Dragos, Inc. | May 2019 - PowerPoint PPT Presentation



SLIDE 1

Joe Slowik / @jfslowik Dragos, Inc. | May 2019

SLIDE 2

Student

SLIDE 3

Student Officer

SLIDE 4

Student Officer Network Defender

SLIDE 5

Student Officer Network Defender ICS Defender

SLIDE 6

SLIDE 7

https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf

SLIDE 8

http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png

SLIDE 9

  • Increasing Adoption of IT Technology in ICS Environments
  • Perimeter Extension and Greater Connectivity
  • Increased Vendor Interest in ICS Security

SLIDE 10

  • Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment
  • Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT
  • Result: IT threat surface imported to IT environment – WITHOUT the same security capabilities

SLIDE 11

Traditional ICS Perimeter

  • Vendor and Contractor Access
  • Increased Remote Work and Administration
  • Cloud and Off-Prem Products

SLIDE 12

  • Increased vendor interest in ICS space
  • Attempt to leverage “IT-ification” as justification to extend existing IT products to industrial
  • Fails to recognize operational and technical differences in how IT technologies are deployed for industrial use

SLIDE 13

  • Breach victim IT network
  • Identify points of contact with ICS
  • Enumerate and categorize control system environment
  • Deliver effects on objective

SLIDE 14

SLIDE 15

Preparatory Actions

Deny, Degrade, Destroy

SLIDE 16

SLIDE 17

Recon & Initial Access: Many Attempts

Deny, Degrade, Destroy: Few Examples

SLIDE 18

ICS-Focused Malware

  • STUXNET
  • HAVEX
  • BLACKENERGY2
  • CRASHOVERRIDE
  • TRISIS

ICS Disruptive Events

  • 2005-2010 (?): STUXNET
  • 2014: German Steel Mill Attack
  • 2015: Ukraine BLACKENERGY3
  • 2016: Ukraine CRASHOVERRIDE
  • 2017: Saudi Arabia TRISIS

Disruptive/Destructive Malware

  • STUXNET
  • CRASHOVERRIDE
  • TRISIS

SLIDE 19

  • More Aggressive Attacks
  • Greater Adversary Risk Tolerance
  • Pursuit of Physical ICS Attacks
  • Heightened Danger to Asset Owners

SLIDE 20

Legacy (pre-2016)

  • Custom Malware and Specific Tools
  • Exploit Use for Movement and Access
  • Manual Operations for ICS Impact

Current

  • “Commodity” Techniques until ICS Attack
  • Credential Theft and System Tool Use to Spread
  • ICS Effects and Manipulation Codified in Software

SLIDE 21

Initial Intrusion & Lateral Movement

  • Leverage “Commodity” Tools
  • Deploy “Living off the Land” Techniques
  • Avoid Custom Tools and Tradecraft

ICS-Specific Disruption

  • Attacks are Unique to Target, Environment
  • Requires Building Custom Attack Software
  • Little Scope for Direct Replay

SLIDE 22

SLIDE 23

SLIDE 24

ICS Environments are “Brittle”

  • Little scope for direct testing
  • Asset owners are conservative

ICS Attacks have Pre-Requisites

  • Focus on enabling factors for testing
  • Imperfect for complete security, but valuable for defense in depth

Multiple Paths to Security Testing

  • Notional/Logical testing has value
  • Direct penetration testing may be least valuable option
SLIDE 25

Asset Owner Trust

  • Clear communication and requirements necessary
  • Be prepared for extensive discussion on ROE
  • What experience, certifications, and training do you need to enter the environment?

Technical Capability

  • Determine scope and direction of test
  • ICS tools vs. IT tools – depends on type and extent of assessment
  • Are custom tools/capabilities required?

