Page 1
Reducing attack surface on ICS with Windows native solutions
Jan Seidl
Page 2
Who?
Jan Seidl, @jseidl, Security Researcher
Brazilian, despite Dutch name and German surname
And that's my full name.
Page 3
Rio de Janeiro
Page 4
Who? (cont)
Speaker at: Hackers 2 Hackers Conference, CeBIT Hannover, Defcon Bangalore, Brazil Automation, FISL (Intl. Free Software Forum) & more
Co-author of “Segurança de Automação Industrial e SCADA” (SCADA & Industrial Automation Security), the first book on this subject in Brazilian Portuguese
Page 5
Who? (cont)
Certifications:
Birth Certificate
Yellow Fever Vaccination (as useful as a CISSP for proving infosec expertise)
Local Pub Contest Winner, “Speed Tequila Shots”
Page 6
Who? (cont)
Features:
*NIX/BSD freak
Digital tools blacksmith / Python & C lover
Lousy guitar player
Coffee dependent
Hates printers, doesn't like social networks
Selectively social
Page 7
A huge number of ICS/SCADA systems run on Windows
DEC VAX & other *NIXes → Windows family (XP mostly)
Page 8
Standard axioms
Once installed, not much changes on the machine (not even patches)
Clear (?) network connection matrix
Custom scripts (bat/vbs) might be used
Terminal Services will probably be used for remoting if needed
Page 9
Let's make those Windows harder
Page 10
Page 11
Steps for lockdown – The Hardening 101
The things you may already know
Page 12
Start with all the basic steps for your everyday hardening:
Remove software (Games, Word, Windows Messaging)
Disable services
Restrict/tune file-system access
Perform service-user/account separation + least privilege
Page 13
You know Windows has a native host-based firewall, right?
Page 14
Page 15
Firewall adds up:
Prevents backdoors from listening for connections
Prevents malware/shell from communicating with the attacker's machine (if egress filtering is done properly)
Separates local-interface services (which sometimes listen globally) from the external world
Page 16
Firewall doesn't solve:
Abusing existing allowed ports: shut down the original service, listen on its port
Abusing existing connections: http://www.slideshare.net/bz98/defcon-22-bypass-firewalls-application-white-lists-secure-remote-desktops-in-20-seconds
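As an added example (not from the slides), this is what the default-deny host firewall the deck recommends looks like when built with the native netsh advfirewall context (Vista/7/8; XP only has the older "netsh firewall" context). The PLC and jump-host addresses, the HMI binary path and the Modbus/TCP port usage are assumptions for the example. Binding the outbound rule to a program is the defender-side answer to the "reuse an allowed port" caveat above: a different process using port 502 does not match the rule.

```powershell
# Added example (not from the slides): default-deny host firewall for an ICS host
# using the native netsh advfirewall context. Addresses, ports and paths are assumed.
$plc      = '10.10.1.20'                          # assumed PLC address
$jumpHost = '10.10.0.5'                           # assumed operator jump host
$hmiApp   = 'C:\Program Files\ICSVendor\hmi.exe'  # assumed HMI binary

# 1. Turn the firewall on for every profile and block both directions unless a
#    rule allows the traffic (this is the egress filtering the slide mentions).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Outbound: only the HMI binary may reach the PLC on Modbus/TCP (502).
#    The program= binding narrows the "shut down the service, reuse its port"
#    problem: another process on port 502 does not match this rule.
netsh advfirewall firewall add rule name="ICS: HMI to PLC Modbus" dir=out action=allow `
    program="$hmiApp" protocol=TCP remoteip=$plc remoteport=502

# 3. Inbound: Terminal Services only from the jump host, nothing else.
netsh advfirewall firewall add rule name="ICS: RDP from jump host" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$jumpHost

# 4. Log dropped connections so blocked egress attempts leave a trace for the SOC.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 5. Review the effective policy and the rule set.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name|^Enabled|^Direction|^Program'
```

Run it from an elevated PowerShell prompt; on a domain-joined host the same rules can be pushed through the Windows Firewall with Advanced Security GPO node instead, which is the "deploy from your domain" option the deck brings up later.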
Page 17
White-listing
Explicitly allowing programs and scripts
Page 18
Problem:
Employees intentionally install unauthorized software, and/or employees are fooled into running unauthorized software
Software has/is malware which compromises the machine
Attackers can deploy tools locally for lateral movement
Page 19
Software Restriction Policies: Windows XP / Vista
AppLocker: Windows 7 / 2008 R2 and above
Page 20
Restriction strategies:
Path-based (supports env. vars., registry keys)
Certificate-based
Hash-based (MD5 or SHA1)
Zone-based (irrelevant for now, just mentioning)
Page 21
About scripting:
AppLocker/SRP cannot restrict code running within interpreted environments (Office VBA, Perl, Python interpreters etc.)
CMD, BAT, VBS and PowerShell scripts can be individually signed
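As an added example (not from the slides), this signs an operator's PowerShell script so that the AllSigned execution policy and an AppLocker publisher rule both accept it, and shows that a copy modified after signing is rejected. The script path and the presence of an internal PKI-issued code-signing certificate in the user's store are assumptions; the timestamp server is assumed reachable.

```powershell
# Added example (not from the slides): Authenticode-signing an operator script and
# verifying it. Paths and the certificate source are assumed.
$script = 'C:\ICS\Scripts\Restart-Xyz.ps1'   # assumed operator script

# A code-signing certificate from the internal PKI is assumed to be installed in
# the user's personal store (-CodeSigningCert filters on the Code Signing EKU).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate available in Cert:\CurrentUser\My' }

# 1. Sign the script. The timestamp lets the signature stay valid after the
#    certificate itself expires (assumed timestamp authority URL).
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' |
    Format-List Path, Status, SignerCertificate

# 2. Only signed scripts may run on this host from now on.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Verification: any byte changed after signing turns Status into HashMismatch,
#    so an edited copy of the script will no longer run under AllSigned.
$copy = Join-Path $env:TEMP 'Restart-Xyz-tampered.ps1'
Copy-Item -Path $script -Destination $copy
Add-Content -Path $copy -Value '# tampered after signing'
(Get-AuthenticodeSignature -FilePath $script).Status   # Valid
(Get-AuthenticodeSignature -FilePath $copy).Status     # HashMismatch
```

Keep the signing key off the ICS hosts themselves; sign on a controlled engineering workstation and ship only the signed file, otherwise the whitelist is only as strong as the HMI's local security.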
Page 22
Whitelisting adds up:
Prevents unauthorized software from running (hacker tools, misbehaving employees)
Allows controlled use of scripts
Flexibility enables security with minor (yeah, I know) business/operation hog
Page 23
Whitelisting doesn't solve:
In-memory code execution (e.g. DLL injection): http://leastprivilege.blogspot.com.br/2013/04/bypass-applocker-by-loading-dlls-from.html
Exploitation of allowed applications
OS or enforcement-application vulns/0days
Running DLLs from rundll32.exe: https://www.attackdebris.com/?p=143
Page 24
Page 25
Keep a close eye on rundll32
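As an added example (not from the slides), this builds an AppLocker policy for an ICS host with the native AppLocker cmdlets (Windows 7 / 2008 R2 and above), preferring certificate rules with hash rules as fallback and deliberately avoiding path rules, then pulls the AppLocker event log for blocked executions and flags rundll32 specifically, as the slide above asks. The vendor install directory, the operators group and the domain name are assumptions.

```powershell
# Added example (not from the slides): AppLocker policy build, dry run, merge and
# detection on an ICS host. Paths, groups and domain are assumed.
Import-Module AppLocker

$icsDir = 'C:\Program Files\ICSVendor'   # assumed install directory of the ICS software

# AppLocker is enforced by the Application Identity service; make sure it runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect publisher/hash/path information for every binary and script we ship.
$fileInfo = Get-ChildItem -Path $icsDir -Recurse -Include *.exe, *.dll, *.ps1, *.vbs, *.bat, *.cmd |
    Get-AppLockerFileInformation

# 2. Allow rules for Everyone: Publisher (certificate-based, survives vendor
#    updates) where the file is signed, Hash otherwise. No Path rules: a writable
#    directory inside a path rule (a log folder, say) becomes a whitelisted drop point.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'ICS' -Optimize

# 3. Dry run before touching the host: which of these files would the policy
#    block for the operators group? rundll32 is included on purpose.
$probe = 'C:\Windows\System32\rundll32.exe', (Join-Path $icsDir 'hmi.exe')
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User 'ICSDOMAIN\operators' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge into the local policy. Keep the rule collections in AuditOnly
#    (enforcement mode is set in the policy XML / GPO) until the plant has run
#    cleanly for a while, then switch to Enabled.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 5. Detection. AppLocker writes to its own event logs:
#    8004 = EXE/DLL blocked, 8007 = script/MSI blocked,
#    8003 / 8006 = would have been blocked while in audit mode.
#    rundll32 gets its own flag because the slides single it out as a bypass vector.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8004, 8006, 8007
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Flag    = if ($_.Message -match 'rundll32') { 'RUNDLL32' } else { '' }
        Message = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize
```

The event query is also the right thing to forward to a central collector: an 8004 or 8007 event on a host that "never changes" is either an attacker or an undocumented operational change, and both deserve a look.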
Page 26
EMET: Enhanced Mitigation Experience Toolkit
Plugging up applications' holes
Page 27
Problem (example scenario):
All software on Machine M001 is unpatched
ICS software was coded by people without a secure SDLC mindset
Lots of software vulns. are present and won't be fixed soon
Page 28
Page 29
EMET – System-wide protections
Page 30
EMET – Application-specific protections
Page 31
Page 32
EMET adds up:
Reduces impact/likelihood of 0day exploitation
Adds complexity to attacks
Foils most off-the-shelf exploits
Page 33
Bypassing EMET is not impossible, but it's tricky:
“We started looking at EMET since version 4.0 and it's come a long way since. There's no doubt that Microsoft are stepping up their efforts at making EMET ever more effective. This sort of layered defense goes a long way in disrupting commodity attacks and increasing the level of effort required for successful exploitation.”
https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
Page 34
Bypassing EMET is not impossible, but it's tricky:
“We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit). But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET.”
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
Page 35
Bypassing EMET is not impossible, but it's tricky:
“(…) But truth be told EMET has tons of good protections which render a lot of methods useless (…) EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products. But if we get to study the system, it's only a matter of time.”
http://casual-scrutiny.blogspot.com.br/2015/03/defeating-emet-52.html
Page 36
Page 37
EMET caveats:
Application might still be exploitable by other means
EMET can be bypassed with a good amount of effort
Some applications might not go well with EMET
Windows XP has very limited support
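As an added example (not from the slides), this is how the system-wide and application-specific EMET protections from the earlier slides are applied from the command line with EMET_Conf.exe, and how the result is exported so the same configuration can be imported on sibling hosts. The install path and ICS binary are assumptions; the switch names are as I recall them from the EMET 5.x user guide, so confirm them against `EMET_Conf --help` for the version you deploy (the 4.x build that still supports XP has fewer mitigations).

```powershell
# Added example (not from the slides): EMET rollout through its EMET_Conf.exe CLI.
# Paths are assumed; switch names per the EMET 5.x user guide, verify with --help.
$emetConf = Join-Path $env:ProgramFiles 'EMET 5.5\EMET_Conf.exe'   # assumed install path
$hmiApp   = 'C:\Program Files\ICSVendor\hmi.exe'                    # assumed ICS binary

if (-not (Test-Path $emetConf)) { throw "EMET_Conf.exe not found at $emetConf" }

# 1. System-wide protections: DEP and SEHOP always on, ASLR opt-in. "AlwaysOn"
#    ASLR is the setting most likely to break old drivers and services, which is
#    the "might not go well with EMET" caveat, so it stays opt-in here.
& $emetConf --system DEP=AlwaysOn SEHOP=AlwaysOn ASLR=ApplicationOptIn

# 2. Application-specific protections for the unpatched ICS software. --set on a
#    path enables EMET's application mitigations for that executable; individual
#    mitigations can be toggled per application (see --help) once testing shows
#    which ones the application tolerates.
& $emetConf --set "$hmiApp"

# 3. Export the configuration so identical hosts get the same XML (or push it by GPO).
$baseline = 'C:\ICS\emet-hmi-baseline.xml'   # assumed location
& $emetConf --export "$baseline"
# On the next host of the same model:
#   & $emetConf --import "C:\ICS\emet-hmi-baseline.xml"

# 4. Review what is configured and make the agent pick it up.
& $emetConf --list
& $emetConf --refresh
```

Apply the application mitigations in a staging copy of the HMI first and exercise every operator workflow: an EMET false positive on a running plant looks exactly like a crash of the process it protects, so the blocked-mitigation events in the Application log are what to watch during the trial period.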
Page 38
PowerShell Remoting and JEA
Because most of the time you don't really need Terminal Services
Page 39
Problem (example scenario):
Machine M001 runs Software XYZ
Software XYZ runs as Administrator
User ABC needs to restart Software XYZ
User ABC ends up with an Administrator account on Machine M001
Page 40
Page 41
PS Remoting and JEA adds up:
Enables remote operation without Terminal Services
Enables a restricted operation environment
Works across domains
Page 42
PS Remoting and JEA caveats:
Requires Windows Management Framework (WMF) 5.0
Requires some coding knowledge
Requires some more attention to PowerShell traffic on your wires
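As an added example (not from the slides), this is a JEA endpoint for the deck's scenario: user ABC can restart service XYZ on machine M001 over PowerShell remoting without ever holding an Administrator account there. The domain, user, service and module names are assumptions; the cmdlets are the WMF 5.0 JEA cmdlets the slide's requirement refers to.

```powershell
# Added example (not from the slides): a JEA endpoint so user ABC can restart
# service XYZ on M001 without Administrator rights. Names are assumed.
$moduleName = 'XyzOperator'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'   # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")   # makes the module discoverable

# 1. Role capability: exactly one action. Restart-Service is visible, and its -Name
#    parameter is pinned to XYZ, so no other service can be restarted from this role.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'XyzRestart.psrc') -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } },
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } }
)

# 2. Session configuration: RestrictedRemoteServer (no scripting language, only the
#    listed commands), commands run as a temporary virtual administrator account
#    instead of ABC, and every session is transcribed for review.
$transcripts = 'C:\ICS\JEA-Transcripts'   # assumed transcript directory
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$psscPath = Join-Path $modulePath 'XyzOperator.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'ICSDOMAIN\ABC' = @{ RoleCapabilities = 'XyzRestart' } }

# Sanity check of the .pssc before registering it ($true when well-formed).
Test-PSSessionConfigurationFile -Path $psscPath

# 3. Register the endpoint on M001 (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'XyzOperator' -Path $psscPath -Force

# From ABC's workstation, no Terminal Services involved:
#   Enter-PSSession -ComputerName M001 -ConfigurationName XyzOperator
#   [M001]: PS> Restart-Service -Name XYZ        # allowed
#   [M001]: PS> Restart-Service -Name Spooler    # rejected by the ValidateSet
#   [M001]: PS> Get-Process                      # not a visible command in this role
```

The transcript directory and the WinRM operational log are the "attention to PowerShell traffic" the caveat asks for: each JEA session records who connected to which endpoint and what they ran, which is exactly the trail a Terminal Services session does not leave.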
Page 43
Implementation techniques for the goodies
Standalone or centralized deployments
Page 44
Deploy from your domain or configure locally:
Firewall rules
EMET install / updates / configuration
Software Restriction Policies (Win XP / Vista)
AppLocker policies (Win 7+)
Page 45
Suitable for mixed environments:
Software Restriction Policies & AppLocker can coexist
Basic firewall rules apply across Windows XP/Vista/7/8
The appropriate version of EMET can be deployed to specific hosts
Page 46
Summing up:
Unauthorized code execution (whitelisting: AppLocker/SRP)
Unauthorized network communication (native host-based firewall)
Exploitation mitigation (EMET)
Page 47
Attackers' face upon realizing you've implemented all that stuff
Page 48
If the ICS world allowed us to have nice things
Like last-generation tech, at least...
Page 49
Configuration management is the word
Page 50
Windows PowerShell Desired State Configuration (DSC)
DSC provides a set of Windows PowerShell language extensions, new Windows PowerShell cmdlets, and resources that you can use to declaratively specify how you want your software environment to be configured.
https://technet.microsoft.com/en-us/library/dn249912.aspx
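As an added example (not from the slides), this DSC configuration keeps the lockdown from the earlier slides in its declared state on an ICS host: unneeded services stay disabled, the AppLocker enforcement service stays running, the domain-profile firewall stays on, and a locally edited AppLocker policy is reverted to the exported baseline. The node name, service list, baseline path and check interval are assumptions; the resources are from the built-in PSDesiredStateConfiguration module.

```powershell
# Added example (not from the slides): a DSC baseline that re-applies the hardening
# from the earlier slides on drift. Host name, services and paths are assumed.
Configuration IcsHostBaseline {
    param([string[]]$NodeName = 'M001')   # assumed host name

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Services with no business on an HMI stay stopped and disabled.
        foreach ($svc in 'Spooler', 'RemoteRegistry', 'WMPNetworkSvc') {
            Service "Disable_$svc" {
                Name        = $svc
                StartupType = 'Disabled'
                State       = 'Stopped'
            }
        }

        # AppLocker enforcement depends on the Application Identity service.
        Service AppIDSvc {
            Name        = 'AppIDSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Host firewall on for the domain profile (policy registry key).
        Registry DomainFirewallOn {
            Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
            ValueName = 'EnableFirewall'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # Re-apply the exported AppLocker baseline whenever the local policy differs
        # (both sides are parsed as XML first so formatting differences do not count).
        Script AppLockerPolicy {
            GetScript  = { @{ Result = (Get-AppLockerPolicy -Local -Xml) } }
            TestScript = {
                $live = [xml](Get-AppLockerPolicy -Local -Xml)
                $base = [xml](Get-Content -Path 'C:\ICS\applocker-baseline.xml' -Raw)
                $live.OuterXml -eq $base.OuterXml
            }
            SetScript  = { Set-AppLockerPolicy -XmlPolicy 'C:\ICS\applocker-baseline.xml' }
        }

        # Local Configuration Manager: check for drift every 15 minutes and fix it,
        # but never reboot a production host on its own.
        LocalConfigurationManager {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile to MOF, apply the LCM settings, push the configuration and verify.
IcsHostBaseline -OutputPath 'C:\ICS\DSC'
Set-DscLocalConfigurationManager -Path 'C:\ICS\DSC' -Verbose
Start-DscConfiguration -Path 'C:\ICS\DSC' -Wait -Verbose
Test-DscConfiguration -Verbose   # $true once the host matches the baseline
```

`Test-DscConfiguration` is also a cheap integrity check to run from a management host on a schedule: a host that reports `$false` between the 15-minute correction cycles has been changed by something other than the configuration, which on a "nothing changes" ICS machine is worth an incident ticket.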
Page 51
Questions?
Page 52
Thanks for your time!
[email protected] // @jseidl // wroot.org
Slides: http://slideshare.net/jseidl
Code: http://github.com/jseidl