[CLASS 2014] Technical Talk - Fabio Rosa


Uploaded by: ti-safe-seguranca-da-informacao

Posted on: 25-Jun-2015


DESCRIPTION

Talk title: The post-prevention era: How to gain visibility into advanced threats and evidence of fraud before, during, and after the event

TRANSCRIPT

Page 1

Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved.

THE EVOLVING THREAT LANDSCAPE AND APT

SECURING ICS/SCADA SYSTEMS

FABIO ROSA, Consulting Architect

Oct 2014

Page 2

AGENDA

• Evolution of threats
  – how hackers operate and their tools
  – who are they?

• Challenges for process control networks and SCADA
  – legacy systems and (little) protection
  – IT/OT convergence

• Mitigation of risks
  – where to start
  – what to do

Page 3

OFF TOPIC OR NOT?

Safety or security?

Page 4

EVOLVING LANDSCAPE OF MODERN THREATS

TODAY’S ADVANCED THREAT LANDSCAPE

Integrity

Confidentiality

Availability

Page 5

EVOLUTION OF THREATS

Malware related threats growing

Page 6

THREAT ACTOR: INSIDER

Why hack when you can recruit…

…or plant?

Highly Successful

Page 7

THREAT ACTOR: HACKTIVIST

“Anonymous is the first Internet-based superconsciousness. A group — in the sense that a flock of birds is a group. At any given moment, more birds could join, leave or peel off in another direction entirely.”

— New York Times

Page 8

THREAT ACTOR: CYBER CRIMINAL

MORE THAN TWO DECADES OF EXPERIENCE & RELATIONSHIPS

Page 9

THREAT ACTOR: NATION STATE

“God Made Man, but Samuel Colt made Them Equal...”

Cyber Warfare – The Great Equalizer

Figure (slide graphic): Espionage / Propaganda / Attack; State / Non-state / Minor actors; Simple / Space - Range / Time - Fast / Inexpensive / Anonymous (somewhat) / Offense is Stronger

Page 10

TIME AND THE WINDOW OF OPPORTUNITY

Verizon 2014 Breach Investigation Report: “…bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.”

Initial Attack to Compromise: Seconds 11%, Minutes 13%, Hours 60%, Days 13%, Weeks 2% (Seconds + Minutes + Hours = 84%)

Initial Compromise to Discovery: Hours 9%, Days 11%, Weeks 12%, Months 62%, Years 4% (Weeks + Months + Years = 78%)

Page 11

EVOLUTION OF THREATS: USE OF SSL

Page 12

EVOLUTION OF THREATS: USE OF SSL

Page 13

APT CAMPAIGNS

Dragonfly aka Energetic Bear aka Crouching Yeti

OPC harvesting

Page 14

SUCCESSFUL ATTACKS ON THE RISE

Page 15

HACKER TOOLS: WEB EXPLOIT PACKS

Page 16

HACKER TOOLS: APPLICATION EXPLOIT PACKS

(http://gleg.net/agora_scada_upd.shtml)

Page 17

HACKER TOOLS: BANKING TROJAN EXAMPLE

One stop shop for malware and exploits:

• Buy the trojan: ~2000->15000 USD
• Buy the webinject for the specific bank: 100-1500 USD
• Buy or lease the hosting: ~250 USD/month
• Subscribe to a crypter service: ~100 USD/month
• Buy distribution (pay-per-install): ~150 USD/1000 installs
• Recruit money mules: 2-10% commission

Page 18

RE-USE OF MALWARE

Page 19

HACKER TOOLS: OTHER EXPLOIT AND PEN TESTING TOOLS

Page 20

HACKER TOOLS: DEFAULT PASSWORDS – THE FAST TRACK IN

DPE - The Default Password Enumeration Project
• DPEparser: Python code with an XML file that can easily be used with modules in Metasploit

Page 21

HACKER TOOLS: CAN YOU SEE YOUR SYSTEM?

Project SHINE

Page 22

HACKER TOOLS: CAN YOU SEE YOUR SYSTEM?

Default passwords – No, it can’t be?

User class 1 = 1111

User class 2 = ????

Page 23

SCADA CONTROLLED INFRASTRUCTURE

Page 24

CHALLENGES FOR SCADA SYSTEMS

versus

Page 25

CHALLENGES FOR SCADA SYSTEMS

Strategic priorities for reducing cyber security threats (Source: Unisys and Ponemon)

Page 26

CHALLENGES FOR SCADA SYSTEMS

IT/OT convergence
• critical applications running on “off-the-shelf” operating systems
• “inherits” IT system weaknesses
• in many cases, OT staff lack IT knowledge

Page 27

CHALLENGES FOR SCADA SYSTEMS

How do we protect systems we can’t administer?
• systems under contract with a 3rd party
• shouldn’t be changed
• have few resources even if they can be

Antivirus is not enough
• need to protect against a diverse range of threats
• need to protect against multiple vectors, incl. USB

Availability is paramount
• planned downtime must be scarce
• unplanned downtime should be non-existent

Page 28

IT AND OT CHALLENGES

Lack of policy to address threats
• Most organizations are unprepared and reactive
• Policy guidelines force hasty implementation
• Weak process and technology in place for IT threats, let alone OT threats

Lack of advisory relationships
• Advisory vacuum: “What do I do, who can help?” – ICS-CERT, GSIs, SCADA equipment providers, security vendors?

Technology, capabilities & services
• Lifecycle defense model needed that addresses both IT and OT threats
• Technologies, capabilities and resources must align with organization strategy

Page 29

CHALLENGES FOR SCADA/ICS: INCIDENTS

ASHEVILLE, N.C. - While computer hackers have been known to hack bank and social media accounts, in a new twist a hacker has targeted electronic highway signs in North Carolina.

The Department of Transportation says five electronic signs that warn motorists of traffic hazards were hacked on Friday morning. The messages read "Hack by Sun Hacker".

The messages appeared on electronic billboards in the Asheville area as well as in Winston-Salem and Mount Airy. The messages were taken down after they were discovered.

DOT officials say they are investigating how the hacker was able to get into the private network used to put messages on the billboards.

Source: The Associated Press

Page 30

CHALLENGES FOR SCADA/ICS: INCIDENTS

Page 31

CHALLENGES FOR SCADA/ICS: INCIDENTS

Page 32

OTHER INCIDENTS - THE HUMAN FACTOR

Operation USB Candy Drop. A security investigator dropped 20 Trojan-carrying USB thumb drives in a company’s parking lot. According to his report, “Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers” within three days. The data they obtained helped to compromise additional systems in the network.

Source: Secure Network Technologies Inc. via Dark Reading

Page 33

OTHER SCADA ATTACKS

“Over the first eight months of its current fiscal year (between October 2012 and May 2013), the ICS-CERT registered more attacks on internet-enabled SCADA systems than in the previous twelve months.”

ICS-CERT, http://ics-cert.us-cert.gov/monitors/ICS-MM201306

One in four infrastructure entities are victims of extortion.

Extortion was pervasive in some countries, with 80% of respondents in Mexico and 60% in India reporting cyber extortion attempts.

CSIS Critical Infrastructure Report: In the Dark

Night Dragon IP Theft

Stuxnet Sabotage

Duqu

Attack on a water utility

Shamoon

Page 34

IMPLICATIONS

POTENTIAL IMPACT IS SEVERE DUE TO THE HIGH VALUE
• Remote oil-well pumping stations
• Transportation systems
• Electrical power transmission
• Oil and gas pipelines
• Water treatment and distribution
• Wastewater collection and treatment

Page 35

ICS/SCADA SYSTEM CHALLENGES

Figure (slide graphic): evolution of control system layers. Purdue Model (1980s): Instrumentation, Control, Advanced Control, Optimization, Business. MES Convergence (1990s): Automation Systems, MES Software, Business Systems. Enterprise Convergence (2000s): Real Time Enterprise Systems, Transactional Enterprise Systems.

Strategy vs. execution: Business Control, Production Control, Process Control across time scales from Quarters, Weeks, Days, Hours, Minutes, Seconds to Sub-seconds; measures from Revenue, Growth, Operating Margin, ROA down to Temp., Pressure, Emissions. “THE CONTROL GAP”: Delay and Distortion between layers. Integrated Control.

Page 36

ICS (OT) AND IT SYSTEMS – SECURITY GOALS

Page 37

INTRODUCING NEW TECHNOLOGY IS HARD

Page 38

MITIGATION OF RISKS: CLOSING THE GAP

Figure (slide graphic): Global Threat Landscape; Business Tech. Expansion; Interconnected Networks; Empowered Users

VISIBILITY GAP
• Gaps in Tools and Efficacy
• Gaps in Knowledge and Intel
• Gaps in Action/Response
• Gaps in Operational Risk

From art to “operational discipline” in managing cyber risks. Overall discovery-to-resolution steps have to be retooled for the new threat landscape and the new shadow IT/OT world.

Page 39

MITIGATION OF RISKS: CLOSING THE GAP

GAPS – Areas for Improvement

Investments in Security Tools
• Improve detection effectiveness
• 100% Visibility
• New approaches: Behavior, Anomaly

Action / Response
• “Data Gathering and Triage” of the right events
• Better techniques to prioritize critical threats
• Actionable intelligence to quarantine and remediate
• Continuous monitoring and predictive analytics
• Reduce time between onset and remediation

Knowledge / Process / Intelligence
• Full Lifecycle Threat Analysis
• Cyber Security Techniques
• Enhanced Sharing and Collaboration
• Industry-unique Analytics

Operational Risk
• Industry frameworks
• Maturity Model
• Benchmarking

Page 40

MITIGATION OF RISKS: POST-PREVENTION SECURITY GAP

SIGNATURE-BASED DEFENSE-IN-DEPTH TOOLS: NGFW, IDS/IPS, Host AV, Web Gateway, SIEM, Email Gateway, DLP, Web Application Firewall

Threat Actors: Nation States, Cybercriminals, Hacktivists, Insider Threats

Traditional Threats: Known Threats, Known Malware, Known Files, Known IPs/URLs

Advanced Threats: Novel Malware, Zero-Day Threats, Targeted Attacks, Modern Tactics & Techniques

Advanced Threat Protection: Content, Detection, Analytics, Context, Visibility, Analysis, Intelligence

SSL

Page 41

MITIGATION OF RISKS: LIFECYCLE APPROACH FOR IT AND OT

ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE (GLOBAL INTELLIGENCE NETWORK)

1. Ongoing Operations – Detect & Protect: Block All Known Threats
2. Incident Containment – Analyze & Mitigate: Novel Threat Interpretation
3. Incident Resolution – Investigate & Remediate Breach: Threat Profiling & Eradication

Page 42

MITIGATION OF RISKS: SECURITY ORGANIZATION

SOC: Process, People, Technology

Page 43

SECURITY OPERATIONS CENTER (SOC)

Tomorrow's SOC will spend more time on security analytics and less time on perimeter defense. The "security perimeter" of a given organization is becoming increasingly harder to define -- and nearly impossible to defend.

Prepare for a post-breach world: “The company will be compromised, and probably already has been.”

Security teams will have to spend at least as much time analyzing logs, events, and incidents as they currently do on building perimeter defense.

The next-generation SOC will need a better process for quickly analyzing behavioral data that might indicate new threats and escalating it to the top of the security team's priority list.
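As an added example, not from the slides or from Blue Coat, here is the kind of baseline-and-deviation check that page 39 (“New approaches: Behavior, Anomaly”) and page 43 (analyzing behavioral data and escalating what looks new) call for. It learns which hosts talk to which services during a quiet window, then scores later flows by how far they deviate and sorts the findings for triage. The flow records, hosts and ports are constructed, and `build_baseline`, `score` and `triage` are names chosen for this example.

```python
"""Baseline-and-deviation scoring over constructed network flow records.

Added example, not part of the original slide deck. The idea is the one the
slides describe for a next-generation SOC: learn normal behavior, then escalate
what falls outside it instead of relying only on signatures.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed flow log lines: "timestamp src dst dport proto".
# 10.2.0.x stand in for two controller-side hosts; ports are sample values.
LEARNING_WINDOW = """
2014-10-01T08:00:01 10.1.1.10 10.2.0.5 502 tcp
2014-10-01T08:00:05 10.1.1.10 10.2.0.6 502 tcp
2014-10-01T08:01:00 10.1.1.11 10.2.0.5 44818 tcp
2014-10-01T08:02:00 10.1.1.10 10.2.0.5 502 tcp
2014-10-01T08:03:00 10.1.1.12 10.1.1.20 135 tcp
""".strip().splitlines()

# Constructed traffic from a later window, to be scored against the baseline.
NEW_TRAFFIC = """
2014-10-02T03:14:00 10.1.1.10 10.2.0.5 502 tcp
2014-10-02T03:14:07 10.1.1.40 10.2.0.5 502 tcp
2014-10-02T03:14:09 10.1.1.40 10.2.0.6 502 tcp
2014-10-02T03:15:00 10.1.1.11 10.2.0.5 44818 tcp
2014-10-02T03:16:00 10.1.1.10 10.2.0.5 443 tcp
""".strip().splitlines()


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def build_baseline(lines):
    """Count every (src, dst, dport, proto) tuple seen in the learning window.

    Counts are kept (rather than a plain set) so a rate threshold could be
    added later; this example only uses membership.
    """
    return Counter((f.src, f.dst, f.dport, f.proto) for f in map(parse, lines))


def score(flow, baseline):
    """Return (severity, reason). 0 means seen before; higher means more novel."""
    key = (flow.src, flow.dst, flow.dport, flow.proto)
    if key in baseline:
        return 0, "known"
    known_srcs = {k[0] for k in baseline}
    known_ports_to_dst = {k[2] for k in baseline if k[1] == flow.dst}
    if flow.src not in known_srcs:
        # A host never seen talking during the learning window.
        return 3, "new source host talking to %s:%d" % (flow.dst, flow.dport)
    if flow.dport not in known_ports_to_dst:
        # A known host reaching a service this destination never exposed before.
        return 2, "known host using new port %d to %s" % (flow.dport, flow.dst)
    # Known host, known service on that destination, just never paired before.
    return 1, "new pairing of known host and known service"


def triage(lines, baseline, threshold=2):
    """Return (severity, flow, reason) for flows at or above threshold,
    highest severity first, so the analyst sees the most novel activity first."""
    findings = []
    for f in map(parse, lines):
        sev, why = score(f, baseline)
        if sev >= threshold:
            findings.append((sev, f, why))
    findings.sort(key=lambda item: -item[0])
    return findings


if __name__ == "__main__":
    base = build_baseline(LEARNING_WINDOW)
    for sev, f, why in triage(NEW_TRAFFIC, base):
        print("sev=%d %s %s -> %s:%d %s (%s)" % (sev, f.ts, f.src, f.dst, f.dport, f.proto, why))
```

The severity ladder is deliberately simple: an unknown source host outranks a known host using a new service, which outranks a new pairing of two already-known things. In practice the learning window must be long enough to cover maintenance cycles, otherwise legitimate but infrequent traffic (a quarterly engineering workstation session, for instance) is escalated every time it appears.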

Page 44

MITIGATION OF RISKS: OPERATIONAL FACTORS

Understand your network
• documentation!!
• test your network (carefully)
• vulnerability watch
• threat landscape monitoring
• change and patch management

Page 45

MITIGATION OF RISKS: WHERE TO START

What approach to choose, aka pick your poison…

Consequence based

Compliance or regulatory based

Risk Management

Page 46

MITIGATION OF RISKS: WHAT TO DO

Employee training
• Security awareness is critical
• training and certifications
• security conferences
• vendor certifications
• inspire consequence thinking by example

Compliance != security
• Important as a foundation, but doesn’t provide realistic security in a dynamic threat landscape

Page 47

MITIGATION OF RISKS: WHERE TO GET HELP

Where to report and get help
• Is there a corporate SOC?
• corporate IRT or CERT - is there one?
• national CERT or sector CERT
• vendors
• consultants

Security frameworks and best practices etc.
• Guide to Industrial Control Systems (ICS) Security
• NERC CIP compliance
• ENISA Good Practice Guide for CERTs in ICS
• IEC 62443 (formerly ISA 99)

Page 48

SUMMARY

APT will be the norm in the near future
- critical infrastructure may be the weak link

Defense strategies must change with the threat landscape
- IT/OT must work together in the SOC
- needs well-defined processes

Big (security) Data requires new security tools and approaches

Collaboration necessary

Page 49

Security that Matters

You have been targeted. You will be hacked. Now what?

Our advanced threat protection and security analytics together with portable device protection solutions help protect organizations from cyber attackers.