[class 2014] technical talk - Fabio Rosa
DESCRIPTION
Talk title: The post-prevention era: How to gain visibility of advanced threats and evidence of fraud before, during and after the event
TRANSCRIPT
Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved.
THE EVOLVING THREAT LANDSCAPE AND APT
SECURING ICS/SCADA SYSTEMS
FABIO ROSA, Consulting Architect
Oct 2014
AGENDA
Evolution of threats
how hackers operate and their tools
who are they?
Challenges for process control networks and SCADA
legacy systems and (little) protection
IT/OT convergence
Mitigation of risks
where to start
what to do
OFF TOPIC OR NOT?
Safety or security?
Integrity
Confidentiality
Availability
EVOLVING LANDSCAPE OF MODERN THREATS
TODAY’S ADVANCED THREAT LANDSCAPE
EVOLUTION OF THREATS
Malware related threats growing
THREAT ACTOR: INSIDER
Why hack when you can recruit …
…or plant ?
Highly Successful
THREAT ACTOR: HACKTIVIST
“Anonymous is the first Internet-based superconsciousness. A group — in the sense that a flock of birds is a group. At any given moment, more birds could join, leave or peel off in another direction entirely.” — New York Times
THREAT ACTOR: CYBER CRIMINAL
MORE THAN TWO DECADES
OF EXPERIENCE & RELATIONSHIPS
THREAT ACTOR: NATION STATE
“God Made Man, but Samuel Colt made Them Equal...”
Espionage
Propaganda
Attack
State
Non–state
Minor actors
Simple
Space - Range
Time - Fast
Inexpensive
Anonymous (somewhat)
Offense is Stronger
Cyber Warfare – The Great Equalizer
TIME AND THE WINDOW OF OPPORTUNITY
Verizon 2014 Breach Investigation Report: “…bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”
Chart (text recovered from the slide), time from initial attack to compromise: seconds 11%, minutes 13%, hours 60%, days 13%, weeks 2% (84% within hours or less).
Time from initial compromise to discovery: hours 9%, days 11%, weeks 12%, months 62%, years 4% (78% weeks or longer).
EVOLUTION OF THREATS: USE OF SSL
APT CAMPAIGNS
Dragonfly aka Energetic Bear aka Crouching Yeti
OPC harvesting
SUCCESSFUL ATTACKS ON THE RISE
HACKER TOOLS: WEB EXPLOIT PACKS
HACKER TOOLS: APPLICATION EXPLOIT PACKS
(http://gleg.net/agora_scada_upd.shtml)
HACKER TOOLS: BANKING TROJAN EXAMPLE
Buy the trojan: ~2,000 to 15,000 USD
Buy the webinject for the specific bank: 100 to 1,500 USD
Buy or lease the hosting: ~250 USD/month
Subscribe to a crypter service: ~100 USD/month
Buy distribution (pay-per-install): ~150 USD per 1,000 installs
Recruit money mules: 2 to 10% commission
One stop shop for malware and exploits
RE-USE OF MALWARE
HACKER TOOLS: OTHER EXPLOIT AND PEN TESTING TOOLS
HACKER TOOLS: DEFAULT PASSWORDS – THE FAST TRACK IN
DPE - The Default Password Enumeration Project
• DPEparser: Python code with an XML file that can easily be used with modules in Metasploit
HACKER TOOLS: CAN YOU SEE YOUR SYSTEM?
Project SHINE
HACKER TOOLS: CAN YOU SEE YOUR SYSTEM?
Default passwords – No, it can’t be?
User class 1 = 1111
User class 2 = ????
