implementing consequence driven cybersecurity with
play

Implementing Consequence-Driven Cybersecurity with Continuous ICS - PowerPoint PPT Presentation

Aug 07, 2023 •357 likes •610 views

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling Phil Neray, VP of Industrial Cybersecurity Agenda NotPetya: How a Single Piece of Code Crashed the World (Wired) VPNFilter Update

  2. Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling Phil Neray, VP of Industrial Cybersecurity

  3. Agenda • NotPetya: How a Single Piece of Code Crashed the World (Wired) • VPNFilter Update • What Happens When You Expose an ICS Honeypot • Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

  4. Why It Matters SUPPORT BUSINESS NEED RANGE OF MOTIVATED “INSECURE BY DESIGN” FOR DIGITALIZATION ADVERSARIES NETWORKS Image Credit: CyberScoop/Jolie Gender

  5. NotPetya: How a Single Piece of Code Crashed the World (WIRED ) “Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.” – Thomas Rid, Johns Hopkins’ School of Advanced International Studies. “Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco • Propelled by a combination EternalBlue and Mimikatz; spread via intranets • Spread within hours from a Ukrainian software firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

  6. Update on VPNFilter Malware • Multi-stage router malware – MODBUS packet sniffer – Wipes firmware of devices – Uses BE malware from 2015 Ukraine grid attack • Latest updates from Cisco Talos – Endpoint exploitation tool • Redirects and inspects content of HTTP traffic • Download binary payload & perform on-the-fly patching of Windows executables – Port scanning & network mapping tool • Identify additional devices for lateral movement/compromise – DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wikr, Signal) – New ways to obfuscate or encrypt malicious traffic; build distributed proxy network https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/ https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html 6

  7. ICS Honeypot Experiment • Simulated ICS environment – IT network, OT network with HMI – 3 Internet-facing servers with RDP, SSH & weak passwords – DNS names registered; internal names resembled “well-known” electric utility • In 2 days: compromised by xDedic RDP Patch tool • 10 days: access to back door from “new owner” – Presumed bought access to ICS via black market • Multipoint network reconnaissance to identify paths from IT to OT https://www.cybereason.com/blog/industrial-control-system-specialized-hackers https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.html

  8. (1) Identify “Crown Jewel” Processes • Functions whose failure would threaten your company’s very survival – Revenue – Lawsuits – Brand reputation – Theft of intellectual property – Major compliance violations • Requires conversations with business owners & OT • Examples – Safety systems – Critical manufacturing production lines – Transformers or gas compressor stations – Historians (pharma) 8

  9. (2) Map Digital Terrain • Asset discovery & network topology mapping • “How does information move through your network?” • “Who touches your equipment — and how do do they connect?”

  10. (3) Illuminate Most Likely Attack Paths • Tabletop exercises • Pen testers • Automated threat modeling – Map ICS topology – Identify vulnerabilities – Calculate most likely attack paths

  11. Simulating Attack Paths to Critical Assets

  12. Automated ICS Threat Modeling CyberX finds all potential attack paths, ranked by risk Choose your most critical “crown jewel” assets as targets CyberX shows visual simulation of entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching)

  13. (4) Options for Mitigation & Protection • Reduce # of digital pathways to a minimum – Unauthorized Internet connections – Segmentation – Privileged identity management & secure remote access • Address vulnerabilities – Weak passwords – Unused open ports – Patching where possible • Implement compensating controls – Continuous monitoring with behavioral anomaly detection – Integration with firewall infrastructures 13

  14. Detect & Respond Faster

  15. Investigations & Threat Hunting

  16. CyberX Firewall Integration Panoram SIEM a 3 Policy Approval & Push SOC/DMZ Palo Alto NGFW 1 CyberX 2 Automated NGFW Policy Creation Alert Engineering Workstation Zone Zone HMI Switch Switch Cell Cell Cell Cell Cell Switch Switch Switch Switch Switch Controllers

  17. CyberX at a Glance • Founded in 2013 by military cyber experts with nation-state expertise defending critical infrastructure • HQ in Boston with R&D and Threat Intelligence teams in Israel • Purpose-built OT security platform – Asset management, vulnerability & risk management, continuous threat monitoring – Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning – Integrates with existing SOC workflows & security stack for unified IT/OT monitoring • Partnerships & integrations with major security companies & MSSPs worldwide – IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, … – Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, …

  18. ICS Zero-Day Vulnerabilities Discovered by CyberX • https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow • https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow CyberX researched • https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow featured in Chapter 7 • https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Valid. (DDoS) • https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element • Undisclosed RCE vulnerability in controller (vendor Y)

