APT-Style Attacks on SCADA Systems: Stuxnet, Night Dragon (PowerPoint presentation by Jonathan Pollet, CAP, CISSP, PCIP, Founder and Principal Consultant, Red Tiger Security, USA)



SLIDE 1

APT-Style Attacks on SCADA Systems

Stuxnet … Night Dragon

Jonathan Pollet, CAP, CISSP, PCIP, Founder, Principal Consultant, Red Tiger Security - USA

SLIDE 2

speaker

— Jonathan Pollet, CISSP, CAP, PCIP
— Started as a Control Systems Engineer for Chevron
— 12 years in Electrical Engineering / SCADA
— Began conducting research into Control Systems Security in 2001
— Performed over 150 field assessments of SCADA, DCS, and Control Systems since 2001
— Participant, developer, or reviewer of Control System Security Standards
— SCADA Security Trainer / Instructor
— Co-developed the 5-day SCADA Security Advanced course
  • Offered through Red Tiger Security and the SANS Institute
— Co-developed the 2-day course entitled “Building, Attacking and Defending SCADA Systems in the Age of Stuxnet” offered through Red Tiger Security and BlackHat

SLIDE 3

Outline (10 mins)

— Quick introduction to APT (Advanced Persistent Threat) style attacks
— Initial attack vector leverages Social Engineering and Social Networking sites
— Malware is still the favorite initial attack vector
— The role of C&C in these modern attacks
— Night Dragon (staged over 18 to 24 months)
— Stuxnet
— Q & A

SLIDE 4

security is more than just passwords and locks

SLIDE 5

APT – Techniques / Tradecraft

— OSINT
— Social Engineering
— Targeted “Spear Phishing”
— Malicious Attachments
— USB devices
— Websites

SLIDE 6

targeted spear phishing

— Requires in-depth knowledge of the target
— Sophistication based on posted / known information about the target
— Used to leverage people / groups

SLIDE 7

Malicious attachments (malware)

— PDF
— MS Products
  • Word, Excel, etc…
— The usual suffixes…
  • mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe
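The suffix list above is only useful if something actually applies it at the mail gateway or in a mailbox sweep. The following is an added example (not code from the presentation or from Red Tiger Security) that turns the slide's list into a triage function. The extension set is the slide's own; the disguise checks (a double extension such as invoice.pdf.exe, a domain-shaped name such as yourcompany.com.zip, and the Unicode right-to-left override that makes a .scr display as a .pdf) are this example's assumptions about how that list gets abused, and the sample attachment names are constructed.

```python
"""Attachment-name triage built around the suffix list on this slide.

Added example, not from the presentation. The extension set is the slide's;
the disguise checks (double extensions such as invoice.pdf.exe, domain-like
names such as yourcompany.com.zip, and the Unicode right-to-left override)
are this example's own assumptions about how that list gets abused. The
sample attachment names are constructed for the demo.
"""
import re

# "The usual suffixes" from the slide, compared case-insensitively.
RISKY_EXTENSIONS = {
    "mp3", "exe", "lnk", "dll", "mov", "com", "mp4", "bat", "cmd", "reg",
    "rar", "emf", "shs", "js", "vb", "cab", "mda", "zip", "mdb", "scr",
    "aiff", "mde", "cpl", "msi", "vbs", "aif", "m4p", "msp", "fdf", "mdt",
    "sys", "wmf", "hlp", "hta", "pif", "jse", "qef", "scf", "chm", "wsf",
    "fli", "vbe",
}
# Carrier documents the slide names (PDF, Word, Excel): worth a look, not a block.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf"}

RLO = "\u202e"  # right-to-left override: "x\u202efdp.scr" is displayed as "xrcs.pdf"
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{2,5})\.([a-z0-9]{2,5})$")
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|gov)\.")
BLOCK_REASONS = {"risky-extension", "double-extension", "domain-like-name", "rtl-override"}


def triage_attachment(name: str) -> dict:
    """Classify one attachment name as allow / review / block, with reasons."""
    reasons = []
    lowered = name.strip().lower()
    if RLO in lowered:
        reasons.append("rtl-override")
        lowered = lowered.replace(RLO, "")  # judge the real name, not the displayed one
    ext = lowered.rsplit(".", 1)[1] if "." in lowered else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append("risky-extension:" + ext)
    m = DOUBLE_EXT.search(lowered)
    if m and m.group(1) in DOCUMENT_EXTENSIONS and m.group(2) in RISKY_EXTENSIONS:
        reasons.append("double-extension")
    if DOMAIN_LIKE.match(lowered):
        reasons.append("domain-like-name")
    if ext in DOCUMENT_EXTENSIONS:
        reasons.append("document-carrier:" + ext)
    if any(r.split(":")[0] in BLOCK_REASONS for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "extension": ext, "verdict": verdict, "reasons": reasons}


# Constructed sample batch (not real mail data).
SAMPLE_ATTACHMENTS = [
    "Q3_report.pdf",
    "yourcompany.com.zip",
    "invoice.pdf.exe",
    "notes.txt",
    "diagram" + RLO + "fdp.scr",
]


def triage_all(names=SAMPLE_ATTACHMENTS) -> dict:
    """Map each name to its verdict; usable as a gateway rule or a mail-log sweep."""
    return {n: triage_attachment(n)["verdict"] for n in names}
```

The verdict for a plain PDF or Office file is "review" rather than "allow" because the same slide lists those formats as malware carriers; a gateway would route those to sandbox detonation rather than block them outright.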

SLIDE 8

APT – Targeted Attacks

SLIDE 9

malware (Con’t)

[Pie chart “General Attacks”, values and labels in slide order: 66.8% Malware, 7.7% Other, 8.6% Phishing, 3.1% Physical Loss, 0.2% Denial of Service, 11.8% Unauthorized Access Attempt, 1.8% Inappropriate Use]

Source: http://www.f-secure.com/weblog/archives/00001676.html

SLIDE 10

Command and Control (C&C)

— Leverages communication systems to relay messages
— Command Vectors
  • Twitter
  • IRC
  • Facebook
  • Google Groups

SLIDE 11

Staged attack

— Series of weeks/months to fully compromise a system
— Incremental uploads / downloads / exchanges
— Result is fully “rooted” devices
— Random “radio” silence
  • Remain hidden

SLIDE 12

APT – Phased Compromise

[Diagram: phases Initiation / First Contact, Discovery, Spread, Command & Control, Exfiltration / Propagation; stage labels Hosts / Devices, 0Day / Vuln, Infect, Orders, Radio Silence, Data Collect, Transmit]

SLIDE 13

Stuxnet

— Certificate (drivers signed with code-signing certificates stolen from two hardware vendors)
  • JMicron
  • Realtek
— USB
  • Initial infection vector
  • USB replication (x3: each infected drive infects at most three hosts)
— Windows 0day
  • 4 unique vulns
  • Each found on most MS (2003+) platforms
— Rogue PLC logic
  • Discovers the PLC device
  • Pushes new logic

SLIDE 14

Stuxnet

— 2 privilege escalation vulnerabilities (local 0-days, used to gain SYSTEM on the infected host)
— Network spread
  • SMB – MS08-067 (Server service remote code execution; not a 0-day)
  • Print Spooler – CVE-2010-2729 / MS10-061
— USB proliferation vulnerability
  • BID 41732 (Windows Shell shortcut / .LNK parsing, MS10-046)
  • ~WTR4141.tmp and ~WTR4132.tmp dropped on the removable drive alongside the .lnk files
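The USB vector on this slide leaves a simple artifact on the media itself: shortcut files sitting next to the ~WTR4141.tmp / ~WTR4132.tmp payloads. The following is an added example (not from the presentation or any vendor tool) of a removable-media check built only on what the slide states. The wider ~WTR####.tmp pattern and the verdict thresholds are this example's assumptions, and a temporary directory stands in for a mounted drive.

```python
"""Removable-media check for the Stuxnet drop pattern described on this slide.

Added example, not from the presentation or any vendor tool. It relies on
what the slide states: the shortcut (.lnk) vector, BID 41732, and the two
payload files ~WTR4141.tmp and ~WTR4132.tmp carried on USB media. The
wider ~WTR####.tmp pattern is this example's assumption. A temporary
directory stands in for a mounted drive; nothing is written to real media.
"""
import re
import tempfile
from pathlib import Path

KNOWN_PAYLOADS = {"~wtr4141.tmp", "~wtr4132.tmp"}   # names from the slide
WTR_PATTERN = re.compile(r"^~wtr\d{4}\.tmp$", re.I)  # assumed generalisation


def scan_drive_root(root: str) -> dict:
    """Inspect the top level of a drive and report the two halves of the vector.

    Stuxnet placed the shortcuts and the payload in the drive root, so that
    is what is checked here; a fuller sweep would walk subfolders too.
    """
    entries = [p for p in Path(root).iterdir() if p.is_file()]
    lnk_files = sorted(p.name for p in entries if p.suffix.lower() == ".lnk")
    wtr_files = sorted(p.name for p in entries if WTR_PATTERN.match(p.name))
    known = sorted(n for n in wtr_files if n.lower() in KNOWN_PAYLOADS)
    # The vector needs both halves: a shortcut to trigger the parser and a
    # payload for it to load. Either half alone is only worth a note.
    if lnk_files and wtr_files:
        verdict = "stuxnet-pattern"
    elif wtr_files:
        verdict = "suspicious-tmp"
    elif len(lnk_files) >= 3:
        verdict = "many-shortcuts"
    else:
        verdict = "clean"
    return {"root": root, "verdict": verdict, "lnk": lnk_files,
            "wtr": wtr_files, "known_payloads": known}


def build_demo_drive(infected: bool = True) -> str:
    """Create a constructed directory that mimics a USB drive root."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    names = ["readme.txt", "site_plan.pdf"]
    if infected:
        names += ["report.lnk", "budget.lnk", "~WTR4141.tmp", "~WTR4132.tmp"]
    for name in names:
        Path(root, name).write_bytes(b"constructed sample, not malware")
    Path(root, "photos").mkdir()  # subdirectories are ignored by the scan
    return root
```

Run scan_drive_root() against the mount point of every drive that arrives at a control-room workstation; the "known_payloads" field tells you whether the exact names from this slide were present, while "wtr" catches the broader pattern.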

SLIDE 15

Stuxnet targeted a difficult protocol / system… > Modbus would be a walk in the park
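Why Modbus would be "a walk in the park": a Modbus/TCP request carries no authentication field at all, so any host that can reach port 502 can write to the PLC. The following is an added example (not from the presentation) that encodes and decodes a Modbus application data unit (MBAP header plus PDU) per the public Modbus/TCP specification and shows the kind of monitor rule a defender can build from it: alert on any write function code from a host that is not the HMI or engineering workstation. Nothing here touches a network; the sample frames and the allowed-writer list are constructed.

```python
"""Modbus/TCP has no authentication: encode, decode and flag write requests.

Added example, not from the presentation. Frame layout follows the public
Modbus/TCP specification; the sample frames and the allowed-writer list are
constructed for the demo.
"""
import struct

# Function codes that change process state (Modbus application protocol).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x15: "Write File Record",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """Build a Write Single Register (FC 6) ADU.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2,
    bytes that follow = unit id + PDU), unit id (1). PDU: function (1),
    register address (2), value (2). There is no credential anywhere.
    """
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(adu: bytes) -> dict:
    """Decode the MBAP header and function code; raise on malformed input."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = adu[7]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "is_write": fc in WRITE_FUNCTIONS, "is_exception": bool(fc & 0x80),
            "name": WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc, "other")}
    if fc == 0x06 and length == 6:
        info["address"], info["value"] = struct.unpack(">HH", adu[8:12])
    return info


def check_write(adu: bytes, src_ip: str, allowed_writers: set) -> str:
    """Monitor rule: any write not from a known HMI/engineering host alerts."""
    info = parse_adu(adu)
    if not info["is_write"] or src_ip in allowed_writers:
        return "ok"
    return f"ALERT {info['name']} (FC {info['function_code']:#04x}) from {src_ip}"
```

The same parser dropped into a passive tap (a SPAN port feeding a small collector) gives a control network the one thing the protocol itself cannot: a record of who wrote what to which unit, and an alarm when that "who" is not on the list.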

SLIDE 16

Mitigation Strategy

Real world solutions to combat the APT Threat

SLIDE 17

Defence Strategy

— Conduct External/Internal Security Assessments
  • What you don’t know can STILL hurt you
  • Assessments from External / Internal perspective
— Education / Awareness
  • Training
  • Regular Briefings
  • Foster environment of Security / Communication
  • INTRA Departmental
— Security Bulletins
  • Weekly reminders
  • Trends
— Advanced Persistent Diligence
  • Continuous Security Monitoring

SLIDE 18

Event Horizon

What do we see on the way

SLIDE 19

The Horizon

— Mutating Bots / Command & Control
  • Quiet installation
  • Obfuscated Exfiltration (HTTP, DNS, Masked)
— Directed Social Engineering
  • Staggered Attack
  • Combined with other styles
  • Building relationships over time
— Leverage of Social Networks (SocNet)
  • Facebook is not your friend
  • Twitter or LinkedIn aren’t too fond of you either…
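"Obfuscated exfiltration" over DNS is the one channel on this slide that almost every control network already allows outbound. The following is an added example (not from the presentation) of the heuristic a resolver-log review can apply: data tunnelled through DNS shows up as long, high-entropy labels, many of them under one zone. The log format, the zone names, the thresholds and the base32 payload estimate are all constructed assumptions for the demo; tune the thresholds against a real baseline before alerting on them.

```python
"""Heuristic for obfuscated exfiltration over DNS, as the slide anticipates.

Added example, not from the presentation. It scores DNS query logs for the
traits of data tunnelled through subdomains: long, high-entropy labels and
many of them under one zone. The log format, zone names, thresholds and
the base32 payload estimate are constructed assumptions for the demo.
"""
import math
from collections import defaultdict

# Constructed log lines: "<epoch> <client-ip> <qname> <qtype>". Lines 3-6 carry
# base32-looking labels as a tunnelling client would emit; the rest are normal.
SAMPLE_LOG = """\
1300000000 10.1.5.20 www.example.com A
1300000001 10.1.5.20 mail.example.com MX
1300000002 10.1.5.31 nbczq4dfmjrgc3tlmvzhi2lpnzsgkzq.up.dn-tun.example A
1300000003 10.1.5.31 ge2dinzsgq2tmmzsgezdgnjrgi2diur.up.dn-tun.example A
1300000004 10.1.5.31 mfrgg2lunbxxe2lumfwcaz3smvqwy.up.dn-tun.example A
1300000005 10.1.5.31 obyw2zlsmnsxi3lsonqs4ylumfwcc.up.dn-tun.example A
1300000006 10.1.5.20 updates.vendor.example A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str, depth: int = 2) -> str:
    """Crude zone cut (last two labels); a real tool would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def score_dns_log(text: str, min_label_len: int = 20, min_entropy: float = 3.0,
                  min_hits: int = 3, min_ratio: float = 0.5) -> dict:
    """Return zones whose queries look like encoded data rather than hostnames."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                    "hits": 0, "payload_chars": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        z = per_zone[registered_zone(qname)]
        z["queries"] += 1
        z["names"].add(qname)
        z["clients"].add(client)
        for label in qname.split(".")[:-2]:  # labels below the zone cut
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                z["hits"] += 1
                z["payload_chars"] += len(label)
    findings = {}
    for zone, z in per_zone.items():
        if z["hits"] >= min_hits and z["hits"] / z["queries"] >= min_ratio:
            findings[zone] = {
                "clients": sorted(z["clients"]),
                "queries": z["queries"],
                "unique_names": len(z["names"]),
                "encoded_labels": z["hits"],
                # base32 packs 5 bits per character (assumed encoding).
                "approx_bytes": z["payload_chars"] * 5 // 8,
            }
    return findings
```

Two caveats for production use: content-delivery and anti-spam services legitimately emit long hashed labels, so whitelist known zones before alerting, and a tunnel that throttles itself to a few queries an hour will slip under the ratio test unless the window spans a day or more.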

SLIDE 20

questions/comments

— Speaker: Jonathan Pollet, CISSP, CAP, PCIP, Red Tiger Security
  • Office: +1.877.387.7733
  • Email: jpollet@redtigersecurity.com
  • Web: www.redtigersecurity.com
— Upcoming Training: http://www.blackhat.com/html/bh-us-11/training/parker-scada.html
— Check out our Industry Briefings and News Feeds: http://www.redtigersecurity.com/security-briefings/