Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling
Phil Neray, VP of Industrial Cybersecurity
Agenda
• NotPetya: How a Single Piece of Code Crashed the World (Wired)
• VPNFilter Update
• What Happens When You Expose an ICS Honeypot
• Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling
Why It Matters
“INSECURE BY DESIGN” NETWORKS
SUPPORT BUSINESS NEED FOR DIGITALIZATION
RANGE OF MOTIVATED ADVERSARIES
Image Credit: CyberScoop/Jolie Gender
NotPetya: How a Single Piece of Code Crashed the World (WIRED)“Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”
– Thomas Rid, Johns Hopkins’ School of Advanced International Studies.
“Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco
• Propelled by a combination EternalBlue and Mimikatz; spread via intranets
• Spread within hours from a Ukrainian software firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Update on VPNFilter Malware
• Multi-stage router malware– MODBUS packet sniffer– Wipes firmware of devices– Uses BE malware from 2015 Ukraine grid attack
• Latest updates from Cisco Talos – Endpoint exploitation tool
• Redirects and inspects content of HTTP traffic• Download binary payload & perform on-the-fly patching of Windows executables
– Port scanning & network mapping tool• Identify additional devices for lateral movement/compromise
– DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wikr, Signal)– New ways to obfuscate or encrypt malicious traffic; build distributed proxy network
6
https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html
ICS Honeypot Experiment
• Simulated ICS environment– IT network, OT network with HMI– 3 Internet-facing servers with RDP, SSH & weak passwords– DNS names registered; internal names resembled “well-known” electric utility
• In 2 days: compromised by xDedic RDP Patch tool• 10 days: access to back door from “new owner”
– Presumed bought access to ICS via black market
• Multipoint network reconnaissance to identify paths from IT to OT
https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.htmlhttps://www.cybereason.com/blog/industrial-control-system-specialized-hackers
(1) Identify “Crown Jewel” Processes
• Functions whose failure would threaten your company’s very survival– Revenue– Lawsuits– Brand reputation– Theft of intellectual property– Major compliance violations
• Requires conversations with business owners & OT• Examples
– Safety systems– Critical manufacturing production lines– Transformers or gas compressor stations– Historians (pharma)
8
(2) Map Digital Terrain
• Asset discovery & network topology mapping
• “How does information move through your network?”
• “Who touches your equipment — and how do do they connect?”
(3) Illuminate Most Likely Attack Paths
• Tabletop exercises
• Pen testers
• Automated threat modeling– Map ICS topology– Identify vulnerabilities– Calculate most likely attack paths
Simulating Attack Paths to Critical Assets
CyberX shows visual simulation of entire attack chain, enabling
“what-if” scenarios for remediation and mitigation
(e.g., zoning, patching)
Choose your most critical “crown jewel” assets
as targets
CyberX finds all potential attack paths, ranked by risk
Automated ICS Threat Modeling
(4) Options for Mitigation & Protection
• Reduce # of digital pathways to a minimum– Unauthorized Internet connections– Segmentation– Privileged identity management &
secure remote access• Address vulnerabilities
– Weak passwords– Unused open ports– Patching where possible
• Implement compensating controls– Continuous monitoring with behavioral
anomaly detection– Integration with firewall infrastructures
13
Detect & Respond Faster
Investigations & Threat Hunting
Palo Alto NGFW
Panorama
Cell Switch
Cell Switch
Cell Switch
Zone Switch
Zone Switch
Cell Switch
Cell Switch
SOC/DMZ
Policy Approval & Push3
Automated NGFW Policy Creation2
SIEM
Engineering Workstation
HMI
Controllers
1 CyberX Alert
CyberX Firewall Integration
CyberX at a Glance
• Founded in 2013 by military cyber experts with nation-state expertise defending critical infrastructure
• HQ in Boston with R&D and Threat Intelligence teams in Israel
• Purpose-built OT security platform– Asset management, vulnerability & risk management, continuous threat monitoring
– Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning
– Integrates with existing SOC workflows & security stack for unified IT/OT monitoring
• Partnerships & integrations with major security companies & MSSPs worldwide– IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, …
– Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, …
ICS Zero-Day Vulnerabilities Discovered by CyberX
• https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow• https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow• https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow• https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Valid. (DDoS)
• https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element
• Undisclosed RCE vulnerability in controller (vendor Y)
CyberX researched featured in Chapter 7
CyberX Central Manager Corporate SOCCyberX SO
C Enablement Services
SIEM
TicketingSystem
CyberX Malware Analysis Sandbox
Service
CyberX Global ICS Threat Intelligence
Scalable Multi-Tier Architecture with Centralized Control
“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed a
malware framework —which we call TRITON —designed to manipulate
Triconex Safety Instrumented System
(SIS) controllers.” FireEye, December 14
CONFIDENTIAL
21Palo Alto Networks Proprietary and Confidential
The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage
the firm’s operations and trigger an explosion.”The New York Times
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
Goal: Disable plant safety systems?Campaign: Connected to Shamoon attacks?
Who: Likely Iran with assistance from Russia or N. Korea?
CONFIDENTIAL
L4 L3
L2
L1 L0
TRITON Cyberattack on Petrochemical Facility
22
Steal OT credentials1
Deploy PC malware2 3
Install RAT in safety PLC4
Disable safety PLC & launch
2nd cyberattackTriStationProtocol
For More Information
ICS & IIoT Security Knowledge Base• Threat & vulnerability research (Black Energy, etc.), transcripts from
SANS webinars, CyberX “Global ICS & IIoT Risk Report”, research presentations from Black Hat Europe
See Us at Upcoming Events• CS4CA Europe (Oct. 2-3, London) — NISD presentation• ICS Cyber Security Summit (Oct. 9-10, London)• Palo Alto Network IGNITE Europe (Oct. 8-10, Amsterdam)
– Featuring joint session with CISO of leading manufacturer• MANUSEC (Oct. 9-10, Chicago)• ICS Cyber Security Conference (Oct. 22-25, Atlanta)
– Free ½-day hands-on workshop with Palo Alto Networks & CyberX– Joint session with Emerson Automation Solutions: “ICS Security Researchers &
Automation Vendors: Building Mutual Trust”
• EU Utility Week (Nov. 6-8, Vienna) featuring CISO from EWZ Energy
CyberX vulnerability research featured in Chapter 7 — free
download from CyberX