Upload
others
View
8
Download
1
Embed Size (px)
Citation preview
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
Detecting Zero-Day Attacks in Real Time on Day Zero
Industrial Device Integrity Assessment – Hardware, OS & Software Malware Detection
© 2014 PFP Cybersecurity
2
Thurston Brooks
Mr. Brooks is focused on new technologies and solutions for industrial and commercial applications for the protection of critical infrastructure. He has more than 30 years developing and managing a wide variety of solutions for military and industrial applications. Mr. Brooks has engineering degrees from the University of Florida (BS) and the Massachusetts Institute of Technology (MS) with a thesis in Human-Machine Systems and Controls. He also has a University of Chicago MBA. He was a key member of the IEEE/NIST Committee on Smart Sensors (IEEE 1451). Mr. Brooks has published or presented in more than 40 industry journals, symposiums and conferences, and holds two patents. One patented product won 1993 Star Tech Award for Best New Product in Washington Technology magazine.
The Detection Gap
“On any given day, some 50 percent or more of known malware is undetectable.” CounterTack
“Signature-based antivirus is dead” ZDNet
“The Antivirus Era Is Over” MIT Technology Review
“We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. “ Scientific American
• Malware in embedded devices (partial list)
– SCADA/PLC Attacks: Stuxnet, both dormant and active
– Router Attacks: Routing table, forced write, etc.
– Bios Attacks: Root Kits
– Mobile Device Attacks: RATC
• Supply Chain
– Trojan Integrated Circuits: Designed in US, produced in China with backdoor
Cyber Security Trends
4
“Software solutions are no longer enough for software attacks”
“The Hardware Assisted Defense”
Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework (10-22-2013)
− Anomalous activity is detected in a timely manner and the potential impact of events is understood.
− A baseline of normal operations and procedures is identified and managed.
− The physical environment is monitored to detect potential cybersecurity events.
Signature Recognition
Based
HardwareAssisted
AnomalyDetection
PhysicalLayer
SoftwareOnly
Today’s
SOTA
Cutting
Edge
Tech
Standards
for the
Future
BaselineNormal
Current Solutions & What we Need
5
Physical
Layer
Application
Layer
Network
Layer
Current Vendors
Hardware
Assisted
Today TheTrend
Software
Execution
OS
BIOS
Hardware
Out-of-Band
Detection
A New Approach using Sideband Analysis – Quantitative and Deterministic
6
� Detect intrusions by anomaly detection on the processor’s power consumption
Compare New
Data with the
Baseline
Evaluate Next
Module
Side-Channel
Non-Contact
New Power
Trace
Anomaly? Alert
User
yes
no
Real Time and Near Zero False Positive
PFP Monitoring
How Sideband Cyber Attack Discovery Works
7
CPU
Memory
Power Supply
SCADA System
CurrentMonitor
Control Valve In Plant
Plant Operator Monitors Plant
Create Baseline of Instantaneous
Power Usage
Monitoring Unit
PFP Monitoring
Cyber Attack Discovery by Monitoring Power Changes
8
CPU
Memory
Power Supply
SCADA System
CurrentMonitor
Match Signature
Control Valve In Plant
Plant Operator Sees Everything
is Good
Monitoring Unit
ONLY ONE “BIT” ISDIFFERENT
PFP matches Signature
Cyber Attack Recognition Thru Power Discrepancies
9
CPU
Memory
Power Supply
SCADA System
CurrentMonitor
Hacker Injects Malicious Code
Instantly detect
Anomaly in baseline
Plant Operator is “Alerted” System
Compromised
MONITORING ELECTRICAL SIGNATURE
ALLOWS ONE TO “SEE” THE CHANGE
Control Valve In Plant
Monitoring Unit
ONLY ONE “BIT” ISDIFFERENT
PFP matches Signature
Cyber Attack Recognition Thru Power Discrepancies
10
CPU
Memory
Power Supply
SCADA System
CurrentMonitor
Hacker Injects Malicious Code
Instantly detect
Anomaly in baseline
Plant Operator is “Alerted” System
Compromised
MONITORING ELECTRICAL SIGNATURE
ALLOWS ONE TO “SEE” THE CHANGE
Control Valve In Plant
Monitoring Unit
The End-to-End Approach
11
� A disruptive, effective and simple solution- Detect the zero-day attack- Detect both Active & Dormant attacks- No Added Software Needed- Non-intrusive (no electrical contact)- Scalable from chips, boards, devices, systems, etc.- Nearly impossible to evade
Non-Contact
Sensors
Analytics
Chips
SCADA
Networks
Computers
Mobile
Dash Board
For SaaS
Probes
• COTS probes • Low-cost custom design with and
without connectors• Traces on boards or chips have no
cost impact
12
Scanner Probe•COTS
Monitor Probe•COTS•$25 with connector
Board Monitor •<$1•No connector
Board Level•Traces on board
•Free
Chip Level•Traces or active circuits on chip
•Free
The Deployment Process
Exploration • Identify probe requirements• Identify sampling requirements
Characterization • Extract PFP baseline feature sets
Integration• Set user-defined parameters• Create Response policy• Develop Dashboard / UI / API
Monitoring• Assess integrity• Initiate response• Update UI
Maintenance • New version characterization• System updates
13
A Sample Deployment
14
Identify the target device
Establish the baseline
with a Scanner
Verify the monitoring
solution
Set up a Monitor with the verified
solution
In-Field baseline update?
