DETECTING, FINGERPRINTING AND TRACKING RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS
By Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf & Basile L. Agba
Outline
Introduction
Methodology
Results
Conclusion
June 17, 2019 Detecting, Fingerprinting and Tracking ICS Campaigns 2
INTRODUCTION
Motivation
Industrial Control Systems (ICS) are vital pieces of our infrastructure
• Used in the smart grid, smart cities, smart devices, building automation
• Sharp rise in the number of internet-connected devices
• The Internet is a huge attack surface against ICS and IoT
ICS are attractive and vulnerable targets
• Huge financial cost to any successful attack against ICS
• Consequences in the physical world: blackouts, destroyed equipment, …
Rise in the use of sophisticated attacks
• Industroyer, BlackEnergy, Triton, …
• These attacks require sophisticated know-how and knowledge of their targets
Problem statement
With the onset of Internet-driven cyber attacks…
• Need for accurate, timely & reliable intelligence on incoming cyber attacks
• To mitigate & prevent attacks before they occur
As reconnaissance campaigns are precursors to cyber attacks…
• Need for a tool to identify campaigns accurately and in near real-time
• Identifying sources, targeted ICS devices & scanning techniques
Contributions
Near real-time detection of ICS probing campaigns
Tracking, characterization & identification of campaigns
Intelligence on campaigns sources & targeted ICS infrastructure
METHODOLOGY
Overview
Network telescope (darknet) data
• Originates from a /13 network telescope
  ▪ 11 subnets from 12 countries
  ▪ About ½ million IP addresses
  ▪ Live stream of network traffic: over 28 GB per day
• Packets batched in PCAP-formatted files arrive in real time
• Contains traffic from ICS/IoT devices
• Monitors 27 ICS/IoT protocols
Features
• Extracts primary features from packets
  ▪ Header fields & payload
• Extracts secondary features from groups of packets
Primary features (per packet):
  Total Length, Payload, IHL, Fragment Offset, IPv4 Flags, TTL, ToS, IPv4 Options,
  Identification, TCP Flags, TCP Options, Urgent Pointer, Offset, Window Size,
  Sequence #, Acknowledgement #
Secondary features (per group of packets):
  Destination Overlap, Packet-to-Destination Ratio, Packet Interval
Classification
• Core component of the campaign identification process
Pipeline stages:
1. Packet Aggregation, using source IP and protocol: storing packet information in node data structures
2. Graph Generation, using header feature matching: pairwise node comparison using stored packet information
3. Cluster Formation, using graph theory metrics: partitioning the weighted graph based on edge weights
4. Campaign Identification, using temporal feature matching: removing outliers from the cluster
5. Signature Generation, based on characteristic features: using the common packet information shared by all nodes in the cluster
Calculating the weights
• Weight calculation used for graph generation
  ▪ $w_i$ : the weight of the $i$th feature
  ▪ $A$ : set of values representing the number of times each value of the $i$th feature appears
  ▪ $a_j$ : the number of occurrences of the $j$th value of the $i$th feature
  ▪ $N = \sum_{a_j \in A} a_j$ : the sum of all values in $A$
  ▪ $d$ : exponent in the range $[0, 1]$
Feature weight calculation:

$$ w_i = \left( \sum_{a_j \in A} -\frac{a_j}{N} \log_{|A|} \frac{a_j}{N} \right)^{d} $$
Similarity score
• Compares:
  ▪ The features in the packets from each source IP
    o Features represented as vectors of probabilities
    o Calculating the distance between vectors
  ▪ Adding the scores for each feature together
Example feature histograms for one node (value : count):
  ttl:         "32" : 3, "64" : 10, "128" : 2, "256" : 5, …
  source port: "80" : 1, "102" : 2, "502" : 1, "8080" : 1, …
  tcp_flags:   "100000" : 5, "110000" : 2, "000000" : 1, …
Calculating the similarity score
• Similarity score between two nodes for a feature $i$
  ▪ $s_i$ : similarity score for feature $i$
  ▪ $w_i$ : weight of the $i$th feature
  ▪ $V_x = \sum_{j=1}^{|N_x|} n_{xj}$ (i.e. the total number of packets in node $x$)
  ▪ $N_x$ : set of all different values for feature $i$ in node $x$
  ▪ $n_{xj}$ : number of occurrences of the value $j$ in node $x$
  ▪ $U = N_1 \cup N_2$

$$ s_i = w_i \times \left( 1 - \frac{\min(V_1, V_2)}{\max(V_1, V_2)} \times \frac{1}{2} \sum_{j=1}^{|U|} \left( \frac{n_{1j}}{V_1} - \frac{n_{2j}}{V_2} \right)^{2} \right) $$
Calculating the similarity score
• Similarity score between the payloads of two nodes
  ▪ $s_{payload}$ : similarity score for the payload feature
  ▪ $w_{payload}$ : weight of the payload feature
  ▪ $|P_x|$ : size of payload $x$
  ▪ $b_{xi}$ : the $i$th byte in $P_x$

$$ s_{payload} = w_{payload} \times \frac{\sum_{i=1}^{\min(|P_1|, |P_2|)} (b_{1i} == b_{2i})}{\max(|P_1|, |P_2|)} $$

where $(b_{1i} == b_{2i})$ is 1 when the bytes match and 0 otherwise.
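The feature weight, per-feature similarity and payload similarity formulas above, implemented together as an added example (this is not the authors' code; the sample histograms, the dataset-wide counts and the payload weight of 1.0 are constructed, and the single-valued-feature and empty-payload cases are assumed to score 0 and "identical" respectively, since the formulas leave them undefined):

```python
import math

def feature_weight(counts, d=0.5):
    """w_i: entropy (base |A|) of the dataset-wide value histogram of feature i, raised to d.
    counts: value -> number of occurrences across all packets (the set A)."""
    a = [c for c in counts.values() if c > 0]
    n = sum(a)                                   # N, the sum of all values in A
    if len(a) < 2:
        return 0.0                               # assumed: one value carries no information (log base 1 undefined)
    return (-sum(aj / n * math.log(aj / n, len(a)) for aj in a)) ** d

def feature_similarity(w, n1, n2):
    """s_i between two nodes for one feature. n1, n2: value -> count inside each node."""
    v1, v2 = sum(n1.values()), sum(n2.values())  # V_1, V_2: packets per node
    u = set(n1) | set(n2)                        # U = N_1 ∪ N_2 (missing values count as 0)
    dist = 0.5 * sum((n1.get(j, 0) / v1 - n2.get(j, 0) / v2) ** 2 for j in u)
    return w * (1 - min(v1, v2) / max(v1, v2) * dist)

def payload_similarity(w, p1, p2):
    """s_payload: positional byte matches divided by the longer payload length."""
    longest = max(len(p1), len(p2))
    if longest == 0:
        return w                                 # assumed: two empty payloads are identical (formula is 0/0)
    matches = sum(1 for x, y in zip(p1, p2) if x == y)
    return w * matches / longest

def node_similarity(weights, node1, node2):
    """Edge weight between two nodes: the per-feature scores added together."""
    total = 0.0
    for feat, w in weights.items():
        if feat == "payload":
            total += payload_similarity(w, node1[feat], node2[feat])
        else:
            total += feature_similarity(w, node1[feat], node2[feat])
    return total

# Constructed sample: dataset-wide value counts (A per feature) and two source-IP nodes.
DATASET_COUNTS = {"ttl": {"32": 5, "64": 5, "128": 5, "256": 5},
                  "tcp_flags": {"100000": 9, "110000": 1}}
WEIGHTS = {f: feature_weight(c) for f, c in DATASET_COUNTS.items()}
WEIGHTS["payload"] = 1.0                         # assumed weight for the payload feature
NODE_A = {"ttl": {"32": 3, "64": 10, "128": 2, "256": 5},
          "tcp_flags": {"100000": 5, "110000": 2},
          "payload": bytes.fromhex("810a0023")}
NODE_B = {"ttl": {"64": 8, "128": 2},
          "tcp_flags": {"100000": 10},
          "payload": bytes.fromhex("810a0024")}

if __name__ == "__main__":
    print(WEIGHTS, node_similarity(WEIGHTS, NODE_A, NODE_B))
```

A uniform dataset-wide histogram gives a feature the maximum weight of 1.0, while a feature that takes a single value everywhere contributes nothing to the edge weight.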
Graph generation
Belonging degree & conductance
  ▪ $B(u, C)$ : belonging degree between $u$ and $C$
  ▪ $C$ : set of nodes in the cluster
  ▪ $u$ : node adjacent to $C$
  ▪ $N_u$ : set of nodes neighboring $u$
  ▪ $w_{ux}$ : weight of the edge between nodes $u$ and $x$
  ▪ $\Phi(C)$ : conductance of $C$
  ▪ $cut(C, G/C)$ : sum of the weights of edges between nodes in $C$ and outside of $C$
  ▪ $w_C$ : sum of the weights of all edges in $C$

$$ B(u, C) = \frac{\sum_{v \in C} w_{uv}}{\sum_{t \in N_u} w_{ut}} \qquad \Phi(C) = \frac{cut(C, G/C)}{w_C} $$
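Belonging degree and conductance computed over a small weighted similarity graph, as an added example (not the authors' code). The graph is constructed, with source IPs as nodes and similarity scores as edge weights stored in both directions; the grow_cluster heuristic and its 0.5 threshold are an assumption used to show how the two metrics steer cluster formation, not the paper's exact partitioning procedure.

```python
def belonging_degree(graph, u, cluster):
    """B(u, C): weight from u into C divided by the total weight of u's edges."""
    total = sum(graph[u].values())               # sum over t in N_u of w_ut
    if total == 0:
        return 0.0                               # assumed: an isolated node belongs nowhere
    return sum(w for v, w in graph[u].items() if v in cluster) / total

def conductance(graph, cluster):
    """Phi(C) = cut(C, G/C) / w_C. Each undirected edge is stored in both directions,
    so internal edges are counted twice and halved."""
    cut = sum(w for u in cluster for v, w in graph[u].items() if v not in cluster)
    internal = sum(w for u in cluster for v, w in graph[u].items() if v in cluster) / 2
    return float("inf") if internal == 0 else cut / internal

def grow_cluster(graph, seed, min_belonging=0.5):
    """Assumed greedy heuristic: repeatedly absorb the adjacent node with the highest
    belonging degree while that degree stays at or above the threshold."""
    cluster = {seed}
    while True:
        frontier = {v for u in cluster for v in graph[u] if v not in cluster}
        if not frontier:
            break
        # sorted() makes the tie-break deterministic (lowest node name wins)
        best = max(sorted(frontier), key=lambda v: belonging_degree(graph, v, cluster))
        if belonging_degree(graph, best, cluster) < min_belonging:
            break
        cluster.add(best)
    return cluster

# Constructed sample graph: A, B, C form a tight group; D and E are loosely attached.
GRAPH = {
    "A": {"B": 0.9, "C": 0.8, "D": 0.1},
    "B": {"A": 0.9, "C": 0.7},
    "C": {"A": 0.8, "B": 0.7, "D": 0.2},
    "D": {"A": 0.1, "C": 0.2, "E": 0.6},
    "E": {"D": 0.6},
}

if __name__ == "__main__":
    found = grow_cluster(GRAPH, "A")
    print(sorted(found), conductance(GRAPH, found), belonging_degree(GRAPH, "D", found))
```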
Cluster formation
Campaign Formation
• Pairwise comparison of nodes inside the cluster
  ▪ Calculating the similarity score using secondary features (temporal characteristics)
  ▪ Removing outliers
Signature Generation
• Building an identifying signature
  ▪ Listing of all primary features
  ▪ Vector quantization of secondary features
    o Using hierarchical agglomerative clustering
RESULTS
ICS & IoT Protocols
• Categorizes packets by source IP & protocol
• Retains traffic from ICS/IoT protocols
Monitored protocols and their port(s):
  FL-net               55000 to 55003
  PROFINET             34962 to 34964
  DNP3                 19999, 20000
  GE-SRTP              18245, 18246
  MELSEC-Q             5006, 5007
  BACnet               47808 to 47823
  Emerson ROC          4000
  EtherCAT             34980
  Hart-IP              5094
  ICCP                 102
  Siemens S7
  IEC 60870-5-104      2404, 19998
  Johnson Controls     11001
  Modbus               502, 802
  OMRON FINS           9600
  PCWorx               1962
  CoAP                 5683, 5684
  EtherNet/IP          2036, 2221, 2222, 44818
  Niagara Fox          1911, 4911
  CODESYS              2455
  Red Lion             789
  ProConOS             20547
  Zigbee               17754 to 17756
  Emerson ecmp         6160
  Foundation Fieldbus  1090, 1091, 3622
  OPC UA               4840, 4843
  MQ Telemetry (MQTT)  1883
Legitimate organizations
• 3 legitimate research organizations
  ▪ Well-known research objective
  ▪ No effort to obfuscate their scans
Organization        Protocol      Packets
Kudelski Security   MQTT          3,176,785
                    Modbus        3,225,764
                    Niagara Fox   3,338,688
                    BACnet        3,186,966
Project Sonar       BACnet        1,408,866
                    MQTT          1,365,953
                    EtherNet/IP   749,032
                    CoAP          673,405
Censys              Modbus        14,546,546
                    DNP3          8,674,021
                    BACnet        14,472,089
                    Niagara Fox   11,027,247
                    S7 Comm       6,001,835
                    EtherNet/IP   41
Legitimate campaign signature
• Against the BACnet protocol
  ▪ Includes the entire darknet
  ▪ Conducted multiple times
    o Over a period of 9 months
  ▪ 242 source IPs involved
Stats:
  Transport protocol: UDP
  Protocol: BACnet
  Destination port: 47808
  # of sources: 242
  # of destinations: Entire darknet
  # of packets: 5,562,890
  Start: 05-08-18, 20:59:52
  End: 02-19-19, 20:56:33
Signature:
  Source port: 47808
  ToS: 72
  TTL: 254
  IHL: 5
  Total length: 77
  IPv4 options: None
  Identification: 54321
  Fragment offset: 0
  Flags: None
  Packet interval: 87 ms
  Packet/destination ratio: 1.0
  Destination overlap: 0.0
  Payload: 810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f
Legitimate campaign date histogram
• Regular (weekly) traffic
• Several missing spikes of data, where the algorithm returned a false negative
Malicious campaign signature
• Against the EtherNet/IP protocol
  ▪ Included parts of the darknet
    o Visiting IPs more than once
  ▪ Multiple spikes of activity
  ▪ 21 source IPs involved
Stats:
  Transport protocol: UDP
  Protocol: EtherNet/IP
  Destination port: 2222
  # of sources: 21
  # of destinations: 160,000
  # of packets: 1,653,444
  Start: 10-07-18, 13:19:06
  End: 02-19-19, 21:48:51
Signature (* = varies across the campaign):
  Source port: *
  ToS: 40
  TTL: 128
  IHL: 5
  Total length: *
  IPv4 options: None
  Flags: None
  Payload: None
  Identification: 256
  Fragment offset: 0
  Offset: 5
  Window size: *
  Urgent pointer: 0
  TCP options: None
  TCP flags: SYN
  Sequence #: *
  Acknowledgment #: 0
  Packet interval: 552 ms
  Packet/destination ratio: 1.0
  Destination overlap: 0.0
Malicious campaign date histogram
• Traffic is irregular, with no discernible pattern
Malicious campaign details
• Geo-localization of source IPs
  ▪ Most IPs are from China
  ▪ The rest are from the United States
Malicious campaign details
• A circular scanning pattern
• IPs had ties with several fast-fluxing domains
• IPs had ties with malware
  ▪ Including Trojans, miners, DDoS
Malicious campaign details
• Found 32 domains associated with the 21 IPs
  ▪ All had neutral or poor reputation
  ▪ 8 domains known for spamming
  ▪ Found 160 IP addresses associated with the domains
    o Out of the 70 IP addresses investigated at random, 45 were fast-fluxing
Malicious campaign details
• Cross-correlation between malware files detected in campaign sources and the malware stream from Farsight
  ▪ During spikes in campaign activity
• Strong presence of Trojan malware
  ▪ Possible attempt to increase botnet size
Malware name                          # of hits
Trojan.Win32.Generic!BT 1,397,819
Trojan:Win32/Skeeyah.A!rfn 29,681
Virus.Win32.Virut.ce 22,623
Trojan:Win32/Tiggre!rfn 7,395
Backdoor:Win32/Zegost 830
Virus:Win32/Ramnit.J 225
Trojan-Downloader.Win32.Agent 200
DDoS:Win32/Nitol.B 137
Virus:Win32/Virut.BN 108
DDoS:Win32/Nitol.A 78
VirTool:Win32/Ceeinject.TD!bit 67
DDoS:Win32/Nitol.P!bit 39
TrojanDownloader:Win32/Farfli.F!bit 30
DDoS:Win32/Nitol!rfn 13
Trojan:Win32/Togapy.A!bit 2
Virus:Win32/Parite.C 2
CONCLUSION
Conclusion
• Built a Threat Intelligence generation platform for ICS threats
• Leveraged the platform to analyze over 10 months of darknet data
• Found several campaigns by legitimate organizations
• Found evidence of malicious campaigns
• Future Work
  ▪ Extending our tool to deal with campaigns spanning several ports
  ▪ Extending the range of ports covered by our application