seminar series industrial cyber threats and
play

Seminar Series Industrial Cyber Threats and Future Planning Robert - PowerPoint PPT Presentation

Jul 10, 2023 •172 likes •424 views

Seminar Series Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com Agenda Where We Are Selected Case Studies in Cyber Attacks Where Were Heading

  1. Seminar Series

  2. Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com

  3. Agenda • Where We Are • Selected Case Studies in Cyber Attacks • Where We’re Heading • Recommendations

  4. The Unknown Threat Landscape Few People Know How to Protect the ICS that Run Our World The Threat Landscape is Mostly Unknown 4

  5. Finding More and More Occurring 2015-2017 Adversaries Disrupt ICS - Campaigns: 10 Unique - ICS Malware: CRASHOVERRIDE and TRISIS 2013 - 2015 - First and second ever electric grid attacks that disrupt power 2010 - 2012 - First malware to target human life 1998 - 2009 Campaigns Target ICS New Interest in ICS Lack of Collection - Campaigns: Dragonfly - Campaigns: Sandworm - Campaigns: APT1 - ICS Malware: BlackEnergy 2 and Havex - ICS Malware: Stuxnet - ICS Malware: None - First attack to cause physical destruction on civilian infrastructure (German Steel)

  6. The Diamond Model Adversary Infrastructure Capability/TTPs Victim Ref: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

  7. Links: Development team for Sandworm ELECTRUM • Long term access to ICS • Dual-use infrastructure • CRASHOVERRIDE such as TOR to host C2 • ICS Specific Modules • Internal proxies setup • Operations Knowledge Russian State Interests • Ukrainian Utility Companies • Electric • Water

  8. Links: Dragonfly 2.0 Not Dragonfly 1.0 DYMALLOY • Malicious docs w/ credential • Compromise ISP IPs harvesting via external SMB • connections Compromised business • connections for initial RATs from publicly available toolkits • infection and subsequent Custom-developed information implants theft toolkits built on public tools Multi-State • One non-public toolkit Adversary Interests • North American electric operators • Turkish energy providers • Western Europe electric operators

  9. Links: “ OilgRig ” Actor CHRYSENE • • Actor owned infrastructure 64-bit malware using DNS for C2 • • Domain patterns after Greenbug malware with HTTP C2 • legitimate resources OilRig as evolution of Greenbug • • Custom DNS server as Unique DNS C2 system • authoritative for the Initial beacon AAAA request • domain to enable C2 IPv6 encoded commands Iranian State Interests • Arabian gulf region • Saudi Arabia petrochemical focus • Oil/gas, petro, and electric generation

  10. Links: APT 33 MAGNALIUM • • Spoofed domains of Commodity and non-public relevance to victim malware combination • • Dynamic DNS for C2 Publicly available crimeware • • IT services and aerospace Specific malware encoding routine themed Iranian State Interests • Saudi Arabian petrochemical • Aerospace companies • North America and South Korean targets only with Saudi business

  11. Links: Unknown COVELLITE • Sophisticated implant with secure communication channels • Similar features to malware used • Legitimate infrastructure against South Korean targets • University IPs for C2 • Specific session key used for payload and second encrypted North Korean layer State Interests • 41 minute and 30 second sleep • Electric utility companies in the United States

  12. German Steel Plant - 2014 • Dec 18, 2014 German Government’s BSI released annual report highlighting incidents • Identified “massive damage” in a steel facility due to a cyber attack • 2 nd publicly known case of physical damage to control systems from cyber attacks

  13. Ukraine 2015 • 1 st Ever cyber attack on a power grid to lead to outages • 3 power companies across Ukraine • SCADA Hijack scenario by a well funded team

  14. Ukraine 2016 - CRASHOVERRIDE

  15. Middle East 2017 - TRISIS • TRISIS was delivered into a petrochemical facility in the Middle East by a well funded attack team • Targeted Safety Instrumented System (SIS) and failed causing a stop in operations • 1 st malware to specifically target human life

  16. You Cannot Just Patch Away the Problem Dragos’ 2017 in Review reports revealed that for ICS vulnerabilities: • 64% of all vulns didn’t eliminate the risk • 72% provided no alternate mitigation to the patch • Only 15% could be leveraged to gain initial access Ref: www.dragos.com/YearInReview/2017

  17. Where We’re Heading

  18. ICS Incidental Impact vs. ICS-Tailored ICS Incidental Impact ICS-Tailored • Resource Usage • Protocol Knowledge • Destructive • System Knowledge • Wormable • Process Knowledge