  19. Scalable Multi-Tier Architecture with Centralized Control CyberX Central Manager Corporate SOC SIEM CyberX Global ICS Threat Intelligence CyberX SOC Enablement Services Ticketing System CyberX Malware Analysis Sandbox Service

  20. “Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed a malware framework — which we call TRITON — designed to manipulate Triconex Safety Instrumented System (SIS) controllers.” FireEye, December 14

  21. 21 Palo Alto Networks Proprietary and Confidential The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage the firm’s operations and trigger an explosion.” The New York Times Goal : Disable plant safety systems? Campaign : Connected to Shamoon attacks? Who : Likely Iran with assistance from Russia or N. Korea? https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html CONFIDENTIAL

  22. TRITON Cyberattack on Petrochemical Facility Deploy PC malware 4 1 2 3 Install RAT in safety PLC Steal OT credentials Disable safety PLC & launch 2 nd cyberattack TriStation Protocol L4 L3 L1 L0 L2 22 CONFIDENTIAL

  23. For More Information ICS & IIoT Security Knowledge Base • Threat & vulnerability research (Black Energy, etc.), transcripts from SANS webinars, CyberX “Global ICS & IIoT Risk Report”, research presentations from Black Hat Europe See Us at Upcoming Events • CS4CA Europe (Oct. 2-3, London) — NISD presentation • ICS Cyber Security Summit (Oct. 9-10, London) • Palo Alto Network IGNITE Europe (Oct. 8-10, Amsterdam) – Featuring joint session with CISO of leading manufacturer CyberX vulnerability research • MANUSEC (Oct. 9-10, Chicago) featured in Chapter 7 — free • ICS Cyber Security Conference (Oct. 22-25, Atlanta) download from CyberX – Free ½-day hands-on workshop with Palo Alto Networks & CyberX – Joint session with Emerson Automation Solutions: “ICS Security Researchers & Automation Vendors: Building Mutual Trust” • EU Utility Week (Nov. 6-8, Vienna) featuring CISO from EWZ Energy

  24. Thank You! phil@cyberx-labs.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
As a consequence of armed conflicts in As a consequence of armed conflicts in the 1990s, over 3

As a consequence of armed conflicts in As a consequence of armed conflicts in the 1990s, over 3

J OINT R EGIONAL P ROGRAMME ON D URABLE S OLUTIONS FOR R EFUGEES AND D ISPLACED P ERSONS D S R D P P ROGRAMME B ACKGROUND As a consequence of armed conflicts in As a consequence of armed conflicts in the 1990s, over 3 million people were

132 views • 9 slides
The Modern Cybersecurity Stack Data-Driven Network Monitoring with Bro Robin Sommer Corelight,

The Modern Cybersecurity Stack Data-Driven Network Monitoring with Bro Robin Sommer Corelight,

The Modern Cybersecurity Stack Data-Driven Network Monitoring with Bro Robin Sommer Corelight, Inc. / International Computer Science Institute / Lawrence Berkeley National Lab robin@icsi.berkeley.edu https://www.icir.org/robin Network

565 views • 40 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Dissemination and Implementation: Putting Evidence into Practice Implementing Peer-Driven Care to

Dissemination and Implementation: Putting Evidence into Practice Implementing Peer-Driven Care to

Dissemination and Implementation: Putting Evidence into Practice Implementing Peer-Driven Care to Patients with Sleep Apnea Sairam Parthasarathy, MD Chief, Division of Pulmonary, Allergy, Critical Care & Sleep Medicine @sai_sparthamd

507 views • 25 slides
Success and Failure of Implementing Data-driven Upscaling Using Flux Networks and Remote Sensing

Success and Failure of Implementing Data-driven Upscaling Using Flux Networks and Remote Sensing

Success and Failure of Implementing Data-driven Upscaling Using Flux Networks and Remote Sensing Jingfeng Xiao Complex Systems Research Center, University of New Hampshire FLUXNET and Remote Sensing Open Workshop June 7-9, 2011, Berkeley, CA

917 views • 27 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
Admissibility for multi-conclusion consequence relations and universal classes Micha l

Admissibility for multi-conclusion consequence relations and universal classes Micha l

Admissibility for multi-conclusion consequence relations and universal classes Micha l Stronkowski Warsaw University of Technology TACL, Prague, June 2017 plan single-conclusion consequence relations and quasivarieties

362 views • 23 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
Propositional Logic: Tautological Consequence and Translations Alice Gao Lecture 6 CS 245

Propositional Logic: Tautological Consequence and Translations Alice Gao Lecture 6 CS 245

