Continuous Asset Discovery, Risk Management & Threat Monitoring for IIoT & ICS Networks
SANS Webinar on NIST Recommendations for IIoT & ICS Security With Behavioral Anomaly Detection (BAD)
February 28, 2019
Phil Neray, VP of Industrial Cybersecurity
CyberX at a Glance
Only industrial platform built by blue-team experts with a track record defending critical national infrastructure
• Founded in 2013
• Global presence: Boston (HQ), Chicago & Houston, Florida, London, Paris, Munich, Tokyo, Israel
• Only IIoT & ICS security firm with a patent for its ICS-aware threat analytics
• Simplest, most mature and most interoperable solution
• Partnerships with leading security companies & MSSPs worldwide
Unified IT/OT Security Monitoring & Governance
Partnered with Global Technology Leaders
Challenges We Address for Clients
• Asset Discovery: What devices do I have, how are they connected — and how are they communicating with each other?
• Risk & Vulnerability Management: What are the vulnerabilities and risks to our most valuable assets — and how do I prioritize mitigation?
• Continuous Threat Monitoring, Incident Response & Threat Hunting: Do we have any ICS threats in our network — and how do we quickly respond to them?
• Unified IT/OT Security Monitoring & Governance: How can I leverage my existing IT security investments — people, training & tools — to secure my OT infrastructure?
Most Recognized ICS Threat Intelligence
CyberX threat research featured in (media logos); Chapter 7
Continuously Discovering New ICS Zero-Day Vulnerabilities:
• ICSA-18-228-01: Uncontrolled Search Path Element, Relative Path Traversal, Improper Privilege Management, Stack-Based Buffer Overflow
• ICSA-17-278-01A: Buffer Overflow
• ICSA-16-306-01: Buffer Overflow
• ICSA-17-087-02, ICSA-16-026-02, ICSA-17-339-01D, ICSA-15-300-03A: Arbitrary File Upload, Buffer Overflow, Improper Input Validation (DDoS), Buffer Overflow, Buffer Overflow
• ICSA-15-351-01: Buffer Overflow
Simple, Non-Invasive, Agentless — No Rules or Signatures
Proprietary Deep Packet Inspection and Network Traffic Analysis (NTA)
• Input: network traffic data from a SPAN port on a network switch in the OT network
• Optional input: CMDB asset data, firewall rules, etc.
CyberX Platform Architecture
CyberX Central Management
Capabilities & Use Cases:
• ICS Asset Management
• ICS Risk & Vulnerability Management with Threat Modeling
• ICS Threat Monitoring & Detection
• ICS Incident Response & Threat Hunting
• SOC Integration: SIEM, Ticketing & Orchestration, REST APIs, Firewalls & NAC, Secure Remote Access
Self-Learning Analytics Engines:
• Behavioral Anomaly Detection
• Protocol Violation Detection
• IT & OT Malware Detection
• Network Traffic Analysis (NTA)
• Unusual M2M Communication Detection
• Operational Incident Detection
• Data Mining Infrastructure
Core Capabilities:
• IP Network & Serial Device Dissectors
• Embedded Knowledge of ICS Devices & Protocols
• Proprietary ICS Threat Intelligence & Vulnerability Research
• ICS Malware Analysis Sandbox
Malware-Free Attacks Are Growing — Why BAD is Needed Now
“So the important question to ask is not, ‘Can you prevent the initial compromise?’ — that may be an impossibility. To be successful at stopping breaches, an organization needs to detect, investigate, and remediate or contain the threat as quickly as possible.”
Malware-Free Examples
• Stolen credentials
• PowerShell
• Router compromises
Source: https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
CyberX Global ICS & IIoT Risk Report — Top Data Points
Based on traffic data collected from 850+ production ICS networks across 6 continents and all sectors (Energy & Utilities, Oil & Gas, Pharmaceuticals, Chemicals, Manufacturing, Mining)
• Anti-Anti-Virus: 43% automatic updates detected / 57% no automatic updates
• Mythical Air-Gap: 40% internet connections detected / 60% no internet connections
• Broken Windows: 47% only modern Windows versions / 53% sites with unsupported Windows boxes
• Hiding in Plain Sight: 31% encrypted passwords / 69% plain-text passwords detected
Download full report: cyberx-labs.com/risk-report-2019
The TRITON attack on a petrochemical facility “had a deadly goal … it was not designed to simply destroy data or shut down the plant … it was meant to sabotage the firm’s operations and trigger an explosion.”
The New York Times
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
TRITON Kill Chain (diagram spans Purdue levels L4 through L0)
1. Deploy PC malware
2. Steal OT credentials
3. Install RAT in safety PLC (TriStation protocol)
4. Disable safety PLC & launch 2nd cyberattack
CyberX Threat Intelligence: Reverse-Engineering TRITON
GetMPStatus packet structure (kill-chain step 3: Install RAT in safety PLC)
https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/
New TRITON Information from S4x19 Conference
• First incident actually 2 months earlier — in June 2017
• Plant shutdown for 1 week when safety controller tripped
• Automation vendor concluded it was mechanical failure
• 2nd incident affected (6) safety controllers — not just two
• Caused another 1-week shutdown — hundreds of $ million from downtime & cleanup
• Danger from toxic hydrogen sulfide gases
• Incident response uncovered multiple red flags
• Misconfigured firewalls enabled attackers to move from IT network to DMZ to OT network
• AV alerts on workstations about Mimikatz credential-stealing malware were ignored
• Ongoing alerts about RUN/PROGRAM key in unsafe position were also ignored — enabled attackers to upload malicious backdoor into safety controller
• Suspicious RDP sessions to plant's engineering workstations from IT network
• True lesson = lack of clear roles: Who is responsible for ensuring security controls are properly implemented & effective — IT, OT, integrator, or automation vendor?
https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-widespread-than-publicly-known/d/d-id/1333661
https://www.cyberscoop.com/trisis-investigator-saudi-aramco-schneider-electric-s4x19/
https://www.eenews.net/energywire/stories/1060115423
Threat Anomaly Scenarios Detected by CyberX in NIST Report
• Unauthorized Device Is Connected to the Network
• Unencrypted HTTP Credentials
• Unauthorized Ethernet/IP Scan of the Network
• Unauthorized SSH Session Is Established with Internet-Based Server
• Data Exfiltration to the Internet via DNS Tunneling
• Unauthorized PLC Logic Download
• Undefined Modbus TCP Function Codes Transmitted to PLC
• Data Exfiltration to the Internet via Secure Copy Protocol
• Virus Test File Is Detected on the Network
• Denial-of-Service Attack Is Executed Against the ICS Network
• Data Exfiltration Between ICS Devices via UDP
• Invalid Credentials Are Used to Access a Networking Device
• Brute-Force Password Attack Against a Networking Device
• Unauthorized PLC Logic Update — Robotics System
• Unauthorized PLC Logic Update — Process Control System
CyberX Event Timeline
Unauthorized Device Is Connected to the Network
This anomaly was executed on the PCS. The engineering laptop (Windows 7) was removed from the network during the baseline analysis phase of the product and was later connected to VLAN-2 to execute the anomaly. After the initial connection, background traffic was automatically generated onto the network by the laptop.
Unencrypted Credentials
This anomaly was executed on the CRS. An Apache HTTP server was configured on Machining Station 1 and contained a directory that was protected by HTTP basic authentication. The web pages hosted in the protected directory enabled an operator to remotely view machine status information. The connection was initiated from the Firefox browser on the engineering workstation.
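HTTP basic authentication sends the credentials base64-encoded, not encrypted, so a passive monitor on the SPAN port sees them in every request to the protected directory. The following detector, added here as an illustration and not code from the webinar, the NIST report or CyberX, parses a captured cleartext HTTP request head, identifies the Basic scheme, and raises an alert that carries the username but deliberately drops the password. The request bytes, the 192.0.2.x addresses and the `operator` account are constructed sample data; nothing here corresponds to the actual CRS testbed hosts. Note that this only works on cleartext HTTP; once the server is moved to TLS the credentials are no longer visible on the wire, which is also the mitigation.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BasicAuthAlert:
    src: str
    dst: str
    host: str
    path: str
    username: str  # the password is intentionally not carried into the alert


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Minimal HTTP/1.x request-head parser -> (method, path, lowercase header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def username_from_basic(header_value: str) -> Optional[str]:
    """Return the username from an 'Authorization: Basic <b64>' value, or None if not Basic / malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in creds:
        return None
    return creds.split(":", 1)[0]


def detect_plaintext_basic_auth(src: str, dst: str, raw: bytes) -> Optional[BasicAuthAlert]:
    """Alert when a cleartext HTTP request carries Basic credentials."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    _, path, headers = parsed
    auth = headers.get("authorization")
    if auth is None:
        return None
    user = username_from_basic(auth)
    if user is None:
        return None
    return BasicAuthAlert(src, dst, headers.get("host", ""), path, user)


# Constructed sample traffic (hypothetical addresses and account; not from the NIST testbed).
CONSTRUCTED_AUTH_REQUEST = (
    b"GET /status/ HTTP/1.1\r\n"
    + b"Host: 192.0.2.41\r\n"
    + b"User-Agent: Mozilla/5.0\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"operator:ChangeMe!") + b"\r\n"
    + b"\r\n"
)
CONSTRUCTED_PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.41\r\n\r\n"


if __name__ == "__main__":
    alert = detect_plaintext_basic_auth("192.0.2.10", "192.0.2.41", CONSTRUCTED_AUTH_REQUEST)
    print("alert:", alert)
    print("no alert:", detect_plaintext_basic_auth("192.0.2.10", "192.0.2.41", CONSTRUCTED_PLAIN_REQUEST))
```

Feeding this per reassembled TCP stream rather than per packet avoids missing headers that straddle segment boundaries; the parser itself only needs the request head, so the body can be discarded.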
Unauthorized Ethernet/IP Scan
During the reconnaissance phase, an attacker may attempt to locate vulnerable services in an ICS network and will likely include probing for ICS-specific services (e.g., Ethernet/IP). Once a vulnerable service, host, or device is discovered, an attacker may attempt to exploit that entity.
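A scan for EtherNet/IP shows up on the wire as one source touching many distinct hosts on the EtherNet/IP port (TCP 44818 for explicit messaging, UDP 44818 for List Identity) in a short time, which an HMI polling its two or three PLCs never does. The detector below is an added example, not code from the webinar, the NIST report or CyberX: it keeps a sliding window of EtherNet/IP targets per source host and alerts when the count of distinct targets crosses a threshold, unless the source is in a baseline of hosts authorized to sweep (for example an asset-inventory tool). The flow records, the 192.0.2.x addresses, the window and the threshold are constructed assumptions to be tuned per site.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

ENIP_PORT = 44818               # EtherNet/IP explicit messaging (TCP) and List Identity (UDP)
WINDOW_SECONDS = 60.0           # assumed window; tune per site
DISTINCT_TARGET_THRESHOLD = 8   # assumed threshold; tune per site


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ScanAlert:
    src: str
    first_ts: float
    last_ts: float
    targets: Tuple[str, ...]


class EnipScanDetector:
    """Sliding-window count of distinct EtherNet/IP targets per source host."""

    def __init__(self, authorized_scanners: Set[str],
                 window: float = WINDOW_SECONDS, threshold: int = DISTINCT_TARGET_THRESHOLD):
        self.authorized = authorized_scanners
        self.window = window
        self.threshold = threshold
        self._recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self._alerted: Set[str] = set()   # alert once per source to avoid a flood

    def observe(self, flow: Flow) -> Optional[ScanAlert]:
        if flow.dport != ENIP_PORT or flow.proto not in ("tcp", "udp"):
            return None
        if flow.src in self.authorized:
            return None
        q = self._recent[flow.src]
        q.append((flow.ts, flow.dst))
        while q and flow.ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= self.threshold and flow.src not in self._alerted:
            self._alerted.add(flow.src)
            return ScanAlert(flow.src, q[0][0], flow.ts, tuple(sorted(targets)))
        return None


def constructed_flows() -> List[Flow]:
    """Constructed sample flow records (hypothetical addresses, not from the NIST testbed)."""
    flows: List[Flow] = []
    for i in range(10):                      # HMI polling two PLCs: normal
        flows.append(Flow(float(i * 5), "192.0.2.10", "192.0.2.101", "tcp", ENIP_PORT))
        flows.append(Flow(float(i * 5) + 1, "192.0.2.10", "192.0.2.102", "tcp", ENIP_PORT))
    for i in range(12):                      # unknown host sweeping .101-.112 in 22 seconds
        flows.append(Flow(100.0 + i * 2, "192.0.2.50", f"192.0.2.{101 + i}", "tcp", ENIP_PORT))
    for i in range(12):                      # authorized inventory tool doing the same sweep
        flows.append(Flow(200.0 + i * 2, "192.0.2.5", f"192.0.2.{101 + i}", "tcp", ENIP_PORT))
    flows.append(Flow(300.0, "192.0.2.50", "192.0.2.200", "tcp", 443))   # unrelated traffic
    return flows


def run_detector(flows: List[Flow], authorized: Set[str]) -> List[ScanAlert]:
    det = EnipScanDetector(authorized)
    alerts: List[ScanAlert] = []
    for f in sorted(flows, key=lambda x: x.ts):
        a = det.observe(f)
        if a is not None:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for alert in run_detector(constructed_flows(), {"192.0.2.5"}):
        print(f"EtherNet/IP sweep from {alert.src}: {len(alert.targets)} targets "
              f"between t={alert.first_ts:.0f}s and t={alert.last_ts:.0f}s")
```

The same structure applies to other ICS service ports (Modbus 502, S7comm 102, and so on); what makes the detection meaningful is the baseline of which hosts are expected to talk to many controllers, which is exactly what the learning phase described earlier provides.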
Unauthorized SSH Session
This anomaly was executed on the PCS. The OpenSSH suite was installed and configured on a server with an internally routed public IP address (129.6.1.2). The open-source SSH client PuTTY was used to establish a connection with the SSH service from the engineering workstation to the internet-based server.
Data Exfiltration to Internet via DNS Tunneling
Attacks against ICS with the goal of information gathering must (at some point) attempt to exfiltrate sensitive or proprietary data from the ICS network, potentially utilizing the internet as a transport mechanism. Monitoring for ICS devices communicating to other devices over the internet can help detect data exfiltration events, especially if the affected device does not normally communicate over the internet.
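DNS tunneling encodes the exfiltrated data into query names, so the observable signal is one host issuing many never-before-seen, high-entropy subdomains under a single parent domain. The detector below is an added illustration, not code from the webinar, the NIST report or CyberX: it groups DNS queries by source and parent domain, computes the Shannon entropy of the subdomain part, and flags a source when the number of unique subdomains in a window and their mean entropy both exceed thresholds. Per the point made above, a device that is not expected to talk to the internet at all gets a lower count threshold. The query log, the 192.0.2.x addresses, the `exfil.example` domain, the windows and the thresholds are all constructed assumptions; the "last two labels" rule for the parent domain is a simplification that ignores public-suffix rules.

```python
import base64
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DnsQuery:
    ts: float
    src: str
    qname: str


@dataclass(frozen=True)
class TunnelFinding:
    src: str
    base_domain: str
    unique_subdomains: int
    mean_entropy: float
    max_label_len: int
    no_internet_baseline: bool   # True when the source is a device not expected to use the internet


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, base_domain); base = last two labels (simplification, no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunneling(queries: List[DnsQuery], no_internet_devices: Set[str],
                         window: float = 300.0, min_unique: int = 10,
                         min_entropy: float = 3.5) -> List[TunnelFinding]:
    by_key: Dict[Tuple[str, str], List[DnsQuery]] = defaultdict(list)
    for q in queries:
        _, base = split_name(q.qname)
        by_key[(q.src, base)].append(q)
    findings: List[TunnelFinding] = []
    for (src, base), qs in by_key.items():
        qs.sort(key=lambda q: q.ts)
        latest = qs[-1].ts
        recent = [q for q in qs if latest - q.ts <= window]      # only the trailing window
        subs = {split_name(q.qname)[0] for q in recent} - {""}
        strict = src in no_internet_devices
        threshold = max(1, min_unique // 2) if strict else min_unique
        if len(subs) < threshold:
            continue
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        max_label = max(len(label) for s in subs for label in s.split("."))
        if mean_ent >= min_entropy:
            findings.append(TunnelFinding(src, base, len(subs), round(mean_ent, 2), max_label, strict))
    return findings


def constructed_queries() -> List[DnsQuery]:
    """Constructed sample query log (hypothetical hosts and domains, not from the NIST testbed)."""
    qs: List[DnsQuery] = []
    for i in range(6):   # engineering workstation: a vendor update host and a time server
        qs.append(DnsQuery(10.0 * i, "192.0.2.10", "update.vendor.example"))
        qs.append(DnsQuery(10.0 * i + 1, "192.0.2.10", "time.example.net"))
    for i in range(20):  # tunnel: each data chunk becomes a base32 label under one domain
        chunk = hashlib.sha256(f"chunk-{i}".encode()).digest()   # deterministic stand-in for data
        label = base64.b32encode(chunk).decode().rstrip("=").lower()   # 52 characters
        qs.append(DnsQuery(100.0 + 2.0 * i, "192.0.2.77", f"{label}.exfil.example"))
    return qs


if __name__ == "__main__":
    for f in detect_dns_tunneling(constructed_queries(), {"192.0.2.77"}):
        print(f"possible DNS tunnel: {f.src} -> {f.base_domain}, {f.unique_subdomains} unique "
              f"subdomains, mean entropy {f.mean_entropy}, longest label {f.max_label_len}")
```

In a real deployment the query stream comes from the site's resolver logs or from DNS traffic on the SPAN port, and the `no_internet_devices` set is the list of controllers and HMIs whose learned baseline contains no internet-bound communication; for those, even a handful of outbound DNS lookups is worth an alert on its own.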