TRANSCRIPT
An Operational Cyber Security Perspective on Emerging Challenges
Michael Misumi, CIO, Johns Hopkins University Applied Physics Lab (JHU/APL)
Johns Hopkins University Applied Physics Lab (JHU/APL)
University Affiliated Research Center
Sponsors include DOD, NASA
6,500+ staff
Cyber Attack 2009
• 2 Weeks disconnected from the Internet
• 40 GB of unclassified data lost
• 5 malware versions, 13 accounts, 48 systems
1. Completed risk assessment
   - Cross-APL team evaluated assets, assailants, tactics
2. Began distributing Application White Listing software
   - 2,000 systems by 6/11/09
3. Engaged Mandiant, preparing for a full network scan
   - 5,500 systems by 6/11/09, enterprise-wide scanning planned for 6/15/09
Pre-Cyber Attack 2009
(Network diagram: Internet, APL Internal, APL Public, APL Unclassified Network)
1. Analyzed network traffic, found command and control activity
2. Remediated systems and accounts
3. Consultant recommendation
   - Attackers are “A” team
   - Slow data removal typical
   - High probability of layered, sophisticated intrusion tools
   - Partial measures drive the attackers deeper, making full remediation more difficult
   - Map attack via scanning without closing Internet access
4. Decision to stay connected and map the attack
Timeline to Restore Internet Access
Requirement
• Find all malware variants
• Secure all computers

Date      Malware types  Systems impacted  Login accounts  Systems scanned  Application white listing installed  Notes
Thu 6/11  1              3                 1                                2000                                 Attack discovered
Fri 6/12  1              3                 1
Sat 6/13  1              3                 1               1000             5500
Sun 6/14  1              3                 1
Mon 6/15  1              7                 2
Tue 6/16  2              23                5               5000
Wed 6/17  2              25                6
Thu 6/18  3              31                8
Fri 6/19  3              34                11              7300             6500
Mon 6/22  3              37                13
Tue 6/23  3              37                13
Wed 6/24  3              37                13
Thu 6/25  3              40                13
Fri 6/26  *5             *48               13              All              All                                  Internet access opened
Leveraging Synergy at APL
• Mission Systems
• Corporate Cyber
• Cyber Research
Leveraging Synergy at JHU/APL
(Diagram sequence: the APL Unclassified Network with Internal and Public zones, the Internet, VPN, Virtual Machines and Social Networking paths; remote connections shown from Korea, Hong Kong, China and Canada; later slides mark the Virtual Machine and VPN paths with an X.)
Coordinating Regional Cyber Response
• Regional Defensive Teams: Team 1, Team 2, Team 3, Team 4, Team 5, Team 6
• Cyber Analysts
• Integrated Threat Analysis Cell
• Legal, Law Enforcement
• Fusion Cell, Cyber Communications
Visualize the Battlespace: Galaxy Main View
• Filters for major event types let the analyst turn off “noise”
• Primary view is a node-link graph helping the analyst make sense of heterogeneous event data
• Zoomable timeline shows all events, provides a sense of scale
• Interactive selection of the focal time window and playback
Visualize the Battlespace: Galaxy Replay Capability
Replay capability helps illustrate sequences of events. Here, a malicious actor finds a vulnerability and spreads through a network.
Regional Cyber Response: Positive Exercise Outcomes
1. Increasing amount of threat information shared by defensive teams
2. Crowd-sourced intelligence leads to a broad view of adversary tactics
3. Adversaries shut down after first attack due to information sharing
4. Threat Analysts told to pause sharing Intelligence with Defensive Teams because they were “too fast”
5. Adversaries must bring increasing numbers of staff and infrastructure due to Intelligence-sharing capability
(Diagram: Information Technology (IT); Operations Technology (OT): ICS, Plant / Manufacturing Systems)
The scale, scope, and frequency of cyber attacks on digital and physical infrastructure systems is growing rapidly. Threats are escalating as more sophisticated and organized attackers are designing targeted attacks to damage or disrupt vital services and critical physical systems. - President’s NIAC Report 8/2017
Industrial Control Systems (ICS) are EVERYWHERE
IT vs ICS
Lifetime
  IT System: 3-5 years
  Control Systems (ICS): 10-30 years
Owner
  IT System: CIO
  Control Systems (ICS): Technicians, operators, managers
Purpose
  IT System: General computing, runs variety of applications
  Control Systems (ICS): Control machines, runs few applications at high availability
Focus
  IT System: Preventing data loss
  Control Systems (ICS): Preventing operational disruption or damage
Patches
  IT System: IT staff; regularly scheduled, enterprise-wide, automated
  Control Systems (ICS): External vendor; nontrivial scheduling due to production impact and may “break” ICS functionality; ICS owners required to define acceptable risk
Security software, incident response and forensics
  IT System: Commercial products and consulting available
  Control Systems (ICS): Few solutions; forensics immature; requires good IT/ICS relationships; difficult to retrofit with security
The greatest vulnerability to ICS occurs at any point of connection
Example: Fuel Delivery System (diagram: attack path from the Internet)
1. Phishing attack via the Internet
2. Reconnaissance to identify pump controller
3. Shutdown commands stop fuel delivery
Example Dependency Model: Fuel Delivery System
(Diagram nodes by layer; the connecting edges are not recoverable from the transcript)
Functions: Store Fuel, Receive Fuel, Distribute Fuel, Provide cooling, Transportation, Provide safe working environment, Perform preventative maintenance, Perform corrective maintenance, Perform Operations
Systems: Fuel manager DB, Automatic tank gauge, HVAC, Water Treatment, Building Automation, Fuel handling systems, Fire fighting equipment, Diesel Generator
Devices: Level Sensor 1, Level Sensor 2, Fuel Pump 1, Fuel Pump 2, Wireless Access Point 1, Wireless Access Point 2, Fuel Manager Server, Windows Workstations
Example Assessment Findings
• ICS modernization has largely been ignored
  - Lots of end of life products (older hardware, software, expired warranties)
  - Operators are not fully aware of system interfaces
  - Systems have low funding priority (since they are so old), yet these elements directly impact the facility mission (not commonly understood)
• Increasing connectivity between systems
  - Allows a large attack surface for “isolated” systems to be exploited
  - Many systems have unencrypted wireless access
• System owners are not aware of cyber risks
• Ownership structure adds complications to management of systems
  - System owners and operators report to two separate chains of command
• What does component failure mean for the overall system response?
• What does it mean for multiple interacting systems?
• Overall economic impact?
• Potential to hold society at risk
• Vulnerability invites attack
• What about “soft science” consequences?
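Added example, not from the talk: a small failure-propagation model over the slide's dependency-model node names, answering the first question above for single and redundant component losses. The edges, the redundancy pairs and which functions depend on what are all assumptions made for illustration.

```python
"""Failure propagation over the fuel-delivery dependency model (added example).
Node names follow the slide; every edge below is an illustrative assumption,
not something stated in the talk."""
# Dependent -> requirements. A tuple is a redundant group: the dependent
# only fails when every member of the tuple has failed.
DEPENDS = {
    "Store Fuel": ["Automatic tank gauge"],
    "Receive Fuel": ["Fuel handling systems"],
    "Distribute Fuel": ["Fuel handling systems", "Fuel manager DB"],
    "Provide cooling": ["HVAC"],
    "Perform Operations": ["Fuel manager DB", "Windows Workstations"],
    "Provide safe working environment": ["Fire fighting equipment"],
    "Fuel manager DB": ["Fuel Manager Server"],
    "Automatic tank gauge": [("Level Sensor 1", "Level Sensor 2")],
    "Fuel handling systems": [("Fuel Pump 1", "Fuel Pump 2")],
    "HVAC": ["Building Automation"],
    "Building Automation": ["Windows Workstations"],
    "Fuel Manager Server": [("Wireless Access Point 1", "Wireless Access Point 2")],
    "Windows Workstations": [("Wireless Access Point 1", "Wireless Access Point 2")],
}
FUNCTIONS = ["Store Fuel", "Receive Fuel", "Distribute Fuel", "Provide cooling",
             "Transportation", "Provide safe working environment",
             "Perform preventative maintenance", "Perform corrective maintenance",
             "Perform Operations"]

def is_down(node, lost, path=frozenset()):
    """True if node was lost or every alternative of some requirement is down."""
    if node in lost:
        return True
    if node in path:  # cycle guard: an unresolved loop is treated as still up
        return False
    path = path | {node}
    for req in DEPENDS.get(node, []):
        alts = req if isinstance(req, tuple) else (req,)
        if all(is_down(a, lost, path) for a in alts):
            return True
    return False

def impacted_functions(lost):
    """Mission functions that stop when the given components are lost."""
    return sorted(f for f in FUNCTIONS if is_down(f, set(lost)))

def single_points_of_failure():
    """Non-function nodes whose loss alone stops at least one function."""
    nodes = set(DEPENDS) - set(FUNCTIONS)
    for reqs in DEPENDS.values():
        for r in reqs:
            nodes |= set(r if isinstance(r, tuple) else (r,))
    return {n: impacted_functions([n]) for n in sorted(nodes)
            if impacted_functions([n])}
```

Losing one pump or one access point stops nothing, while losing both access points (the "point of connection" the slide warns about) cascades through the server and workstations into three functions.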
CyberWire 10/2017
Example Steps to Securing Control Systems (ICS)
1. Determine level of risk the organization will accept
2. Decide on cyber security ownership
   - Bring IT and OT together
   - Who owns protecting the asset?
3. Identify the ICS functions
   - Criticality to operations?
   - Common component across systems?
4. Implement ICS operational security
   - Baseline devices, apps, comms
   - Secure network connections
   - Harden system boundaries
   - Invest in detection tools
   - Focus on whitelisting
   - Create and exercise recovery options
   - Provide security training
From SANS Securing ICS 2017
Joint Defense and Red Teaming
• Government collaboration
• Consortium cyber response
• External red team
• New product penetration testing
Cyber Defense is a Team Sport
Cross-Organization Response: Tabletop Lessons
1. Where to direct requests for resourcing to solve emergency needs
2. Different levels of classified communications, and staff classification levels
3. Sharing personal contacts/relationships to gather and disseminate information
4. Discussion of how we’re informing the public
5. Coordinate external communications
Building a CONOPS to guide restoration operations is vital