  19. Multi-Phase Attacks Ref: https://www.sans.org/reading-room/whitepapers/ICS/industrial- control-system-cyber-kill-chain-36297

  20. Research Ideas

  21. Your Goal – Satisfy the Right Requirements MTTR Company Risk RCA ADT 21

  22. Problems Problem: Rush for Sensors Problem: Over-Focus on Malware, Vulns, and Exploits Problem: Over-Focus on ML/AI Models Problem: Need to Scale Knowledge/Workforce Problem: Big Architecture Changes

  23. Ideas Idea: Common, Robust, Dynamic Sensor Idea: Limiting of Impact Outside Scope Idea: Intelligence-Driven Approach Idea: Enabling/Scaling Human Knowledge Idea: Common Logging/API in OEM Gear

  24. Questions? Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the

Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the

Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the state of art, CEER is a game changer. A generational leap in capabilities for Cyber- Physical Experimentation in the Electric Power Grid Increased

792 views • 49 slides
Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N , M A S S A C H U S E T T S J U N E 4 , 2 0 12 Antitrust Notice 2 The Casualty Actuarial Society is committed to adhering strictly to the

577 views • 26 slides
Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK businesses and how to remain safe What help is available Further reading Setting the scene 21.2bn The cost of fraud to the

304 views • 19 slides
Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed by us are not representative of the City of Charlotte. OUTLINE INTRODUCTIONS HUMAN THREATS CYBER THREATS QUESTIONS INTRODUCTIONS

445 views • 25 slides
The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber

The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber

The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber Crime Growth Number of mobile 200M devices affected IBM 11.6M Number of accounts hacked CNN Money 432M Number of malware samples collected Intel

652 views • 30 slides
The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana Wagemann Director of Sales, Darktrace Evolving Threats in a New Business Landscape Outsourced IT, SaaS, cloud, virtual, supply chain, IoT Not just data

412 views • 15 slides
Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro

Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro

Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro Cansian Agenda New Cybernetic Global Order Cyber threats. The present and future threat scenarios. The scenario in Brazil. Final

617 views • 46 slides
Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig picture The asymmetric nature of the Internet The current state of cyber underground Our current approach UNCLASSIFIED 7 Software Integrity Denial

388 views • 18 slides
Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities

Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities

Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities Executive Order Number 8 Identify high risk cyber security issues facing COV. Provide advice and recommendations to secure COV networks,

449 views • 20 slides
tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse

tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse

Introducing the new SpaceGuard SGP 30 series tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse proximity light grid Self-contained system (no need for separate controller) Designed for

715 views • 23 slides
Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation

Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation

Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation Baltimore Division Overview Cyber Threat Overview Cyber-enabled Fraud Types of Cyber-enabled Fraud Business Email Compromise

796 views • 47 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or

Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or

Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or Territorial Government Entity 2 Why SLTT Governments? Criminals look for data... and governments have a lot of it! 3 TLP: WHITE 3 CBA 6 CBA 4

911 views • 35 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University of Cincinnati About This Seminar Designed for everyday cyber citizens Online Webinar 2 hour Presentation 10 Minute break

607 views • 57 slides
Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of

Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of

3/18/16 Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of Medicine University of California, San Francisco Continuing Medical Education March 18, 2016 Disclosure Investigator on NPS

404 views • 25 slides
Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence 1.12 Gross anatomy of the forebrain. (Part 3) Haines, Fund. Neuro., Fig 16 10 Figure A21 The ventricular system of the human brain (Part 1) Box

589 views • 36 slides
Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment

Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment

Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment Program at Connecticut Childrens Medical Center Jennifer Twachtman-Bassett, M.S. CCC-SLP Department of Speech-Language Pathology Lead Clinician ~

397 views • 17 slides
Emergency Use, Compassionate Use & Expanded Access Programs Investigational New Drug An

Emergency Use, Compassionate Use & Expanded Access Programs Investigational New Drug An

Emergency Use, Compassionate Use & Expanded Access Programs Investigational New Drug An Investigational New Drug (IND) is a substance that has been tested in the laboratory and has been approved by the U.S. Food and Drug Administration

414 views • 25 slides
Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction.

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction.

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. Exercise: find your way around in the training VM. Block 2: Bro-logs, network logs. Introduction on

292 views • 13 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and why does it matter?) Who we are (and why does it matter?) So... 2013 2013 Significant Events Research Themes Future Themes ? References / Links

983 views • 71 slides
OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

DETECT . ANALYZE . REMEDIATE OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz +972-545444313 1 1 1 What People Think 2 True or False? Threat intelligence Nation-state actors Commercial threat

247 views • 24 slides

More recommend