SLIDE 1

DETECTING, FINGERPRINTING AND TRACKING RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS

By Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf & Basile L. Agba

SLIDE 2

Outline

  • Introduction
  • Methodology
  • Results
  • Conclusion

June 17, 2019

Detecting, Fingerprinting and Tracking ICS Campaigns


SLIDE 3


INTRODUCTION


SLIDE 4

Motivation

Industrial Control Systems (ICS) are vital pieces of our infrastructure
  • Used in the smart grid, smart cities, smart devices, building automation
  • Sharp rise in the number of internet-connected devices
  • The Internet is a huge attack surface against ICS and IoT

ICS are attractive and vulnerable targets
  • Huge financial cost of any successful attack against ICS
  • Consequences in the physical world: blackouts, destroyed equipment, …

Rise in the use of sophisticated attacks
  • Industroyer, BlackEnergy, Triton, …
  • These attacks require sophisticated know-how and knowledge of their targets


SLIDE 5

Problem statement

With the onset of Internet-driven cyber attacks…
  • Need for accurate, timely & reliable intelligence on incoming cyber attacks
  • To mitigate & prevent attacks before they occur

As reconnaissance campaigns are precursors to cyber attacks…
  • Need for a tool to identify campaigns accurately and in near real-time
  • Identifying the sources, the targeted ICS devices & the scanning techniques


SLIDE 6

Contributions

  • Near real-time detection of ICS probing campaigns
  • Tracking, characterization & identification of campaigns
  • Intelligence on campaign sources & targeted ICS infrastructure


SLIDE 7


METHODOLOGY


SLIDE 8

Overview

[figure on the slide, not captured in this transcript]

SLIDE 9

Network telescope (darknet) data

  • Originates from a /13 network telescope
    ▪ 11 subnets from 12 countries
    ▪ About ½ million IP addresses (a /13 spans 524,288 addresses)
    ▪ Live stream of network traffic: over 28 GB per day
  • Packets batched in PCAP-formatted files arrive in real time
  • Contains ICS/IoT-protocol traffic
  • Monitors 27 ICS/IoT protocols

SLIDE 10

Features

  • Extracts primary features from individual packets
    ▪ Header fields & payload
  • Extracts secondary features from groups of packets

Primary features (IPv4 header): Total Length, IHL, Fragment Offset, IPv4 Flags, TTL, ToS, IPv4 Options, Identification
Primary features (TCP header): TCP Flags, TCP Options, Urgent Pointer, Offset (data offset), Window Size, Sequence #, Acknowledgement #
Primary features (other): Payload
Secondary features: Destination Overlap, Packet-to-Destination Ratio, Packet Interval

SLIDE 11

Classification

  • Core component of the campaign identification process

  • Packet Aggregation, using source IP and protocol
    ▪ Storing packet information in node data structures
  • Graph Generation, using header-feature matching
    ▪ Pairwise node comparison using the stored packet information
  • Cluster Formation, using graph-theory metrics
    ▪ Partitioning the weighted graph based on edge weights
  • Campaign Identification, using temporal-feature matching
    ▪ Removing outliers from the cluster
  • Signature Generation, based on characteristic features
    ▪ Using the common packet information shared by all nodes in the cluster

SLIDE 12

Calculating the weights

  • Weight calculation used for graph generation

    ▪ $w_i$ : the weight of the $i$th feature
    ▪ $A$ : the set of counts giving how many times each value of the $i$th feature appears
    ▪ $a_j$ : the number of occurrences of the $j$th value of the $i$th feature
    ▪ $N = \sum_{j=1}^{n} a_j$ : the sum of all values in $A$ (the total number of packets)
    ▪ $d$ : exponent in the range [0, 1]

$$ w_i = \left( \sum_{a_j \in A} -\frac{a_j}{N} \log_{|A|} \frac{a_j}{N} \right)^{d} $$

The sum is the Shannon entropy of the feature's value distribution; taking the logarithm in base $|A|$ normalizes it to [0, 1], so $w_i \in [0, 1]$. A feature that takes a single value across the data has entropy 0 and therefore contributes nothing to the similarity score.

SLIDE 13

Feature weight calculation

[figure on the slide, not captured in this transcript]

SLIDE 14

Similarity score

  • Compares the features in the packets from each source IP
  • Features are represented as vectors of probabilities (each value's count divided by the node's packet total)
  • Calculates the distance between the vectors
  • Adds the scores for each feature together

Example node contents (value : count), as printed on the slide:

  ttl          "32" : 3, "64" : 10, "128" : 2, "256" : 5, …
  source port  "80" : 1, "102" : 2, "502" : 1, "8080" : 1, …
  tcp_flags    "100000" : 5, "110000" : 2, "000000" : 1, …

(TTL is an 8-bit field, so the value 256 on the slide is illustrative only; a real capture tops out at 255.)

SLIDE 15

Calculating the similarity score

  • Similarity score between two nodes for a feature $i$

    ▪ $s_i$ : similarity score for feature $i$
    ▪ $w_i$ : weight of the $i$th feature
    ▪ $N_x$ : set of all distinct values of feature $i$ in node $x$
    ▪ $n_{xj}$ : number of occurrences of the value $j$ in node $x$ (0 if the value never appears in node $x$)
    ▪ $V_x = \sum_{k=1}^{|N_x|} n_{xk}$ (i.e. the total number of packets in node $x$)
    ▪ $U = N_1 \cup N_2$

$$ s_i = w_i \times \left( 1 - \frac{\min(V_1, V_2)}{\max(V_1, V_2)} \times \frac{1}{2} \times \sum_{k=1}^{|U|} \left( \frac{n_{1k}}{V_1} - \frac{n_{2k}}{V_2} \right)^{2} \right) $$

The squared distance between two probability vectors is at most 2, so the halved sum lies in [0, 1] and $s_i$ lies in $[0, w_i]$.

SLIDE 16

Calculating the similarity score

  • Similarity score between the payloads of two nodes

    ▪ $s_{payload}$ : similarity score for the payload feature
    ▪ $w_{payload}$ : weight of the payload feature
    ▪ $|P_x|$ : size of payload $x$
    ▪ $b_{xi}$ : the $i$th byte in $P_x$

$$ s_{payload} = w_{payload} \times \frac{\sum_{i=1}^{\min(|P_1|, |P_2|)} [\, b_{1i} = b_{2i} \,]}{\max(|P_1|, |P_2|)} $$

The comparison is positional: bytes are compared at the same offset, so a single inserted byte misaligns everything after it, and a length difference counts the unmatched tail against the score. When both payloads are empty the quotient is 0/0 and an implementation must define the result explicitly.
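The three formulas above (feature weight from slide 12, per-feature similarity from slide 15, payload similarity from slide 16) carried through in code, as an added example that is not the authors' implementation. Node A reuses the illustrative value counts from slide 14 (the slide's "…" tails are dropped, so each feature's packet total is computed from the counts shown); node B is an invented uniform SYN scanner. Deriving the weights from the pooled counts of the nodes being compared, the exponent d = 0.5, and the sample payloads are assumptions made for this demonstration.

```python
"""Feature weights and node similarity as defined on slides 12, 15 and 16.

Added example, not the authors' code. NODE_A follows slide 14; NODE_B, the
payloads, the pooled-weight derivation and d = 0.5 are assumptions.
"""
import math
from typing import Dict, Iterable, Mapping

Counts = Mapping[str, int]          # feature value -> number of packets carrying it
Node = Dict[str, Dict[str, int]]    # feature name -> Counts

# Node A: value counts printed on slide 14 (the trailing "…" on the slide is dropped).
NODE_A: Node = {
    "ttl": {"32": 3, "64": 10, "128": 2, "256": 5},
    "source_port": {"80": 1, "102": 2, "502": 1, "8080": 1},
    "tcp_flags": {"100000": 5, "110000": 2, "000000": 1},
}
# Node B: constructed uniform scanner, 20 identical SYNs from one source port.
NODE_B: Node = {
    "ttl": {"64": 20},
    "source_port": {"40000": 20},
    "tcp_flags": {"000010": 20},
}
# Constructed payloads: a Modbus-style request for A, no payload for B.
PAYLOAD_A = bytes.fromhex("000100000006010300000001")
PAYLOAD_B = b""


def feature_weight(counts: Counts, d: float = 0.5) -> float:
    """Slide 12: w_i = ( sum_{a_j in A} -(a_j/N) * log_{|A|}(a_j/N) )^d.

    The base-|A| logarithm normalizes the Shannon entropy to [0, 1];
    a feature that takes a single value carries no information and gets 0.
    """
    if not 0.0 <= d <= 1.0:
        raise ValueError("d must lie in [0, 1]")
    values = [a for a in counts.values() if a > 0]
    n = sum(values)
    if len(values) < 2 or n == 0:
        return 0.0
    entropy = -sum((a / n) * math.log(a / n, len(values)) for a in values)
    return entropy ** d


def feature_similarity(w_i: float, node1: Counts, node2: Counts) -> float:
    """Slide 15: s_i = w_i * (1 - min(V1,V2)/max(V1,V2) * 1/2 * sum_k (n_1k/V1 - n_2k/V2)^2).

    k runs over U = N_1 ∪ N_2, with n_xk = 0 when value k is absent from node x.
    """
    v1, v2 = sum(node1.values()), sum(node2.values())
    if v1 == 0 or v2 == 0:
        return 0.0
    union = set(node1) | set(node2)
    sq_dist = sum((node1.get(k, 0) / v1 - node2.get(k, 0) / v2) ** 2 for k in union)
    return w_i * (1.0 - (min(v1, v2) / max(v1, v2)) * 0.5 * sq_dist)


def payload_similarity(w_payload: float, p1: bytes, p2: bytes) -> float:
    """Slide 16: positional byte matches divided by the longer payload length.

    Two empty payloads are treated as identical (the formula alone gives 0/0).
    """
    longest = max(len(p1), len(p2))
    if longest == 0:
        return w_payload
    matching = sum(1 for x, y in zip(p1, p2) if x == y)
    return w_payload * matching / longest


def pooled_weights(nodes: Iterable[Node], d: float = 0.5) -> Dict[str, float]:
    """Assumption for this example: A (slide 12) is the pooled value counts of the given nodes."""
    pooled: Dict[str, Dict[str, int]] = {}
    for node in nodes:
        for feature, counts in node.items():
            bucket = pooled.setdefault(feature, {})
            for value, count in counts.items():
                bucket[value] = bucket.get(value, 0) + count
    return {feature: feature_weight(counts, d) for feature, counts in pooled.items()}


def node_similarity(node1: Node, node2: Node, weights: Mapping[str, float],
                    w_payload: float, payload1: bytes, payload2: bytes) -> float:
    """Edge weight between two nodes: the per-feature scores summed, plus the payload score."""
    score = sum(feature_similarity(w, node1.get(f, {}), node2.get(f, {}))
                for f, w in weights.items())
    return score + payload_similarity(w_payload, payload1, payload2)


if __name__ == "__main__":
    weights = pooled_weights([NODE_A, NODE_B])
    print("weights:", {f: round(w, 3) for f, w in weights.items()})
    print("A~A:", round(node_similarity(NODE_A, NODE_A, weights, 1.0, PAYLOAD_A, PAYLOAD_A), 3))
    print("A~B:", round(node_similarity(NODE_A, NODE_B, weights, 1.0, PAYLOAD_A, PAYLOAD_B), 3))
```

Comparing a node with itself returns the sum of the feature weights plus the payload weight, the maximum edge weight the graph-generation stage can assign; comparing A with the uniform scanner B scores strictly lower on every feature.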

SLIDE 17

Graph generation

[figure on the slide, not captured in this transcript]

SLIDE 18

Belonging degree & conductance

    ▪ $\Gamma(u, C)$ : belonging degree between $u$ and $C$
    ▪ $C$ : set of nodes in the cluster
    ▪ $u$ : node adjacent to $C$
    ▪ $N_u$ : set of nodes neighboring $u$
    ▪ $w_{ux}$ : weight of the edge between nodes $u$ and $x$
    ▪ $\Phi(C)$ : conductance of $C$
    ▪ $cut(C, G \setminus C)$ : sum of the weights of the edges between nodes in $C$ and nodes outside of $C$
    ▪ $w_C$ : sum of the weights of all edges in $C$

$$ \Gamma(u, C) = \frac{\sum_{x \in C} w_{ux}}{\sum_{x \in N_u} w_{ux}} \qquad \Phi(C) = \frac{cut(C, G \setminus C)}{w_C} $$

A high belonging degree means most of $u$'s similarity mass already points into $C$; a low conductance means the cluster is well separated from the rest of the graph. Note that $\Phi$ is undefined for a cluster with no internal edges ($w_C = 0$).
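The two metrics computed on a small weighted similarity graph, as an added example that is not the authors' code. The graph is constructed (nodes stand for source IPs, edge weights for similarity scores in [0, 1] from the graph-generation stage). Slide 19 shows cluster formation only as a figure, so the greedy expansion routine below, which grows a cluster by belonging degree and reports its conductance, is an illustration of how the metrics can drive clustering, not the authors' algorithm.

```python
"""Belonging degree and conductance (slide 18) on a constructed weighted graph.

Added example, not the authors' code; expand_cluster is an illustrative use
of the metrics, not the procedure behind the figure on slide 19.
"""
from typing import Dict, Set

Graph = Dict[str, Dict[str, float]]   # undirected: g[u][x] == g[x][u]


def add_edge(g: Graph, u: str, x: str, weight: float) -> None:
    g.setdefault(u, {})[x] = weight
    g.setdefault(x, {})[u] = weight


def example_graph() -> Graph:
    """Constructed: a tight triangle a-b-c, a weak link to d, and d-e off to the side."""
    g: Graph = {}
    add_edge(g, "a", "b", 0.90)
    add_edge(g, "a", "c", 0.85)
    add_edge(g, "b", "c", 0.80)
    add_edge(g, "c", "d", 0.20)
    add_edge(g, "d", "e", 0.70)
    return g


def belonging_degree(g: Graph, u: str, cluster: Set[str]) -> float:
    """Γ(u, C) = Σ_{x∈C} w_ux / Σ_{x∈N_u} w_ux."""
    total = sum(g[u].values())
    if total == 0:
        return 0.0
    return sum(w for x, w in g[u].items() if x in cluster) / total


def conductance(g: Graph, cluster: Set[str]) -> float:
    """Φ(C) = cut(C, G \\ C) / w_C; w_C counts each internal edge once."""
    cut = sum(w for u in cluster for x, w in g[u].items() if x not in cluster)
    internal = sum(w for u in cluster for x, w in g[u].items() if x in cluster) / 2.0
    if internal == 0:
        return float("inf")        # no internal edges: Φ is undefined
    return cut / internal


def expand_cluster(g: Graph, seed: str, min_belonging: float) -> Set[str]:
    """Greedy expansion: add the frontier node with the highest belonging degree
    while that degree stays at or above min_belonging."""
    cluster = {seed}
    while True:
        frontier = {x for u in cluster for x in g[u] if x not in cluster}
        if not frontier:
            break
        best = max(frontier, key=lambda x: belonging_degree(g, x, cluster))
        if belonging_degree(g, best, cluster) < min_belonging:
            break
        cluster.add(best)
    return cluster


if __name__ == "__main__":
    g = example_graph()
    c = expand_cluster(g, "a", 0.4)
    print("cluster from a:", sorted(c), "conductance:", round(conductance(g, c), 3))
    print("Γ(d, C) =", round(belonging_degree(g, "d", c), 3))
```

From seed a the expansion takes b, then c, and stops at d, whose belonging degree to {a, b, c} is 0.2/0.9 ≈ 0.22; adding d anyway would raise the conductance from 0.2/2.55 to 0.7/2.75, which is the signal that d belongs to another cluster.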

SLIDE 19

Cluster formation

[figure on the slide, not captured in this transcript]

SLIDE 20

Campaign Formation

  • Pairwise comparison of nodes inside the cluster
    ▪ Calculating a similarity score using the secondary features (temporal characteristics)
    ▪ Removing outliers

SLIDE 21

Signature Generation

  • Building an identifying signature
    ▪ Listing of all primary features
    ▪ Vector quantization of the secondary features
  • Using hierarchical agglomerative clustering

SLIDE 22


RESULTS


SLIDE 23

ICS & IoT Protocols

  • Categorizes packets by source IP & protocol
  • Retains traffic on ICS/IoT protocol ports

Protocol               Port(s)
FL-net                 55000 to 55003
Modbus                 502, 802
PROFINET               34962 to 34964
OMRON FINS             9600
DNP3                   19999, 20000
PCWorx                 1962
GE-SRTP                18245, 18246
CoAP                   5683, 5684
MELSEC-Q               5006, 5007
EtherNet/IP            2036, 2221, 2222, 44818
Niagara Fox            1911, 4911
BACnet                 47808 to 47823
CODESYS                2455
Emerson ROC            4000
Red Lion               789
EtherCAT               34980
ProConOS               20547
HART-IP                5094
Zigbee                 17754 to 17756
ICCP                   102
Emerson ecmp           6160
Siemens S7             (port not listed on the slide)
Foundation Fieldbus    1090, 1091, 3622
IEC 60870-5-104        2404, 19998
OPC UA                 4840, 4843
Johnson Controls       11001
MQ Telemetry (MQTT)    1883

SLIDE 24

Legitimate organizations

  • 3 legitimate research organizations
    ▪ Well-known research objective
    ▪ No effort to obfuscate their scans

Organization        Protocol       Packets
Kudelski Security   MQTT            3,176,785
                    Modbus          3,225,764
                    Niagara Fox     3,338,688
                    BACnet          3,186,966
Project Sonar       BACnet          1,408,866
                    MQTT            1,365,953
                    EtherNet/IP       749,032
                    CoAP              673,405
Censys              Modbus         14,546,546
                    DNP3            8,674,021
                    BACnet         14,472,089
                    Niagara Fox    11,027,247
                    S7 Comm         6,001,835
                    EtherNet/IP            41 (as printed on the slide)

SLIDE 25

Legitimate campaign signature

  • Against the BACnet protocol
    ▪ Includes the entire darknet
    ▪ Conducted multiple times over a period of 9 months
    ▪ 242 source IPs involved

Stats
  Transport protocol         UDP
  Protocol                   BACnet
  Destination port           47808
  # of sources               242
  # of destinations          Entire darknet
  # of packets               5,562,890
  Start                      2018-05-08, 20:59:52
  End                        2019-02-19, 20:56:33

Signature
  Source port                47808
  ToS                        72
  TTL                        254
  IHL                        5
  Total length               77
  IPv4 options               None
  Flags                      None
  Identification             54321
  Fragment offset            (blank on the slide)
  Packet interval            87 ms
  Packet/destination ratio   1.0
  Destination overlap        0.0
  Payload                    810a0023 01040005 000e0c02 3fffff1e 094b0978 0979092c 090c094d 0946091c 093a1f

The 35-byte payload is a BACnet/IP Original-Unicast-NPDU carrying a confirmed ReadPropertyMultiple request (service choice 14, invoke ID 0) against the wildcard device instance 4194303, asking for object-identifier, vendor-identifier, vendor-name, firmware-revision, application-software-version, object-name, model-name, description and location: a device-enumeration probe that any BACnet device answers with its own identity. The fixed source port 47808 and the constant IPv4 Identification 54321 across 5.5 million packets indicate crafted packets rather than an OS network stack, which is what makes the campaign easy to fingerprint. Note that 20 (IPv4, IHL 5) + 8 (UDP) + 35 = 63 bytes, so the listed Total length of 77 equals the Ethernet frame length (63 + 14), not the IPv4 Total Length field.
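A decoder for the constant payload in the signature above, as an added example that is not the authors' tooling. It copies the hex string from the slide and parses only what that payload needs (BVLC header, an NPDU without routing addresses, and a confirmed ReadPropertyMultiple request), raising on anything else; the service, object-type and property names are the standard BACnet identifiers. It also recomputes the IPv4 and Ethernet lengths behind the Total-length note.

```python
"""Decoder for the constant BACnet probe payload of the legitimate campaign (slide 25).

Added example, not the authors' code. Only the structures present in that
payload are handled; routed NPDUs and other APDU types raise ValueError.
"""
import struct
from typing import Dict, List

# Hex string copied from the signature on slide 25.
SIGNATURE_PAYLOAD_HEX = "810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f"

BVLC_FUNCTIONS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
CONFIRMED_SERVICES = {12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty"}
OBJECT_TYPES = {8: "device"}
PROPERTY_IDS = {
    12: "application-software-version", 28: "description", 44: "firmware-revision",
    58: "location", 70: "model-name", 75: "object-identifier", 77: "object-name",
    120: "vendor-identifier", 121: "vendor-name",
}
WILDCARD_INSTANCE = 0x3FFFFF   # "any device": the responder substitutes its own instance


def decode_probe(payload: bytes) -> Dict:
    """Parse BVLC + NPDU + confirmed-request APDU; decode the request if it is service 14."""
    if len(payload) < 10 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) payload")
    bvlc_function, bvlc_length = payload[1], struct.unpack(">H", payload[2:4])[0]
    if bvlc_length != len(payload):
        raise ValueError(f"BVLC length {bvlc_length} != payload length {len(payload)}")
    npdu_version, npdu_control = payload[4], payload[5]
    if npdu_version != 1:
        raise ValueError(f"unexpected NPDU version {npdu_version}")
    if npdu_control & 0x28:    # DNET (0x20) or SNET (0x08) present: routed NPDU
        raise ValueError("routed NPDUs are out of scope for this example")
    apdu = payload[6:]
    if apdu[0] >> 4 != 0:      # PDU type 0 = Confirmed-Request
        raise ValueError("only Confirmed-Request APDUs are decoded")
    invoke_id, service = apdu[2], apdu[3]
    result = {
        "bvlc_function": BVLC_FUNCTIONS.get(bvlc_function, f"0x{bvlc_function:02x}"),
        "expecting_reply": bool(npdu_control & 0x04),
        "invoke_id": invoke_id,
        "service": CONFIRMED_SERVICES.get(service, f"service-{service}"),
    }
    if service == 14:
        result.update(_decode_read_property_multiple(apdu[4:]))
    return result


def _decode_read_property_multiple(params: bytes) -> Dict:
    """One ReadAccessSpecification: object identifier + list of property references."""
    if len(params) < 6 or params[0] != 0x0C:   # context tag 0, length 4
        raise ValueError("expected object identifier (context tag 0, length 4)")
    obj = struct.unpack(">I", params[1:5])[0]
    obj_type, instance = obj >> 22, obj & 0x3FFFFF   # 10-bit type, 22-bit instance
    if params[5] != 0x1E:                             # opening tag 1
        raise ValueError("expected opening tag 1")
    properties: List[str] = []
    i = 6
    while i < len(params) and params[i] != 0x1F:      # closing tag 1 ends the list
        tag = params[i]
        if tag >> 4 != 0 or not tag & 0x08:
            raise ValueError("expected property identifier (context tag 0)")
        length = tag & 0x07
        prop = int.from_bytes(params[i + 1:i + 1 + length], "big")
        properties.append(PROPERTY_IDS.get(prop, f"property-{prop}"))
        i += 1 + length
    if i >= len(params):
        raise ValueError("property list not closed")
    return {
        "object": (OBJECT_TYPES.get(obj_type, f"type-{obj_type}"), instance),
        "wildcard_device": instance == WILDCARD_INSTANCE,
        "properties": properties,
    }


def ipv4_udp_lengths(payload: bytes) -> Dict[str, int]:
    """IPv4 Total Length (IHL 5, no options, UDP) and Ethernet frame length for a payload."""
    ip_total = 20 + 8 + len(payload)
    return {"ip_total_length": ip_total, "ethernet_frame_length": 14 + ip_total}


if __name__ == "__main__":
    raw = bytes.fromhex(SIGNATURE_PAYLOAD_HEX)
    print(decode_probe(raw))
    print(ipv4_udp_lengths(raw))
```

Run against the slide's payload the decoder returns the nine property names listed in the note above together with the wildcard device object, and the length helper returns 63 for the IPv4 Total Length and 77 for the frame.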

SLIDE 26

Legitimate campaign date histogram

  • Regular (weekly) traffic
  • Several missing spikes of data, where the algorithm returned a false negative

[figure on the slide, not captured in this transcript]

SLIDE 27

Malicious campaign signature

  • Against the EtherNet/IP protocol
    ▪ Included parts of the darknet
    ▪ Visiting IPs more than once
  • Multiple spikes of activity
  • 21 source IPs involved

Stats
  Transport protocol         UDP (as printed on the slide; see the note below)
  Protocol                   EtherNet/IP
  Destination port           2222
  # of sources               21
  # of destinations          160,000
  # of packets               1,653,444
  Start                      2018-10-07, 13:19:06
  End                        2019-02-19, 21:48:51

Signature
  Source port                *
  ToS                        40
  TTL                        128
  IHL                        5
  Total length               *
  IPv4 options               None
  Flags                      None
  Identification             256
  Fragment offset            (blank on the slide)
  Offset (TCP data offset)   5
  Window size                *
  Urgent pointer             (blank on the slide)
  TCP options                None
  TCP flags                  SYN
  Sequence #                 *
  Acknowledgment #           (blank on the slide)
  Payload                    None
  Packet interval            552 ms
  Packet/destination ratio   1.0
  Destination overlap        0.0

(* marks a field whose value varies between packets and is therefore not part of the signature.)

Note: the slide lists the transport as UDP, but every transport-layer field in the signature (TCP flags SYN, data offset 5, window size, TCP options) belongs to the TCP header, so the probe is a TCP SYN scan of port 2222. A constant IPv4 Identification of 256 across 1.6 million packets is not the behaviour of a standard OS stack, which increments or randomizes the field; together with the fixed TTL 128 and ToS 40 it is the campaign's most distinctive fingerprint.
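Signature generation as slide 11 describes it (keep the header fields every node of the cluster shares, mark the rest "*" as the table above does) together with the matcher that tracks a campaign once its signature exists, as an added example that is not the authors' implementation. The packet records are constructed to resemble the campaign above (TCP SYN to port 2222, TTL 128, ToS 40, IPv4 Identification 256) plus one unrelated probe from an ordinary OS stack; they are not captured traffic, and the addresses come from the documentation ranges.

```python
"""Signature generation and matching for a probing campaign (slides 11 and 27).

Added example, not the authors' code. All packet records are constructed.
"""
from typing import Dict, List

WILDCARD = "*"

# Header fields that make up a signature, in the order slide 27 lists them.
SIGNATURE_FIELDS = (
    "dst_port", "src_port", "tos", "ttl", "ihl", "total_length", "ipv4_options",
    "ip_flags", "ip_id", "frag_offset", "data_offset", "window_size",
    "urgent_pointer", "tcp_options", "tcp_flags", "seq", "ack", "payload",
)


def campaign_syn(src_ip: str, src_port: int, window: int, seq: int) -> Dict:
    """Constructed record of one crafted SYN shaped like the slide-27 signature."""
    return {
        "src_ip": src_ip, "dst_port": 2222, "src_port": src_port, "tos": 40, "ttl": 128,
        "ihl": 5, "total_length": 40, "ipv4_options": None, "ip_flags": None, "ip_id": 256,
        "frag_offset": 0, "data_offset": 5, "window_size": window, "urgent_pointer": 0,
        "tcp_options": None, "tcp_flags": "SYN", "seq": seq, "ack": 0, "payload": None,
    }


# Constructed cluster: three sources, varying source port / window / sequence number.
CLUSTER_PACKETS: List[Dict] = [
    campaign_syn("198.51.100.7", 41002, 8192, 1_000_001),
    campaign_syn("198.51.100.7", 41003, 8192, 1_000_002),
    campaign_syn("198.51.100.22", 53110, 65535, 77_000),
    campaign_syn("203.0.113.5", 1025, 1024, 5),
]

# Constructed unrelated probe from an OS stack: TTL 64, non-constant IP ID, MSS option.
UNRELATED_PACKET: Dict = dict(
    campaign_syn("203.0.113.250", 60001, 29200, 9),
    ttl=64, tos=0, ip_id=31337, data_offset=6, tcp_options="MSS", total_length=44,
)


def derive_signature(packets: List[Dict]) -> Dict[str, object]:
    """Slide 11: a field is characteristic only if every packet in the cluster shares its value."""
    if not packets:
        raise ValueError("cannot derive a signature from an empty cluster")
    signature: Dict[str, object] = {}
    for field in SIGNATURE_FIELDS:
        observed = {p.get(field) for p in packets}
        signature[field] = observed.pop() if len(observed) == 1 else WILDCARD
    return signature


def matches(signature: Dict[str, object], packet: Dict) -> bool:
    """True when every non-wildcard field of the signature equals the packet's value."""
    return all(value == WILDCARD or packet.get(field) == value
               for field, value in signature.items())


def matching_sources(signature: Dict[str, object], packets: List[Dict]) -> List[str]:
    """Source IPs whose packets match the signature (the campaign's tracked sources)."""
    return sorted({p["src_ip"] for p in packets if matches(signature, p)})


if __name__ == "__main__":
    sig = derive_signature(CLUSTER_PACKETS)
    print({f: v for f, v in sig.items() if v != WILDCARD})
    print("wildcards:", [f for f, v in sig.items() if v == WILDCARD])
    print("sources:", matching_sources(sig, CLUSTER_PACKETS + [UNRELATED_PACKET]))
```

On the constructed cluster the derived signature fixes TTL 128, ToS 40, Identification 256, data offset 5 and SYN while source port, window size and sequence number become "*", mirroring the table above; the OS-generated probe fails on TTL alone and is excluded from the tracked sources.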

SLIDE 28

Malicious campaign date histogram

  • Traffic is irregular, with no discernible pattern

[figure on the slide, not captured in this transcript]

SLIDE 29

Malicious campaign details

  • Geo-localization of the source IPs
    ▪ Most IPs are from China
    ▪ The rest are from the United States

SLIDE 30

Malicious campaign details

  • A circular scanning pattern
  • IPs had ties with several fast-fluxing domains
  • IPs had ties with malware
    ▪ Including Trojans, miners, DDoS

SLIDE 31

Malicious campaign details

  • Found 32 domains associated with the 21 IPs
    ▪ All had neutral or poor reputation
    ▪ 8 domains known for spamming
    ▪ Found 160 IP addresses associated with the domains
  • Out of the 70 IP addresses investigated at random, 45 were fast-fluxing

SLIDE 32

Malicious campaign details

  • Cross-correlation between malware files detected on the campaign sources and the malware stream from Farsight
    ▪ During spikes in campaign activity
  • Strong presence of Trojan malware
    ▪ Possible attempt to increase botnet size

Name                                   # of Hits
Trojan.Win32.Generic!BT                1,397,819
Trojan:Win32/Skeeyah.A!rfn                29,681
Virus.Win32.Virut.ce                      22,623
Trojan:Win32/Tiggre!rfn                    7,395
Backdoor:Win32/Zegost                        830
Virus:Win32/Ramnit.J                         225
Trojan-Downloader.Win32.Agent                200
DDoS:Win32/Nitol.B                           137
Virus:Win32/Virut.BN                         108
DDoS:Win32/Nitol.A                            78
VirTool:Win32/Ceeinject.TD!bit                67
DDoS:Win32/Nitol.P!bit                        39
TrojanDownloader:Win32/Farfli.F!bit           30
DDoS:Win32/Nitol!rfn                          13
Trojan:Win32/Togapy.A!bit                      2
Virus:Win32/Parite.C                           2

SLIDE 33


CONCLUSION


SLIDE 34

Conclusion

  • Built a threat-intelligence generation platform for ICS threats
  • Leveraged the platform to analyze over 10 months of darknet data
  • Found several campaigns by legitimate organizations
  • Found evidence of malicious campaigns
  • Future work
    ▪ Extending our tool to deal with campaigns spanning several ports
    ▪ Extending the range of ports covered by our application
