threat analysis of steganographic and covert
play

THREAT ANALYSIS OF STEGANOGRAPHIC AND COVERT COMMUNICATION IN - PowerPoint PPT Presentation

Aug 30, 2023 •263 likes •378 views

THREAT ANALYSIS OF STEGANOGRAPHIC AND COVERT COMMUNICATION IN NUCLEAR I&C SYSTEMS M. Hildebrandt 1 , R. Altschaffel 1 , K. Lamshft 1 , M. Lange 2 , M.Szemkus 2 , T. Neubert 3 , C.Vielhauer 1,3 , Y. Ding 2 , J. Dittmann 1 1 Otto-von-Guericke

  1. THREAT ANALYSIS OF STEGANOGRAPHIC AND COVERT COMMUNICATION IN NUCLEAR I&C SYSTEMS M. Hildebrandt 1 , R. Altschaffel 1 , K. Lamshöft 1 , M. Lange 2 , M.Szemkus 2 , T. Neubert 3 , C.Vielhauer 1,3 , Y. Ding 2 , J. Dittmann 1 1 Otto-von-Guericke University, Magdeburg, Germany 2 Magdeburg-Stendal University of Applied Sciences, Magdeburg, Germany 3 Brandenburg University of Applied Sciences, Brandenburg, Germany The work in this paper has been funded by the German Federal Ministry for Economic Affairs and Energy (BMWi, Stealth-Szenarien, Grant No. 1501589A, 1501589B and 1501589C) within the scope of the German Reactor-Safety-Research-Program. This document was produced in part with the financial assistance of the European Union. The views expressed herein can in no way be taken to reflect the official opinion of the European Union. International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna IAEA-CN-278/478, Hildebrandt et al.

  2. Outline Movitvation/Introduction • State-of-the-Art • OT Infrastructure: NST047, IEC 62443 – Steganography and Data Hiding – Hidden Communication in Networks • Hidden communication in IT networks – Potential hidden communication in OT networks – Exemplary supply chain attacks • Strategic preparation and detection approaches • Summary and future work • International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 2 IAEA-CN-278/478, Hildebrandt et al.

  3. Motivation/Introduction ● Operational Technology (OT) / Instrumentation and Control Systems (I&C) consist of Sensors, Computing Units and Actors – including the communication between those components ● Increasing tendency of using hidden communication channels in Information Technology (IT) networks within advanced persistent threats (APT) ● Information Hiding can be used to exfiltrate information/commands, inject information/commands or to establish a command&control channel without being detected ● Typical protocols in OT networks, (Modbus/TCP, OPC UA, Syslog, …) can be potentially used as cover data for hidden communication International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 3 IAEA-CN-278/478, Hildebrandt et al.

  4. State-of-the-Art Architecture Information Hiding NST047 [3]: Derived from secret communication - ● ● Prisoners' Problem with the presence of a 5 Security Levels, SL1 systems vital to the facility warden → communication should remain – (e.g. safety&emergency systems), SL2 unnoticed and confidential operational control systems, SL3 supervision systems, SL4 technical data mangement IH is increasingly used in APT ● systems, SL5 business systems Cover channel/objects: data to hide stego ● Traffic between security levels is restricted (e.g. – data within no communication from SL2 to SL1, but communication from SL1 to SL2, Stego data: hidden communication ● Acknowledgements and control packates can be sent from SL3 to SL2, well-specified Requirements: protocol compliance, warden ● communication is allowed from SL4 to SL3) compliance, ideally should follow Kerckhoffs' IEC62443 [2]: Principle [8] ● Active steganography: end-to-end; passive Definition of foundational requirements, e.g. – ● restricted data flow; System Requirements and steganography: in some parts of the Requirement Enhancements communication path only 5 Security levels (SL0 no security, SL4, highest – security requirements) [2] CAN/CSA-IEC/TS 62443-1-1:2017-10-01, Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models (Adopted IEC technical specification 62443-1-1:2009, first edition, 2009-07) (2017) [3] IAEA- INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security Techniques for Nuclear Facilities, International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna Nuclear Security Series no 47, NST047 DRAFT (2017) [8] Ker, A.: Information Hiding (complete), (2016) http://www.cs.ox.ac.uk/andrew.ker/docs/informationhiding-lecture- 4 IAEA-CN-278/478, Hildebrandt et al. notes-ht2016.pdf

