
Seminar Series Industrial Cyber Threats and Future Planning Robert - PowerPoint PPT Presentation



  1. Seminar Series

  2. Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com

  3. Agenda • Where We Are • Selected Case Studies in Cyber Attacks • Where We’re Heading • Recommendations

  4. The Unknown Threat Landscape
  Few People Know How to Protect the ICS that Run Our World
  The Threat Landscape is Mostly Unknown

  5. Finding More and More Occurring
  1998 - 2009: Lack of Collection
  - Campaigns: APT1
  - ICS Malware: None
  2010 - 2012: New Interest in ICS
  - Campaigns: Sandworm
  - ICS Malware: Stuxnet
  2013 - 2015: Campaigns Target ICS
  - Campaigns: Dragonfly
  - ICS Malware: BlackEnergy 2 and Havex
  - First attack to cause physical destruction on civilian infrastructure (German Steel)
  2015 - 2017: Adversaries Disrupt ICS
  - Campaigns: 10 Unique
  - ICS Malware: CRASHOVERRIDE and TRISIS
  - First and second ever electric grid attacks that disrupt power
  - First malware to target human life

  6. The Diamond Model: Adversary, Infrastructure, Capability/TTPs, Victim
  Ref: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

  7. ELECTRUM
  Links: Development team for Sandworm
  • Long term access to ICS
  • CRASHOVERRIDE
  • ICS Specific Modules
  • Operations Knowledge
  • Dual-use infrastructure such as TOR to host C2
  • Internal proxies setup
  Russian State Interests
  • Ukrainian Utility Companies
  • Electric
  • Water

  8. DYMALLOY
  Links: Dragonfly 2.0, Not Dragonfly 1.0
  • Malicious docs w/ credential harvesting via external SMB connections
  • Compromised business connections for initial infection and subsequent implants
  • Compromise ISP IPs
  • RATs from publicly available toolkits
  • Custom-developed information theft toolkits built on public tools
  • One non-public toolkit
  Multi-State Adversary Interests
  • North American electric operators
  • Turkish energy providers
  • Western Europe electric operators

  9. CHRYSENE
  Links: “OilRig” Actor
  • Actor owned infrastructure
  • Domain patterns after legitimate resources
  • Custom DNS server as authoritative for the domain to enable C2
  • 64-bit malware using DNS for C2
  • Greenbug malware with HTTP C2
  • OilRig as evolution of Greenbug
  • Unique DNS C2 system
  • Initial beacon AAAA request
  • IPv6 encoded commands
  Iranian State Interests
  • Arabian gulf region
  • Saudi Arabia petrochemical focus
  • Oil/gas, petro, and electric generation

  10. MAGNALIUM
  Links: APT 33
  • Spoofed domains of relevance to victim
  • Dynamic DNS for C2
  • IT services and aerospace themed
  • Commodity and non-public malware combination
  • Publicly available crimeware
  • Specific malware encoding routine
  Iranian State Interests
  • Saudi Arabian petrochemical
  • Aerospace companies
  • North America and South Korean targets only with Saudi business

  11. COVELLITE
  Links: Unknown
  • Sophisticated implant with secure communication channels
  • Similar features to malware used against South Korean targets
  • Specific session key used for payload and second encrypted layer
  • 41 minute and 30 second sleep
  • Legitimate infrastructure
  • University IPs for C2
  North Korean State Interests
  • Electric utility companies in the United States
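The fixed 41 minute 30 second sleep on the COVELLITE slide is the kind of beaconing artifact a defender can look for in egress logs. The following is an added example, not code from the deck or from Dragos: a small Python detector over constructed proxy-log lines in an assumed "ISO-timestamp src dst" format, flagging any source/destination pair whose inter-arrival gaps cluster tightly around the expected interval. It generalizes to other fixed-sleep implants by changing `expected`.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sleep interval quoted on the COVELLITE slide: 41 min 30 s.
COVELLITE_SLEEP_S = 41 * 60 + 30  # 2490 seconds

# Constructed sample egress log (format assumed: "ISO-timestamp src dst").
# 10.0.0.5 -> 203.0.113.10 checks in every ~2490 s; the other pairs are noise.
SAMPLE_LOG = """
2018-03-01T10:00:00 10.0.0.5 203.0.113.10
2018-03-01T10:00:00 10.0.0.7 198.51.100.20
2018-03-01T10:05:12 10.0.0.7 198.51.100.20
2018-03-01T10:33:40 10.0.0.7 198.51.100.20
2018-03-01T10:41:30 10.0.0.5 203.0.113.10
2018-03-01T11:10:02 10.0.0.7 198.51.100.20
2018-03-01T11:11:55 10.0.0.7 198.51.100.20
2018-03-01T11:23:00 10.0.0.5 203.0.113.10
2018-03-01T11:30:00 10.0.0.9 203.0.113.10
2018-03-01T12:04:30 10.0.0.5 203.0.113.10
2018-03-01T12:11:30 10.0.0.9 203.0.113.10
2018-03-01T12:46:05 10.0.0.5 203.0.113.10
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, expected=COVELLITE_SLEEP_S, tolerance=0.02, min_events=4):
    """Return (pair, mean_gap_s, gap_count) for pairs whose inter-arrival gaps
    average within `tolerance` of `expected` and show little relative jitter."""
    hits = []
    for pair, times in events.items():
        times = sorted(times)
        if len(times) < min_events:
            continue  # too few check-ins to call the pattern periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0
        if abs(avg - expected) <= expected * tolerance and jitter <= tolerance:
            hits.append((pair, round(avg), len(gaps)))
    return hits

if __name__ == "__main__":
    for (src, dst), avg, n in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon {src} -> {dst}: {n} gaps, mean {avg}s")
```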

  12. German Steel Plant - 2014
  • Dec 18, 2014: German Government’s BSI released annual report highlighting incidents
  • Identified “massive damage” in a steel facility due to a cyber attack
  • 2nd publicly known case of physical damage to control systems from cyber attacks

  13. Ukraine 2015
  • 1st ever cyber attack on a power grid to lead to outages
  • 3 power companies across Ukraine
  • SCADA Hijack scenario by a well-funded team

  14. Ukraine 2016 - CRASHOVERRIDE

  15. Middle East 2017 - TRISIS
  • TRISIS was delivered into a petrochemical facility in the Middle East by a well-funded attack team
  • Targeted the Safety Instrumented System (SIS) and failed, causing a stop in operations
  • 1st malware to specifically target human life

  16. You Cannot Just Patch Away the Problem
  Dragos’ 2017 Year in Review reports revealed that for ICS vulnerabilities:
  • 64% of all vulns: the patch didn’t eliminate the risk
  • 72% provided no alternate mitigation to the patch
  • Only 15% could be leveraged to gain initial access
  Ref: www.dragos.com/YearInReview/2017

  17. Where We’re Heading

  18. ICS Incidental Impact vs. ICS-Tailored
  ICS Incidental Impact: • Resource Usage • Destructive • Wormable
  ICS-Tailored: • Protocol Knowledge • System Knowledge • Process Knowledge

  19. Multi-Phase Attacks
  Ref: https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

  20. Research Ideas

  21. Your Goal – Satisfy the Right Requirements: MTTR, Company Risk, RCA, ADT

  22. Problems
  • Problem: Rush for Sensors
  • Problem: Over-Focus on Malware, Vulns, and Exploits
  • Problem: Over-Focus on ML/AI Models
  • Problem: Need to Scale Knowledge/Workforce
  • Problem: Big Architecture Changes

  23. Ideas
  • Idea: Common, Robust, Dynamic Sensor
  • Idea: Limiting of Impact Outside Scope
  • Idea: Intelligence-Driven Approach
  • Idea: Enabling/Scaling Human Knowledge
  • Idea: Common Logging/API in OEM Gear

  24. Questions? Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com
