NCCIC | NATIONAL CYBERSECURITY & COMMUNICATIONS INTEGRATION CENTER
LITTLE ARC-FLASH: HOW DIGITAL ATTACKS CAN CAUSE PHYSICAL RAMIFICATIONS
7/18/2019
Critical Infrastructure Sectors
[Figure: the 16 critical infrastructure sectors per PPD-21; sector labels recovered from the slide: Dams, Energy, Nuclear]
Flat Networks Pose Significant Risk
Isolated Networks are the First Mitigation
Moving into the Present
[Timeline figure: Edison invents generation (1882), SCADA, ARPANET, Internet (Al Gore), Ukraine grid attack (2015); year ticks shown: 1882, 1900, 1920, 1960, 1990, 2015]
From the Perspective of an Attacker
How to Approach the Target?
• Reconnaissance
  • Open-source research
• Gain access to the network through any workstation
  • Each employee has access to some level of sensitive information
  • Email, applications and logistics all provide new insights into the inner workings of the organization
• Elevate access through either an exploit or credential harvesting
  • Zero-day exploits are rarely used or needed
How to Approach the Target?
• Determine how and when to cause a certain outcome
  • This process may take considerable time
  • Gathering intel can be a lengthy process, and the time between initial intrusion and taking action makes post-mortem analysis more difficult
  • Understanding the system and how to disrupt it or cause a cyber-physical consequence
• Timing depends on the desired effect
  • Holiday? Weekend? Weekday?
  • Strike when there is a lack of visibility or when a larger impact can occur
Approach A: Spear Phishing
• Pros:
  • Very little time investment for the attacker
  • Exceedingly high likelihood of being effective
  • People get used to repetition
• Cons:
  • Could expose the attack effort if someone investigates
BlackEnergy
• An official invite from the government!
• The ministry of energy asked for my help!

Government Hearing on Electric Quality
Dear Sir; we have a very important matter that needs your immediate and expert attention. Please refer to the attachment for details or click on the link below.
http://www.freedonia.com/hearings/official-invitation.doc
official-invitation.doc
G. Marx
Director of Energy Affairs
Ministry of Energy
Government of Freedonia

It is definitely official alright, it's got the seal in the email and everything.
I better enable macros to view, it must be incredibly important.
BlackEnergy
• Multiple infection vectors
  • Macros enabled in a Word document
  • HMI software vulnerabilities
  • Variants targeted routers
• Destructive: overwrites files and hard drives
BlackEnergy Timeline
[Timeline figure: Phishing → Active Directory (keys to the kingdom) → Engineering Workstation → HMI → RTU → Power Outage; figure labels: Evil Erik, Simple Sam]
Approach B: Watering Hole
• Pros:
  • Much more difficult to discover
  • May provide elevated access immediately
  • Much more reliable for segmented networks
• Cons:
  • Requires upfront effort to compromise a third party
  • Operation could be derailed if discovered early
  • Difficult to control the timeframe
Havex
• It's time to patch! Let's get the latest updates from our trusted vendor.
I wonder what this gobbledygook is for?
Havex
I don’t remember the last update taking that long to download. Hmmm… and this patch seems to be a weird size?
However, I’m really busy today, I need to get this installed ASAP.
Run as Administrator
Havex
As a result of running Trojanized software, systems have been infected with a Remote Access Trojan (RAT).
Your ICS details are now being gathered by a black hat from anywhere in the world, and operational continuity is at risk.
Havex Timeline
[Timeline figure: Trojan → Active Directory (keys to the kingdom) → Engineering Workstation → HMI → RTU → Power Outage; figure labels: Evil Erik, Simple Sam]
So what?
• Many different techniques to gain initial access to a victim network
• Often insufficient security in place at utilities due to need for remote access
• Similar threat landscape is seen across all sectors
Little Arc-Flash (LAF)
• All components of LAF are functional industrial control system equipment commonly seen in the field
• Attacker utilizes a common phishing strategy to gain initial access to the corporate environment
• Active Directory manipulated by the attacker to gain execution on engineer workstation
DEMO
Aftermath
• Recovery
  • Returning to a known good state can be exceedingly difficult after the fact
• Avoid becoming a victim
  • Auditing and proactive monitoring of infrastructure changes is vital to the ongoing process
• Plan for the day things go wrong
  • Proactive approaches are key, but all the planning in the world will not protect against a sufficiently motivated attacker
  • Know your 'worst case' scenario, and how you would respond to a compromise