  5. Hidden communication in desktop IT networks Turla Lightneuron Backdoor [1] UDPoS Malware [12] ● ● POS credit card transaction eMail Scrape System Memory for Microsoft Exchange Credit Card Numbers TA1 TAn LightNeuron Parse eMail for Stego Craft DNS Request Message in JPG/PDF Transport Agent attachment Log Date and Sender Send DNS Requests to Do nothing ● Exfiltrate Credit Card Data Modify eMail ● Block eMail ● Execute Command Call companion DLL ● ... ● [1] Faou, M., TURLA LIGHTNEURON One email away from remote code execution, ESET Research White papers, May 2019 (2019) https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna [12]Cylance Threat Research Team, Threat Spotlight: Inside UDPoS Malware, (2018) 5 IAEA-CN-278/478, Hildebrandt et al. https://threatvector.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html

  6. Potential hidden communication in OT networks Fig. 1. Covert Channels in I&C Networks Based on [13] and access requirements for active steganography, access, access requirements International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 6 [13] Wendzel, S., Zander, S., Fechner, B., Herdin, C., Pattern-Based Survey and Categorization of Network Covert IAEA-CN-278/478, Hildebrandt et al. Channel Techniques, CSUR 47 3 (2015)

  7. Exemplary supply chain attacks based on OPC UA ● Storage channel based on ● Hybrid channel based on source timestamp CC S source timestamp CC h Digit sum of the second field is DTL Data Type for Timestamps: – kept odd or even for a longer Data Year Month Day Week Hour Minute Secon Nanos field day d econd period of time Data UInt USInt USInt USInt USInt USInt USInt UDInt type PLC will trigger a hidden – function if the time exceeds a Milliseconds Microseconds Nanoseconds certain threshold 1/10s 4 2 M N O 0 0 0 Capacity is very limited in – Synchronization comparison to the storage POKE_BOOL(Area, DBNumber, Byteoffset = 8 + M, Bitoffset = N, Value= O) channel Result: arbitrary manipulation of digital outputs International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 7 IAEA-CN-278/478, Hildebrandt et al.

  8. Strategic preparation and detection approaches ● Strategic preparation: Communication data needs to be monitored and captured – Data capturing must be non-identifiable by the potential attacker, otherwise – countermeasures (anti-forensics) might be utilized Standard system behavior need to be known – ● Detection: CC S - analysis of the source time stamps focusing on the distribution of – microsecond digit O: normally uniformly distributed, with stego channel limited to a few values CC h – analysis of the delta times of the source timestamps between two OPC UA – responses: delta times are not uniformly countiunuous if the stego channel is active International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 8 IAEA-CN-278/478, Hildebrandt et al.

  9. Summary and future work ● Steganographic communication channels are possible within OT networks ● A supply chain attack might introduce hidden functions that are not triggered during an isolated evaluation → source analysis is necessary ● Simple stego channels can be detected be performing an anomaly detection: normal traffic needs to be known ● In future work more advanced channels including the application of keys and a more dynamic behavior need to be evaluated towards potential detection approaches International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 9 IAEA-CN-278/478, Hildebrandt et al.

  10. THREAT ANALYSIS OF STEGANOGRAPHIC AND COVERT COMMUNICATION IN NUCLEAR I&C SYSTEMS Thank you for your kind attention! Contact information: Mario Hildebrandt Department of Computer Science Research Group Multimedia and Security Institute of Technical and Business Information Systems Otto-von-Guericke-University of Magdeburg Universitaetsplatz 2 39106 Magdeburg, Germany EMail: mario.hildebrandt@iti.cs.uni-magdeburg.de Phone: +49 (391) 67 51603 International Conference on Nuclear Security: Sustaining and Strengthening Efforts, 10-14 February 2020, Vienna 10 IAEA-CN-278/478, Hildebrandt et al.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in File S Systems t User Access Control The operating system is fully trusted to enforce the security policy. Is it good enough? Is it

888 views • 44 slides
Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Steganographic Design Elements Steganalysis of YASS Summary Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan Kodovsk Jessica Fridrich January 28, 2008 / Electronic Imaging 2008

