seminar series industrial cyber threats and
play

Seminar Series Industrial Cyber Threats and Future Planning Robert - PowerPoint PPT Presentation

Jul 10, 2023 •172 likes •424 views

Seminar Series Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com Agenda Where We Are Selected Case Studies in Cyber Attacks Where Were Heading

  1. Seminar Series

  2. Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com

  3. Agenda • Where We Are • Selected Case Studies in Cyber Attacks • Where We’re Heading • Recommendations

  4. The Unknown Threat Landscape Few People Know How to Protect the ICS that Run Our World The Threat Landscape is Mostly Unknown 4

  5. Finding More and More Occurring 2015-2017 Adversaries Disrupt ICS - Campaigns: 10 Unique - ICS Malware: CRASHOVERRIDE and TRISIS 2013 - 2015 - First and second ever electric grid attacks that disrupt power 2010 - 2012 - First malware to target human life 1998 - 2009 Campaigns Target ICS New Interest in ICS Lack of Collection - Campaigns: Dragonfly - Campaigns: Sandworm - Campaigns: APT1 - ICS Malware: BlackEnergy 2 and Havex - ICS Malware: Stuxnet - ICS Malware: None - First attack to cause physical destruction on civilian infrastructure (German Steel)

  6. The Diamond Model Adversary Infrastructure Capability/TTPs Victim Ref: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

  7. Links: Development team for Sandworm ELECTRUM • Long term access to ICS • Dual-use infrastructure • CRASHOVERRIDE such as TOR to host C2 • ICS Specific Modules • Internal proxies setup • Operations Knowledge Russian State Interests • Ukrainian Utility Companies • Electric • Water

  8. Links: Dragonfly 2.0 Not Dragonfly 1.0 DYMALLOY • Malicious docs w/ credential • Compromise ISP IPs harvesting via external SMB • connections Compromised business • connections for initial RATs from publicly available toolkits • infection and subsequent Custom-developed information implants theft toolkits built on public tools Multi-State • One non-public toolkit Adversary Interests • North American electric operators • Turkish energy providers • Western Europe electric operators

  9. Links: “ OilgRig ” Actor CHRYSENE • • Actor owned infrastructure 64-bit malware using DNS for C2 • • Domain patterns after Greenbug malware with HTTP C2 • legitimate resources OilRig as evolution of Greenbug • • Custom DNS server as Unique DNS C2 system • authoritative for the Initial beacon AAAA request • domain to enable C2 IPv6 encoded commands Iranian State Interests • Arabian gulf region • Saudi Arabia petrochemical focus • Oil/gas, petro, and electric generation

  10. Links: APT 33 MAGNALIUM • • Spoofed domains of Commodity and non-public relevance to victim malware combination • • Dynamic DNS for C2 Publicly available crimeware • • IT services and aerospace Specific malware encoding routine themed Iranian State Interests • Saudi Arabian petrochemical • Aerospace companies • North America and South Korean targets only with Saudi business

  11. Links: Unknown COVELLITE • Sophisticated implant with secure communication channels • Similar features to malware used • Legitimate infrastructure against South Korean targets • University IPs for C2 • Specific session key used for payload and second encrypted North Korean layer State Interests • 41 minute and 30 second sleep • Electric utility companies in the United States

  12. German Steel Plant - 2014 • Dec 18, 2014 German Government’s BSI released annual report highlighting incidents • Identified “massive damage” in a steel facility due to a cyber attack • 2 nd publicly known case of physical damage to control systems from cyber attacks

  13. Ukraine 2015 • 1 st Ever cyber attack on a power grid to lead to outages • 3 power companies across Ukraine • SCADA Hijack scenario by a well funded team

  14. Ukraine 2016 - CRASHOVERRIDE

  15. Middle East 2017 - TRISIS • TRISIS was delivered into a petrochemical facility in the Middle East by a well funded attack team • Targeted Safety Instrumented System (SIS) and failed causing a stop in operations • 1 st malware to specifically target human life

  16. You Cannot Just Patch Away the Problem Dragos’ 2017 in Review reports revealed that for ICS vulnerabilities: • 64% of all vulns didn’t eliminate the risk • 72% provided no alternate mitigation to the patch • Only 15% could be leveraged to gain initial access Ref: www.dragos.com/YearInReview/2017

  17. Where We’re Heading

  18. ICS Incidental Impact vs. ICS-Tailored ICS Incidental Impact ICS-Tailored • Resource Usage • Protocol Knowledge • Destructive • System Knowledge • Wormable • Process Knowledge

  19. Multi-Phase Attacks Ref: https://www.sans.org/reading-room/whitepapers/ICS/industrial- control-system-cyber-kill-chain-36297

  20. Research Ideas

  21. Your Goal – Satisfy the Right Requirements MTTR Company Risk RCA ADT 21

  22. Problems Problem: Rush for Sensors Problem: Over-Focus on Malware, Vulns, and Exploits Problem: Over-Focus on ML/AI Models Problem: Need to Scale Knowledge/Workforce Problem: Big Architecture Changes

  23. Ideas Idea: Common, Robust, Dynamic Sensor Idea: Limiting of Impact Outside Scope Idea: Intelligence-Driven Approach Idea: Enabling/Scaling Human Knowledge Idea: Common Logging/API in OEM Gear

