Implementing Consequence-Driven Cybersecurity · ICS Honeypot Experiment • Simulated ICS...


Page 1: Implementing Consequence-Driven Cybersecurity · ICS Honeypot Experiment • Simulated ICS environment – IT network, OT network with HMI – 3 Internet-facing servers with RDP,
Page 2:

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Phil Neray, VP of Industrial Cybersecurity

Page 3:

Agenda

• NotPetya: How a Single Piece of Code Crashed the World (Wired)

• VPNFilter Update

• What Happens When You Expose an ICS Honeypot

• Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Page 4:

Why It Matters

“INSECURE BY DESIGN” NETWORKS

SUPPORT BUSINESS NEED FOR DIGITALIZATION

RANGE OF MOTIVATED ADVERSARIES

Image Credit: CyberScoop/Jolie Gender

Page 5:

NotPetya: How a Single Piece of Code Crashed the World (WIRED)

“Almost everyone who has studied NotPetya agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”

– Thomas Rid, Johns Hopkins’ School of Advanced International Studies.

“Anyone who thinks this was accidental is engaged in wishful thinking.” — Cisco

• Propelled by a combination of EternalBlue and Mimikatz; spread via intranets

• Spread within hours from a Ukrainian software firm to countless machines around the world, from a British manufacturer of Lysol to a chocolate factory in Tasmania

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Page 6:

Update on VPNFilter Malware

• Multi-stage router malware
  – MODBUS packet sniffer
  – Wipes firmware of devices
  – Uses BE (BlackEnergy) malware from 2015 Ukraine grid attack

• Latest updates from Cisco Talos
  – Endpoint exploitation tool
    • Redirects and inspects content of HTTP traffic
    • Download binary payload & perform on-the-fly patching of Windows executables
  – Port scanning & network mapping tool
    • Identify additional devices for lateral movement/compromise
  – DoS specific forms of encrypted communication (WhatsApp, QQ Chat, Wikr, Signal)
  – New ways to obfuscate or encrypt malicious traffic; build distributed proxy network


https://cyberx-labs.com/en/resources/sans-webinar-vpnfilter-malware-and-implications-for-ics/

https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

Page 7:

ICS Honeypot Experiment

• Simulated ICS environment
  – IT network, OT network with HMI
  – 3 Internet-facing servers with RDP, SSH & weak passwords
  – DNS names registered; internal names resembled “well-known” electric utility

• In 2 days: compromised by xDedic RDP Patch tool

• In 10 days: access to back door from “new owner”
  – Presumed bought access to ICS via black market

• Multipoint network reconnaissance to identify paths from IT to OT

https://thecyberwire.com/podcasts/cw-podcasts-rs-2018-09-22.html

https://www.cybereason.com/blog/industrial-control-system-specialized-hackers

Page 8:

(1) Identify “Crown Jewel” Processes

• Functions whose failure would threaten your company’s very survival
  – Revenue
  – Lawsuits
  – Brand reputation
  – Theft of intellectual property
  – Major compliance violations

• Requires conversations with business owners & OT

• Examples
  – Safety systems
  – Critical manufacturing production lines
  – Transformers or gas compressor stations
  – Historians (pharma)


Page 9:

(2) Map Digital Terrain

• Asset discovery & network topology mapping

• “How does information move through your network?”

• “Who touches your equipment — and how do they connect?”

Page 10:

(3) Illuminate Most Likely Attack Paths

• Tabletop exercises

• Pen testers

• Automated threat modeling
  – Map ICS topology
  – Identify vulnerabilities
  – Calculate most likely attack paths

Page 11:

Simulating Attack Paths to Critical Assets

Page 12:

Automated ICS Threat Modeling

• Choose your most critical “crown jewel” assets as targets

• CyberX finds all potential attack paths, ranked by risk

• CyberX shows visual simulation of entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching)
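The workflow on this slide, together with step (3) on the slide before it (pick crown-jewel targets, enumerate the attack paths that reach them from the Internet ranked by risk, then test what-if mitigations such as zoning or patching), as an added Python example; this is not CyberX's code or algorithm. The topology, the weakness labels and the per-pathway likelihoods are constructed for illustration, and scoring a path by the product of its hop likelihoods is an assumption standing in for whatever risk ranking the product computes.

```python
"""Toy attack-path model over an ICS topology (added example, not CyberX code).

Nodes are assets; each directed edge is a digital pathway annotated with the
weakness that makes it usable and an ASSUMED likelihood that an attacker who
controls the source asset can traverse it. All values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, float]          # (neighbour, weakness, likelihood)
Topology = Dict[str, List[Edge]]

# Constructed topology: an Internet-facing IT side bridged into an OT cell.
TOPOLOGY: Topology = {
    "internet":        [("jump-server", "exposed RDP with weak password", 0.9),
                        ("vpn-gw", "unpatched VPN appliance", 0.4)],
    "jump-server":     [("it-workstation", "shared local admin account", 0.7)],
    "vpn-gw":          [("it-workstation", "flat IT network", 0.8)],
    "it-workstation":  [("eng-workstation", "dual-homed host, SMB open", 0.6),
                        ("historian", "unused open database port", 0.5)],
    "historian":       [("eng-workstation", "same OT VLAN", 0.5)],
    "eng-workstation": [("hmi", "vendor remote-access tool", 0.8),
                        ("safety-plc", "engineering protocol reachable", 0.7)],
    "hmi":             [("controller", "unauthenticated control protocol", 0.95)],
    "controller":      [],
    "safety-plc":      [],
}
CROWN_JEWELS: Set[str] = {"controller", "safety-plc"}   # step (1) targets


@dataclass
class AttackPath:
    hops: List[Tuple[str, str, str]]   # (from, to, weakness) per hop
    score: float                       # product of hop likelihoods

    def describe(self) -> str:
        route = " -> ".join([self.hops[0][0]] + [dst for _, dst, _ in self.hops])
        return f"{self.score:.3f}  {route}"


def enumerate_attack_paths(topology: Topology, entry: str,
                           targets: Set[str]) -> List[AttackPath]:
    """Depth-first enumeration of every simple path from `entry` to a target,
    scored by multiplying hop likelihoods and returned highest risk first."""
    found: List[AttackPath] = []

    def walk(node: str, visited: Set[str],
             trail: List[Tuple[str, str, str]], score: float) -> None:
        if node in targets and trail:
            found.append(AttackPath(list(trail), score))
            return                      # reaching a crown jewel ends the path
        for nxt, weakness, likelihood in topology.get(node, []):
            if nxt in visited:
                continue                # simple paths only, no cycles
            trail.append((node, nxt, weakness))
            walk(nxt, visited | {nxt}, trail, score * likelihood)
            trail.pop()

    walk(entry, {entry}, [], 1.0)
    return sorted(found, key=lambda p: p.score, reverse=True)


def apply_mitigations(topology: Topology, removed: Set[Tuple[str, str]],
                      reduced: Dict[Tuple[str, str], float]) -> Topology:
    """What-if scenario: drop pathways that zoning or closing a port eliminates,
    and lower the likelihood of pathways that patching or hardening weakens."""
    hardened: Topology = {}
    for src, edges in topology.items():
        hardened[src] = [(dst, weakness, reduced.get((src, dst), likelihood))
                         for dst, weakness, likelihood in edges
                         if (src, dst) not in removed]
    return hardened


def risk_summary(topology: Topology) -> Tuple[int, float]:
    """Number of Internet-to-crown-jewel paths and the highest path score."""
    paths = enumerate_attack_paths(topology, "internet", CROWN_JEWELS)
    return len(paths), (paths[0].score if paths else 0.0)


if __name__ == "__main__":
    print("Before mitigation:")
    for p in enumerate_attack_paths(TOPOLOGY, "internet", CROWN_JEWELS):
        print(" ", p.describe())
    hardened = apply_mitigations(
        TOPOLOGY,
        removed={("internet", "jump-server"),             # close exposed RDP
                 ("it-workstation", "eng-workstation")},  # segment IT from OT
        reduced={("internet", "vpn-gw"): 0.1},            # patch the VPN appliance
    )
    print("After mitigation:")
    for p in enumerate_attack_paths(hardened, "internet", CROWN_JEWELS):
        print(" ", p.describe())
```

Running the block prints eight ranked paths before mitigation and two after closing the exposed RDP server, segmenting the dual-homed workstation from the OT side and patching the VPN appliance. Both surviving paths run through the historian's unused open port, which is the kind of residual pathway the mitigation options on the next slide (unused open ports, segmentation) are meant to remove.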

Page 13:

(4) Options for Mitigation & Protection

• Reduce # of digital pathways to a minimum
  – Unauthorized Internet connections
  – Segmentation
  – Privileged identity management & secure remote access

• Address vulnerabilities
  – Weak passwords
  – Unused open ports
  – Patching where possible

• Implement compensating controls
  – Continuous monitoring with behavioral anomaly detection
  – Integration with firewall infrastructures


Page 14:

Detect & Respond Faster

Page 15:

Investigations & Threat Hunting

Page 16:

CyberX Firewall Integration (diagram). Components shown: Palo Alto NGFW, Panorama, SOC/DMZ, SIEM, Zone Switches, Cell Switches, Engineering Workstation, HMI, Controllers. Workflow steps: (1) CyberX Alert, (2) Automated NGFW Policy Creation, (3) Policy Approval & Push.
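The three-step workflow in the diagram (CyberX alert, automated NGFW policy creation, policy approval and push), preceded by the behavioral anomaly detection that the compensating-controls slide calls for, as an added Python example that is not CyberX's or Palo Alto Networks' code. The flow records, asset names, Modbus operation names used as labels and the rendered rule text are constructed assumptions; the real NGFW/Panorama object model is not reproduced.

```python
"""Learned OT baseline -> anomaly alert -> proposed deny rule -> approval -> push.
Added example, not vendor code; all traffic and names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, str]   # (src asset, dst asset, protocol, operation)

# Constructed learning-window traffic: what "normal" looks like in one cell.
BASELINE_FLOWS: List[Flow] = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-07", "modbus", "write_single_register"),
    ("hmi-01", "plc-08", "modbus", "read_holding_registers"),
    ("historian-01", "plc-07", "modbus", "read_holding_registers"),
    ("historian-01", "plc-08", "modbus", "read_holding_registers"),
    ("eng-ws-01", "plc-07", "modbus", "write_multiple_registers"),
]
# Constructed post-learning traffic: two known flows and two deviations.
OBSERVED_FLOWS: List[Flow] = [
    ("hmi-01", "plc-07", "modbus", "read_holding_registers"),
    ("historian-01", "plc-08", "modbus", "read_holding_registers"),
    ("historian-01", "plc-08", "modbus", "write_multiple_registers"),  # read-only asset starts writing
    ("it-ws-42", "plc-07", "modbus", "write_multiple_registers"),      # never-seen host writes to a PLC
]
WRITE_OPERATIONS = {"write_single_coil", "write_multiple_coils",
                    "write_single_register", "write_multiple_registers"}


@dataclass
class Baseline:
    conversations: Set[Tuple[str, str]] = field(default_factory=set)
    operations: Dict[Tuple[str, str], Set[str]] = field(
        default_factory=lambda: defaultdict(set))


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Self-learning phase: which asset pairs talk, and with which operations."""
    b = Baseline()
    for src, dst, proto, op in flows:
        b.conversations.add((src, dst))
        b.operations[(src, dst)].add(f"{proto}:{op}")
    return b


@dataclass
class Alert:
    kind: str           # "new_conversation" or "new_operation"
    src: str
    dst: str
    protocol: str
    operation: str
    severity: str


def detect(baseline: Baseline, flows: List[Flow]) -> List[Alert]:
    """Step 1: flag flows that deviate from the baseline. Writes to a
    controller are rated high because they can change the process state."""
    alerts: List[Alert] = []
    for src, dst, proto, op in flows:
        pair = (src, dst)
        if pair not in baseline.conversations:
            kind = "new_conversation"
        elif f"{proto}:{op}" not in baseline.operations[pair]:
            kind = "new_operation"
        else:
            continue                                   # within baseline
        severity = "high" if op in WRITE_OPERATIONS else "medium"
        alerts.append(Alert(kind, src, dst, proto, op, severity))
    return alerts


@dataclass
class ProposedRule:
    name: str
    source: str
    destination: str
    application: str
    action: str = "deny"
    state: str = "proposed"    # proposed -> approved -> pushed
    approved_by: str = ""


def propose_rule(alert: Alert) -> ProposedRule:
    """Step 2: automated policy creation from an alert (generic rule shape)."""
    return ProposedRule(name=f"block-{alert.src}-to-{alert.dst}", source=alert.src,
                        destination=alert.dst, application=alert.protocol)


def approve(rule: ProposedRule, analyst: str) -> ProposedRule:
    """Step 3a: a SOC analyst signs off before anything touches the firewall."""
    rule.state, rule.approved_by = "approved", analyst
    return rule


def push(rule: ProposedRule) -> str:
    """Step 3b: push only approved rules; returns the rendered (generic) rule."""
    if rule.state != "approved":
        raise PermissionError(f"rule {rule.name} is {rule.state}, not approved")
    rule.state = "pushed"
    return (f"{rule.action} {rule.application} from {rule.source} to "
            f"{rule.destination} [{rule.name}, approved by {rule.approved_by}]")


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"[{alert.severity}] {alert.kind}: {alert.src} -> {alert.dst} "
              f"{alert.protocol}:{alert.operation}")
        rule = propose_rule(alert)
        print("  pushed:", push(approve(rule, "soc-analyst")))
```

The approval step is deliberately a hard gate rather than a flag: an unapproved rule cannot be pushed at all, because an automated block on OT traffic that turns out to be a legitimate engineering change can itself cause the outage the control is meant to prevent.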

Page 17:

CyberX at a Glance

• Founded in 2013 by military cyber experts with nation-state expertise defending critical infrastructure

• HQ in Boston with R&D and Threat Intelligence teams in Israel

• Purpose-built OT security platform
  – Asset management, vulnerability & risk management, continuous threat monitoring
  – Non-invasive, agentless technology utilizing patented behavioral analytics & self-learning
  – Integrates with existing SOC workflows & security stack for unified IT/OT monitoring

• Partnerships & integrations with major security companies & MSSPs worldwide
  – IBM Security, Palo Alto Networks, Splunk, ServiceNow, CyberArk, ArcSight, …
  – Optiv Security, DXC Technologies, AT&T, Wipro, Singtel, …

Page 18:

ICS Zero-Day Vulnerabilities Discovered by CyberX

• https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01: Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A: Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-16-306-01: Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02: Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02: Arbitrary File Upload, Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01A: Buffer Overflow

• https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D: Improper Input Validation (DDoS)

• https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01: Uncontrolled search path element

• Undisclosed RCE vulnerability in controller (vendor Y)

CyberX research featured in Chapter 7

Page 19:

Scalable Multi-Tier Architecture with Centralized Control (diagram). Components shown: CyberX Central Manager, Corporate SOC, CyberX SOC Enablement Services, SIEM, Ticketing System, CyberX Malware Analysis Sandbox Service, CyberX Global ICS Threat Intelligence.

Page 20:

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed a malware framework — which we call TRITON — designed to manipulate Triconex Safety Instrumented System (SIS) controllers.” – FireEye, December 14

Page 21:

CONFIDENTIAL

Palo Alto Networks Proprietary and Confidential

The TRITON attack “was not designed to simply destroy data or shut down the plant … It was meant to sabotage the firm’s operations and trigger an explosion.” – The New York Times

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

Goal: Disable plant safety systems?

Campaign: Connected to Shamoon attacks?

Who: Likely Iran with assistance from Russia or N. Korea?

Page 22:

TRITON Cyberattack on Petrochemical Facility (diagram spanning network levels L4 to L0; protocol labelled: TriStation)

1. Steal OT credentials

2–3. Deploy PC malware

4. Install RAT in safety PLC

Disable safety PLC & launch 2nd cyberattack

Page 23:

For More Information

ICS & IIoT Security Knowledge Base
• Threat & vulnerability research (Black Energy, etc.), transcripts from SANS webinars, CyberX “Global ICS & IIoT Risk Report”, research presentations from Black Hat Europe

See Us at Upcoming Events
• CS4CA Europe (Oct. 2-3, London) — NISD presentation
• ICS Cyber Security Summit (Oct. 9-10, London)
• Palo Alto Networks IGNITE Europe (Oct. 8-10, Amsterdam)
  – Featuring joint session with CISO of leading manufacturer
• MANUSEC (Oct. 9-10, Chicago)
• ICS Cyber Security Conference (Oct. 22-25, Atlanta)
  – Free ½-day hands-on workshop with Palo Alto Networks & CyberX
  – Joint session with Emerson Automation Solutions: “ICS Security Researchers & Automation Vendors: Building Mutual Trust”
• EU Utility Week (Nov. 6-8, Vienna) featuring CISO from EWZ Energy

CyberX vulnerability research featured in Chapter 7 — free download from CyberX