Transcript of slide deck by Joe Slowik, Dragos, Inc. | May 2019

Slide 1
Joe Slowik / @jfslowik
Dragos, Inc. | May 2019
Slides 2-5
Student
Officer
Network Defender
ICS Defender
Slide 7
https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf
Slide 8
http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png
Slide 9
Increasing Adoption of IT Technology in ICS Environments
Perimeter Extension and Greater Connectivity
Increased Vendor Interest in ICS Security
Slide 10
Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment
Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT
Result: IT threat surface imported to ICS environment – WITHOUT the same security capabilities
Slide 11
Traditional ICS Perimeter
Vendor and Contractor Access
Increased Remote Work and Administration
Cloud and Off-Prem Products
Slide 12
Increased vendor interest in ICS space
Attempt to leverage “IT-ification” as justification to extend existing IT products to industrial
Fails to recognize operational and technical differences in how IT technologies are deployed for industrial use
Slide 13
Breach victim IT network
Identify points of contact with ICS
Enumerate and categorize control system environment
Deliver effects on objective
Slide 15
Preparatory Actions
Deny, Degrade, Destroy
Slide 17
Recon & Initial Access
Many Attempts
Deny, Degrade, Destroy
Few Examples
Slide 18
ICS-Focused Malware
• STUXNET
• HAVEX
• BLACKENERGY2
• CRASHOVERRIDE
• TRISIS
ICS Disruptive Events
• 2005-2010 (?): STUXNET
• 2014: German Steel Mill Attack
• 2015: Ukraine BLACKENERGY3
• 2016: Ukraine CRASHOVERRIDE
• 2017: Saudi Arabia TRISIS
Disruptive/Destructive Malware
• STUXNET
• CRASHOVERRIDE
• TRISIS
Slide 19
More Aggressive Attacks
Greater Adversary Risk Tolerance
Pursuit of Physical ICS Attacks
Heightened Danger to Asset Owners
Slide 20
Legacy (pre-2016)
• Custom Malware and Specific Tools
• Exploit Use for Movement and Access
• Manual Operations for ICS Impact
Current
• “Commodity” Techniques until ICS Attack
• Credential Theft and System Tool Use to Spread
• ICS Effects and Manipulation Codified in Software
Slide 21
Initial Intrusion & Lateral Movement
• Leverage “Commodity” Tools
• Deploy “Living off the Land” Techniques
• Avoid Custom Tools and Tradecraft
ICS-Specific Disruption
• Attacks are Unique to Target, Environment
• Requires Building Custom Attack Software
• Little Scope for Direct Replay
Slide 24
ICS Environments are “Brittle”
• Little scope for direct testing
• Asset owners are conservative
ICS Attacks have Pre-Requisites
• Focus on enabling factors for testing
• Imperfect for complete security, but valuable for defense in depth
Multiple Paths to Security Testing
• Notional/Logical testing has value
• Direct penetration testing may be least valuable option
Slide 25
Asset Owner Trust
• Clear communication and requirements necessary
• Be prepared for extensive discussion on ROE
• What experience, certifications, and training do you need to enter environment?
Technical Capability
• Determine scope and direction of test
• ICS tools vs. IT tools – depends on type and extent of assessment
• Are custom tools/capabilities required?
Identifying End-State
• Delineate goals in advance relative to ICS operations:
  • Improve security
  • Enhance recovery
  • Minimize downtime
Slide 27
Initial Intrusion
Enterprise IT access
Enumerate and scope environment
Identify and gather information of interest to ICS operations
IT-ICS Pivot
Identify mechanisms to migrate to ICS
Requires continuous connectivity to adversary infrastructure
ICS Impact
Two mechanisms:
• Manual manipulation (legacy)
• Automated interaction (current)
Goal is to manipulate physical processes via logical means
Slide 28
IT Intrusion
• Essentially a standard penetration test
• For industrial organizations, may need to assign “special attention” to operationally-significant groups
IT-ICS Boundary
• Identify and assess IT-ICS links
• Still represents an IT-centric test, but determines ICS environment external risk
ICS Penetration
• Options include Windows-centric lateral movement testing, or process-specific assessment
• Identify tools and techniques needed in advance in light of ROE
ICS Impact
• Notional/logical only
• Demonstrate mechanisms through which impact could occur – rather than creating such an impact
Slide 29
Confidentiality, Integrity, Availability
Slide 30
ICS Operations
Process Safety
Process Reliability
Process Integrity
Slide 31
Physical-process nature of ICS limits ability to directly assess impacts
Focus instead on pathways to ICS impact
When desired, leverage notional testing through table tops and walk-throughs for direct impact assessment
Slide 32
Initial Intrusion
• Essentially the same as a “normal” penetration test
• Identify ingress points to the organization
Lateral Movement
• Identify and map routes to reach control systems
• What pathways exist enabling ICS access
ICS Breach
• Once ICS accessed, what options are available to an adversary
• Test visibility, response, and monitoring
Slide 33
Recognize limitations in ICS environments for direct testing
Leverage whole-of-kill chain approach for comprehensive assessment
Build off of known ICS attacks to develop methodologies
Slide 34
Table Top Exercise
• Walk through plans and responses
• Least invasive, also likely to have least value*
Attack Surface Assessment
• Logical and interactive probing of ICS-facing assets
• Determine and evaluate risk with minimally-invasive techniques
Interactive Pen Test
• Risky in the sense of possible “unforeseen consequences”
• Most valuable in accurately gauging defense
Slide 35
Opportunistic IT Infections spreading to ICS
Direct Disruptive ICS Events
ICS Integrity Attacks
Slide 37
Identify IT-ICS Links
• Assess monitoring and access controls
• Identify work-arounds
Lateral Movement in ICS
• How can additional systems in ICS be reached
• What is the scope of spread from IT
ICS Recovery
• Table top or discussion only
• Plans and procedures for restoring operation
Slide 39
Launcher Start
• Select Payload
• Initiate ICS Impact
Payload Execution
• Connect to Control Systems
• Manipulate State
Wiper
• Wait for Timer
• Delete Files, Remap Services, Reboot System
Post-Attack
• Leave behind “Backup” Backdoor
• SIPROTEC DDoS (Fail)
Slide 40
Test C2 capability from ICS
Interactive lateral movement within ICS environment
Determine accessibility of critical systems (DCS, RTU, Historian, etc.)
Table top or walk-through of possible impacts enabled by access
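The boundary-assessment items on slides 37 and 40 (identify IT-ICS links, test C2 capability from ICS, determine accessibility of critical systems) can be worked as a notional, logic-only check over an asset inventory and the flows a firewall permits. This is an added example, not code from the deck or from Dragos; the host names, zones and flows are constructed sample data.

```python
"""Added example (not from the deck): notional IT/ICS boundary reachability audit.
Reports the pathways the deck says to assess: direct IT->ICS links, ICS egress
that could carry C2, and critical ICS assets reachable from the IT side via
chained hops. All hosts, zones and flows are constructed sample data."""
from collections import deque

# Constructed inventory: host -> (zone, is_critical)
ASSETS = {
    "ws-hr-01": ("IT", False),
    "dc-01": ("IT", False),
    "jump-ot-01": ("DMZ", False),
    "eng-ws-01": ("ICS", False),
    "historian-01": ("ICS", True),
    "dcs-ctl-01": ("ICS", True),
    "rtu-07": ("ICS", True),
}

# Constructed allowed/observed flows: (src, dst, dst_port). "internet" is external.
FLOWS = [
    ("ws-hr-01", "dc-01", 445),
    ("dc-01", "jump-ot-01", 3389),
    ("jump-ot-01", "eng-ws-01", 3389),
    ("eng-ws-01", "dcs-ctl-01", 102),
    ("eng-ws-01", "historian-01", 1433),
    ("ws-hr-01", "historian-01", 1433),  # direct IT->ICS, bypasses the DMZ
    ("historian-01", "internet", 443),   # ICS egress: possible C2 channel
    ("rtu-07", "dcs-ctl-01", 20000),
]

def zone(host):
    """Zone of a known host; anything not in the inventory is treated as external."""
    return ASSETS.get(host, ("EXTERNAL", False))[0]

def direct_it_to_ics(flows):
    """Flows crossing IT->ICS with no DMZ hop (slide 37: identify IT-ICS links)."""
    return [f for f in flows if zone(f[0]) == "IT" and zone(f[1]) == "ICS"]

def ics_egress(flows):
    """Flows from ICS to external hosts (slide 40: test C2 capability from ICS)."""
    return [f for f in flows if zone(f[0]) == "ICS" and zone(f[1]) == "EXTERNAL"]

def reachable_from(start, flows):
    """BFS along flow direction: all hosts reachable by chaining allowed flows."""
    adj = {}
    for src, dst, _ in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def critical_reachable_from_it(flows):
    """Critical ICS assets each IT host can reach (slide 37: scope of spread from IT)."""
    found = {}
    for host, (z, _) in ASSETS.items():
        if z == "IT":
            hits = {h for h in reachable_from(host, flows) if ASSETS.get(h, ("", False))[1]}
            if hits:
                found[host] = sorted(hits)
    return found
```

The same three functions can be fed a real rule export or flow log once it is mapped to (src, dst, port) tuples; the findings feed the table-top discussion of impacts rather than any live interaction with control systems.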
Slide 42
Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
Utilize remote access to OT network via stolen credentials
Continue pivoting through network via credential capture
Gain sufficient access to SIS to deploy TRISIS
Slide 43
Map out critical systems for ICS operational safety and integrity
Determine access and communication possibilities to these systems
Evaluate monitoring and auditing mechanisms
Walk through integrity attack scenarios based on access findings
Slide 44
IT Skills have a Role in ICS Testing
• Audit and test links and communication
• “IT-ification” means production networks feature similarities to IT
Scope Needs and Purpose
• What is actually being tested?
• How will the actions better the organization?
Identify Core Interests and Values
• Safety, Reliability, and Integrity are critical
• Ensure methodologies respect and aim to secure these values!
Slide 45
• Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)
• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)
• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• TRITON – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)