Identifying End-State

  • Delineate goals in advance relative to ICS operations:
    • Improve security
    • Enhance recovery
    • Minimize downtime

SLIDE 26

SLIDE 27

Initial Intrusion

  • Enterprise IT access
  • Enumerate and scope environment
  • Identify and gather information of interest to ICS operations

IT-ICS Pivot

  • Identify mechanisms to migrate to ICS
  • Requires continuous connectivity to adversary infrastructure

ICS Impact

  • Two mechanisms:
    • Manual manipulation (legacy)
    • Automated interaction (current)
  • Goal is to manipulate physical processes via logical means

SLIDE 28

IT Intrusion

  • Essentially a standard penetration test
  • For industrial organizations, may need to assign “special attention” to operationally-significant groups

IT-ICS Boundary

  • Identify and assess IT-ICS links
  • Still represents an IT-centric test, but determines ICS environment external risk

ICS Penetration

  • Options include Windows-centric lateral movement testing, or process-specific assessment
  • Identify tools and techniques needed in advance in light of ROE

ICS Impact

  • Notional/logical only
  • Demonstrate mechanisms through which impact could occur – rather than creating such an impact

SLIDE 29

Confidentiality

Integrity

Availability

SLIDE 30

ICS Operations

Process Safety

Process Reliability

Process Integrity

SLIDE 31

  • Physical-process nature of ICS limits ability to directly assess impacts
  • Focus instead on pathways to ICS impact
  • When desired, leverage notional testing through table tops and walk-throughs for direct impact assessment

SLIDE 32

Initial Intrusion

  • Essentially the same as a “normal” penetration test
  • Identify ingress points to the organization

Lateral Movement

  • Identify and map routes to reach control systems
  • What pathways exist enabling ICS access

ICS Breach

  • Once ICS accessed, what options are available to an adversary
  • Test visibility, response, and monitoring

SLIDE 33

  • Recognize limitations in ICS environments for direct testing
  • Leverage whole-of-kill-chain approach for comprehensive assessment
  • Build off of known ICS attacks to develop methodologies

SLIDE 34

Table Top Exercise

  • Walk through plans and responses
  • Least invasive, also likely to have least value*

Attack Surface Assessment

  • Logical and interactive probing of ICS-facing assets
  • Determine and evaluate risk with minimally-invasive techniques

Interactive Pen Test

  • Risky in the sense of possible “unforeseen consequences”
  • Most valuable in accurately gauging defense

SLIDE 35

  • Opportunistic IT Infections spreading to ICS
  • Direct Disruptive ICS Events
  • ICS Integrity Attacks

SLIDE 36

SLIDE 37

Identify IT-ICS Links

  • Assess monitoring and access controls
  • Identify work-arounds

Lateral Movement in ICS

  • How can additional systems in ICS be reached
  • What is the scope of spread from IT

ICS Recovery

  • Table top or discussion only
  • Plans and procedures for restoring operation

SLIDE 38

SLIDE 39

Launcher Start

  • Select Payload
  • Initiate ICS Impact

Payload Execution

  • Connect to Control Systems
  • Manipulate State

Wiper

  • Wait for Timer
  • Delete Files, Remap Services, Reboot System

Post-Attack

  • Leave behind “Backup” Backdoor
  • SIPROTEC DDoS (Fail)

SLIDE 40

  • Test C2 capability from ICS
  • Interactive lateral movement within ICS environment
  • Determine accessibility of critical systems (DCS, RTU, Historian, etc.)
  • Table top or walk-through of possible impacts enabled by access

SLIDE 41

SLIDE 42

  • Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
  • Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
  • Utilize remote access to OT network via stolen credentials
  • Continue pivoting through network via credential capture
  • Gain sufficient access to SIS to deploy TRISIS

SLIDE 43

  • Map out critical systems for ICS operational safety and integrity
  • Determine access and communication possibilities to these systems
  • Evaluate monitoring and auditing mechanisms
  • Walk through integrity attack scenarios based on access findings

SLIDE 44

IT Skills have a Role in ICS Testing

  • Audit and test links and communication
  • “IT-ification” means production networks feature similarities to IT

Scope Needs and Purpose

  • What is actually being tested?
  • How will the actions better the organization?

Identify Core Interests and Values

  • Safety, Reliability, and Integrity are critical
  • Ensure methodologies respect and aim to secure these values!
SLIDE 45

  • Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)
  • Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)
  • TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)
  • Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
  • TRITON – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)
  • Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)

SLIDE 46