Maintenance and ongoing monitoring
0 2 4 6 8 10 12 14x 10
8-4-2024681012
Frequency
PS
D D
iffer
ence
0 2 4 6 8 10 12 14x 10
8-4-202468
1012)
Frequency
PS
D D
iffer
ence
Devices to be monitored Baseline Anomaly
Cloud-basedand
third-party monitoring solutions
Testing at Savannah River National Lab
Enable new baseline with
software update or on demand
Threats in Semiconductor
• Detecting tampering (kill switch or back door) in chips and modules
• An emulated backdoor– Invert output only when cond_1
is true
4-Bit Counter
LEDs
Encond_1
0 1 2 3 4 5 6 7 80
1
2
3
4
5
6
7
8
9
10
11FPGA Demo, MalMode 1.1 Active
Sam
ple
PD
FMaximum Error
Original App
Tampered App
Cond_1: True
DORMANT
Kill switch loaded
Cond_1: False
ACTIVE
Kill switch Activated
baseline
Deterministic, no false positive
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14FPGA Demo, MalMode 1.1 Inactive
Sam
ple
PD
F
Maximum Error
Original App
Tampered App
FPGA Short Videohttp://youtu.be/3VVuUG7z1qo 15
Clear separation = no false positive
Threats in Android
• Android OS running on the Motorola Droid Processor
• Malware distributed in the Official Android Market – Used by DroidDream,
DroidKungFu, and other malware
• RageAgainstTheCage(RATC) Privilege Escalation Attack
• Monitored Kernel integrity
16
� Single pass assessment results
1 2 3 4 5 6 7 80
0 .1
0 .2
0 .3
0 .4
0 .5
0 .6
0 .7
0 .8
0 .9
D is ta n c e fro m s ig n a tu re
Den
sity
S e tu id re s u lts d is tr ib u tio n a n d fit
O rig ina l e x e c . t rac es
lo g -n o rm a l fi t-E A G A IN e x e c . t rac es
W e ibu ll fit
Proven for sophisticated CPUs and
Operating Systems
Threats in PLCs (Stuxnet)
• On a Siemens PLC (SIMATIC S7-1200) in both Dormant and Active Modes, targeted by Stuxnet (similar to the Iranian setup)
• PLC Logic: Tank level control
Process
HighSensor
PLC
LowSensor
Pump
Out1: level
over sensor
0: levelbelow sensor
0 0.5 1 1.5 2 2.5 3 3.5 4 4.50
2
4
6
8
10
12
14
16
18PLC Demo, Tamper Active L0 H1
Sam
ple
PD
F
Maximum Error
Original App
Tampered App
0 0.5 1 1.5 2 2.5 3 3.5 4 4.50
2
4
6
8
10
12
14
16
18PLC Demo, Tamper Inactive L0 H1
Sam
ple
PD
F
Maximum Error
Original App
Tampered App
Active post processing tamper
ACTIVE
Codes activated
Disabled post processing tamper
DORMANT
Codes loaded in memory
baseline
Real-Time, Continuous MonitoringPLC Short Videohttp://youtu.be/biRAlt7VbPk 17
Allen Bradley SLC-500 PLC Savannah River Nuclear Laboratory
• Initial step, sample the RF emissions given off by the PLC’s processor for each execution path.
• The sampled time series of an execution path is referred to as a trace
18
Allen Bradley SLC-500 PLC Savannah River Nuclear Laboratory
• Compute the statistical characteristics of the execution path.
• Ideally each cycle of the execution path will be identical within a reasonable amount of uncertainty
19
Clear Separation on Deviation from Normal
2014-2015 Products
• eMonitor – standalone unit and probe. Available in convenient DIN-rail mountable form-factors
21
PFP Analytics
Software
Inside
PFP “Scientific” Dashboard
� P2Scan – kit for users to evaluate and monitor their devices for corruption.
� CoreCloud – a SaaS solution that provides cloud-based analytics
� SIEM API – a software API for interfacing to 3rd-party Security Information and Event Management
User’s Equipment
Product Development
• Reducing size, weight, power, and cost
22
P2Scan-L(Laboratory ID System)
•COTS•Bench-top•High-end
P2Scan-P(Production System)
•COTS•Compact•Portable
eMonitor•COTS•Small Form Factor
•DIN Rail Mount
Embedded Board-Level
•PFP embedded on Customer board
Chip•FPGA•Stand-alone silicone, or
• Integrated IP
LaboratoryProbe
•COTS
ProductionProbe
•COTS•$25 with connector
Low-Cost Probe
•<$1•No connector
Embedded Probe
•Traces on board
•Free
Chip Level•Traces or active circuits on chip
•Free
Proofs of Concept
• Network - Wireless – Attacks such as kernel, routing
table, forced write to storage, etc.
• Semiconductor– Detecting tampering (kill switch
or back door) in chips and modules
• SCADA– Siemens PLC (SIMATIC S7-
1200) in both Dormant and Active Modes, targeted by Stuxnet
• Android OS Kernel integrity– RageAgainstTheCage (RATC)
Privilege Escalation Attack• Others – Medical, Mobile
23
3D printed probe
Commercialprobe