Propositional Logic: Tautological Consequence and Translations Alice Gao Lecture 6 CS 245 Logic and Computation Fall 2019 Alice Gao 1 / 25 Outline Learning goals Satisfaction of a Set of Formulas Tautological Consequence

394 views • 25 slides
Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel Sofia, Bulgaria Mr. Joaqun Castelln , Operational Director Spanish National Security Department Ms. Anita TIKOS , Desk Officer for International

197 views • 15 slides
EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU Cybersecurity European policy overview e-IRG e-IRG 4 December 2019 Brussels Anni Hellman, Senior Expert, Permanent Representation of Finland to the European Union Seconded for the Finnish Presidency from the Directorate General

320 views • 28 slides
INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
Beyond the Hype Liability and AI What do these have in common? Why might there be an issue?

Beyond the Hype Liability and AI What do these have in common? Why might there be an issue?

Beyond the Hype Liability and AI What do these have in common? Why might there be an issue? Complexity and black boxed-ness Lots of code, from different sources Combination of code and training data Opacity of the

526 views • 19 slides
BHP 2018 Projected Net Revenue Requirement Meeting October 25, 2017 10:00 AM MPT Black Hills

BHP 2018 Projected Net Revenue Requirement Meeting October 25, 2017 10:00 AM MPT Black Hills

BHP 2018 Projected Net Revenue Requirement Meeting October 25, 2017 10:00 AM MPT Black Hills Energy 409 Deadwood Ave Training Room Rapid City, SD 57702 Agenda Introductions CUS Transmission System Overview Black Hills Powers

163 views • 12 slides
Dress Code and Personal Presentation Policy Endorsed by P&C on 26/11/19 To be signed at

Dress Code and Personal Presentation Policy Endorsed by P&C on 26/11/19 To be signed at

Dress Code and Personal Presentation Policy Endorsed by P&C on 26/11/19 To be signed at February 2020 P&C meeting Rationale At Fortitude Valley State Secondary College our vision is ' To create a community of agile learners who are bold,

243 views • 8 slides
Huron Medical Center 2012 Annual Mandatory Review Emergency Preparedness/NIMS Thank you for

Huron Medical Center 2012 Annual Mandatory Review Emergency Preparedness/NIMS Thank you for

December 2012 Huron Medical Center 2012 Annual Mandatory Review Emergency Preparedness/NIMS Thank you for reading this information! Your participation in the Annual Mandatory Safety Education is important for your safety and the safety of

300 views • 7 slides
SCHOOL SAFETY MEETING COOPER CITY HIGH SCHOOL AUGUST 20, 2015 District Emergency/Security

SCHOOL SAFETY MEETING COOPER CITY HIGH SCHOOL AUGUST 20, 2015 District Emergency/Security

SCHOOL SAFETY MEETING COOPER CITY HIGH SCHOOL AUGUST 20, 2015 District Emergency/Security Codes CODE RED: Full Lockdown No movement in the building other than by Police/Fire Personnel and persons designated by them. CODE YELLOW: Lockdown

725 views • 18 slides
AMENDED BROAD -BASED BLACK ECONOMIC EMPOWERMENT CODES OF GOOD PRACTICE OCTOBER 2012

AMENDED BROAD -BASED BLACK ECONOMIC EMPOWERMENT CODES OF GOOD PRACTICE OCTOBER 2012

AMENDED BROAD -BASED BLACK ECONOMIC EMPOWERMENT CODES OF GOOD PRACTICE OCTOBER 2012 CONSTITUTIONAL MANDATE Section 9 of the Bill of Rights Equality includes the full and equal enjoyment of all rights and freedoms. To promote the

603 views • 41 slides
COLOR (or colour) Color Perception Visible color Gamut RGB color Gamut Pantone color Gamut

COLOR (or colour) Color Perception Visible color Gamut RGB color Gamut Pantone color Gamut

COLOR (or colour) Color Perception Visible color Gamut RGB color Gamut Pantone color Gamut CMYK color Gamut The perception of color is very subjective. Color Perception RGB fmow Digital printing small numbers standard sizes

332 views • 18 slides
Grey & the improved Management of Clinical Aggression (MOCA) DATE: 18/10/16 Presenters:

Grey & the improved Management of Clinical Aggression (MOCA) DATE: 18/10/16 Presenters:

Journey to a Clinically Led Code Grey & the improved Management of Clinical Aggression (MOCA) DATE: 18/10/16 Presenters: Alisha Bedggood Marcus Hovey 10/10/2016 Acknowledgements Melbourne Health Vikki Dearie and Nigel Toomey

469 views • 20 slides

More recommend