Tackling Persistent Threats in Public Safety Systems

A new report from the Public Safety Threat Alliance (PSTA) threat intelligence team, titled “Public Safety Threat Report: How threat actors maintain access in public safety systems,” sheds crucial light on an often-overlooked phase of cyber attacks. The report examines the techniques cybercriminals use to maintain persistent access in public safety systems, such as 911 emergency call handling, radio networks, and computer-aided dispatch (CAD) systems, and looks at how public safety agencies can guard against these attacks.
Gaining initial access to mission-critical systems is often just the beginning for threat actors. For public safety agencies, understanding how these cyber attackers maintain access after they’ve breached defences is critical. If the attackers can remain inside the network, they can continue to pursue their malicious objectives, causing significant disruption and compromising the confidentiality, integrity, and availability of mission-critical systems.
What is persistent access?
After successfully breaching a network and gaining initial access, threat actors don’t want to be kicked out. This is where persistent access comes in, a crucial stage within the cyberattack lifecycle.
The attacker's primary goal is to maintain access to the target network over an extended period. To do so, threat actors aim to establish multiple access points into the network. This ensures the attacker can return to the network even if defenders identify the initial intrusion and block it.
The PSTA report highlights just how prevalent this is: over 78% of adversaries that targeted public safety systems within the last year used at least one form of persistence to maintain their attacks.
Compromised environment – maximum disruption
Persistence enables threat actors to return to the network after reboots, patching, or even after defenders have removed malware. Successful persistence leads to prolonged dwell times, enabling attackers to locate high-value targets, such as domain controllers and sensitive data. It allows attackers to continue achieving their desired objectives within the compromised environment, ensuring maximum disruption.
Detecting and preventing persistence
Defending against persistence requires a focus on identification because it’s a post-exploitation technique, meaning the breach has already occurred. Early detection is critical to disrupting the attack chain before significant harm is done.
The report clearly shows that persistence is not just an optional step for threat actors but a fundamental technique used by the vast majority of attackers targeting public safety systems. By understanding how adversaries maintain access – through compromised credentials, new accounts and built-in system features – public safety organisations can better detect threat actors during the persistence phase, preventing progression to the final attack stages where data is stolen and systems are compromised or destroyed.
The Public Safety Threat Alliance (PSTA)
Motorola Solutions established the PSTA with Jay Kaine as Director. CISA recognises it and shares vital cybersecurity information and analysis with public safety agencies. The PSTA publishes threat reports that provide crucial intelligence and analysis, and hosts webinars featuring cybersecurity experts who share their insights and expertise. The PSTA offers its threat intelligence products and services to its members at no cost.