Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling
Phil Neray, VP of Industrial Cybersecurity Agenda
• NotPetya: How a Single Piece of Code Crashed the World (Wired)
• VPNFilter Update • What Happens When You Expose an ICS Honeypot
• Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling Why It Matters
SUPPORT BUSINESS NEED RANGE OF MOTIVATED “INSECURE BY DESIGN” FOR DIGITALIZATION ADVERSARIES NETWORKS
Image Credit: CyberScoop/Jolie Gender NotPetya: How a Single Piece of Code Crashed the World (WIRED)
“Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.” – Thomas Rid, Johns Hopkins’ School of Advanced International Studies. “Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco • Propelled by a combination EternalBlue and Mimikatz; spread via intranets • Spread within hours from a Ukrainian software firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ Update on VPNFilter Malware
• Multi-stage router malware – MODBUS packet sniffer – Wipes firmware of devices – Uses BE malware from 2015 Ukraine grid attack • Latest updates from Cisco Talos – Endpoint exploitation tool • Redirects and inspects content of HTTP traffic • Download binary payload & perform on-the-fly patching of Windows executables – Port scanning & network mapping tool • Identify additional devices for lateral movement/compromise – DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wikr, Signal) – New ways to obfuscate or encrypt malicious traffic; build distributed proxy network
https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html6 ICS Honeypot Experiment
• Simulated ICS environment – IT network, OT network with HMI – 3 Internet-facing servers with RDP, SSH & weak passwords – DNS names registered; internal names resembled “well-known” electric utility • In 2 days: compromised by xDedic RDP Patch tool • 10 days: access to back door from “new owner” – Presumed bought access to ICS via black market • Multipoint network reconnaissance to identify paths from IT to OT
https://www.cybereason.com/blog/industrial-control-system-specialized-hackers https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.html (1) Identify “Crown Jewel” Processes
• Functions whose failure would threaten your company’s very survival – Revenue – Lawsuits – Brand reputation – Theft of intellectual property – Major compliance violations • Requires conversations with business owners & OT • Examples – Safety systems – Critical manufacturing production lines – Transformers or gas compressor stations – Historians (pharma)
8 (2) Map Digital Terrain
• Asset discovery & network topology mapping • “How does information move through your network?” • “Who touches your equipment — and how do do they connect?” (3) Illuminate Most Likely Attack Paths
• Tabletop exercises • Pen testers • Automated threat modeling – Map ICS topology – Identify vulnerabilities – Calculate most likely attack paths Simulating Attack Paths to Critical Assets Automated ICS Threat Modeling
CyberX finds all potential attack paths, ranked by risk Choose your most critical “crown jewel” assets as targets
CyberX shows visual simulation of entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching) (4) Options for Mitigation & Protection
• Reduce # of digital pathways to a minimum – Unauthorized Internet connections – Segmentation – Privileged identity management & secure remote access • Address vulnerabilities – Weak passwords – Unused open ports – Patching where possible • Implement compensating controls – Continuous monitoring with behavioral anomaly detection – Integration with firewall infrastructures
13 Detect & Respond Faster Investigations & Threat Hunting CyberX Firewall Integration
Panoram SIEM a
3 Policy Approval & Push
SOC/DMZ Palo Alto NGFW 1 CyberX Automated NGFW Policy Creation Alert 2
Engineering Workstation
HMI Zone Zone Switch Switch
Cell Cell Cell Cell Cell Switch Switch Switch Switch Switch Controllers CyberX at a Glance
• Founded in 2013 by military cyber experts with nation-state expertise defending critical infrastructure • HQ in Boston with R&D and Threat Intelligence teams in Israel • Purpose-built OT security platform – Asset management, vulnerability & risk management, continuous threat monitoring – Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning – Integrates with existing SOC workflows & security stack for unified IT/OT monitoring • Partnerships & integrations with major security companies & MSSPs worldwide – IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, … – Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, … ICS Zero-Day Vulnerabilities Discovered by CyberX
• https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow CyberX researched • https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow featured in Chapter 7 • https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Valid. (DDoS) • https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element • Undisclosed RCE vulnerability in controller (vendor Y) Scalable Multi-Tier Architecture with Centralized Control
CyberX Central Manager Corporate SOC
SIEM
CyberX Global ICS
Threat Intelligence CyberX SOC Enablement Services
Ticketing System
CyberX Malware Analysis Sandbox Service “Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed a malware framework — which we call TRITON — designed to manipulate Triconex Safety Instrumented System (SIS) controllers.” FireEye, December 14 21Palo Alto Networks Proprietary and Confidential The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage the firm’s operations and trigger an explosion.” The New York Times
Goal: Disable plant safety systems? Campaign: Connected to Shamoon attacks? Who: Likely Iran with assistance from Russia or N. Korea?
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacksCONFIDENTIAL-cyberattacks.html TRITON Cyberattack on Petrochemical Facility
Deploy PC malware 1 2 3 4 Steal OT credentials Install RAT in safety PLC Disable safety PLC & launch TriStation nd Protocol 2 cyberattack
L4 L3 L1 L0
L2 22
CONFIDENTIAL For More Information
ICS & IIoT Security Knowledge Base • Threat & vulnerability research (Black Energy, etc.), transcripts from SANS webinars, CyberX “Global ICS & IIoT Risk Report”, research presentations from Black Hat Europe See Us at Upcoming Events • CS4CA Europe (Oct. 2-3, London) — NISD presentation • ICS Cyber Security Summit (Oct. 9-10, London) • Palo Alto Network IGNITE Europe (Oct. 8-10, Amsterdam) – Featuring joint session with CISO of leading manufacturer • MANUSEC (Oct. 9-10, Chicago) CyberX vulnerability research featured in Chapter 7 — free • ICS Cyber Security Conference (Oct. 22-25, Atlanta) download from CyberX – Free ½-day hands-on workshop with Palo Alto Networks & CyberX – Joint session with Emerson Automation Solutions: “ICS Security Researchers & Automation Vendors: Building Mutual Trust” • EU Utility Week (Nov. 6-8, Vienna) featuring CISO from EWZ Energy Thank You!