  24. Questions? Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com

Recommend

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the

Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the

Seminar Series C E E R Cyber-Physical Experimentation Environment for RADICS Advancing the state of art, CEER is a game changer. A generational leap in capabilities for Cyber- Physical Experimentation in the Electric Power Grid Increased

792 views • 49 slides
Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N , M A S S A C H U S E T T S J U N E 4 , 2 0 12 Antitrust Notice 2 The Casualty Actuarial Society is committed to adhering strictly to the

577 views • 26 slides
Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK businesses and how to remain safe What help is available Further reading Setting the scene 21.2bn The cost of fraud to the

304 views • 19 slides
Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed

Do You See What I See? Navigating Human & Cyber Threats at the Workplace The views expressed by us are not representative of the City of Charlotte. OUTLINE INTRODUCTIONS HUMAN THREATS CYBER THREATS QUESTIONS INTRODUCTIONS

445 views • 25 slides
The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber

The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber

The Onslaught of Cyber Security Threats and What that Means to You No End in Sight for Cyber Crime Growth Number of mobile 200M devices affected IBM 11.6M Number of accounts hacked CNN Money 432M Number of malware samples collected Intel

652 views • 30 slides
The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana

The New Era of Cyber Threats The Shift to Self-Learning, Self-Defending Networks Georgiana Wagemann Director of Sales, Darktrace Evolving Threats in a New Business Landscape Outsourced IT, SaaS, cloud, virtual, supply chain, IoT Not just data

412 views • 15 slides
Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro

Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro

Introduction to Cyber Threats: current status, perspectives and reflects in Brazil Adriano Mauro Cansian Agenda New Cybernetic Global Order Cyber threats. The present and future threat scenarios. The scenario in Brazil. Final

617 views • 46 slides
Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig

Preparing to Fail Changing the way we think about cyber threats Oil Rig Pic Flaming Oil Rig picture The asymmetric nature of the Internet The current state of cyber underground Our current approach UNCLASSIFIED 7 Software Integrity Denial

388 views • 18 slides
Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities

Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities

Commonwealth of Virginia Cyber Commission First Year Report Threats and Opportunities Executive Order Number 8 Identify high risk cyber security issues facing COV. Provide advice and recommendations to secure COV networks,

449 views • 20 slides
tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse

tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse

Introducing the new SpaceGuard SGP 30 series tel SGP 30 Series SpaceGuard Series SGP 30 Series NEW tel SGP 30 in Brief Industrial diffuse proximity light grid Self-contained system (no need for separate controller) Designed for

715 views • 23 slides
Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation

Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation

Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation Baltimore Division Overview Cyber Threat Overview Cyber-enabled Fraud Types of Cyber-enabled Fraud Business Email Compromise

796 views • 47 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or

Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or

Cyber Threats and Federally-funded Cyber Resources Eugene Kipniss State, Local, Tribal, or Territorial Government Entity 2 Why SLTT Governments? Criminals look for data... and governments have a lot of it! 3 TLP: WHITE 3 CBA 6 CBA 4

911 views • 35 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University

Cyber Security Awareness Seminar Presented By: Ryan Moore Ohio Cyber Range Institute, University of Cincinnati About This Seminar Designed for everyday cyber citizens Online Webinar 2 hour Presentation 10 Minute break

607 views • 57 slides
Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib

Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib

Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib Dr. Zahri Yunos Presentation Outline 1. Our Service: CyberDEF (Cyber Defence) 2. Our R&D Product: CMERP (Coordinated Malware Eradication &

605 views • 25 slides
Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against

Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against

Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against Black Sky Events Bill Lawrence, Director of Programs and Engagement Cyber Resilient Energy Delivery Consortium February 3, 2017 1 Agenda

820 views • 48 slides
The Cyber Landscape Ikahan Seminar Jakarta April 2019 Commodore James McCormack RAN Commander

The Cyber Landscape Ikahan Seminar Jakarta April 2019 Commodore James McCormack RAN Commander

The Cyber Landscape Ikahan Seminar Jakarta April 2019 Commodore James McCormack RAN Commander Defence SIGINT and Cyber Command Scope What is cyber Cyber 101. The Conceptual Framework The nature of the cyber threat problem.

753 views • 12 slides
CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

3/29/2012 CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College of India I N T R O D U C T I O N What is Cyber-safety Consequences Threats of Inaction Cyber-safety? Cyber-safety Cyber-safety at

215 views • 7 slides
Minimizing Business Disruption After a Cyberattack Cyber Security Challenges, Threats and

Minimizing Business Disruption After a Cyberattack Cyber Security Challenges, Threats and

1 Minimizing Business Disruption After a Cyberattack Cyber Security Challenges, Threats and Strategies Symposium University of Bahrain 21 st September 2016 By: Ahmed Albalooshi, CISA, CISM, CGEIT. First Vice President IT Al Baraka Banking

200 views • 15 slides
Seminar Series IT and OT, Information Security Architectural and Operational Divides in the

Seminar Series IT and OT, Information Security Architectural and Operational Divides in the

Seminar Series IT and OT, Information Security Architectural and Operational Divides in the Energy Sector Cyber Resilient Energy Delivery Consortium (CREDC) Mark Guth Manager Corporate Security Critical Infrastructure Compliance March 13,

230 views • 22 slides
Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack: cyberatuc.slack.com (URL changed!) SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of our committees:

484 views • 13 slides
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number or compromises escalates and our

182 views • 15 slides

More recommend