[PPT] - Implementing Consequence-Driven Cybersecurity with Continuous ICS PowerPoint Presentation

SLIDE 1

SLIDE 2

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Phil Neray, VP of Industrial Cybersecurity

SLIDE 3

Agenda

NotPetya: How a Single Piece of

Code Crashed the World (Wired)

VPNFilter Update
What Happens When You Expose

an ICS Honeypot

Implementing Consequence-Driven

Cybersecurity with Continuous ICS Monitoring & Threat Modeling

SLIDE 4

Why It Matters

“INSECURE BY DESIGN” NETWORKS SUPPORT BUSINESS NEED FOR DIGITALIZATION RANGE OF MOTIVATED ADVERSARIES

Image Credit: CyberScoop/Jolie Gender

SLIDE 5

NotPetya: How a Single Piece of Code Crashed the World (WIRED)

“Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”

– Thomas Rid, Johns Hopkins’ School of Advanced International Studies.

“Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco

Propelled by a combination EternalBlue and

Mimikatz; spread via intranets

Spread within hours from a Ukrainian software

firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

SLIDE 6

Update on VPNFilter Malware

Multi-stage router malware

– MODBUS packet sniffer – Wipes firmware of devices – Uses BE malware from 2015 Ukraine grid attack

Latest updates from Cisco Talos

– Endpoint exploitation tool

Redirects and inspects content of HTTP traffic
Download binary payload & perform on-the-fly patching of Windows executables

– Port scanning & network mapping tool

Identify additional devices for lateral movement/compromise

– DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wikr, Signal) – New ways to obfuscate or encrypt malicious traffic; build distributed proxy network

6 https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/ https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

SLIDE 7

ICS Honeypot Experiment

Simulated ICS environment

– IT network, OT network with HMI – 3 Internet-facing servers with RDP, SSH & weak passwords – DNS names registered; internal names resembled “well-known” electric utility

In 2 days: compromised by xDedic RDP Patch tool
10 days: access to back door from “new owner”

– Presumed bought access to ICS via black market

Multipoint network reconnaissance to identify paths from IT to OT

https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.html https://www.cybereason.com/blog/industrial-control-system-specialized-hackers

SLIDE 8

(1) Identify “Crown Jewel” Processes

Functions whose failure would threaten

your company’s very survival

– Revenue – Lawsuits – Brand reputation – Theft of intellectual property – Major compliance violations

Requires conversations with business owners & OT
Examples

– Safety systems – Critical manufacturing production lines – Transformers or gas compressor stations – Historians (pharma)

8

SLIDE 9

(2) Map Digital Terrain

Asset discovery & network

topology mapping

“How does information

move through your network?”

“Who touches your

equipment — and how do do they connect?”

SLIDE 10

(3) Illuminate Most Likely Attack Paths

Tabletop exercises
Pen testers
Automated threat modeling

– Map ICS topology – Identify vulnerabilities – Calculate most likely attack paths

SLIDE 11

Simulating Attack Paths to Critical Assets

SLIDE 12

CyberX shows visual simulation

f entire attack chain, enabling

“what-if” scenarios for remediation and mitigation (e.g., zoning, patching) Choose your most critical “crown jewel” assets as targets CyberX finds all potential attack paths, ranked by risk

Automated ICS Threat Modeling

SLIDE 13

(4) Options for Mitigation & Protection

Reduce # of digital pathways to a minimum

– Unauthorized Internet connections – Segmentation – Privileged identity management & secure remote access

Address vulnerabilities

– Weak passwords – Unused open ports – Patching where possible

Implement compensating controls

– Continuous monitoring with behavioral anomaly detection – Integration with firewall infrastructures

13

SLIDE 14

Detect & Respond Faster

SLIDE 15

Investigations & Threat Hunting

SLIDE 16

Palo Alto NGFW Panoram a Cell Switch Cell Switch Cell Switch

Zone Switch Zone Switch

Cell Switch Cell Switch

SOC/DMZ

Policy Approval & Push

3

Automated NGFW Policy Creation

2

SIEM Engineering Workstation HMI Controllers

1

CyberX Alert

CyberX Firewall Integration

SLIDE 17

CyberX at a Glance

Founded in 2013 by military cyber experts with

nation-state expertise defending critical infrastructure

HQ in Boston with R&D and Threat Intelligence teams in Israel
Purpose-built OT security platform

– Asset management, vulnerability & risk management, continuous threat monitoring – Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning – Integrates with existing SOC workflows & security stack for unified IT/OT monitoring

Partnerships & integrations with major security companies & MSSPs worldwide

– IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, … – Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, …

SLIDE 18

ICS Zero-Day Vulnerabilities Discovered by CyberX

https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow
https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Valid. (DDoS)
https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element
Undisclosed RCE vulnerability in controller (vendor Y)

CyberX researched featured in Chapter 7

SLIDE 19

CyberX Central Manager Corporate SOC

CyberX SOC Enablement Services

SIEM

Ticketing System

CyberX Malware Analysis Sandbox Service CyberX Global ICS Threat Intelligence

Scalable Multi-Tier Architecture with Centralized Control

SLIDE 20

“Mandiant recently responded to an incident at a critical infrastructure

rganization where an

attacker deployed a malware framework — which we call TRITON — designed to manipulate Triconex Safety Instrumented System (SIS) controllers.” FireEye, December 14

SLIDE 21

CONFIDENTIAL

21

Palo Alto Networks Proprietary and Confidential

The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage the firm’s operations and trigger an explosion.”

The New York Times

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

Goal: Disable plant safety systems? Campaign: Connected to Shamoon attacks? Who: Likely Iran with assistance from Russia or N. Korea?

SLIDE 22