817 views • 22 slides
Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why

Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why

2013 Conference Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why this presentation ? A typical example of ex. Gov Stuff State level threat some years ago. Now Coporate level Very good

877 views • 32 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks Aron Laszka 1 , 2 Benjamin Johnson 3 Jens Grossklags 1 1 Pennsylvania State University 2 Budapest University of Technology and Economics 3 University

867 views • 43 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit 11/10/2013 1 Overview What is the Asymmetric Threat Response and Analysis Program (ATRAP)? Data Ingestion Structured vs. unstructured

817 views • 44 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FLoCon 2005 1 MOTIVATION CNN.COM

234 views • 19 slides
Security Identification and Garage Management Unit Pre-Retirement Seminar October 2016 I:\ID

Security Identification and Garage Management Unit Pre-Retirement Seminar October 2016 I:\ID

Security Identification and Garage Management Unit Pre-Retirement Seminar October 2016 I:\ID Retirement Presentation Retirement and Access to the Pre-retirement Seminar UNOG October 2016 The following is a brief presentation which aims to

222 views • 11 slides
Appropriateness Process Dallas Landmark Commission City of Dallas What is a Certificate of

Appropriateness Process Dallas Landmark Commission City of Dallas What is a Certificate of

Navigating the Certificate of Appropriateness Process Dallas Landmark Commission City of Dallas What is a Certificate of Appropriateness? And when is one needed? Certificate of Appropriateness (CA) What is it? When is it needed? A

567 views • 21 slides
GOVERNMENT OF PUERTO RICO PUBLIC SERVICE REGULATORY BOARD Oct 25, 2019 PUERTO RICO ENERGY BUREAU

GOVERNMENT OF PUERTO RICO PUBLIC SERVICE REGULATORY BOARD Oct 25, 2019 PUERTO RICO ENERGY BUREAU

NEPR 0052 Received: GOVERNMENT OF PUERTO RICO PUBLIC SERVICE REGULATORY BOARD Oct 25, 2019 PUERTO RICO ENERGY BUREAU 5:55 PM IN RE: CASE NO.: CEPR-AP-2015-0001; NEPR-AP-2018-0003 PUERTO RICO ELECTRIC POWER AUTHORITY RATE REVIEW SUBJECT:

109 views • 7 slides
Security for Virtualized Distributed Systems Thse soutenue le 3 Novembre 2015 . Context Hacker

Security for Virtualized Distributed Systems Thse soutenue le 3 Novembre 2015 . Context Hacker

From Modelization to Deployment . Arnaud Lefray Workshop SEC2 - 4 Juillet 2016 Qirinus - Inria Sous la direction de : Ralise dans les quipes : Eddy Caron, Avalon - LIP - ENS Lyon Christian Toinard, SDS - LIFO - INSA CVL Jonathan

1.36k views • 80 slides
PENNDOT PROJECT INFORMATION South Arch Street Bridge Replacement SR 1037, Section B10 City of

PENNDOT PROJECT INFORMATION South Arch Street Bridge Replacement SR 1037, Section B10 City of

PENNDOT PROJECT INFORMATION South Arch Street Bridge Replacement SR 1037, Section B10 City of Connellsville, Fayette County PROJECT TEAM Design Division Direct questions to: Brian C. Svesnik - Project Manager at 724.415.2400

451 views • 10 slides
WTS 2015 Papers Presented Friday, April 17, 2015 Friday, April 17 Holiday Inn Midtown 57 th Street

WTS 2015 Papers Presented Friday, April 17, 2015 Friday, April 17 Holiday Inn Midtown 57 th Street

WTS 2015 Papers Presented Friday, April 17, 2015 Friday, April 17 Holiday Inn Midtown 57 th Street Paper Presentation Session (I - A) Wireless Modeling, Algorithms and Simulations I Chair: Jan Holub. Czech Technical University Symbol Request

77 views • 7 slides
Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch April 2,

Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch April 2,

Game Theoretic Modeling of Security and Interdependency in a Public Cloud Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch April 2, 2014 Collaborators: Kevin Kwiat (AFRL/RIGA) Joon S. Park (Syracuse

589 views • 22 slides

More recommend