
Page 1

© 2010 Lofty Perch, Inc.

APT and Impact to SCADA Systems

Mark Fabro CISSP, CISM, CSSE

President and Chief Security Scientist

Lofty Perch, Inc.

2010 SANS European Community SCADA and Process Control Summit

October 11-13, 2010 London, U.K.

Page 2

Agenda

• Defining APT for the session
• APT requirements
• Observations
  – Security Assessments
  – APT Focus Reviews
  – 'fly away' response
• Countermeasures
• Conclusions

Page 3

What is APT?

The term was used to describe specific groups associated with nation-states that aggressively and successfully penetrated critical infrastructure networks and established well developed, multi-level footholds in those networks.

But now it increasingly means "generally bad thing from the Internet".

Page 4

The perfect storm is upon us as a new breed of sophisticated cyber attackers emerge. Honing in on their high value targets, they deliver a persistent torrent of multi-faceted, advanced attacks that can subvert even the most cutting edge protective systems to steal valuable data, or threaten critical infrastructures.

It has dawned upon today's government and business leaders that they can no longer depend on mere perimeter protections to keep their assets safe.

Page 5

Framing the Definition (for this discussion)

• The 'A' should be for Adequate
  – No new hacks unless it is really required
• 'Advanced' is relative to the countermeasures deployed for maintaining presence or previously unseen capabilities
• The threat is the actor
  – Not the exploits
  – Not the tools
  – Not weaponized precision malware

Page 6

Exfiltration Problem

(Slide diagram: CORE DATA at the centre, ringed by the existing controls: FIREWALLS, IDS/IPS, CONTENT FILTERING, AV, ASSESSMENT TESTING, CONFIG MGMT.)

Page 7

APT Elements

(Slide diagram: Target Folders / Organized and Structured / High Chance of Success)

• High chance of success
• Targeted (very rarely opportunistic)
• Organized and structured
  – Mid-term and long-term plans
  – No random elements
• Exploit human nature
  – Software and wetware vulnerabilities
  – Legitimate credentials are acquired
• E.g. 'Gh0stNet' and obvious C2 chain
• 'Newness' is really defined by elements of attack

The value of the target data greatly exceeds the investment cost to get it.

Page 8

Tactics, Techniques, Procedures

• Advanced attributes are defined by 0-days, code nuances, and structured exploits built on KNOWN APPLICATIONS
• Creating a super-kit for SCADA is just not feasible
• ROI is maximized when APT methods are reused
  – Often the same MD5 of the C2 channel or dropper
• Each threat has a TTP or a 'fist' that is often recognizable and defendable
  – Self preservation/expansion/replication
  – Stuxnet not so easy

Page 9

Observations From the Field

• Sources of data are several
  – Security assessments
  – APT 'focus reviews'
  – 'fly away' incident response (with law enforcement)

Page 10

Observations From the Field

• ICS instances appear to be collateral
  – Connectivity enabled the compromise; lateral functions simply catch automation
• Of 37 instances investigated for anomalous activity and rogue compromise, 3 yielded artifacts suggesting actual direct APT impact on ICS
  – And the activity on ICS was secondary, based on collected (compromised) intelligence
• Target folders exist, but nothing beyond a level 1 adversary with standard OSINT
  – Folders full of stuff we know or have seen before
• No artifacts on field equipment
  – No need if the HMI or FEP is compromised

Page 11

Artifacts on ICS

• Obvious C2 channel
• Windows and *nix
• No indication of intent to damage system, only collection
  – Typical of most APT
• Q: How do we know ICS was not targeted?
  – We don't
  – What if time to ICS compromise was really short?

Page 12

Observations From the Field

(Slide diagram: four attack-phase columns)

Recon
• Target folders
• Corporate analysis
• Peer business activities
• Integration/service provider investigation

Penetration
• Phishing
• SQL Injection
• Trust abuse

Escalation and Lateral Activity
• Rogue network sockets open by processes
• Evidence of driver layering
• Packet interception and keystroke capture
• SCADA/ICS done well after initial domain

Command and Control
• Not obvious channels
• Port 80 or ICMP
• Comms from ICS:
  – Out to corp
  – Direct to Internet
  – Out via VPN

Page 13

Target Folder

(Slide diagram: a target folder labelled ACME CORP. with the following contents)

• Emails (exec/admin/legal/HR)
• Personnel profiles
• Facebook
• Twitter
• Family Trees
• Blog pages
• Corporate ppt
• Corporate events
• M&A
• 501(c)
• Network diagrams (notional)
• Network diagrams (integrators)
• Case studies
• Nmap/nessus reports
• Service records
• ISP data
• Peer comms
• ipindex

Tracking:
• Recent data
• Progress
• C2 monitoring

Page 14

Countermeasures

• Of the observed 'APT', damage was avoided by implementation of defense in depth
  – Existing host and network tools work perfectly
• Live SCADA forensics proved very useful to aggregate anomalies
• Code analysis provided a framework for egress and DNS corrective actions
• Persistence is proportional to vulnerabilities
  – Kernel locking works very well for 0-days
• It is very hard to get rid of some of these

Page 15

Exfiltration Problem

(Slide diagram: CORE DATA inside the ICS/SCADA DOMAIN, ringed by the hardened controls: FIREWALLS with ingress/egress filtering, IDS/IPS properly tuned, CONTENT FILTERING behavior based, AV, ASSESSMENT TESTING with APT components, CONFIG MGMT.)

Page 16

Active APT Forensics on ICS

• Must be fast and non-intrusive to process
  – Load similar to virus scan
• Actually easier when system is operating for a single purpose!

Main Imaging
• Access pre-loaded servlets
• Map known process .exe/.dll
• Egress monitoring

Running Processes
• Review open handles and map to virtual address space
• Review open network sockets

Core Device/Driver Layering
• Walk linked list (loaded kernel modules)
• Identify hooks (System Call Table, Interrupt Descriptor Table, Driver Function Table)
• Identification of loaded drivers and verification of signatures
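The "easier when the system is operating for a single purpose" point above lends itself to baseline-diff triage: compare a live snapshot of running process images, their loaded modules and the loaded drivers against the host's known-good list. This is an added example, not the deck's own tooling; the baseline hashes, paths, trusted directories and the snapshot are all constructed, and driver signature status is assumed to have been collected already by a live-response tool.

```python
# Constructed baseline for a single-purpose HMI host: image path -> known-good SHA-256
BASELINE = {
    r"C:\HMI\runtime.exe": "aa" * 32,
    r"C:\Windows\System32\svchost.exe": "bb" * 32,
}
# Directories from which the baseline says modules may legitimately load (assumed)
TRUSTED_MODULE_DIRS = (r"C:\HMI", r"C:\Windows\System32")
# Constructed live snapshot, shaped like a live-response collector's output
PROCESSES = [
    {"pid": 400, "image": r"C:\HMI\runtime.exe", "sha256": "aa" * 32,
     "modules": [r"C:\HMI\proto.dll"]},
    {"pid": 612, "image": r"C:\Windows\System32\svchost.exe", "sha256": "ee" * 32,
     "modules": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\Temp\hook.dll"]},
    {"pid": 2288, "image": r"C:\Windows\Temp\upd.exe", "sha256": "cc" * 32,
     "modules": []},
]
DRIVERS = [  # constructed: (driver path, signature verified by the collector?)
    (r"C:\Windows\System32\drivers\ndis.sys", True),
    (r"C:\Windows\System32\drivers\ndiswrap.sys", False),
]

def _under(path, dirs):
    # Case-insensitive "is this path below one of these directories?"
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in dirs)

def triage_processes(processes, baseline=BASELINE):
    """Compare running processes with the baseline; return (pid, finding) pairs."""
    findings = []
    for proc in processes:
        known = baseline.get(proc["image"])
        if known is None:
            findings.append((proc["pid"], "image-not-in-baseline"))
        elif known != proc["sha256"]:
            findings.append((proc["pid"], "image-hash-mismatch"))
        for mod in proc["modules"]:
            if not _under(mod, TRUSTED_MODULE_DIRS):
                findings.append((proc["pid"], "module-outside-trusted-dirs:" + mod))
    return findings

def triage_drivers(drivers):
    """Loaded drivers with no verified signature, for manual review (driver layering)."""
    return [path for path, verified in drivers if not verified]
```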

Page 17

Facts

• Any real frequency of SCADA/ICS APT is several orders of magnitude below defense contractors, embassies, and FIs
• Only mild indicators that initial target was ICS
  – But this is almost impossible to know
  – Future modus operandi may provide intel
• Expect to see a lot more now that we know what to look for

Page 18

Caution

"In the cyber security domain, APT is quickly becoming the new Smart Grid. Pretty soon it will be a catch-all for everything we are not clever enough to understand, and become so ethereal that only the people trying to sell it will have a definition – and different ones at that."

Page 19

Thank You

QUESTIONS?

Mark Fabro CISSP, CISM, CSSE

President and Chief Security Scientist

Lofty Perch, Inc. [email protected]

2010 SANS European Community SCADA and Process Control Summit

October 11-13, 2010 London, U.K.