Talk title: Como se iniciam os ataques à infraestrutura SCADA? (How do attacks on SCADA infrastructure begin?)
Copyright © 2014 Trend Micro Incorporated. All rights reserved.
How do attacks on SCADA infrastructure begin?
Franzvitor Fiorim, Engineer, [email protected]
Cyberwar on your network
More frequent, more targeted, more money, more sophisticated
• 2 new threats every second (1)
• 1 cyber-intrusion every 5 minutes (2)
• 67% of infrastructures cannot block a custom, targeted attack (3)
• 55% of companies did not detect the breach (1)
Sources: (1) Trend Micro; (2) US-CERT 2012; (3) Ponemon Institute 2012
Security by signature is not enough
Diagram contrasting attack techniques with the signature-based controls (SWG, NGFW, IPS, AV) that sit in their path. Techniques shown: basic malware, phishing, exploitation tools, malicious websites, common vulnerabilities, discovery tools, document exploits, 0-day and obfuscated JavaScript, polymorphic payloads, encrypted RATs, watering-hole attacks, spear phishing, C&C communications.
Attack: social, sophisticated, silent
Diagram of the attack lifecycle:
1. Attackers collect intelligence about organizations and individuals.
2. They attack individuals (employees) using social engineering.
3. The compromised host establishes a link to the command & control server.
4. They move laterally through the network looking for valuable data.
5. They extract the data of interest ($$$$); this can go undetected for months.
Advanced Persistent Threats
• The components are not always malicious
• The focus is on being evasive
• Controlled by a human
• Multiple attack vectors
• Continuous, repeated attack
• Attackers are patient
• They exploit system flaws
• They exploit security gaps
• With enough resources to succeed in the attack
Security risks to ICS (Industrial Control Systems)
Security incident cases
Facility | Impact | Cause | Path
Car factory | 13 production lines stopped, $14M loss | Zotob virus | Carry-on PC or office network
Steel plant | Steam turbine control system stopped | DOWNAD/Conficker virus | Unknown
Chemical plant | 8 hours of monitoring incapability | PE_SALITY virus | Unknown
Industrial facility | Centrifugal separator crash (according to multiple reports) | Stuxnet virus | USB flash drive or office network
Water treatment plant | Loss of control for 3 months (1 ML of polluted water released) | Unauthorized access | Wireless link
Railway traffic control system | Shutdown of train service in the morning rush hour | Blaster virus | Unknown
*Pictures on the slide are not related to the contents.
Sources:
IPA, http://www.ipa.go.jp/security/fy20/reports/ics-sec/rep_main_fy20.pdf
IPA, http://www.ipa.go.jp/security/fy21/reports/scada/documents/scada_report.pdf
The Security Incidents Organization, http://www.securityincidents.org
JPCERT, http://www.jpcert.or.jp/ics/2011/20110210-oguma.pdf
Growing trend of security incidents
The number of incidents across critical infrastructure sectors that ICS-CERT responded to is increasing year after year: 257 incidents were reported most recently, a big increase from 197 in 2012.
Chart: incidents ICS-CERT responded to, by fiscal year. FY2010: 39; FY2011: 140; FY2012: 197; FY2013: 257.
Source: ICS-CERT Year in Review 2012 and 2013, http://ics-cert.us-cert.gov/Other-Reports
Direction of ICS: toward openness, and the collapse of the safety myth
Item | Past | Present
Environment | Closed, physically isolated environment | Toward an open environment: connection with external networks, use of USB flash drives (*1)
OS / application | Specialized OS and applications, specialized protocols | General-purpose OS and applications, standard protocols (EtherNet/IP, PROFINET, CC-Link IE, etc.) (*2)
Incident cases | Seldom | Increasing trend (STUXNET)
Source: *1, *2: METI http://www.meti.go.jp/committee/kenkyukai/shoujo/cyber_security/001_06_01.pdf
Attack case against a honeypot
Overview: develop a honeypot of a water supply system and deploy it on the internet to catch attacks against ICS.
Surveillance period: Mar. to Jun. 2013
Honeypot deployment: 8 countries, 12 locations
Honeypot sample web page: (image on slide)
Result: 74 attacks against the honeypot confirmed, including attempts to modify water temperature and pump pressure, pump shutdown, etc.
Source: http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf
Background of Incidents
Increasing trend of ICS-related vulnerability information
Chart: published ICS vulnerabilities per year, by severity level.
Level | 2008 | 2009 | 2010 | 2011 | 2012 | 2013
Level III | 6 | 6 | 14 | 64 | 97 | 80
Level II | 2 | 4 | 3 | 28 | 74 | 49
Level I | 4, 1, 3, 2 (only four values survive extraction; their assignment to years is not recoverable)
Severity: Level III (Danger: system hijack); Level II (Alert: system stop); Level I (Notice: partial damage)
Source: http://www.ipa.go.jp/files/000036346.pdf
Malware infection through USB flash drives
Malware infection risk certainly exists even in a closed environment.
Chart: top 3 malware by segment, 2013, marking the families capable of spreading through USB flash drives.
Source: TrendLabs 2013 Annual Security Roundup, http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/rpt-cashing-in-on-digital-information.pdf
Connected devices are easily discovered
Example banner returned by a serial-to-Ethernet bridge reachable over the network (identifiers masked on the slide):
Modbus/TCP to RTU Bridge
Serial Number ********
MAC address ***********
Software version 01.8b3 (031021)
Press Enter to go into Setup Mode
Sandworm (CVE-2014-4114)
Special Characteristics and Security Requirements of ICS
ICS vs ICT
Requirement | Control system | Information system
Priority for security | A.I.C (availability first) | C.I.A
Availability | 24x365 stable running (no reboot permitted) | Basically during working hours (reboot is acceptable)
Result of incident | Worst case, damage generally becomes serious | Pecuniary loss, privacy damage
Operating term | 10 to 20 years | 3 to 5 years
Data processing speed | Real-time response required | Less impact from a delayed response
Cycle for patch release and application | Irregular, set by each control system vendor; quite long term (once every 1 to 4 years) | Often and regularly
Operation management | Field technical dept. | Information system dept.
Awareness of security | Threats become reality and incidents occur | Basically already measured
Security standard | Under discussion at country level | Already established
Object of security | Stuff (facility, product); service (continuous running) | Information
*C (Confidentiality), I (Integrity), A (Availability). Source: IPA, Survey about ICS of Critical Infrastructure and IT Service Continuity, Sep. 2009
Industrial control systems have special characteristics that make them very different from information systems.
ICS vs ICT
ICS priorities, in order:
• Correct commands issued (integrity)
• Limit interruptions (availability)
• Protect the data (confidentiality)
IT priorities, in order:
• Protect the data (confidentiality)
• Correct commands issued (integrity)
• Limit interruptions (availability)
Countermeasure points in ICS
Diagram of a plant network from the Internet down to the field bus. Zones shown: Internet; office network; plant DMZ; control information network; control network; field bus and plant. Components shown: ICS vendors and system integrators (maintenance service), relay/terminal server, office PCs, historian, OPC server, maintenance, operation PC, MES, EWS, HMI, PLC/DCS.
Countermeasure points marked on the diagram:
① Gateway
② Network
③ Server (plant DMZ)
④ Client/server (control information network)
⑤ Client/server (control network)
⑥ External storage media
⑦ PCs brought in to work
Fundamental ICS security requirements (e.g.)
Grouped by the slide's column headings; the rows of the slide are prevention, detection and cleanup (N/A where a category does not apply).
①② Gateway/Network:
• Monitor and control data transactions at zone boundaries
• Create network segments as zones based on risk level
• Block unauthorized access and malicious code
③ Plant DMZ and ④ Control information network (server/client PC; non mission-critical, general purpose):
• Secure systems that change frequently
• Secure systems that exchange applications and documents with the outside of the plant
• Secure systems that are accessed by unauthorized devices
⑤ Control network (server/client PC; mission-critical, specific purpose):
• No system changes; scan and clean with the latest pattern file even in a closed network
• Do not stop the system frequently for updates or recovery
• Secure the system even in a closed network
• Secure systems that cannot be patched regularly
• Keep the impact on system performance to a minimum
• Offer easy installation and operation for non-IT staff
⑥⑦ External device/PC (TMUSB):
• Prohibit unauthorized external devices
• Scan external devices with the latest pattern file before and after connecting them to the ICS
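The zone-boundary monitoring called for at countermeasure points ① and ②, and the setpoint-tampering attempts seen against the honeypot earlier (water temperature, pump pressure, pump shutdown), come down to one question: who is allowed to write to which controller across which boundary. The following Python is an added example, not code from the original presentation or from Trend Micro; the zone address ranges, the engineering-workstation address and the sample frames are constructed assumptions. It parses Modbus/TCP frames, separates reads from writes, and applies a zone policy: office traffic to control zones is dropped at the gateway, only the EWS may write to the PLC, and any other write is alerted.

```python
"""Zone-boundary monitor for Modbus/TCP (added example, constructed data).

Parses Modbus/TCP frames (MBAP header + PDU), tells reads from writes, and
checks each flow against a zone policy modelled on the countermeasure slide.
All addresses, zones and frames are assumptions made for this example.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Public Modbus function codes (fixed by the Modbus specification).
READ_FUNCS = {1, 2, 3, 4}             # read coils/inputs/holding/input registers
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}  # write coil/register(s), mask write, read/write

# Assumed zone layout (hypothetical addresses, not from the original slide).
ZONES = {
    "office": ipaddress.ip_network("10.0.0.0/16"),
    "plant_dmz": ipaddress.ip_network("10.10.0.0/24"),
    "control_info": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}
# Only these hosts may change PLC state (assumed EWS address).
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.0.5")}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode an MBAP header (tid, protocol 0, length, unit id) plus PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode a Modbus/TCP frame, rejecting bad protocol ids and lengths."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def zone_of(ip: ipaddress.IPv4Address) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def describe_write(mb: ModbusFrame) -> str:
    """Summarize what a write request would change on the device."""
    if mb.function in (5, 6) and len(mb.data) >= 4:
        addr, value = struct.unpack(">HH", mb.data[:4])
        kind = "coil" if mb.function == 5 else "register"
        return f"fc={mb.function} {kind}[{addr}] := {value:#06x}"
    if mb.function in (15, 16) and len(mb.data) >= 4:
        addr, qty = struct.unpack(">HH", mb.data[:4])
        return f"fc={mb.function} {qty} items from address {addr}"
    return f"fc={mb.function} ({len(mb.data)} data bytes)"


def evaluate(src_ip: str, dst_ip: str, frame: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one Modbus/TCP request crossing a zone."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    mb = parse_modbus_tcp(frame)
    # Points (1)/(2): office traffic never reaches the control zones directly.
    if src_zone == "office" and dst_zone in ("control_info", "control"):
        return "DENY", f"office -> {dst_zone} blocked at gateway (fc={mb.function})"
    if mb.function in WRITE_FUNCS:
        detail = describe_write(mb)
        if src not in ENGINEERING_WORKSTATIONS:
            return "ALERT", f"unauthorized write from {src} ({src_zone}): {detail}"
        return "ALLOW", f"authorized write from EWS: {detail}"
    if mb.function in READ_FUNCS:
        return "ALLOW", f"read fc={mb.function} from {src_zone}"
    return "ALERT", f"unexpected function code {mb.function} from {src}"


# Constructed sample flows toward a PLC at 10.30.0.20 (not captured traffic).
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.30.0.20", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),  # HMI read
    ("10.20.0.5", "10.30.0.20", build_frame(2, 1, 6, b"\x00\x64\x00\xfa")),   # EWS write
    ("10.0.5.7", "10.30.0.20", build_frame(3, 1, 6, b"\x00\x64\x03\xe7")),    # office host
    ("10.20.0.99", "10.30.0.20", build_frame(4, 1, 5, b"\x00\x00\x00\x00")),  # rogue host
]


def run_samples() -> list[str]:
    return [evaluate(s, d, f)[0] for s, d, f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for src, dst, frame in SAMPLE_FLOWS:
        verdict, reason = evaluate(src, dst, frame)
        print(f"{verdict:5} {src} -> {dst}: {reason}")
```

The fourth flow is the honeypot pattern: a host inside the control information zone, so not stopped by the gateway rule, issuing a Write Single Coil that would switch a pump off. Only the per-source write allowlist catches it, which is why boundary filtering alone (points ① and ②) is not enough and the control-network hosts themselves (point ⑤) need monitoring.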
Supporting materials
APT X-ray: attack tools
Name | Typical phases of use | Description
GETMAIL | Exfiltration | Typically used to locate mail archives and pull mail out of those archives.
Netbox | Attack, exfiltration, persistence | For hosting tools, drop servers and C2 servers. Commonly used as backend infrastructure to support operational tasks. (Netbox also has valid uses and is not a direct indicator of compromise.)
Pwdump | Lateral movement | Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
Cachedump | Lateral movement | A program for extracting cached password hashes from a system's registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
Lslsass | Persistence, lateral movement | Dumps the password hashes of active logon sessions from Windows processes. Used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
mapiget | Persistence, lateral movement | Collects emails directly from Outlook, before they are ever archived, and dumps them to text files.
HTRAN | Attack, exfiltration, persistence | Connection bouncer; redirects TCP traffic destined for one host to an alternate host. Also used to obfuscate the attacker's source IP: the attacker can bounce through several connections in the victim's country, confusing incident responders.
Windows Credential Editor (WCE) | Persistence, lateral movement | A security tool that lists logon sessions and adds, changes, lists and deletes the associated credentials.
Lz77.exe | Exfiltration | Used as a compression application to help exfiltrate data. The same role is commonly seen filled by WinRAR, 7-Zip and WinZip.
Gsecdump | Lateral movement | Grabs the SAM file, cached credentials and LSA secrets. Used for lateral movement in the victim environment and pass-the-hash style attacks.
ZXProxy (a.k.a. AProxy) | Exfiltration, persistence | Proxy functionality for traffic redirection; redirects HTTP/HTTPS connections for source obfuscation. Seen used in data exfiltration.
LSB-Steganography | Initial compromise, exfiltration | Uses steganography techniques to embed files into images. Helps with data exfiltration as well as during the initial compromise of a traditional APT attack.
UPX Shell | Attack, persistence | Used to pack code for malware used in APT campaigns, hindering reverse engineering and code analysis.
ZXPortMap | Exfiltration, persistence | Traffic redirection tool that helps obfuscate the source of connections.
ZXHttpServer | Exfiltration | Small, deployable and extremely flexible HTTP server. Seen used when attempting to transfer files.
Sdelete | Persistence, covering tracks | Secure deletion tool. Makes forensic recovery difficult and therefore complicates incident response.
Dbgview | Persistence, lateral movement | An application that monitors debug output on the local system, or on any computer on the network reachable via TCP/IP.
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/