Supporting European Aviation
CERT for ATM – Communication between CERT constituents
IFE
Patrick MANA, EATM-CERT Manager

Regional sectorial (ATM) CERT: combine cyber and domain expertise
[Slide diagram: EATM-CERT shown among its constituents and peers. Entities in the diagram: Thematic CERTs, EACCC, EASA, ECCSA, US and other regional ATM CERTs, National CERTs, CERT-EU, ENISA, EUROPOL, NATO/EDA, EE-ISAC, A-ISAC, EUROCONTROL/NM SOC, EUROCONTROL/MUAC SOC, cyber intelligence providers, ATM manufacturers, ATM stakeholders and their SOCs. Flows in the diagram: alerts/incidents, significant incidents, cyber intelligence, intelligence/services, logs, recommendations.]

ISAC & CERT & SOC
[Slide diagram: relationship between ISAC, CERT and SOC.]
EATM-CERT and European National CERTs
[Slide diagram: National CERTs of State A, State B, State C, State D, State E … State X, alongside pan-European sectorial CERTs:]
- Energy: pan-European sectorial CERT
- ATM: pan-European sectorial CERT => EATM-CERT
- Health care: pan-European sectorial CERT
- Finance: pan-European sectorial CERT
- …
MISP
National CERTs: CERT-AT – Austria; CERT-EE – Estonia; CERT-EU – EU institutions; CERT-Bund – Germany; CERT-LV – Latvia; CIRCL.LU – Luxembourg; NCSC-NL – Netherlands; CERT-PL – Poland; CERT-PT – Portugal; SI.CERT – Slovenia; CERT.IL – Israel; CERT.BE – Belgium; CSIRT-IE – Ireland; CERT-CY – Cyprus; CERT-INCIBE – Spain; CERT-CCN – Spain
Aviation partners: CERT-AIRBUS A/C; CERT-IST – Thales; DLH-DE – Lufthansa Group; CERT-THY – Turkish Airlines; AeroMexico; IATA (by 3rd party CTI platform); Amadeus; ECCSA (test); CAA-RO – Romanian CAA; Airport 1; Heathrow airport; Schiphol Airport; Prague Airport; Hungarocontrol; BULATSA; DHMI; Israel

EUROCONTROL/EATM-CERT MISP – Integration with SIEM
Quarterly cyber threat landscape report (TLP:WHITE)
CTI tools – raising awareness
Sharing cyber-information: the report is TLP:GREEN
[email protected] [email protected]
Context and limitations
Our dataset
Limiting factors: no detection means (e.g. SOC); legal framework to share; misuse of TLP; lack of maturity; company sharing culture; national regulation; de-identification; trust.
How to build trust?
EACCC – CYBER18
Sharing experience with constituents
Workshops
Delivering cost-effective services
Capture The Flag
MITRE ATT&CK: techniques most commonly used to attack aviation
[Slide matrix: ATT&CK techniques arranged under the tactics Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Impact. Techniques legible in the first row of the matrix, one per tactic in that order: Spearphishing Attachment; Command-Line Interface; Registry Run Keys / Startup Folder; Scheduled Task; Obfuscated Files or Information; Credential Dumping; System Network Configuration Discovery; Remote Desktop Protocol; Input Capture; Data Compressed; Remote File Copy; Data Encrypted for Impact. The remaining cells of the matrix are not recoverable from the extracted text.]

Call for cooperation
2020 report dataset
Thanks to you! 2021 report dataset
Aviation stakeholders = THE source of cyber info … not CTI vendors
THANK YOU [email protected]