”Please, Come and Hack my SCADA System!”
Mikael Vingaard, IT-Security Consultant – Energinet.dk, CISSP - GICSP
11th Annual EnergySec Security & Compliance Summit | Sept. 14-16 | Washington D.C.
Introduction, WHOAMI and takeaway
Energinet.dk (the Danish national TSO) is responsible for the national infrastructure that supplies Denmark with electrical power and natural gas. We are a non-profit enterprise fully owned by the Danish government.
$whoami
This presentation gives a non-technical overview, combined with real-life cases, of the advantages a honeypot network may provide to the sector.
What is a Honeypot?
The goal of having a Honeypot (a fake ‘vulnerable’ IT-system/
service) is to learn more about your attackers and the methods
they will use to breach your systems.
3 different deployment “modes” (Internal, DMZ and external).
The research concentrates on the last – external honeypots.
A great cost-effective way to gather (close to) real-time threat intelligence, if done right.
Honeypot cons
Deployment must be carefully planned – especially in DMZ and external mode.
PR/ Media and potential legal questions must be considered.
“To be breached or not to be breached”- an ongoing process to
prevent your assets from becoming a liability.
A word on Geo-location.
Intelligence gathering is a process – not a destination.
Honeypot pros
Cost-effective, real-time threat intelligence compared to some external vendors' threat feeds.
As generic (or custom-made) information as you want it to be.
Depending on the deployment scenario, you can establish whether a specific attack is directed at your organization or at “everyone”.
Deployment methods and options have matured a lot over the last years.
Last but not least, FUN!
4 types of attackers (external only)
Y = Dedication to harm YOUR organization
X = Technical knowledge & resources
Technical setup – 4 types of Honeypots
Type 1: “Crash and burn”
Red Storm Rising, Ultimate level: “Life can be brutal and short.”
Type 2: “To fake to be true”
Run - if you have any understanding of I.T/O.T systems.
Type 3: “Regular Honeypots”
I am right here…
Type 4: “Hidden Honeypots”
Breach me – if you can find me
Case ”Human or automated attack”
Type 1: “crash and burn”
From ”boot” to ”oh-no – Houston, we do have a problem” – shortest time
was 26 min.
192.168.1.141:22 192.168.1.5:44586 ESTABLISHED
192.168.1.141:22 101.227.241.251:57705 ESTABLISHED
192.168.1.141:22 115.239.248.238:35325 ESTABLISHED
192.168.1.141:22 1.85.44.222:44587 ESTABLISHED
…..
MOTD Banner fun:
“You are currently breaching my honeypot,
ABUSE report with PCAP evidence will be mailed
to your ISP”
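As an added illustration (not code from the talk), here is a small Python script of the kind a honeypot owner would run over the netstat listing above: it separates internal lab addresses from external sources, lists the established SSH sessions that came in from the Internet, and computes the boot-to-first-breach time the slide quotes. The boot timestamp, the per-line timestamps and the extra TIME_WAIT line are constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample data, not from the slides: a boot time and a few timestamped
# "netstat -n" lines shaped like the listing on the slide (local side 192.168.1.141:22).
HONEYPOT_BOOT = datetime(2015, 9, 14, 10, 0, 0)
NETSTAT_SAMPLE = [
    ("2015-09-14 10:03:10", "192.168.1.141:22 192.168.1.5:44586 ESTABLISHED"),
    ("2015-09-14 10:26:02", "192.168.1.141:22 101.227.241.251:57705 ESTABLISHED"),
    ("2015-09-14 10:31:45", "192.168.1.141:22 115.239.248.238:35325 ESTABLISHED"),
    ("2015-09-14 10:32:07", "192.168.1.141:22 1.85.44.222:44587 ESTABLISHED"),
    ("2015-09-14 10:32:09", "192.168.1.141:22 1.85.44.222:44588 TIME_WAIT"),
]
SSH_PORT = 22


def parse_conn(line):
    """Split 'local:port remote:port STATE' into its parts."""
    local, remote, state = line.split()
    local_ip, local_port = local.rsplit(":", 1)
    remote_ip, remote_port = remote.rsplit(":", 1)
    return local_ip, int(local_port), remote_ip, int(remote_port), state


def is_external(ip):
    """True for globally routable addresses; RFC 1918, loopback, link-local etc. count as internal."""
    return ipaddress.ip_address(ip).is_global


def external_ssh_sessions(sample):
    """Established SSH sessions from outside the lab network, as (time, remote_ip, remote_port)."""
    hits = []
    for stamp, line in sample:
        _, lport, rip, rport, state = parse_conn(line)
        if lport == SSH_PORT and state == "ESTABLISHED" and is_external(rip):
            hits.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), rip, rport))
    return hits


def minutes_to_first_external(sample, boot):
    """Whole minutes from boot to the first external SSH session, or None if none was seen."""
    sessions = external_ssh_sessions(sample)
    if not sessions:
        return None
    first = min(s[0] for s in sessions)
    return int((first - boot).total_seconds() // 60)


def attacker_ips(sample):
    """Distinct external source IPs: the raw material for an abuse report or a blocklist."""
    return sorted({rip for _, rip, _ in external_ssh_sessions(sample)})


if __name__ == "__main__":
    print("minutes to first external SSH session:",
          minutes_to_first_external(NETSTAT_SAMPLE, HONEYPOT_BOOT))
    for ip in attacker_ips(NETSTAT_SAMPLE):
        print("external source:", ip)
```

The internal/external split uses the standard library's notion of a globally routable address, so a lab session from 192.168.1.5 never ends up in an abuse report; anything that is not ESTABLISHED (half-open scans, TIME_WAIT leftovers) is ignored as well.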
Case ”The Internet is NOT your oyster”
Type 2: “To fake to be true”
Reply to an abuse report (honeypots on public cloud
providers).
“These connections are part of an Internet-wide research study
being conducted by computer scientists at the University of
Michigan. The research involves making benign connection
attempts to every public IP address. By measuring the entire
public address space, we are able to analyze global patterns
and trends in protocol deployment and security.
If our scans are causing problems, we would be happy to
exclude your host or network from future research scans from
the University of Michigan. Simply send us your IP address or
CIDR prefix.”
Case ”Smile - you are on camera”
Type 3: “Regular Honeypots”
The attacker first tries the following user name and password combination: username PlcmSpIp, password PlcmSpIp.
This combination is the factory default for many Polycom.com products, e.g. the SoundPoint SIP (VoIP) phones.
Immediately afterwards the attacker tries the combination root:TANDBERG. This happens to be the default user name/password on Tandberg/Cisco boardroom videoconferencing systems – surveillance on camera/voice.
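Added example, not part of the talk: working out which device class an attacker is hunting for comes down to matching each attempted user/password pair against a catalogue of known factory defaults. The log format (key=value lines), the source addresses and the third catalogue entry are constructed assumptions; the two credential pairs are the ones the slide names.

```python
import re

# Default-credential catalogue, seeded with the two pairs the slide mentions plus one
# generic entry; a real deployment would load a much longer list.
DEFAULT_CREDENTIALS = {
    ("PlcmSpIp", "PlcmSpIp"): "Polycom SoundPoint SIP phone (factory default)",
    ("root", "TANDBERG"): "Tandberg/Cisco videoconferencing system (factory default)",
    ("admin", "admin"): "generic embedded-device default",
}

# Constructed honeypot login log (hypothetical key=value format, not the talk's data).
LOGIN_ATTEMPTS = [
    "2015-09-14T10:26:03Z src=101.227.241.251 user=PlcmSpIp pass=PlcmSpIp result=fail",
    "2015-09-14T10:26:04Z src=101.227.241.251 user=root pass=TANDBERG result=fail",
    "2015-09-14T10:26:05Z src=101.227.241.251 user=root pass=123456 result=fail",
    "2015-09-14T10:31:46Z src=115.239.248.238 user=admin pass=admin result=fail",
    "2015-09-14T10:31:47Z src=115.239.248.238 user=admin pass=admin result=fail",
]

# pass= is matched lazily so a password containing spaces survives the parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>.*?) result=(?P<result>\S+)$"
)


def parse_attempt(line):
    """Return the fields of one log line, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(user, password):
    """Name the device class a credential pair belongs to, or None if it is not a known default."""
    return DEFAULT_CREDENTIALS.get((user, password))


def targeted_device_classes(lines):
    """Per source IP, the device classes whose defaults it tried (what it was hunting for)."""
    hunting = {}
    for line in lines:
        rec = parse_attempt(line)
        if rec is None:
            continue
        hit = classify(rec["user"], rec["pw"])
        if hit:
            hunting.setdefault(rec["src"], set()).add(hit)
    return {src: sorted(classes) for src, classes in hunting.items()}


def unique_credentials(lines):
    """Distinct user/password pairs seen: the counter behind a 'combinations collected' tally."""
    pairs = {(r["user"], r["pw"]) for r in map(parse_attempt, lines) if r}
    return len(pairs)


if __name__ == "__main__":
    for src, classes in targeted_device_classes(LOGIN_ATTEMPTS).items():
        print(src, "->", "; ".join(classes))
    print("distinct credential pairs:", unique_credentials(LOGIN_ATTEMPTS))
```

Lines that do not match the expected format are skipped rather than crashing the run, which matters on a honeypot where attackers control most of what ends up in the log.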
Case ”The day before Zero”
Huawei Wimax CPE bm632w (undocumented backdoor).
Reversed binary configuration (router firmware)
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2"/>
<UserInfo NumberOfInstances="1">
<UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/>
</UserInfo>
Date: 30 May 2015 | Exploit Author: Koorosh Ghorbani | Site: http://8thbit.net/
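An added example (neither the exploit author's nor the talk's code) of the check a reviewer of a reversed configuration would want: walk every UserInfoInstance element, collect the accounts, and flag those missing from the documented account list as well as cleartext or trivial passwords. The <Config> wrapper and the DOCUMENTED_ACCOUNTS set are assumptions made for the example; the attribute names and values follow the fragment above, including its inconsistent casing.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment shown on the slide. The <Config> wrapper is
# added here so the two top-level elements parse as one document; the mixed attribute
# casing (UserLevel vs Userlevel) is kept because real dumps have it.
CONFIG_SAMPLE = """<Config>
  <UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin" UserLevel="2"/>
  <UserInfo NumberOfInstances="1">
    <UserInfoInstance InstanceID="1" Username="wimax" Userpassword="wimax820" Userlevel="0"/>
  </UserInfo>
</Config>"""

# Accounts the (hypothetical) product manual documents; anything else is a surprise.
DOCUMENTED_ACCOUNTS = {"admin"}


def _attr(elem, name):
    """Case-insensitive attribute lookup, because firmware dumps are not consistent."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def find_accounts(xml_text):
    """Every UserInfoInstance anywhere in the tree, normalised to one dict per account."""
    root = ET.fromstring(xml_text)
    accounts = []
    for elem in root.iter("UserInfoInstance"):
        accounts.append({
            "username": _attr(elem, "Username"),
            "password": _attr(elem, "Userpassword"),
            "level": _attr(elem, "UserLevel"),
            "instance": _attr(elem, "InstanceID"),
        })
    return accounts


def undocumented_accounts(xml_text, documented=DOCUMENTED_ACCOUNTS):
    """User names present in the config but absent from the documented list."""
    return sorted(a["username"] for a in find_accounts(xml_text)
                  if a["username"] not in documented)


def audit(xml_text, documented=DOCUMENTED_ACCOUNTS):
    """Findings a reviewer would want: undocumented accounts, cleartext and trivial passwords."""
    findings = []
    for acct in find_accounts(xml_text):
        name = acct["username"]
        if name not in documented:
            findings.append(f"{name}: account not in the documented account list")
        if acct["password"] is not None:
            findings.append(f"{name}: password stored in cleartext in the config")
            if acct["password"] == name:
                findings.append(f"{name}: password equals username")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_SAMPLE):
        print(finding)
```

The audit deliberately says nothing about what UserLevel 0 or 2 means, since that is product-specific; it reports the level alongside each account so the reviewer can look it up.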
Honeypots, SCADA & open source
Open Source can get you a long way – even on a tight budget.
• Tools and deployment methods are available to make your life (more) easy as a honeypot asset owner.
• Possible to proxy/mix honeypots with real (e.g. older/decommissioned) SCADA devices.
• DefCon/Blackhat observations.
Closing remarks
Yes, it is possible!
• 50+ reports sent to various organizations, like ISPs, CERTs, universities, corporations and governmental agencies.
“The more you give, the more you get”
• 800+ Indicators of Compromise (IOC) detected
• 25,000+ password/user name combinations collected.
Future areas of research:
More “type 4” honeypots – automated threat feeds in various formats: STIX/TAXII and IDS signatures.
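Added example, not from the talk, of the automated "type 4" output just mentioned: turning the honeypot's collected source addresses into two machine-readable feeds, a Suricata/Snort-style rule set and a STIX 2.1 bundle of Indicator objects (the kind of content a TAXII server would hand out). The IOC records, their notes and the SID range are constructed; the rule keywords and the STIX field names are the standard ones.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed IOCs, not the talk's data: external source addresses an SSH honeypot
# logged, with first-seen time and a short note on what they tried.
HONEYPOT_IOCS = [
    {"ip": "101.227.241.251", "first_seen": "2015-09-14T10:26:02Z", "service": "ssh",
     "note": "default-credential attempts (Polycom, Tandberg)"},
    {"ip": "115.239.248.238", "first_seen": "2015-09-14T10:31:45Z", "service": "ssh",
     "note": "password brute force"},
]
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "modbus": 502}  # a few common honeypot services


def suricata_rule(ioc, sid):
    """One alert rule per source IP: fire when it connects to the watched service."""
    port = SERVICE_PORTS[ioc["service"]]
    msg = f"HONEYPOT IOC {ioc['ip']} {ioc['service']} - {ioc['note']}"
    msg = msg.replace('"', "'").replace(";", ",")  # keep the rule grammar intact
    return (f"alert tcp {ioc['ip']} any -> $HOME_NET {port} "
            f"(msg:\"{msg}\"; flow:to_server; classtype:attempted-recon; sid:{sid}; rev:1;)")


def suricata_rules(iocs, base_sid=9000001):
    """SIDs are allocated from a local range (constructed) so they never collide with vendor rules."""
    return [suricata_rule(ioc, base_sid + i) for i, ioc in enumerate(iocs)]


def stix_indicator(ioc, created):
    """A STIX 2.1 Indicator with a deterministic id, so re-exports do not duplicate objects."""
    ind_id = "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "honeypot-ioc:" + ioc["ip"]))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": ind_id,
        "created": created,
        "modified": created,
        "name": f"Honeypot-observed {ioc['service']} source {ioc['ip']}",
        "description": ioc["note"],
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ioc['ip']}']",
        "pattern_type": "stix",
        "valid_from": ioc["first_seen"],
    }


def stix_bundle(iocs, created=None):
    """Wrap the indicators in a STIX bundle; the bundle id itself may change per export."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "bundle",
        "id": "bundle--" + str(uuid.uuid4()),
        "objects": [stix_indicator(ioc, created) for ioc in iocs],
    }


if __name__ == "__main__":
    print("\n".join(suricata_rules(HONEYPOT_IOCS)))
    print(json.dumps(stix_bundle(HONEYPOT_IOCS), indent=2))
```

Two design points worth noting: the indicator id is derived from the IP with uuid5, so a consumer that receives the feed twice sees the same object rather than two, and the rule message is sanitised before it is quoted, because attacker-controlled text (user names, banners) otherwise ends up inside the rule syntax.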
Questions
Deal of the day: “Ask me two good questions, and the third question is free” :-)
Thank you for your attention
Contact details:
Mikael Vingaard | [email protected]