, sensor or controller, can have very real consequences.'
May 8, 2025
Peach Istock Ai Cyber
Artificial Intelligence
AI Data Centers: Securing the Future
As industries race to leverage AI's potential, a sophisticated and evolving threat landscape is rising.
May 1, 2025
Coding
Cybersecurity
Email Remains Primary Gateway for Disinformation and Cyberattacks
Many adopt email authentication but half lack effective protection against spoofing.
May 1, 2025
People Cyber Metamorworks
Cybersecurity
Preparing for a Cybersecurity Audit
It may appear daunting, but this four-step process can help streamline your efforts.
May 1, 2025
Encryption
Cybersecurity
Kellogg, Hertz Victims in Cyber Breach of HR Files
The vulnerability has been identified as a file transfer software program.
May 1, 2025
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
Threat Report Reveals Record Surge in Automated Cyberattacks
Cybercrime-as-a-Service continues to grow as threat actors weaponize AI and expand credential harvesting.
May 1, 2025
Computer Crime Concept 516607038 2125x1416 (1)
Cybersecurity
Research Flags Resurgence of Older Cybersecurity Vulnerabilities
Examining how resurgent flaws are strategically positioned to pose ongoing critical threats.
April 24, 2025
Cybersecurity In A Bubble
Cybersecurity
One Billion AI Agents Are Expanding the Attack Surface
A new platform is using real-time vulnerability detection and mitigation tools to combat non-human threat actors.
April 24, 2025
Soc
Cybersecurity
AI-Driven SOC Platform Looks to Transform Threat Management Strategies
More threat analysis support could free-up resources for other security needs.
April 24, 2025
Hacking Alarm
Cybersecurity
Securing the Future of Manufacturing
A 257% spike in DDoS attacks represent an existential threat to operational continuity.
April 24, 2025