Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling
Phil Neray, VP of Industrial Cybersecurity
Agenda
• NotPetya: How a Single Piece of Code Crashed the World (Wired)
• VPNFilter Update
• What Happens When You Expose an ICS Honeypot
• Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling
Why It Matters
“INSECURE BY DESIGN” NETWORKS
SUPPORT BUSINESS NEED FOR DIGITALIZATION
RANGE OF MOTIVATED ADVERSARIES
Image Credit: CyberScoop/Jolie Gender
NotPetya: How a Single Piece of Code Crashed the World (WIRED)
“Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”
– Thomas Rid, Johns Hopkins’ School of Advanced International Studies
“Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco
• Propelled by a combination of EternalBlue and Mimikatz; spread via intranets
• Spread within hours from a Ukrainian software firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Update on VPNFilter Malware
• Multi-stage router malware
– MODBUS packet sniffer
– Wipes firmware of devices
– Uses BlackEnergy (BE) malware from 2015 Ukraine grid attack
• Latest updates from Cisco Talos
– Endpoint exploitation tool
• Redirects and inspects content of HTTP traffic
• Download binary payload & perform on-the-fly patching of Windows executables
– Port scanning & network mapping tool
• Identify additional devices for lateral movement/compromise
– DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wickr, Signal)
– New ways to obfuscate or encrypt malicious traffic; build distributed proxy network
https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html
ICS Honeypot Experiment
• Simulated ICS environment
– IT network, OT network with HMI
– 3 Internet-facing servers with RDP, SSH & weak passwords
– DNS names registered; internal names resembled “well-known” electric utility
• In 2 days: compromised by xDedic RDP Patch tool
• 10 days: access to back door from “new owner”
– Presumed bought access to ICS via black market
• Multipoint network reconnaissance to identify paths from IT to OT
https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.html
https://www.cybereason.com/blog/industrial-control-system-specialized-hackers
(1) Identify “Crown Jewel” Processes
• Functions whose failure would threaten your company’s very survival
– Revenue
– Lawsuits
– Brand reputation
– Theft of intellectual property
– Major compliance violations
• Requires conversations with business owners & OT
• Examples
– Safety systems
– Critical manufacturing production lines
– Transformers or gas compressor stations
– Historians (pharma)
(2) Map Digital Terrain
• Asset discovery & network topology mapping
• “How does information move through your network?”
• “Who touches your equipment — and how do they connect?”
(3) Illuminate Most Likely Attack Paths
• Tabletop exercises
• Pen testers
• Automated threat modeling
– Map ICS topology
– Identify vulnerabilities
– Calculate most likely attack paths
Simulating Attack Paths to Critical Assets
Automated ICS Threat Modeling
• Choose your most critical “crown jewel” assets as targets
• CyberX finds all potential attack paths, ranked by risk
• CyberX shows visual simulation of entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching)
(4) Options for Mitigation & Protection
• Reduce # of digital pathways to a minimum
– Unauthorized Internet connections
– Segmentation
– Privileged identity management & secure remote access
• Address vulnerabilities
– Weak passwords
– Unused open ports
– Patching where possible
• Implement compensating controls
– Continuous monitoring with behavioral anomaly detection
– Integration with firewall infrastructures
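The threat-modeling steps on the earlier slide (map the ICS topology, identify the weakness on each pathway, calculate the most likely attack paths to the crown jewels), the “what-if” scenarios of the automated threat modeling slide, and the mitigation options just listed (segmentation, fixing weak passwords, patching) can all be expressed as one small attack-graph calculation. The Python below is an added illustration and not CyberX’s code or algorithm: the assets, pathways, traversal probabilities and consequence scores are constructed, hypothetical values, and the risk score is a plain likelihood-times-consequence product.

```python
"""Added example: attack-path ranking for consequence-driven ICS threat modeling.

All assets, pathways, probabilities and consequence scores below are constructed
(hypothetical) illustration data; the scoring is a plain likelihood x consequence
product, not CyberX's proprietary algorithm.
"""
from collections import defaultdict

# Step (2) Map digital terrain: directed pathways between assets.
# Each tuple is (source, destination, pathway, p_traverse), where p_traverse is
# an assumed probability that an adversary already on `source` can reach
# `destination` over that pathway given its current weakness.
TOPOLOGY = [
    ("internet",        "it-rdp-server",   "Internet-facing RDP, weak password", 0.8),
    ("internet",        "it-ssh-server",   "Internet-facing SSH, weak password", 0.7),
    ("it-rdp-server",   "eng-workstation", "shared admin credentials",           0.5),
    ("it-ssh-server",   "eng-workstation", "shared admin credentials",           0.5),
    ("it-rdp-server",   "hmi",             "unrestricted IT-to-OT route",        0.4),
    ("eng-workstation", "hmi",             "engineering VLAN",                   0.6),
    ("eng-workstation", "safety-plc",      "engineering protocol reachable",     0.3),
    ("hmi",             "line1-plc",       "unauthenticated control protocol",   0.9),
]

# Step (1) Crown jewels with a 1..10 consequence score agreed with the business owners.
CROWN_JEWELS = {"safety-plc": 10, "line1-plc": 6}


def build_graph(edges):
    """Adjacency list: node -> [(next_node, pathway, p_traverse)]."""
    graph = defaultdict(list)
    for src, dst, pathway, p in edges:
        if p > 0:  # a pathway with zero traversal probability no longer exists
            graph[src].append((dst, pathway, p))
    return graph


def simple_paths(graph, source, target):
    """Depth-first enumeration of every loop-free path from source to target.

    Each path is a list of hops (destination, pathway, p_traverse)."""
    results = []

    def walk(node, visited, hops):
        if node == target:
            results.append(list(hops))
            return
        for dst, pathway, p in graph[node]:
            if dst not in visited:
                visited.add(dst)
                hops.append((dst, pathway, p))
                walk(dst, visited, hops)
                hops.pop()
                visited.discard(dst)

    walk(source, {source}, [])
    return results


def rank_attack_paths(edges, entry, crown_jewels):
    """Step (3): all paths from `entry` to each crown jewel, highest risk first.

    risk = consequence * product of p_traverse over the hops of the path."""
    graph = build_graph(edges)
    ranked = []
    for target, consequence in crown_jewels.items():
        for hops in simple_paths(graph, entry, target):
            likelihood = 1.0
            for _, _, p in hops:
                likelihood *= p
            ranked.append({
                "target": target,
                "risk": consequence * likelihood,
                "nodes": [entry] + [dst for dst, _, _ in hops],
                "pathways": [pathway for _, pathway, _ in hops],
            })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


def apply_mitigation(edges, pathway, new_p):
    """Step (4) what-if: set a new traversal probability on every edge using `pathway`.

    new_p=0.0 models removing the pathway (segmentation/zoning, closing an unused
    port); a smaller non-zero value models hardening it (patching, strong passwords)."""
    return [(s, d, pw, new_p if pw == pathway else p) for s, d, pw, p in edges]


def summarize(ranked, top=3):
    """Human-readable top-N listing for the report."""
    return "\n".join(
        f"{r['risk']:.2f}  {' -> '.join(r['nodes'])}  via {r['pathways']}"
        for r in ranked[:top]
    )


if __name__ == "__main__":
    baseline = rank_attack_paths(TOPOLOGY, "internet", CROWN_JEWELS)
    print("Baseline: %d attack paths to crown jewels\n%s" % (len(baseline), summarize(baseline)))

    zoned = apply_mitigation(TOPOLOGY, "unrestricted IT-to-OT route", 0.0)
    after = rank_attack_paths(zoned, "internet", CROWN_JEWELS)
    print("\nAfter zoning off the IT-to-OT route: %d paths\n%s" % (len(after), summarize(after)))
```

With the constructed data the highest-risk path is the short one from the weak-password RDP server straight into the HMI and on to the production PLC, not the path to the safety PLC, even though the safety PLC carries the larger consequence; zoning off the IT-to-OT route removes that path entirely, while lowering the probability on the shared-credential pathway (the "patching / strong passwords" case) leaves the route through the HMI untouched. In a real deployment the topology comes from passive asset discovery and the per-pathway probabilities from the observed vulnerabilities and exposures, which is where the "identify vulnerabilities" step feeds in.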
Detect & Respond Faster
Investigations & Threat Hunting
CyberX Firewall Integration (diagram): (1) CyberX Alert; (2) Automated NGFW Policy Creation; (3) Policy Approval & Push. Components shown: Palo Alto NGFW, Panorama, SIEM, SOC/DMZ, Zone Switches, Cell Switches, Engineering Workstation, HMI, Controllers.
CyberX at a Glance
• Founded in 2013 by military cyber experts with nation-state expertise defending critical infrastructure
• HQ in Boston with R&D and Threat Intelligence teams in Israel
• Purpose-built OT security platform
– Asset management, vulnerability & risk management, continuous threat monitoring
– Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning
– Integrates with existing SOC workflows & security stack for unified IT/OT monitoring
• Partnerships & integrations with major security companies & MSSPs worldwide
– IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, …
– Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, …
ICS Zero-Day Vulnerabilities Discovered by CyberX
• https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow
• https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Validation (DDoS)
• https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element
• Undisclosed RCE vulnerability in controller (vendor Y)
CyberX research featured in Chapter 7
Scalable Multi-Tier Architecture with Centralized Control (diagram): CyberX Central Manager; Corporate SOC; CyberX SOC Enablement Services; SIEM; Ticketing System; CyberX Malware Analysis Sandbox Service; CyberX Global ICS Threat Intelligence.
“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed a malware framework — which we call TRITON — designed to manipulate Triconex Safety Instrumented System (SIS) controllers.” FireEye, December 14
CONFIDENTIAL
Palo Alto Networks Proprietary and Confidential
The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage the firm’s operations and trigger an explosion.” The New York Times
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
• Goal: Disable plant safety systems?
• Campaign: Connected to Shamoon attacks?
• Who: Likely Iran with assistance from Russia or N. Korea?
TRITON Cyberattack on Petrochemical Facility (diagram spanning Purdue levels L4 to L0): (1) Steal OT credentials; (2)–(3) Deploy PC malware; (4) Install RAT in safety PLC; then disable safety PLC & launch 2nd cyberattack. Diagram label on the link to the safety PLC: TriStation protocol.
For More Information
ICS & IIoT Security Knowledge Base
• Threat & vulnerability research (Black Energy, etc.), transcripts from SANS webinars, CyberX “Global ICS & IIoT Risk Report”, research presentations from Black Hat Europe
See Us at Upcoming Events
• CS4CA Europe (Oct. 2-3, London) — NISD presentation
• ICS Cyber Security Summit (Oct. 9-10, London)
• Palo Alto Networks IGNITE Europe (Oct. 8-10, Amsterdam)
– Featuring joint session with CISO of leading manufacturer
• MANUSEC (Oct. 9-10, Chicago)
• ICS Cyber Security Conference (Oct. 22-25, Atlanta)
– Free ½-day hands-on workshop with Palo Alto Networks & CyberX
– Joint session with Emerson Automation Solutions: “ICS Security Researchers & Automation Vendors: Building Mutual Trust”
• EU Utility Week (Nov. 6-8, Vienna) featuring CISO from EWZ Energy
CyberX vulnerability research featured in Chapter 7 — free download from CyberX