SCADA CONTROLLED INFRASTRUCTURE
CHALLENGES FOR SCADA SYSTEMS
versus
CHALLENGES FOR SCADA SYSTEMS
Strategic priorities for reducing cyber security threats (Source: Unisys and Ponemon)
CHALLENGES FOR SCADA SYSTEMS
IT/OT convergence
critical applications running on “off-the-shelf” operating systems
“inherits” IT system weaknesses
in many cases OT staff lack IT knowledge
CHALLENGES FOR SCADA SYSTEMS
How do we protect systems we can’t administer?
systems under contract with 3rd party
shouldn’t be changed
have few resources even if they can be
Antivirus is not enough
need to protect against a diverse range of threats
need to protect against multiple vectors, inc. USB
Availability is paramount
planned downtime must be scarce
unplanned downtime should be non-existent
IT AND OT CHALLENGES
Lack of policy to address threats
• Most organizations are unprepared and reactive
• Policy guidelines force hasty implementation
Lack of advisory relationships
• Weak process and technology in place for IT threats, let alone OT threats
• Advisory vacuum: “What do I do, who can help?” – ICS-CERT, GSIs, SCADA equipment providers, security vendors?
Technology, capabilities & services
• Lifecycle defense model needed that addresses both IT and OT threats
• Technologies, capabilities and resources must align with organization strategy
CHALLENGES FOR SCADA/ICS: INCIDENTS
ASHEVILLE, N.C. -While computer hackers have been known to hack bank and social media accounts, in a new twist a hacker has targeted electronic highway signs in North Carolina.
The Department of Transportation says five electronic signs that warn motorists of traffic hazards were hacked on Friday morning. The messages read "Hack by Sun Hacker".
The messages appeared on electronic billboards in the Asheville area as well as in Winston-Salem and Mount Airy. The messages were taken down after they were discovered.
DOT officials say they are investigating how the hacker was able to get into the private network used to put messages on the billboards.
Source: The Associated Press
OTHER INCIDENTS - THE HUMAN FACTOR
Operation USB Candy Drop. A security investigator dropped 20 Trojan-carrying USB thumb drives in a company’s parking lot. According to his report, “Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers” within three days.
Source: Secure Network Technologies Inc. via Dark Reading
The data they obtained helped to compromise additional systems in the network.
OTHER SCADA ATTACKS
“Over the first eight months of its current fiscal year (between October 2012 and May 2013), the ICS-CERT registered more attacks on internet-enabled SCADA systems than in the previous twelve months.”
ICS-CERT, http://ics-cert.us-cert.gov/monitors/ICS-MM201306
One in four infrastructure entities are victims of extortion.
Extortion was pervasive in some countries, with 80% of respondents in Mexico and 60% in India reporting cyber extortion attempts.
CSIS Critical Infrastructure Report: In the Dark
Night Dragon IP Theft
Stuxnet Sabotage
Duqu
Attack on a water utility
Shamoon
IMPLICATIONS
POTENTIAL IMPACT IS SEVERE DUE TO THE HIGH VALUE
• Remote oil-well pumping stations
• Transportation systems
• Electrical power transmission
• Oil and gas pipelines
• Water treatment and distribution
• Wastewater collection and treatment
ICS/SCADA SYSTEM CHALLENGES
Diagram (text recovered from the slide): architecture layers Instrumentation, Control, Advanced Control, Optimization and Business, shown across three eras: Purdue Model (1980s); MES Convergence (1990s) with Automation Systems, MES Software and Business Systems; Enterprise Convergence (2000s) with Real Time Enterprise Systems and Transactional Enterprise Systems.
Strategy vs. execution: Business Control, Production Control and Process Control, with Delay and Distortion between them forming “THE CONTROL GAP”. Timescales run from Quarters, Weeks, Days, Hours, Minutes and Seconds to Sub-seconds; business metrics (Revenue Growth, Operating Margin, ROA) sit at one end and process measurements (Temp., Pressure, Emissions) at the other. Goal: Integrated Control.
ICS (OT) AND IT SYSTEMS – SECURITY GOALS
INTRODUCING NEW TECHNOLOGY IS HARD
MITIGATION OF RISKS: CLOSING THE GAP
Drivers: Global Threat Landscape, Business Tech. Expansion, Interconnected Networks, Empowered Users
VISIBILITY GAP:
• Gaps in Tools and Efficacy
• Gaps in Knowledge and Intel
• Gaps in Action/Response
• Gaps in Operational Risk
From art to “operational discipline” in managing cyber risks. Overall discovery-to-resolution steps have to be retooled for the new threat landscape and the new shadow IT/OT world.
