APT-Style Attacks on SCADA Systems: Stuxnet … Night Dragon
Jonathan Pollet, CAP, CISSP, PCIP, Founder and Principal Consultant, Red Tiger Security - USA
speaker
Jonathan Pollet, CISSP, CAP, PCIP
• Started as a Control Systems Engineer for Chevron; 12 years in Electrical Engineering / SCADA
• Began conducting research into Control Systems Security in 2001
• Performed over 150 field assessments of SCADA, DCS, and Control Systems since 2001
• Participant, developer, or reviewer of Control System Security Standards
• SCADA Security Trainer / Instructor
• Co-developed the 5-day SCADA Security Advanced course offered through Red Tiger Security and the SANS Institute
• Co-developed the 2-day course entitled "Building, Attacking and Defending SCADA Systems in the Age of Stuxnet" offered through Red Tiger Security and BlackHat
outline (10 mins)
• Quick introduction to APT (Advanced Persistent Threat) style attacks
• Initial attack vector leverages Social Engineering and Social Networking sites
• Malware is still the favourite initial attack vector
• The role of C&C in these modern attacks
• Night Dragon (staged over 18 to 24 months)
• Stuxnet
• Q & A
security is more than just passwords and locks
APT – Techniques / Tradecraft
• OSINT
• Social Engineering
• Targeted "Spear Phishing"
• Malicious Attachments
• USB devices
• Websites
targeted spear phishing
• Requires in-depth knowledge of the target
• Sophistication is based on what the target has posted or is otherwise publicly known
• Used to leverage people / groups as the way into the organisation
Malicious attachments (malware)
• PDF
• MS Office products: Word, Excel, etc.
• The usual suffixes: mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe
APT – Targeted Attacks
malware (Cont'd)
[Chart: breakdown of general attacks by category. Malware is the largest share (66,8%); the remaining categories are Denial of Service, Physical Loss, Phishing, Unauthorized Access Attempt, Inappropriate Use and Other.]
Source: http://www.f-secure.com/weblog/archives/00001676.html
Command and Control (C&C)
• Leverages public communication systems to relay messages
• Command vectors: Twitter, IRC, Facebook, Google Groups
Staged attack
• Takes a series of weeks / months to fully compromise a system
• Incremental uploads / downloads / exchanges
• Result is fully "rooted" devices
• Random "radio" silence between contacts
• Remains hidden
APT – Phased Compromise
• Initiation / Discovery: 0day / vuln, first contact
• Command & Control: radio silence, orders
• Propagation: hosts / devices, spread, infect
• Exfiltration: collect data, transmit
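The "random radio silence" of the staged attack above is what defeats naive beacon detection: a bot that checks its C&C channel every ten minutes but goes quiet for two hours at a time produces a few very large gaps that wreck a mean/standard-deviation test. The following is an added example, not code from the original slides, of a beacon detector run over constructed proxy log lines (the hostnames, timestamps and destinations are made up). It uses the median and median absolute deviation of the inter-contact intervals, so a handful of silence gaps do not hide the underlying period.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not from the original slides): timestamp, source host, destination.
# ws-17 contacts twitter.com roughly every 10 minutes with two hours of "radio silence" in the middle;
# ws-04 is an ordinary user browsing a news site at irregular times.
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-17 twitter.com
2011-03-01T09:10:02 ws-17 twitter.com
2011-03-01T09:19:58 ws-17 twitter.com
2011-03-01T09:30:01 ws-17 twitter.com
2011-03-01T11:10:00 ws-17 twitter.com
2011-03-01T11:20:03 ws-17 twitter.com
2011-03-01T11:29:57 ws-17 twitter.com
2011-03-01T09:00:00 ws-04 news.example
2011-03-01T09:03:12 ws-04 news.example
2011-03-01T09:41:00 ws-04 news.example
2011-03-01T10:02:45 ws-04 news.example
2011-03-01T13:15:09 ws-04 news.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group contact times by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events[(m.group(2), m.group(3))].append(ts)
    return events


def beacon_score(timestamps):
    """Return period (median gap, seconds) and jitter (MAD / median) for a contact series."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few contacts to say anything
    period = median(gaps)
    if period <= 0:
        return None
    mad = median(abs(g - period) for g in gaps)  # robust: a few huge silence gaps barely move it
    return {"contacts": len(ts), "period": period, "jitter": mad / period}


def find_beacons(text, max_jitter=0.1, min_contacts=5):
    """Return (src, dst, period_seconds, jitter) for series that look like scheduled check-ins."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        s = beacon_score(ts)
        if s and s["contacts"] >= min_contacts and s["jitter"] <= max_jitter:
            hits.append((src, dst, int(s["period"]), round(s["jitter"], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

With mean and standard deviation the two-hour gap for ws-17 would push the coefficient of variation well above any sensible threshold; with median/MAD the series still scores as a ~600 s beacon. The limitation cuts the other way too: a bot that deliberately randomises its interval across a wide range will push jitter above the threshold, so this is a first-pass filter to feed a baseline of which internal hosts normally talk to which social-network destinations, not a verdict on its own.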
Stuxnet
• Signed with stolen certificates: JMicron, Realtek
• Initial infection vector: USB; USB replication limited to 3 hops (x3)
• 4 unique Windows vulns, each a 0day; present on most MS platforms (2003 onward)
• Discovers the PLC, then pushes new (rogue) PLC device logic
Stuxnet 2
• Network propagation vulnerabilities (remote code execution, not privilege escalation): SMB – MS08-067; Print Spooler – CVE-2010-2729 / MS10-061
• USB proliferation vulnerability: BID 41732 (the Windows Shell .LNK shortcut flaw, MS10-046), carried by the dropper files ~WTR4141.tmp and ~WTR4132.tmp
Stuxnet targeted a difficult, proprietary protocol / system … an open protocol with no authentication, such as Modbus, would be a walk in the park
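To make the Modbus point concrete, here is an added example (not code from the original slides) of what "walk in the park" means on the wire: a Modbus/TCP Write Single Register request is twelve bytes with no session, no credentials and no integrity check, so any host that can reach TCP/502 can change a setpoint. The toy PLC, the register addresses and the allow-list policy are constructed for illustration; the frame layout (MBAP header plus PDU, function 0x06, exception responses with the high bit set) follows the Modbus specification.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_ILLEGAL_FUNCTION = 0x01
EXCEPTION_ILLEGAL_DATA_ADDRESS = 0x02


def build_write_single_register(tid, unit, address, value):
    """Build a Write Single Register request (function 0x06): this is all an attacker needs to send."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length covers unit id + PDU
    return mbap + pdu


def parse_frame(frame):
    """Split a Modbus/TCP frame into header fields and PDU, validating the MBAP length field."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


class ToyPLC:
    """Minimal Modbus slave (hypothetical): holding registers and nothing that checks who is asking."""

    def __init__(self, registers=32):
        self.holding = [0] * registers

    def _exception(self, req, code):
        # Exception response: original function code with bit 7 set, then the exception code.
        pdu = struct.pack(">BB", req["function"] | 0x80, code)
        return struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu

    def handle(self, frame):
        req = parse_frame(frame)
        if req["function"] != FC_WRITE_SINGLE_REGISTER or len(req["data"]) != 4:
            return self._exception(req, EXCEPTION_ILLEGAL_FUNCTION)
        address, value = struct.unpack(">HH", req["data"])
        if address >= len(self.holding):
            return self._exception(req, EXCEPTION_ILLEGAL_DATA_ADDRESS)
        self.holding[address] = value  # no authentication, no authorisation, no audit
        return frame  # a successful write is acknowledged by echoing the request


# Compensating control the protocol itself lacks: an allow-list enforced in front of the PLC
# (firewall or IDS rule). Only the HMI may use write functions; everyone else is read-only.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def policy_allows(src_ip, frame, allowed_writers):
    req = parse_frame(frame)
    if req["function"] in WRITE_FUNCTIONS:
        return src_ip in allowed_writers
    return True


if __name__ == "__main__":
    plc = ToyPLC()
    frame = build_write_single_register(tid=1, unit=1, address=0x0010, value=1234)
    print(frame.hex())                                      # 12 bytes, no credentials anywhere
    plc.handle(frame)
    print(plc.holding[0x0010])                              # setpoint now 1234
    print(policy_allows("10.0.0.99", frame, {"10.0.0.5"}))  # blocked by the allow-list
```

The allow-list is the practical takeaway: because Modbus cannot distinguish the HMI from an intruder, the distinction has to be made by something in the path that keys on source address and function code, and that device needs to parse the frame far enough to tell a read (0x03) from a write (0x06, 0x10).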
Mitigation Strategy: real-world solutions to combat the APT threat
Defence Strategy
• Conduct External / Internal Security Assessments: what you don't know can STILL hurt you; assess from both the external and the internal perspective
• Education / Awareness Training: regular briefings; foster an environment of security / communication
• Intra-departmental Security Bulletins: weekly reminders, trends
• Advanced Persistent Diligence: continuous security monitoring
Event Horizon: what do we see on the way?
The Horizon
• Mutating bots / Command & Control: quiet installation; obfuscated exfiltration (HTTP, DNS, masked)
• Directed social engineering: staggered attack, combined with other styles, building relationships over time
• Leverage of social networks (SocNet): Facebook is not your friend; Twitter or LinkedIn aren't too fond of you either…
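Obfuscated exfiltration over DNS, listed above, works because DNS is almost always allowed out of a control network and nobody reads query names. The following added example (not code from the original slides) shows both sides: the encoder that turns a payload into the leftmost labels of lookups against an attacker-controlled domain, and a detector that groups query names by registered domain and flags the ones whose labels look like encoded data. The payload, the attacker domain and the benign hostnames are constructed for the example; the base32 encoding is one common choice, not a claim about any specific tool.

```python
import base64
import math
from collections import defaultdict


def encode_for_dns(data, domain, chunk=32):
    """Attacker side: base32 the payload and carry it as the leftmost label of successive queries."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{text[i:i + chunk]}.{domain}" for i in range(0, len(text), chunk)]


def decode_from_dns(qnames):
    """Receiver side (the authoritative server for the attacker domain): reassemble the payload."""
    text = "".join(q.split(".")[0] for q in qnames).upper()
    text += "=" * (-len(text) % 8)  # restore the base32 padding stripped by the encoder
    return base64.b32decode(text)


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude last-two-labels approximation; a public-suffix list is the proper tool."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(qnames, min_unique=3, min_len=16, min_entropy=3.0):
    """Flag registered domains whose distinct leftmost labels are long, numerous and high-entropy."""
    by_domain = defaultdict(list)
    for q in qnames:
        by_domain[registered_domain(q)].append(q.split(".")[0])
    flagged = {}
    for dom, labels in by_domain.items():
        uniq = set(labels)
        avg_len = sum(len(l) for l in uniq) / len(uniq)
        avg_ent = sum(entropy(l) for l in uniq) / len(uniq)
        if len(uniq) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_labels": len(uniq),
                            "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed sample: benign corporate lookups plus an exfil burst to a hypothetical attacker domain.
PAYLOAD = b"site=houston;plc=3;tag=pump1;setpoint=47.5;alarm=none;done!!"
EXFIL_DOMAIN = "cdn-updates.example"
BENIGN = ["www.corp.example", "mail.corp.example", "mail.corp.example", "intranet.corp.example"]
QUERIES = BENIGN + encode_for_dns(PAYLOAD, EXFIL_DOMAIN)


if __name__ == "__main__":
    for q in QUERIES:
        print(q)
    print(score_domains(QUERIES))
    print(decode_from_dns(encode_for_dns(PAYLOAD, EXFIL_DOMAIN)))
```

Two caveats for production use: CDNs and some anti-virus update services legitimately use long hashed labels, so the detector needs an allow-list or a baseline of which domains the site normally queries; and a patient adversary will throttle to a few queries an hour, so counting unique labels per domain over a day, not per minute, is what catches the staggered variant described above.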
questions/comments
Speaker: Jonathan Pollet, CISSP, CAP, PCIP, Red Tiger Security
Office: +1.877.387.7733
Email: jpollet@redtigersecurity.com
Web: www.redtigersecurity.com
Upcoming Training: http://www.blackhat.com/html/bh-us-11/training/parker-scada.html
Check out our Industry Briefings and News Feeds: http://www.redtigersecurity.com/security-briefings/