Supporting European Aviation

CERT for ATM – Communication between CERT constituents

IFE

Patrick MANA, EATM-CERT Manager

Regional sectorial (ATM) CERT: combine cyber and domain expertise

[Diagram: EATM-CERT at the centre of its information-sharing network. Counterparts shown: cyber intelligence providers, an ATM CI provider, EASA, ECCSA, EACCC, thematic CERTs, European national CERTs, ATM CERTs in the US and other regions, EE-ISAC, A-ISAC, EUROPOL, CERT-EU, ENISA, NATO/EDA, the EUROCONTROL/NM and EUROCONTROL/MUAC SOCs, and the SOCs of ATM manufacturers and ATM stakeholders. Flows labelled on the arrows: alerts/incidents, intelligence, services, significant incidents, other incidents, logs and recommendations.]

EUROCONTROL

2 ISAC & CERT & SOC

[Diagram: how ISACs, CERTs and SOCs relate to each other]

3 EATM-CERT and European National CERTs

[Diagram: national CERTs (State A, State B, State C, State D, State E, ..., State X) set against pan-European sectorial CERTs:]

Energy: pan-European sectorial CERT
ATM: pan-European sectorial CERT => EATM-CERT
Health care: pan-European sectorial CERT
Finance: pan-European sectorial CERT
...

4 MISP

National CERTs:
- CERT – Austria
- CERT-EE – Estonia
- CERT-EU – EU institutions
- CERT-Bund – Germany
- CERT-LV – Latvia
- CIRCL.LU – Luxembourg
- NCSC-NL – Netherlands
- CERT-PL – Poland
- CERT-PT – Portugal
- SI.CERT – Slovenia
- CERT.IL – Israel
- CERT.BE – Belgium
- CSIRT-IE – Ireland
- CERT-CY – Cyprus
- CERT-INCIBE – Spain
- CERT-CCN – Spain

Aviation partners:
- CERT-AIRBUS (A/C)
- CERT-IST – Thales
- DLH-DE – Lufthansa Group
- CERT-THY – Turkish Airlines
- AeroMexico
- IATA (by 3rd party CTI platform)
- Amadeus
- ECCSA (test)
- CAA-RO – Romanian CAA
- Airport 1
- Heathrow airport
- Schiphol Airport
- Prague Airport
- Hungarocontrol
- BULATSA
- DHMI
- Israel

MISP – Integration SIEM

6 Quarterly cyber threat landscape report (TLP:WHITE)

CTI tools – raising awareness

8 Sharing cyber-information

Report is TLP:GREEN


10 Context and limitations

Our dataset:
- No detection means (e.g. SOC)
- Legal framework to share
- Misuse of TLP
- Lack of maturity
- Company sharing culture
- National regulation
- De-identification
- Trust

11 How to build trust?

- EACCC – CYBER18
- Sharing experience with constituents
- Workshops
- Delivering cost-effective services

12 Capture The Flag

13 MITRE ATT&CK: Techniques most commonly used to attack aviation

[Matrix: ATT&CK tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Impact. The techniques named on the slide are listed below under the ATT&CK tactic they belong to; the ranking within each column is not recoverable from the extracted text.]

Initial Access: Spearphishing Attachment, Spearphishing Link, Valid Accounts, Drive-by Compromise, External Remote Services, Exploit Public-Facing Application, Supply Chain Compromise, Trusted Relationship

Execution: Command-Line Interface, Scripting, PowerShell, Scheduled Task, Exploitation for Client Execution, User Execution, Windows Management Instrumentation, Dynamic Data Exchange, Rundll32, Service Execution, Graphical User Interface, Mshta, Execution through API, Component Object Model and Distributed COM, Windows Remote Management, CMSTP, Compiled HTML File, Regsvr32

Persistence: Registry Run Keys / Startup Folder, Scheduled Task, Valid Accounts, New Service, External Remote Services, Accessibility Features, Create Account, Redundant Access, Web Shell, DLL Search Order Hijacking, Bootkit, Application Shimming, Component Firmware, Modify Existing Service, BITS Jobs, Winlogon Helper DLL, Windows Management Instrumentation Event Subscription, Account Manipulation, Hidden Files and Directories

Privilege Escalation: Scheduled Task, Valid Accounts, Process Injection, New Service, Bypass User Account Control, Exploitation for Privilege Escalation, Accessibility Features, DLL Search Order Hijacking, Application Shimming, Web Shell

Defense Evasion: Obfuscated Files or Information, Scripting, Valid Accounts, Process Injection, Code Signing, Deobfuscate/Decode Files or Information, File Deletion, Masquerading, Rundll32, Redundant Access, Mshta, Software Packing, DLL Search Order Hijacking, Bypass User Account Control, Virtualization/Sandbox Evasion, DLL Side-Loading, Hidden Files and Directories, CMSTP, Compiled HTML File, Indicator Removal from Tools, Indicator Removal on Host, Modify Registry, Network Share Connection Removal, Process Hollowing, Regsvr32, Rootkit, Template Injection, Binary Padding, BITS Jobs, Disabling Security Tools, Execution Guardrails, Component Firmware, Clear Command History, Compile After Delivery, Web Service

Credential Access: Credential Dumping, Input Capture, Brute Force, Credentials in Files, Credentials from Web Browsers, Network Sniffing, Account Manipulation

Discovery: System Network Configuration Discovery, Process Discovery, Account Discovery, File and Directory Discovery, Network Service Scanning, Remote System Discovery, System Information Discovery, System Network Connections Discovery, System Owner/User Discovery, Network Share Discovery, Permission Groups Discovery, Security Software Discovery, System Service Discovery, Query Registry, Peripheral Device Discovery, Virtualization/Sandbox Evasion, Network Sniffing

Lateral Movement: Remote Desktop Protocol, Remote File Copy, Pass the Ticket, Remote Services, Windows Admin Shares, Windows Remote Management, Exploitation of Remote Services, Pass the Hash, Component Object Model and Distributed COM

Collection: Input Capture, Data from Local System, Data Staged, Email Collection, Audio Capture, Automated Collection, Data from Information Repositories, Video Capture, Screen Capture, Data from Network Shared Drive

Exfiltration: Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol

Command and Control: Commonly Used Port, Standard Application Layer Protocol, Connection Proxy, Remote File Copy, Web Service, Custom Command and Control Protocol, Multi-Stage Channels, Standard Non-Application Layer Protocol, Uncommonly Used Port, Fallback Channels, Multi-hop Proxy, Data Obfuscation, Domain Fronting, Data Encoding, Domain Generation Algorithms, Standard Cryptographic Protocol

Impact: Data Encrypted for Impact, Disk Structure Wipe, Resource Hijacking, System Shutdown/Reboot

14 Call for cooperation

2020 report dataset

Thanks to you! 2021 report dataset

Aviation stakeholders = THE source of cyber info ... not CTI vendors

THANK YOU