MITIGATION OF RISKS: CLOSING THE GAP
GAPS – Areas for Improvement
Investments in Security Tools:
• Improve detection effectiveness
• 100% visibility
• New approaches: behavior, anomaly
Action / Response:
• “Data gathering and triage” of the right events
• Better techniques to prioritize critical threats
• Actionable intelligence to quarantine and remediate
• Continuous monitoring and predictive analytics
• Reduce time between onset and remediation
Knowledge / Process / Intelligence:
• Full lifecycle threat analysis
• Cyber security techniques
• Enhanced sharing and collaboration
• Industry-unique analytics
Operational Risk:
• Industry frameworks
• Maturity model
• Benchmarking
MITIGATION OF RISKS: POST-PREVENTION SECURITY GAP
Diagram (text recovered from the slide):
Threat actors: Nation States, Cybercriminals, Hacktivists, Insider Threats
Traditional threats (Known Threats, Known Malware, Known Files, Known IPs/URLs) are covered by signature-based defense-in-depth tools: NGFW, IDS/IPS, Host AV, Web Gateway, SIEM, Email Gateway, DLP, Web Application Firewall.
Advanced threats (Novel Malware, Zero-Day Threats, Targeted Attacks, Modern Tactics & Techniques) call for Advanced Threat Protection: Content, Detection, Analytics, Context, Visibility, Analysis, Intelligence.
SSL is shown running across the whole diagram.
MITIGATION OF RISKS: LIFECYCLE APPROACH FOR IT AND OT
Advanced Threat Protection – Lifecycle Defense (backed by the Global Intelligence Network):
1. Ongoing Operations – Detect & Protect: block all known threats
2. Incident Containment – Analyze & Mitigate: novel threat interpretation
3. Incident Resolution – Investigate & Remediate Breach: threat profiling & eradication
MITIGATION OF RISKS: SECURITY ORGANIZATION
SOC: People, Process, Technology
SECURITY OPERATIONS CENTER (SOC)
Tomorrow's SOC will spend more time on security analytics and less time on perimeter defense. The "security perimeter" of a given organization is becoming increasingly harder to define -- and nearly impossible to defend.
Prepare for a post-breach world: “The company will be compromised, and probably already has been.”
Security teams will have to spend at least as much time analyzing logs, events, and incidents as they currently do on building perimeter defense.
The next-generation SOC will need a better process for quickly analyzing behavioral data that might indicate new threats and escalating it to the top of the security team's priority list.
MITIGATION OF RISKS: OPERATIONAL FACTORS
Understand your network
• documentation!!
• test your network (carefully)
• vulnerability watch
• threat landscape monitoring
• change and patch management
MITIGATION OF RISKS: WHERE TO START
What approach to choose, aka pick your poison…
Consequence based
Compliance or regulatory based
Risk Management
MITIGATION OF RISKS: WHAT TO DO
Employee training
• training and certifications
• security conferences
• vendor certifications
• inspire consequence thinking by example
Security awareness is critical
Compliance != security
• important as a foundation, but doesn’t provide realistic security in a dynamic threat landscape
MITIGATION OF RISKS: WHERE TO GET HELP
Where to report and get help
• Is there a corporate SOC?
• corporate IRT or CERT - is there one?
• national CERT or sector CERT
• vendors
• consultants
Security frameworks and best practices etc.
• Guide to Industrial Control Systems (ICS) Security
• NERC CIP compliance
• ENISA Good Practice Guide for CERTs in ICS
• IEC 62443 (former ISA 99)
SUMMARY
APT will be the norm in the near future
-critical infrastructure may be the weak link
Defense strategies must change with threat landscape
-IT/OT must work together in SOC
-needs well defined processes
Big (security) Data requires new security tools and approaches
Collaboration necessary
Security that Matters
You have been targeted. You will be hacked. Now what?
Our advanced threat protection and security analytics together with portable device protection solutions help protect organizations from cyber attackers.