apt style attacks on scada systems
play

APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan - PowerPoint PPT Presentation

APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1 speaker Jonathan Pollet, CISSP, CAP, PCIP Started as a Control Systems Engineer


  1. APT-Style Attacks on SCADA Systems Stuxnet … Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1

  2. speaker — Jonathan Pollet, CISSP, CAP, PCIP — Started as a Control Systems Engineer for Chevron — 12 years in Electrical Engineering / SCADA — Began conducting research into Control Systems Security in 2001 — Performed over 150 field assessments of SCADA, DCS, and Control Systems since 2001 — Participant, developer, or reviewer of Control System Security Standards — SCADA Security Trainer / Instructor — Co-Developed the 5-day SCADA Security Advanced course offered through Red Tiger Security and the SANS Institute — Co-Developed the 2-day course entitled “Building, Attacking and Defending SCADA Systems in the Age of Stuxnet” offered through Red Tiger Security and BlackHat 2

  3. outline (10 mins) — Quick introduction to APT (Advanced Persistent Threat) style attacks — Initial Attack vector leverages Social Engineering and Social Networking sites — Malware still favorite initial attack vector — The role of C&C in these modern attacks — Night Dragon (staged over 18 to 24 months) — Stuxnet — Q & A 3

  4. security is more than just passwords and locks 4

  5. APT – Techniques / Tradecraft — OSINT — Social Engineering — Targeted “Spear Phishing” — Malicious Attachments — USB devices — Websites 5

  6. targeted spear phishing — Require in-depth knowledge of target — Sophistication based on posted / known information — Used to leverage people / groups 6

  7. Malicious attachments (malware) — PDF — MS Products — Word, Excel, etc… — The usual suffixes… — mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe 7

  8. APT – Targeted Attacks 8

  9. malware (Con’t) General Attacks Malware Other 66,8% Phishing 7,7% Physical Loss 8,6% 3,1% Denial of Service 11,8% 1,8% Unauthorized Access 0,2% Attempt Inappropriate Use hIp://www.f ‐ secure.com/weblog/archives/00001676.html 9

  10. Command and Control (C&C) — Leverages communication systems to relay messages — Command Vectors — Twitter — IRC — Facebook — Google Groups 10

  11. Staged attack — Series of weeks/months to fully compromise a system — Incremental uploads/downloads/ xchanges — Results are fully “rooted” devices — Random “radio” silence — Remain hidden, 11

  12. APT – Phased Compromise Command Exfiltration / Initiation & Control Propagation Hosts / Discovery Devices 0Day / Spread Vuln Radio First Silence Contact Orders Infect Collect Data Transmit 12

  13. Stuxnet • Jmicron Certificate • Realtek • Initial infection vector • USB USB replication (x3) • 4 unique Vulns Windows • Each found on 0day most MS 2003 • Discovers PLC Rogue PLC Device logic • Pushes new logic 13

  14. Stuxnet — 2 Privileges Escalation Vulnerabilities — SMB – MS08-067 — Print Spooler — CVE-2010-2729 — MS10-061 — USB Proliferation Vulnerability BID 41732 + ~WTR4141.tmp — ~WTR4132.tmp — 14

  15. Stuxnet targeted a difficult protocol / system… > Modbus would be a walk in the park 15

  16. Mitigation Strategy Real world solutions to combat the APT Threat 16

  17. Defence Strategy — Conduct External/Internal Security Assessments What you don’t know can STILL hurt you — Assessments from External / Internal perspective — — Education / Awareness Training — Regular Briefings — Foster environment of Security / Communication — INTRA Departmental — — Security Bulletins Weekly reminders — Trends — — Advanced Persistent Diligence Continuous Security Monitoring — 17

  18. Event Horizon What do we see on the way 18

  19. The Horizon — Mutating Bots / Command & Control — Quiet installation — Obfuscated Exfiltration (HTTP, DNS, Masked) — Directed Social Engineering — Staggered Attack — Combined with other styles — Building relationships over time — Leverage of Social Networks (SocNet) — Facebook is not your friend — Twitter or Linkedin aren’t too fond of you either… 19

  20. questions/comments — Speaker: Jonathan Pollet, CISSP, CAP, PCIP Red Tiger Security office: +1.877.387.7733 Email: jpollet@redtigersecurity.com web: www.redtigersecurity.com — Upcoming Training: http://www.blackhat.com/html/bh-us-11/training/parker-scada.html — Check out our Industry Briefings and News Feeds: http://www.redtigersecurity.com/security-briefings/ 20

Recommend


More recommend