Continuous Asset Discovery, Risk Management & Threat Monitoring - - PowerPoint PPT Presentation



SLIDE 1

Phil Neray, VP of Industrial Cybersecurity

SANS Webinar on NIST Recommendations for IIoT & ICS Security With Behavioral Anomaly Detection (BAD)

February 28, 2019

Continuous Asset Discovery, Risk Management & Threat Monitoring for IIoT & ICS Networks

SLIDE 2

CyberX at a Glance

Only industrial platform built by blue-team experts with a track record defending critical national infrastructure

Founded in 2013

Global Presence

  • Boston (HQ)
  • Chicago
  • Houston
  • Florida
  • London
  • Paris
  • Munich
  • Tokyo
  • Israel

Partnerships with leading security companies & MSSPs worldwide

Simplest, most mature and most interoperable solution

Only IIoT & ICS security firm with a patent for its ICS-aware threat analytics

SLIDE 3

Unified IT/OT Security Monitoring & Governance

SLIDE 4

Partnered with Global Technology Leaders

SLIDE 5

Challenges We Address for Clients

  • What devices do I have, how are they connected — and how are they communicating with each other?
  • What are the vulnerabilities and risks to our most valuable assets — and how do I prioritize mitigation?
  • Do we have any ICS threats in our network — and how do we quickly respond to them?
  • How can I leverage my existing IT security investments — people, training & tools — to secure my OT infrastructure?

Continuous Threat Monitoring, Incident Response & Threat Hunting

Asset Discovery

Risk & Vulnerability Management

Unified IT/OT Security Monitoring & Governance

SLIDE 6

Most Recognized ICS Threat Intelligence

Continuously Discovering New ICS Zero-Day Vulnerabilities

CyberX threat research featured in Chapter 7

  • ICSA-15-300-03A: BUFFER OVERFLOW
  • ICSA-15-351-01: BUFFER OVERFLOW
  • ICSA-17-087-02: ARBITRARY FILE UPLOAD, BUFFER OVERFLOW
  • ICSA-18-228-01: UNCONTROLLED SEARCH PATH ELEMENT, RELATIVE PATH TRAVERSAL, IMPROPER PRIVILEGE MANAGEMENT, STACK-BASED BUFFER OVERFLOW
  • ICSA-17-339-01D: IMPROPER INPUT VALIDATION (DDoS)
  • ICSA-16-306-01: BUFFER OVERFLOW
  • ICSA-16-026-02: BUFFER OVERFLOW
  • ICSA-17-278-01A: BUFFER OVERFLOW

SLIDE 7

Simple, Non-Invasive, Agentless — No Rules or Signatures

CMDB asset data, firewall rules, etc. (optional)

Proprietary Deep Packet Inspection and Network Traffic Analysis (NTA)

OT Network

Network Traffic Data

SPAN port on network switch

SLIDE 8

CyberX Platform Architecture

CORE CAPABILITIES

  • IP Network & Serial Device Dissectors
  • Embedded Knowledge of ICS Devices & Protocols
  • Proprietary ICS Threat Intelligence & Vulnerability Research
  • ICS Malware Analysis Sandbox

CYBERX CENTRAL MANAGEMENT

SELF-LEARNING ANALYTICS ENGINES

  • Network Traffic Analysis (NTA)
  • Data Mining Infrastructure
  • Behavioral Anomaly Detection
  • Protocol Violation Detection
  • IT & OT Malware Detection
  • Unusual M2M Communication Detection
  • Operational Incident Detection

CAPABILITIES & USE CASES

  • ICS Asset Management
  • ICS Risk & Vulnerability Management with Threat Modeling
  • ICS Threat Monitoring & Detection
  • ICS Incident Response & Threat Hunting
  • SOC Integration & REST APIs: SIEM, Ticketing & Orchestration, Firewalls & NAC, Secure Remote Access

SLIDE 9

Malware-Free Attacks Are Growing — Why BAD is Needed Now

Source: https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

“So the important question to ask is not, ‘Can you prevent the initial compromise?’ — that may be an impossibility. To be successful at stopping breaches, an organization needs to detect, investigate, and remediate or contain the threat as quickly as possible.”

Malware-Free Examples

  • Stolen credentials
  • PowerShell
  • Router compromises

SLIDE 10

CyberX Global ICS & IIoT Risk Report — Top Data Points

Based on traffic data collected from 850+ production ICS networks across 6 continents and all sectors (Energy & Utilities, Oil & Gas, Pharmaceuticals, Chemicals, Manufacturing, Mining)

Download full report: cyberx-labs.com/risk-report-2019

Anti-Anti-Virus

  • 43%: Automatic updates detected
  • 57%: No automatic updates detected

Mythical Air-Gap

  • 60%: No internet connections
  • 40%: Internet connections detected

Broken Windows

  • 47%: Only modern Windows versions
  • 53%: Sites with unsupported Windows boxes

Hiding in Plain Sight

  • 31%: Encrypted passwords
  • 69%: Plain-text passwords

SLIDE 11

The TRITON attack on a petrochemical facility “had a deadly goal … it was not designed to simply destroy data or shut down the plant … it was meant to sabotage the firm’s operations and trigger an explosion.” The New York Times

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

SLIDE 12

TRITON Kill Chain

[Diagram: network levels L4, L3, L2, L1, L0]

  1. Steal OT credentials
  2. Deploy PC malware
  3. Install RAT in safety PLC (via TriStation Protocol)
  4. Disable safety PLC & launch 2nd cyberattack

SLIDE 13

CyberX Threat Intelligence: Reverse-Engineering TRITON

GetMPStatus packet structure: see https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/

Kill chain step 3: Install RAT in safety PLC

SLIDE 14

New TRITON Information from S4x19 Conference

  • First incident actually 2 months earlier — in June 2017
  • Plant shutdown for 1 week when safety controller tripped
  • Automation vendor concluded it was mechanical failure
  • 2nd incident affected six (6) safety controllers — not just two
  • Caused another 1-week shutdown — hundreds of millions of dollars from downtime & cleanup
  • Danger from toxic hydrogen sulfide gases
  • Incident response uncovered multiple red flags
    • Misconfigured firewalls enabled attackers to move from IT network to DMZ to OT network
    • AV alerts on workstations about Mimikatz credential-stealing malware were ignored
    • Ongoing alerts about RUN/PROGRAM key in unsafe position were also ignored — enabled attackers to upload malicious backdoor into safety controller
    • Suspicious RDP sessions to plant's engineering workstations from IT network
  • True lesson = lack of clear roles: Who is responsible for ensuring security controls are properly implemented & effective — IT, OT, integrator, or automation vendor?

Sources:

  • https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-widespread-than-publicly-known/d/d-id/1333661
  • https://www.cyberscoop.com/trisis-investigator-saudi-aramco-schneider-electric-s4x19/
  • https://www.eenews.net/energywire/stories/1060115423

SLIDE 15

Threat Anomaly Scenarios Detected by CyberX in NIST Report

  • Unauthorized Device Is Connected to the Network
  • Unencrypted HTTP Credentials
  • Unauthorized Ethernet/IP Scan of the Network
  • Unauthorized SSH Session Is Established with Internet-Based Server
  • Data Exfiltration to the Internet via DNS Tunneling
  • Unauthorized PLC Logic Download
  • Undefined Modbus TCP Function Codes Transmitted to PLC
  • Data Exfiltration to the Internet via Secure Copy Protocol
  • Virus Test File Is Detected on the Network
  • Denial-of-Service Attack Is Executed Against the ICS Network
  • Data Exfiltration Between ICS Devices via UDP
  • Invalid Credentials Are Used to Access a Networking Device
  • Brute-Force Password Attack Against a Networking Device
  • Unauthorized PLC Logic Update — Robotics System
  • Unauthorized PLC Logic Update — Process Control System

SLIDE 16

CyberX Event Timeline

SLIDE 17

Unauthorized Device Is Connected to the Network


This anomaly was executed on the PCS. The engineering laptop (Windows 7) was removed from the network during the baseline analysis phase of the product and was later connected to VLAN-2 to execute the anomaly. After the initial connection, background traffic was automatically generated onto the network by the laptop.
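The detection logic behind this scenario is a learned baseline rather than a signature: record which devices and which device-to-device conversations exist during the baseline window, then alert on anything outside it. The following is an added illustration, not code from the NIST report or the CyberX product; the flow records, MAC and IP addresses are constructed.

```python
"""Baseline-then-detect for 'Unauthorized Device Is Connected to the Network'.

Added example (not from the NIST report or CyberX). Flow records, MACs and IPs
below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # e.g. "enip", "modbus", "netbios"


# Constructed baseline traffic on VLAN-2 while the laptop is off the network.
BASELINE = [
    Flow("00:1d:9c:00:00:01", "10.100.2.10", "10.100.2.20", "enip"),
    Flow("00:1d:9c:00:00:02", "10.100.2.20", "10.100.2.10", "enip"),
    Flow("00:0c:29:00:00:03", "10.100.2.30", "10.100.2.10", "modbus"),
]

# Constructed detection-phase traffic: the Windows 7 laptop joins VLAN-2 and
# immediately emits background chatter (NetBIOS-style broadcast).
OBSERVED = [
    Flow("00:1d:9c:00:00:01", "10.100.2.10", "10.100.2.20", "enip"),
    Flow("f4:8e:38:aa:bb:cc", "10.100.2.99", "10.100.2.255", "netbios"),
    Flow("00:0c:29:00:00:03", "10.100.2.30", "10.100.2.20", "modbus"),
]


class Baseline:
    """Sets of known devices and known conversations learned from baseline flows."""

    def __init__(self, flows):
        self.devices = {(f.src_mac, f.src_ip) for f in flows}
        self.conversations = {(f.src_ip, f.dst_ip, f.proto) for f in flows}

    def check(self, flow):
        """Return alert strings for one flow; empty list if it matches the baseline."""
        alerts = []
        if (flow.src_mac, flow.src_ip) not in self.devices:
            alerts.append(f"NEW_DEVICE {flow.src_mac} {flow.src_ip}")
        if (flow.src_ip, flow.dst_ip, flow.proto) not in self.conversations:
            alerts.append(f"NEW_CONVERSATION {flow.src_ip}->{flow.dst_ip} {flow.proto}")
        return alerts


def detect(baseline_flows, observed_flows):
    """Learn from baseline_flows, then return every alert raised by observed_flows."""
    baseline = Baseline(baseline_flows)
    return [alert for flow in observed_flows for alert in baseline.check(flow)]


if __name__ == "__main__":
    for alert in detect(BASELINE, OBSERVED):
        print(alert)
```

The new laptop raises both a new-device and a new-conversation alert, and the known Modbus client talking to a host it never spoke to during the baseline raises a new-conversation alert on its own.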

SLIDE 18

Unencrypted Credentials

This anomaly was executed on the CRS. An Apache HTTP server was configured on Machining Station 1 and contained a directory that was protected by HTTP basic authentication. The web pages hosted in the protected directory enabled an operator to remotely view machine status information. The connection was initiated from the Firefox browser on the engineering workstation.

SLIDE 19

Unauthorized Ethernet/IP Scan

During the reconnaissance phase, an attacker may attempt to locate vulnerable services in an ICS network and will likely include probing for ICS-specific services (e.g., Ethernet/IP). Once a vulnerable service, host, or device is discovered, an attacker may attempt to exploit that entity.

SLIDE 20

Unauthorized SSH Session

This anomaly was executed on the PCS. The OpenSSH suite was installed and configured on a server with an internally routed public IP address (129.6.1.2). The open-source SSH client PuTTY was used to establish a connection with the SSH service from the engineering workstation to the internet-based server.

SLIDE 21

Data Exfiltration to Internet via DNS Tunneling

Attacks against ICS with the goal of information gathering must (at some point) attempt to exfiltrate sensitive or proprietary data from the ICS network, potentially utilizing the internet as a transport mechanism. Monitoring for ICS devices communicating to other devices over the internet can help detect data exfiltration events, especially if the affected device does not normally communicate over the internet.

SLIDE 22

Unauthorized PLC Logic Download

Many ICS devices provide services to remotely update control logic over the network. These network services can also provide a mechanism for attackers to replace valid control logic with malicious logic if the device is not protected. The Allen-Bradley software Studio 5000 was used to download the logic from the PCS PLC to the engineering workstation. Physical access to the PLC was required in order to change the operation mode from RUN to REMOTE RUN.

SLIDE 23

Undefined Modbus TCP Function Codes Are Transmitted to PLC

Communications that do not conform to the defined specifications of the industrial protocol may cause an ICS device to act in an undefined or unsafe manner. Depending on the manufacturing process and the ICS device, the nonconforming communications may or may not be impactful, but investigation into the cause is warranted. Python was used to create a Modbus TCP message with the undefined function code value of 49 (0x31). The message was generated by the CybersecVM and was transmitted to the PLC Modbus server.
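Protocol-violation detection for this scenario reduces to parsing the Modbus TCP ADU and checking the request's function code against the codes the specification actually defines. The parser below is an added example, not code from the NIST report or CyberX; the public function-code assignments follow the Modbus Application Protocol Specification, and the two sample frames are constructed.

```python
"""Flag Modbus TCP requests whose function code is not defined by the Modbus spec.

Added example, not from the NIST report or CyberX. Public function-code
assignments follow the Modbus Application Protocol Specification V1.1b3;
the sample frames below are constructed for illustration.
"""
import struct

# Public function codes with spec-defined behaviour.
PUBLIC_DEFINED = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
# User-defined ranges: legal vendor extensions, but worth baselining per device.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))


def classify_function_code(fc):
    """Map a request function code to a category string."""
    if fc >= 0x80:
        return "exception-bit-set"  # only valid in responses, never in a request
    if fc in PUBLIC_DEFINED:
        return "public"
    if fc in USER_DEFINED:
        return "user-defined"
    return "undefined"  # public range but no defined behaviour (49 / 0x31 lands here)


def parse_adu(frame):
    """Parse a Modbus TCP ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame)}")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect(frame):
    """Return (category, function_code) for one request frame, or ('malformed', None)."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return ("malformed", None)
    return (classify_function_code(adu["fc"]), adu["fc"])


# Constructed frames: a normal Read Holding Registers request (fc 3) and the
# undefined-function-code request (0x31 = 49) from the NIST anomaly scenario.
READ_HOLDING = bytes.fromhex("000100000006010300000000a"[:24]) if False else bytes.fromhex("00010000000601030000000a")
UNDEFINED_49 = bytes.fromhex("00020000000601310000000a")

if __name__ == "__main__":
    for frame in (READ_HOLDING, UNDEFINED_49):
        print(inspect(frame))
```

A frame whose MBAP length field disagrees with the bytes on the wire is reported as malformed rather than classified, since a truncated or padded ADU is itself a protocol violation worth investigating.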

SLIDE 24

Brute-Force Password Attack

Compiled lists containing default user credentials are freely available on the internet. Given enough time, an attacker may be able to access vulnerable systems by using a brute-force password attack. The software Nmap was used to generate the brute-force password attack by using the script telnet-brute. The attack was pointed at the PCS router, which has a Telnet service for remote configuration and is protected by a password. The service was not configured to limit the number of authentication attempts.

SLIDE 25

Full Alert Flow

SLIDE 26

SLIDE 27

SLIDE 28

How CyberX Supports the NIST Cybersecurity Framework

NIST CSF functions and the corresponding CyberX capability areas:

  • Identify: Threat Insight
  • Prevent: Threat Prevention
  • Detect: Threat Detection
  • Respond: Threat Response
  • Recover: Threat Recovery

Capabilities:

  • Automated ICS threat modeling
  • ICS vulnerability management & mitigation
  • Integration with NGFWs
  • Continuous monitoring with patented analytics & self-learning for anomaly detection
  • Deep forensic & threat hunting tools
  • Native apps for IBM QRadar & Splunk
  • Integration with ArcSight, RSA, LogRhythm, McAfee
  • Asset discovery
  • Network topology mapping
  • Automated reporting to stakeholders
  • ServiceNow integration
  • IBM Resilient integration

SLIDE 29

CyberX Integration with Palo Alto Networks

  • Accelerate time between threat detection & prevention
  • Automatically generate firewall policies to block sources of malicious traffic identified by CyberX — use cases:
    • Unauthorized PLC changes
    • Protocol violations — can indicate malicious attempt to compromise device vulnerabilities (e.g., buffer overflow)
    • PLC Stop commands — can break production
    • Malware — e.g., programs using EternalBlue exploits
    • Scanning malware — can indicate cyber reconnaissance in early stages of breach
  • Implement granular network segmentation based on asset profiles
    • CyberX tags discovered assets with ICS properties (protocols, type, authorized, etc.)
    • Rapidly create asset-based segmentation policies & Dynamic Access Groups (DAGs)

SLIDE 30

CyberX Integration with Palo Alto App Framework (Cortex)

  • Analyze data collected by Palo Alto appliances already deployed in network
  • Native CyberX app now available from App Framework portal
  • https://apps.paloaltonetworks.com/marketplace/cyberx

SLIDE 31

Applying INL’s CCE Methodology to Securing ICS

CCE = Consequence-Driven Cyber-informed Engineering

  1. Identify Your Crown Jewel Processes
  2. Map the Digital Terrain
  3. Illuminate the Likely Attack Paths
  4. Generate Options for Mitigation and Protection

“If you’re in critical infrastructure you should plan to be targeted. And if you’re targeted, you will be compromised. It’s that simple.”

Andy Bochman, Senior Grid Strategist for National & Homeland Security, INL

https://cyberx-labs.com/resources/sans-webinar-cce-inl-new-approach-securing-critical-industrial-infrastructure/

SLIDE 32

Simulating Attack Paths to Crown Jewel Assets

SLIDE 33

CyberX shows visual simulation of entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching)

Choose your most critical “crown jewel” assets as targets

CyberX finds all potential attack paths, ranked by risk

Industry Unique — Automated ICS Threat Modeling

SLIDE 34

More than 1,200 Installations Worldwide

  • 2 of the top 5 US energy utilities
  • Top 5 global pharmaceutical company
  • Top 5 US chemical company
  • National energy pipeline & distribution company
  • Top 3 UK gas distribution utility
  • National electric utilities across EMEA & Asia-Pacific
  • Largest water desalination plant in western hemisphere
  • …and more

SLIDE 35

What Manufacturing Clients are Saying About CyberX

“Reducing risk to our production operations is smart business. CyberX gives us deep visibility into our OT environment and continuous OT risk management, while enabling unified security monitoring and governance across both IT and OT.”

Ariel Litvin | CISO

First Quality Enterprises, consumer goods manufacturer with nearly 5,000 employees

SLIDE 36

Manufacturing Case Study

  • CyberX ICS asset/vulnerability management & threat monitoring platform
  • Deployed in multiple plants with 8,000+ devices monitored
  • Centralized management provides global command-and-control across all facilities
  • CyberX integrated with SOC workflows and security stack
    • IBM QRadar (SIEM)
    • Siemplify (security automation and orchestration)
    • PAN NGFW infrastructure (prevention)

SLIDE 37

CyberX Services + Support Portfolio

  • Technical support via phone/email
  • Online help & knowledge base
  • Case management
  • Monthly “tips-and-tricks” webinar
  • Hardware support via Dell & Arrow

Optional services

  • Online & onsite training
  • Onboarding & Deployment Support
  • Network Architecture Planning
  • Onsite Incident Response
  • Forensic Analysis
  • SOC Enablement for ICS
  • 24x7 coverage & dedicated TAM

SLIDE 38

Most Mature & Interoperable Solution

STRATEGIC

  • Reduce Risk: Prevent costly production outages, safety & environmental failures, theft of corporate IP

TACTICAL

  • Gain Visibility: Auto-discover all OT assets & how they communicate
  • Seamless Integration: Integrate with all OT protocols and equipment, SOC workflows & existing security stacks
  • Prioritize Mitigations: Identify critical vulnerabilities & attack vectors
  • Detect & Respond to Threats Quickly: Continuously monitor for malware, targeted attacks & equipment failures

OPERATIONAL

  • Zero Impact: Non-intrusive & agentless

SLIDE 39

For More Information

ICS & IIoT Security Knowledge Base

  • Threat & vulnerability research
  • Black Hat research presentations
  • Transcripts & recordings from past SANS webinars
  • CyberX “Global ICS & IIoT Risk Report”
  • Presenting OT Risk to the Board
  • NISD Executive Guide

See Us at Upcoming Events

  • SANS ICS Security Summit & Training (Mar 18-19, Orlando)
  • Cyber Security for Critical Assets (CS4CA) (Mar 26-27, Houston)
  • ICS-JWG 2019 Spring Meeting (April 23-25, Kansas City)
  • ICS Cyber Security (April 24-26, London)
  • Public Safety Canada, ICS Security Symposium (May 29-30, Charlottetown)
  • Palo Alto Network IGNITE US (June 3-6, Austin)
  • API-IOG Cybersecurity Europe (June 19-20, London)

CyberX vulnerability research featured in Chapter 7 — free download from CyberX

slide-40
SLIDE 40

THANK YOU

info@cyberx-labs.com

SLIDE 41

Appendix

SLIDE 42

What Clients are Saying About CyberX

"As a UK gas distribution network, SGN relies on CyberX to deliver 24/7 visibility into our OT assets, vulnerabilities, and threats -- across thousands of distributed networks -- with zero impact on operations."

Mo Ahddoud, CISO

SGN