Tackling Persistent Threats in Public Safety Systems

A new report from the Public Safety Threat Alliance (PSTA) threat intelligence team, titled “Public Safety Threat Report: How threat actors maintain access in public safety systems,” sheds crucial light on an often-overlooked phase of cyber attacks. The report examines the techniques cyber criminals use to maintain persistent access in public safety systems such as 911 emergency call handling, radio networks and computer-aided dispatch (CAD) systems, and looks at how public safety agencies can guard against these attacks.
Gaining initial access to mission critical systems is often just the beginning for threat actors. For public safety agencies, understanding how these cyber attackers maintain access after they’ve breached defences is absolutely critical. If the attackers can stay inside the network, they can continue to pursue their malicious goals, causing significant disruption and putting the confidentiality, integrity and availability of mission critical systems at risk.
What is persistent access?
After successfully breaching a network and gaining initial access, threat actors don’t want to be kicked out. This is where persistent access comes in, a key stage within the cyber attack lifecycle.
The primary goal for the attacker is to maintain access to the target network over an extended period. The threat actor’s aim is to set up multiple access points into the network. This ensures the attacker can return to the network even if defenders identify the initial intrusion and block it.
The PSTA report highlights just how prevalent this is: over 78% of adversaries that targeted public safety systems within the last year used at least one form of persistence to maintain their attacks.
Compromised environment – maximum disruption
Persistence enables threat actors to return to the network after reboots, patching, or even after defenders have removed malware. Successful persistence leads to prolonged dwell time, enabling attackers to locate high-value targets like domain controllers and sensitive data. It allows the attackers to continue to achieve their desired objectives within the compromised environment, ensuring maximum disruption.
Detecting and preventing persistence
Defending against persistence requires a focus on identification because it’s a post-exploitation technique – meaning the breach has already occurred. Early detection is critical to disrupting the attack chain before significant harm is done.
The report clearly shows that persistence is not just an optional step for threat actors, but a fundamental technique used by the vast majority of attackers targeting public safety systems. By understanding how adversaries maintain access – through compromised credentials, new accounts and built-in system features – public safety organisations can better detect threat actors during the persistence phase, preventing progression to the final attack stages where data is stolen and systems are compromised or destroyed.
The Public Safety Threat Alliance (PSTA)
The PSTA was established by Motorola Solutions, with Jay Kaine as Director. It is recognised by CISA and shares vital cyber security information and analysis with public safety agencies. The PSTA publishes threat reports providing crucial intelligence and analysis, and hosts webinars with cybersecurity experts who share their insights and expertise. The PSTA offers its threat intelligence products and services to its members at no cost.