@RobertMLee www.Dragos.com Robert M. Lee Current: CEO and - - PowerPoint PPT Presentation



slide-1
SLIDE 1

MRO Webcast

Exploring the Unknown ICS Landscape

@RobertMLee

www.Dragos.com

slide-2
SLIDE 2

Robert M. Lee

  • Current:
    • CEO and Founder, Dragos, Inc.
    • SANS Institute Certified Instructor and Course Author (FOR578 & ICS515)
    • Non-resident National Cybersecurity Fellow, New America
    • PhD Candidate, King's College London
    • Writer, Little Bobby
  • Previous:
    • U.S. Air Force Cyber Warfare Operations Officer
    • U.S. Intelligence Community
slide-3
SLIDE 3

Agenda

  • How are ICS Cyber Attacks Conducted?
  • ICS Cyber Attacks: Fact vs. Fiction
  • Project MIMICS and Bringing Realistic Metrics to the Community
slide-4
SLIDE 4

How Are ICS Cyber Attacks Conducted?

slide-5
SLIDE 5


slide-6
SLIDE 6


slide-7
SLIDE 7
slide-8
SLIDE 8

Full Ukraine Report: http://ics.sans.org/duc5

slide-9
SLIDE 9

ICS Cyber Attacks: Fact vs. Fiction

slide-10
SLIDE 10

Illinois Water Hack

Illinois Fusion Center report in 2011:

  • Russia hacked a water utility leading to a pump failure!

Fact: Russian IP in logs and pump failure 5 months later
Reality: Contractor was on vacation and learned of the incident via media


slide-11
SLIDE 11


Norse Iran Cyber Attacks

Fact: No ICS were harmed in the making of this “report”

slide-12
SLIDE 12


2008 Turkey Pipeline Explosion

Bloomberg published “Mysterious ‘08 Turkey Pipeline Blast Opened New Cyberwar” in December, 2014

Fact: BTC Pipeline was attacked
Reality: No “cyber” involved

slide-13
SLIDE 13


2015 Turkey Blackout

10-hour power failure reported by Bloomberg, CNN, and as many major media outlets as possible as an Iranian cyber attack

Fact: Aging infrastructure caused outage
Reality: “Cyber” linked through previous reports

slide-14
SLIDE 14

An Abbreviated History of ICS Threats

  • Insiders
  • Stuxnet
  • Shamoon (Non ICS Targeted)
  • Dragonfly (HAVEX)
  • Sandworm (BlackEnergy 2 and 3)
  • Incidental Malware Infections
  • Dragos’ MIMICS Research
slide-15
SLIDE 15

Example of the known

NCCIC / ICS-CERT Year in Review (FY 2015)

[Pie chart: FY 2015 Incidents by Infection Vector (295 total). Categories: Spear Phishing, Network Scanning, Weak Authentication, Abuse of Authorized Access, Brute Force, SQL Injection, Other, Unknown. The percentage labels are not recoverable from the slide text.]

[Bar chart: FY 2015 Observed Depth of Intrusion. Percentage labels are not recoverable from the slide text.]
  • Level 6 - Critical Systems
  • Level 5 - Critical System Management
  • Level 4 - Critical System DMZ
  • Level 3 - Business Network Management
  • Level 2 - Business Network
  • Level 1 - Business DMZ

slide-16
SLIDE 16

Project MIMICS

15,000 samples over ~3 months

slide-17
SLIDE 17

MIMICS: Malware in Modern ICS

  • Only public data: Virustotal.com
  • Malware repository used by “the Internet” to test files against 50+ antivirus vendors
  • Also used Google, DNS data, etc.
  • Purpose of the research is census-like data
  • Explore hypotheses to give real data points without hype or fear
slide-18
SLIDE 18

Hypothesis 1

  • Non-targeted intrusions/malware in ICS is far more common than realized
slide-19
SLIDE 19

Detect Rate (log)

[Histogram: number of files vs. number of detections, ranging from low hit rate to high hit rate]

Detections per file:
  count  14949
  mean   6.338484
  std    15.635142
  min    0
  25%    0
  50%    0
  75%    0
  max    57

slide-20
SLIDE 20
slide-21
SLIDE 21

Most Common Detections

Name      Count   Trojan   Virus-like (PE Infector)   Virus-like (storage hopping)   Approximate First Seen
sivis     15863   ❔        ✅                          ✅                              2012
lamer     6830    ❔        ✅                          ✅                              2012
ramnit    3716    ✅        ✅                          ✅                              2011
sinowal   2909    ✅        ❌                          ❌                              2006
cosmu     2769    ✅        ✅                          ✅                              2013
virut     1814    ✅        ✅                          ✅                              2007
eldorado  1554    ❔        ❔                          ❔                              2012
skeeyah   1486    ✅        ❔                          ❔                              2015
androm    1471    ✅        ❌                          ❌                              2013
sality    1225    ❔        ✅                          ✅                              2003
zatoxp    1093    ❌        ✅                          ✅                              2012
neshta    1085    ❌        ✅                          ❌                              2008
nimnul    963     ✅        ✅                          ✅                              2013
visisig   905     ❔        ✅                          ✅                              2012
siggen    642     ❌        ✅                          ✅                              2012
graftor   586     ❌        ✅                          ✅                              2012
virtob    468     ✅        ✅                          ✅                              2007
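An added example (not from the talk or from Dragos' MIMICS tooling) of the two summaries the Detect Rate and Most Common Detections slides present: detections per file, and engine-label votes rolled up by family. The per-file engine results are constructed, and the family-name heuristic is an assumption, since engines name families inconsistently.

```python
"""Summarise multi-scanner results: detection-count statistics per file and
approximate family counts.  All inputs below are constructed sample data."""
import re
import statistics
from collections import Counter

# Constructed: one dict per file, engine -> label (None = no detection).
SAMPLE_REPORTS = [
    {"EngA": None, "EngB": None, "EngC": None},
    {"EngA": None, "EngB": None, "EngC": None},
    {"EngA": None, "EngB": None, "EngC": None},
    {"EngA": None, "EngB": None, "EngC": None},
    {"EngA": "Virus:Win32/Sality.AT", "EngB": "W32.Sality", "EngC": "Win32.Sality.3"},
    {"EngA": "Trojan.Win32.Ramnit.a", "EngB": "W32/Ramnit-A", "EngC": None},
    {"EngA": None, "EngB": "Virus.Win32.Virut.ce", "EngC": "W32/Virut.n"},
]
# Prefix words that name a type, not a family (assumed list).
_NOT_FAMILY = {"virus", "trojan", "worm", "generic", "malware"}

def family_of(label):
    """Heuristic family name: first alphabetic token of 4+ letters that is not
    a type word.  Platform tags like Win32 drop out because 'Win' is too short."""
    for tok in re.findall(r"[A-Za-z]{4,}", label):
        if tok.lower() not in _NOT_FAMILY:
            return tok.lower()
    return None

def detection_counts(reports):
    """Number of engines flagging each file (input to the Detect Rate histogram)."""
    return [sum(1 for label in r.values() if label) for r in reports]

def describe(counts):
    """count/mean/std/min/quartiles/max using nearest-rank percentiles."""
    s = sorted(counts)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"count": len(s), "mean": statistics.mean(s), "std": statistics.pstdev(s),
            "min": s[0], "25%": pct(0.25), "50%": pct(0.5), "75%": pct(0.75), "max": s[-1]}

def family_counts(reports):
    """Engine-label votes per family, the shape of the Most Common Detections table."""
    votes = Counter()
    for r in reports:
        for label in filter(None, r.values()):
            fam = family_of(label)
            if fam:
                votes[fam] += 1
    return votes
```

As on the slide, the median detection count is 0 even though a few files are flagged by every engine, which is why the mean alone misleads.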

slide-22
SLIDE 22

New Things

slide-23
SLIDE 23

Hypothesis 2

  • There are ICS themed intrusions/malware currently undiscovered or underreported by non-ICS security companies

slide-24
SLIDE 24

NMMSS Theme

slide-25
SLIDE 25

Siemens themed downloader

  • Downloader with Siemens theme embedded in vs_versioninfo

  • In wild since at least 2013
  • Last observed March 2017
  • Over 10 binaries located
slide-26
SLIDE 26

Behavior

Execute → Decrypt/read Stage 1 Payload → Download/execute Stage 2 Payload(s)

Stage 1 check-in request:
  GET /vip.htm HTTP/1.1
  Content-Type: text/html
  Accept: text/html, */*
  User-Agent: Mozilla/3.0 (compatible; Indy Library)

[Diagram shows several /vip.htm endpoints, each leading to Stage 2 payload(s)]
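An added example (not from the talk or from Dragos) of turning the check-in on this slide into detection logic over web-proxy logs: the exact resource (/vip.htm) scores high, the Indy Library User-Agent alone scores low because it is the default of a widely used Delphi HTTP component that legitimate software also sends, and a repeated fetch of the same URL adds weight. The log format, addresses and lines are constructed.

```python
"""Score proxy-log (client, url) pairs against the downloader check-in pattern.
Log format and sample lines are constructed for this example."""
import re
from collections import defaultdict

SAMPLE_PROXY_LOG = """\
2017-03-01T10:00:01 10.1.5.23 GET http://203.0.113.10/vip.htm 200 "Mozilla/3.0 (compatible; Indy Library)"
2017-03-01T10:00:05 10.1.5.40 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
2017-03-01T10:01:09 10.1.5.23 GET http://203.0.113.10/vip.htm 200 "Mozilla/3.0 (compatible; Indy Library)"
2017-03-01T10:02:00 10.1.5.77 GET http://vendor.example/update.xml 200 "Mozilla/3.0 (compatible; Indy Library)"
"""

# timestamp client method url status "user-agent"
_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}

def score_beacons(log_text):
    """Return {(client, url): score}. Weights are assumptions for this example."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            seen[(rec["client"], rec["url"])].append(rec)
    scores = {}
    for key, recs in seen.items():
        ua = recs[0]["ua"]
        path = re.sub(r"^https?://[^/]+", "", key[1])
        score = 0
        if path.lower() == "/vip.htm":
            score += 2      # strong: the resource the downloader fetches
        if "Indy Library" in ua:
            score += 1      # weak: default Indy HTTP User-Agent, common in legit tools
        if len(recs) >= 2:
            score += 1      # repeated fetch of one URL looks like a check-in
        scores[key] = score
    return scores

def alerts(log_text, min_score=2):
    """Pairs worth an analyst's look; UA-only hits stay below the threshold."""
    return {k: v for k, v in score_beacons(log_text).items() if v >= min_score}
```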

slide-27
SLIDE 27

Submissions

11/2013, 12/2013, 1/2014, 2/2014, 3/2014 (2x), 7/2014, 10/2016, 11/2016 (2x)

slide-28
SLIDE 28

User Behavior

& Poor Operations Security

slide-29
SLIDE 29

Hypothesis 3

  • Non-ICS security trained teams and IT security products are submitting legitimate ICS software and files to public databases

Weird hypocrisy: you don’t trust your AV but you do trust 50 other AV companies?

slide-30
SLIDE 30

Project files

~120 project files over the course of ~90 days

  • Speed Control BOM.rfq
  • LogixDiagnostics.ACD
  • LCS24.RSS
  • DRIVE_CONTROL_ML1100_PF4CLASS-EN-DRV_CTRL-C0_07.RSS
  • Rizhao_tertiary.RSS
  • H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS
  • C:\Users\Wu.Charlene\Downloads\8110409835_HMI_PAR_Line9_v1_04.mer
  • Untitled.RSS
slide-31
SLIDE 31

Data files

slide-32
SLIDE 32

Installers

slide-33
SLIDE 33

Scan your public content

One electric utility began routinely uploading its entire public website to VirusTotal in 2012; 136 files indexed on VT.

Program Files

slide-34
SLIDE 34

Practices

Things to do

  • Use VT as a data source
  • Have suspected and confirmed malware handling guidance/processes

Things NOT to do

  • Treat VT as a whitelist
  • Treat VT as a blacklist
  • Use VT to validate your AV
  • Allow your outsourced teams (IT security or AV) to make decisions about your data
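An added example (not from the talk) of one concrete control behind the last point and the Project Files slide: a pre-submission screen that a SOC or IT team runs before a file is sent to a public multi-scanner, routing ICS project/runtime files and paths that disclose internal layout to the asset owner instead. The extension set is taken from the file names on the Project Files slide; the path patterns and sample paths are assumptions constructed for this example.

```python
"""Pre-submission screen for public multi-scanner uploads.
Extensions come from the Project Files slide; paths below are constructed."""
import re
from pathlib import PureWindowsPath

# .rfq, .ACD, .RSS, .mer all appeared on the Project Files slide: ICS project
# and HMI runtime files that are rarely malware and often describe the process.
ICS_PROJECT_EXTENSIONS = {".acd", ".rss", ".mer", ".rfq"}

# A Windows user-profile path discloses an account name along with the file.
_USER_PATH_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

def screen_submission(path):
    """Return (allow, reasons). allow is False when the file should go to an
    internal ICS/vendor review instead of a public database."""
    reasons = []
    p = PureWindowsPath(path)
    if p.suffix.lower() in ICS_PROJECT_EXTENSIONS:
        reasons.append(f"ICS project/runtime file type {p.suffix}")
    m = _USER_PATH_RE.match(path)
    if m:
        reasons.append(f"path discloses user account '{m.group(1)}'")
    if len(p.parts) > 1:
        reasons.append("submission carries an internal directory path")
    return (not reasons, reasons)

def screen_batch(paths):
    """Split a list of candidate paths into (allowed, held) for review."""
    allowed, held = [], []
    for path in paths:
        ok, reasons = screen_submission(path)
        (allowed if ok else held).append((path, reasons))
    return allowed, held
```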

slide-35
SLIDE 35

Key Takeaways

  • Industrial cyber attacks are worth understanding – but avoid the hype
  • Security in the ICS contributes to reliability even if just against common viruses

  • You’re more likely to be impacted with Virut than Stuxnet
  • ICS themed malware (but not enabled) is definitely a thing
  • VirusTotal is useful to shed light on specific campaigns post facto
  • Supply chain weakness through legit binaries
slide-36
SLIDE 36

Questions?

@robertmlee | RLee@Dragos.com

Stay in Touch: Dragos.com | @DragosInc