Joe Slowik / @jfslowik
Dragos, Inc. | May 2019
Speaker background: Student → Officer → Network Defender → ICS Defender
Figure sources: https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf ; http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png
Increasing Adoption of IT Technology in ICS Environments
Perimeter Extension and Greater Connectivity
Increased Vendor Interest in ICS Security
Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment
Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT
Result: the IT threat surface is imported into the ICS environment – WITHOUT the same security capabilities that enterprise IT uses to manage it
Traditional ICS Perimeter
Vendor and Contractor Access
Increased Remote Work and Administration
Cloud and Off-Prem Products
Increased vendor interest in ICS space
Attempt to leverage “IT-ification” as justification to extend existing IT products to industrial environments
Fails to recognize operational and technical differences in how IT technologies are deployed for industrial use
Adversary progression toward ICS impact:
• Breach victim IT network
• Identify points of contact with ICS
• Enumerate and categorize control system environment
• Deliver effects on objective
Preparatory actions (recon & initial access): many attempts
Deny, degrade, destroy: few examples
ICS-Focused Malware
• STUXNET
• HAVEX
• BLACKENERGY2
• CRASHOVERRIDE
• TRISIS
ICS Disruptive Events
• 2005-2010 (?): STUXNET
• 2014: German Steel Mill Attack
• 2015: Ukraine BLACKENERGY3
• 2016: Ukraine CRASHOVERRIDE
• 2017: Saudi Arabia TRISIS
Disruptive/Destructive Malware
• STUXNET
• CRASHOVERRIDE
• TRISIS
More Aggressive Attacks → Greater Adversary Risk Tolerance → Pursuit of Physical ICS Attacks → Heightened Danger to Asset Owners
Legacy (pre-2016)
• Custom Malware and Specific Tools
• Exploit Use for Movement and Access
• Manual Operations for ICS Impact
Current
• “Commodity” Techniques until ICS Attack
• Credential Theft and System Tool Use to Spread
• ICS Effects and Manipulation Codified in Software
Initial Intrusion & Lateral Movement
• Leverage “Commodity” Tools
• Deploy “Living off the Land” Techniques
• Avoid Custom Tools and Tradecraft
ICS-Specific Disruption
• Attacks are Unique to Target, Environment
• Requires Building Custom Attack Software
• Little Scope for Direct Replay
ICS Environments are “Brittle”
• Little scope for direct testing
• Asset owners are conservative
ICS Attacks have Pre-Requisites
• Focus on enabling factors for testing
• Imperfect for complete security, but valuable for defense in depth
Multiple Paths to Security Testing
• Notional/Logical testing has value
• Direct penetration testing may be least valuable option
Asset Owner Trust
• Clear communication and requirements necessary
• Be prepared for extensive discussion on ROE
• What experience, certifications, and training do you need to enter the environment?
Technical Capability
• Determine scope and direction of test
• ICS tools vs. IT tools – depends on type and extent of assessment
• Are custom tools/capabilities required?
Identifying End-State
• Delineate goals in advance relative to ICS operations:
  • Improve security
  • Enhance recovery
  • Minimize downtime
Initial Intrusion
Enterprise IT access
Enumerate and scope environment
Identify and gather information of interest to ICS operations
IT-ICS Pivot
Identify mechanisms to migrate to ICS
Requires continuous connectivity to adversary infrastructure
ICS Impact
Two mechanisms:
• Manual manipulation (legacy)
• Automated interaction (current)
Goal is to manipulate physical processes via logical means
IT Intrusion
• Essentially a standard penetration test
• For industrial organizations, may need to assign “special attention” to operationally-significant groups
IT-ICS Boundary
• Identify and assess IT-ICS links
• Still represents an IT-centric test, but determines ICS environment external risk
ICS Penetration
• Options include Windows-centric lateral movement testing, or process-specific assessment
• Identify tools and techniques needed in advance in light of ROE
ICS Impact
• Notional/logical only
• Demonstrate mechanisms through which impact could occur – rather than creating such an impact
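The “custom tools/capabilities” question and the “demonstrate, don’t create” rule for ICS impact can be enforced in the tooling itself. The following is an added example, not code from the talk or from Dragos: a small Modbus/TCP request builder that constructs any frame the tester wants to document, but only hands read-only frames to the transport unless the ROE explicitly permits writes. It assumes the control system under test speaks Modbus/TCP; the transaction ID, unit ID and register addresses are placeholders.

```python
"""Added example (not from the slides): Modbus/TCP request builder with a
rules-of-engagement (ROE) guard.  Assumes the target speaks Modbus/TCP; unit ID
and register addresses below are placeholders."""
import struct

# Modbus public function codes, split by whether they can change process state.
# The split is the standard one; the ROE decides which side the tester may send.
READ_ONLY_FC = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
STATE_CHANGING_FC = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


class RoeViolation(Exception):
    """A request that would alter process state was about to be transmitted."""


def build_pdu(fc, address, quantity=1, values=None):
    """Return the Modbus PDU (function code + data) for the codes above."""
    if fc in READ_ONLY_FC:
        return struct.pack(">BHH", fc, address, quantity)
    if fc in (5, 6):                      # single coil (0xFF00/0x0000) or single register
        return struct.pack(">BHH", fc, address, values[0])
    if fc == 16:
        data = b"".join(struct.pack(">H", v) for v in values)
        return struct.pack(">BHHB", fc, address, len(values), len(data)) + data
    if fc == 15:                          # coils packed LSB first, eight per byte
        packed = bytearray((len(values) + 7) // 8)
        for i, bit in enumerate(values):
            if bit:
                packed[i // 8] |= 1 << (i % 8)
        return struct.pack(">BHHB", fc, address, len(values), len(packed)) + bytes(packed)
    raise ValueError(f"unsupported function code {fc}")


def build_adu(transaction_id, unit_id, pdu):
    """Prepend the MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame):
    """Decode an MBAP header and return its fields plus the PDU function code and data."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def plan_request(tid, unit_id, fc, address, quantity=1, values=None, writes_allowed=False):
    """Build the frame and record whether the ROE permits sending it.

    State-changing frames are still built, so the report can show exactly what an
    adversary with this network access could send, but they are marked not permitted."""
    frame = build_adu(tid, unit_id, build_pdu(fc, address, quantity, values))
    kind = "read-only" if fc in READ_ONLY_FC else "state-changing"
    name = READ_ONLY_FC.get(fc) or STATE_CHANGING_FC[fc]
    return {
        "frame": frame,
        "kind": kind,
        "description": f"FC {fc} {name} @ {address}",
        "permitted": kind == "read-only" or writes_allowed,
    }


def transmit(plan, send):
    """Hand the frame to `send` (e.g. sock.sendall) only if the plan is permitted."""
    if not plan["permitted"]:
        raise RoeViolation(f"{plan['description']} would alter process state; documented only")
    send(plan["frame"])
    return len(plan["frame"])


if __name__ == "__main__":
    sent = []
    read = plan_request(1, 1, 3, 0, quantity=10)
    print(read["description"], read["frame"].hex(), transmit(read, sent.append))
    write = plan_request(2, 1, 16, 0, values=[1, 2])
    print(write["description"], write["frame"].hex(), "permitted:", write["permitted"])
    try:
        transmit(write, sent.append)
    except RoeViolation as exc:
        print("blocked:", exc)
```

The write frame is still produced and its hex can go into the report as evidence of reachability; flipping `writes_allowed` is a deliberate act recorded in the ROE, not a default.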
Traditional IT security priorities: Confidentiality, Integrity, Availability
ICS Operations priorities: Process Safety, Process Reliability, Process Integrity
Physical-process nature of ICS limits ability to directly assess impacts
Focus instead on pathways to ICS impact
When desired, leverage notional testing through table tops and walk-throughs for direct impact assessment
Initial Intrusion
• Essentially the same as a “normal” penetration test
• Identify ingress points to the organization
Lateral Movement
• Identify and map routes to reach control systems
• What pathways exist enabling ICS access
ICS Breach
• Once ICS is accessed, what options are available to an adversary
• Test visibility, response, and monitoring
Recognize limitations in ICS environments for direct testing
Leverage whole-of-kill chain approach for comprehensive assessment
Build off of known ICS attacks to develop methodologies
Table Top Exercise
• Walk through plans and responses
• Least invasive, also likely to have least value*
Attack Surface Assessment
• Logical and interactive probing of ICS-facing assets
• Determine and evaluate risk with minimally-invasive techniques
Interactive Pen Test
• Risky in the sense of possible “unforeseen consequences”
• Most valuable in accurately gauging defense
Opportunistic IT Infections spreading to ICS
Direct Disruptive ICS Events
ICS Integrity Attacks
Identify IT-ICS Links
• Assess monitoring and access controls
• Identify work-arounds
Lateral Movement in ICS
• How can additional systems in ICS be reached
• What is the scope of spread from IT
ICS Recovery
• Table top or discussion only
• Plans and procedures for restoring operation
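One minimally-invasive way to “identify IT-ICS links” and “identify work-arounds” (and to check the OT egress that a “test C2 capability from ICS” step would exercise) is to review the boundary firewall ruleset before touching anything live. The following is an added example, not from the talk or from Dragos: the zone subnets, the rule format and the sample rules are constructed for illustration, and the ICS/admin port table is a starting point rather than a complete list.

```python
"""Added example (not from the slides): review a firewall ruleset for IT-to-ICS
pathways before any interactive probing.  Zone subnets, rule format and the sample
rules are constructed for illustration."""
import ipaddress

# Assumed network zones for the site under assessment.
ZONES = {
    "ot": [ipaddress.ip_network("192.168.100.0/22")],
    "dmz": [ipaddress.ip_network("172.16.10.0/24")],
    "enterprise": [ipaddress.ip_network("10.0.0.0/8")],
}
# Well-known ICS protocol ports and remote-administration ports (not exhaustive).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP",
             4840: "OPC UA", 135: "DCOM (OPC Classic)"}
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 5985: "WinRM", 5900: "VNC"}


def as_net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def zone_of(spec):
    """Map an address/CIDR (or 'any') to a zone; the most specific zone wins."""
    if spec == "any":
        return "any"
    net = as_net(spec)
    for name in ("ot", "dmz", "enterprise"):
        if any(net.overlaps(z) for z in ZONES[name]):
            return name
    return "external"


def review(rules):
    """Return (severity, rule id, message) for allow rules that cross the IT-ICS boundary."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst, port = zone_of(r["src"]), zone_of(r["dst"]), r["dport"]
        if dst == "ot" and src in ("enterprise", "any"):
            if port == "any":
                findings.append(("critical", r["id"], f"{src} -> OT with no port restriction"))
            elif port in ICS_PORTS:
                findings.append(("high", r["id"], f"{src} -> OT on {ICS_PORTS[port]}/{port}: direct IT-ICS protocol link"))
            elif port in ADMIN_PORTS:
                findings.append(("high", r["id"], f"{src} -> OT on {ADMIN_PORTS[port]}/{port}: admin path that bypasses the DMZ"))
            else:
                findings.append(("medium", r["id"], f"{src} -> OT on port {port}: confirm purpose and monitoring"))
        elif dst == "ot" and src == "dmz" and port in ADMIN_PORTS:
            findings.append(("medium", r["id"], f"DMZ -> OT on {ADMIN_PORTS[port]}/{port}: jump-host path; verify MFA and session logging"))
        if src == "ot" and dst in ("enterprise", "external", "any") and port not in ICS_PORTS:
            findings.append(("high", r["id"], f"OT -> {dst} egress on port {port}: outbound channel usable for C2 from ICS"))
    return findings


def two_hop_paths(rules):
    """Chain enterprise->DMZ and DMZ->OT allow rules through a shared DMZ host (a 'work-around' path)."""
    allows = [r for r in rules if r["action"] == "allow"]
    paths = []
    for a in allows:
        if zone_of(a["src"]) not in ("enterprise", "any") or zone_of(a["dst"]) != "dmz":
            continue
        for b in allows:
            if zone_of(b["dst"]) == "ot" and as_net(a["dst"]).overlaps(as_net(b["src"])):
                paths.append((a["id"], b["id"]))
    return paths


# Constructed ruleset (not from a real site).
SAMPLE_RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "192.168.100.0/22", "dport": "any", "action": "allow"},
    {"id": 20, "src": "10.20.5.0/24", "dst": "192.168.101.10/32", "dport": 502, "action": "allow"},
    {"id": 30, "src": "172.16.10.5/32", "dst": "192.168.100.0/22", "dport": 3389, "action": "allow"},
    {"id": 40, "src": "192.168.100.0/22", "dst": "any", "dport": 443, "action": "allow"},
    {"id": 50, "src": "10.0.0.0/8", "dst": "172.16.10.5/32", "dport": 3389, "action": "allow"},
    {"id": 60, "src": "any", "dst": "any", "dport": "any", "action": "deny"},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(*finding)
    print("two-hop paths (enterprise -> DMZ host -> OT):", two_hop_paths(SAMPLE_RULES))
```

The two-hop check is the part most rule reviews skip: rule 50 and rule 30 are each defensible on their own, but together they give any enterprise host an RDP path into OT through the jump host, which is exactly the route the TRISIS intrusion used.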
CRASHOVERRIDE attack flow:
Launcher Start
• Select Payload
• Initiate ICS Impact
Payload Execution
• Connect to Control Systems
• Manipulate State
Wiper
• Wait for Timer
• Delete Files, Remap Services, Reboot System
Post-Attack
• Leave behind “Backup” Backdoor
• SIPROTEC DoS (Fail)
Test C2 capability from ICS
Interactive lateral movement within ICS environment
Determine accessibility of critical systems (DCS, RTU, Historian, etc.)
Table top or walk-through of possible impacts enabled by access
Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
Utilize remote access to OT network via stolen credentials
Continue pivoting through network via credential capture
Gain sufficient access to SIS to deploy TRISIS
Map out critical systems for ICS operational safety and integrity
Determine access and communication possibilities to these systems
Evaluate monitoring and auditing mechanisms
Walk through integrity attack scenarios based on access findings
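“Evaluate monitoring and auditing mechanisms” and the earlier “test visibility, response, and monitoring” both come down to the same question for the TRISIS-style chain above: when a stolen IT credential is used to reach OT, does anything notice? The following is an added example, not from the talk or from Dragos, of two detections run over constructed Windows logon records; the host names, addresses and zone subnets are invented, and the field names follow what event 4624 carries (logon type, account, source address, target host).

```python
"""Added example (not from the slides): spot IT-to-OT credential use in Windows
logon telemetry.  Event records, host names and zone subnets are constructed;
field names follow Windows event 4624."""
import ipaddress
from collections import defaultdict

IT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("172.16.10.0/24")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/22")]
REMOTE_LOGON_TYPES = {3, 10}   # network and RemoteInteractive (RDP)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in (("ot", OT_NETS), ("dmz", DMZ_NETS), ("it", IT_NETS)):
        if any(addr in n for n in nets):
            return name
    return "external"


def it_to_ot_logons(events):
    """Remote logons to an OT host whose source address is in IT (not the DMZ jump host)."""
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if zone_of(e["target_ip"]) == "ot" and zone_of(e["source_ip"]) == "it":
            hits.append((e["time"], e["user"], e["source_ip"], e["target_host"]))
    return hits


def cross_boundary_accounts(events):
    """Accounts that logged on to hosts in both IT and OT: one stolen credential reaches both."""
    zones_by_user = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            zones_by_user[e["user"]].add(zone_of(e["target_ip"]))
    return sorted(u for u, z in zones_by_user.items() if {"it", "ot"} <= z)


# Constructed 4624 events: an interactive logon on an IT workstation, then that
# workstation's address reaching OT hosts with two different accounts, plus a
# jump-host RDP session and an OT-internal logon for contrast.
SAMPLE_EVENTS = [
    {"time": "08:02", "event_id": 4624, "logon_type": 2, "user": "jdoe",
     "source_ip": "-", "target_host": "IT-WS01", "target_ip": "10.20.5.15"},
    {"time": "08:40", "event_id": 4624, "logon_type": 3, "user": "svc_backup",
     "source_ip": "10.20.5.15", "target_host": "OT-HIST01", "target_ip": "192.168.101.10"},
    {"time": "09:05", "event_id": 4624, "logon_type": 10, "user": "eng_remote",
     "source_ip": "172.16.10.5", "target_host": "OT-EWS01", "target_ip": "192.168.100.50"},
    {"time": "09:12", "event_id": 4624, "logon_type": 3, "user": "jdoe",
     "source_ip": "10.20.5.15", "target_host": "OT-EWS01", "target_ip": "192.168.100.50"},
    {"time": "09:30", "event_id": 4624, "logon_type": 3, "user": "opr1",
     "source_ip": "192.168.100.20", "target_host": "OT-HMI02", "target_ip": "192.168.100.60"},
]

if __name__ == "__main__":
    for hit in it_to_ot_logons(SAMPLE_EVENTS):
        print("IT -> OT remote logon:", *hit)
    print("accounts used on both sides of the boundary:", cross_boundary_accounts(SAMPLE_EVENTS))
```

During an assessment the tester generates exactly these events on purpose (a credentialed logon from an IT host into a historian or engineering workstation) and then checks whether the OT side forwards 4624s anywhere at all; if the logs never leave the host, the “evaluate monitoring” finding writes itself.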
IT Skills have a Role in ICS Testing
• Audit and test links and communication
• “IT-ification” means production networks feature similarities to IT
Scope Needs and Purpose
• What is actually being tested?
• How will the actions better the organization?
Identify Core Interests and Values
• Safety, Reliability, and Integrity are critical
• Ensure methodologies respect and aim to secure these values!
• Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)
• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)
• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• TRITON – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)