In this instance the unnamed water utility was fortunately using analytics tools that helped detect the cryptojacking attack, but the case highlights the need to bridge the gap between information, cyber and operational technology (OT) security systems.
Advanced analytics using machine learning and AI, combined with network traffic and behaviour analytics (NTBA), can detect beaconing-like behaviour when the crypto-miner endpoint attempts to check in with the mining pool hosts.
Gaining endpoint visibility, with detailed capture of process, network, file and registry activity, would also have helped here by detecting applications or processes consuming higher-than-normal CPU.
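As an added illustration, not code from the article or from Radiflow, the two detection ideas above applied to constructed records: regular check-ins to one host are flagged by the low variance of the gaps between connections, and sustained high CPU by consecutive samples above a threshold. The hosts, process names and thresholds are assumptions.

```python
"""Added example: flag beaconing-like check-ins and sustained high CPU
in constructed records (hosts, processes and thresholds are assumptions)."""
from collections import defaultdict
from statistics import mean, pstdev
# Constructed connection records: (timestamp_s, src, dst, dst_port).
# 10.0.5.20 checks in with one host roughly every minute; 10.0.5.21 is bursty.
CONNECTIONS = [
    (0, "10.0.5.20", "203.0.113.7", 3333), (61, "10.0.5.20", "203.0.113.7", 3333),
    (119, "10.0.5.20", "203.0.113.7", 3333), (181, "10.0.5.20", "203.0.113.7", 3333),
    (240, "10.0.5.20", "203.0.113.7", 3333), (301, "10.0.5.20", "203.0.113.7", 3333),
    (5, "10.0.5.21", "198.51.100.9", 443), (9, "10.0.5.21", "198.51.100.9", 443),
    (200, "10.0.5.21", "198.51.100.9", 443), (204, "10.0.5.21", "198.51.100.9", 443),
    (230, "10.0.5.21", "198.51.100.9", 443),
]
# Constructed per-minute CPU samples: (host, process, cpu_percent).
CPU_SAMPLES = [
    ("10.0.5.20", "svchost.exe", 2.0), ("10.0.5.20", "updater.exe", 97.0),
    ("10.0.5.20", "updater.exe", 95.0), ("10.0.5.20", "updater.exe", 98.0),
    ("10.0.5.21", "explorer.exe", 12.0), ("10.0.5.21", "explorer.exe", 91.0),
]

def find_beacons(conns, min_count=5, max_cv=0.2):
    """Return (src, dst, port, mean_gap_s) for flows with at least min_count
    connections whose inter-arrival gaps are regular: coefficient of variation
    (stdev / mean) below max_cv. Bursty or jittered traffic is not flagged."""
    flows = defaultdict(list)
    for ts, src, dst, port in conns:
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits.append((*key, round(avg, 1)))
    return hits

def find_cpu_hogs(samples, threshold=90.0, min_samples=3):
    """Return (host, process) pairs seen above threshold % CPU in at least
    min_samples consecutive readings, i.e. sustained load rather than a spike."""
    streak = defaultdict(int)
    hogs = set()
    for host, proc, cpu in samples:
        streak[(host, proc)] = streak[(host, proc)] + 1 if cpu >= threshold else 0
        if streak[(host, proc)] >= min_samples:
            hogs.add((host, proc))
    return sorted(hogs)
```

The thresholds are where the baselines discussed below come in: the check-in interval, the acceptable jitter and what counts as "normal" CPU for a given OT host all have to be measured on the defender's own network before such rules are useful.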
It isn’t, however, just a case of having the latest and greatest tools at your disposal. Having concrete baselines, particularly in an OT environment, should come first and foremost.
The advanced features mentioned above will only get you so far: you still need skilled people who understand the infrastructure, traffic and data flows, and who know what is considered normal on the defender’s network compared with abnormal behaviour.
Kfir explained that Radiflow is still in the early stages of the investigation, but so far has been able to determine that the cryptocurrency mining software was on the water utility's network for approximately three weeks before it was detected.