continuous asset discovery, risk management & threat … · 2019-03-05 · phil neray, vp of...
TRANSCRIPT
Phil Neray, VP of Industrial Cybersecurity
SANS Webinar on NIST Recommendations for IIoT & ICS Security With Behavioral Anomaly Detection (BAD)
February 28, 2019
Continuous Asset Discovery, Risk Management & Threat Monitoring for IIoT & ICS Networks
CyberX at a Glance
Only industrial platform built by blue-team experts with a track record defending critical national infrastructure
Founded in 2013
Global Presence: Boston (HQ) • Chicago • Houston • Florida • London • Paris • Munich • Tokyo • Israel
Partnerships with leading security companies & MSSPs worldwide
Simplest, most mature and most interoperable solution
Only IIoT & ICS security firm with a patent for its ICS-aware threat analytics
Unified IT/OT Security Monitoring & Governance
Partnered with Global Technology Leaders
Challenges We Address for Clients
• What devices do I have, how are they connected — and how are they communicating with each other?
• What are the vulnerabilities and risks to our most valuable assets — and how do I prioritize mitigation?
• Do we have any ICS threats in our network — and how do we quickly respond to them?
• How can I leverage my existing IT security investments — people, training & tools — to secure my OT infrastructure?
• Asset Discovery
• Risk & Vulnerability Management
• Continuous Threat Monitoring, Incident Response & Threat Hunting
• Unified IT/OT Security Monitoring & Governance
Most Recognized ICS Threat Intelligence: Continuously Discovering New ICS Zero-Day Vulnerabilities
CyberX threat research featured in Chapter 7
Advisories resulting from CyberX research:
• ICSA-15-300-03A: BUFFER OVERFLOW
• ICSA-15-351-01: BUFFER OVERFLOW
• ICSA-17-087-02: ARBITRARY FILE UPLOAD, BUFFER OVERFLOW
• ICSA-18-228-01: UNCONTROLLED SEARCH PATH ELEMENT, RELATIVE PATH TRAVERSAL, IMPROPER PRIVILEGE MANAGEMENT, STACK-BASED BUFFER OVERFLOW
• ICSA-17-339-01D: IMPROPER INPUT VALIDATION (DDoS)
• ICSA-16-306-01: BUFFER OVERFLOW
• ICSA-16-026-02: BUFFER OVERFLOW
• ICSA-17-278-01A: BUFFER OVERFLOW
Simple, Non-Invasive, Agentless — No Rules or Signatures
• SPAN port on network switch: network traffic data mirrored from the OT network
• Proprietary Deep Packet Inspection and Network Traffic Analysis (NTA)
• CMDB asset data, firewall rules, etc. (OPTIONAL)
CyberX Platform Architecture
CORE CAPABILITIES
• IP Network & Serial Device Dissectors
• Embedded Knowledge of ICS Devices & Protocols
• Proprietary ICS Threat Intelligence & Vulnerability Research
• ICS Malware Analysis Sandbox
CYBERX CENTRAL MANAGEMENT
SELF-LEARNING ANALYTICS ENGINES
• Network Traffic Analysis (NTA)
• Data Mining Infrastructure
• Behavioral Anomaly Detection
• Protocol Violation Detection
• IT & OT Malware Detection
• Unusual M2M Communication Detection
• Operational Incident Detection
CAPABILITIES & USE CASES
• ICS Asset Management
• ICS Risk & Vulnerability Management with Threat Modeling
• ICS Threat Monitoring & Detection
• ICS Incident Response & Threat Hunting
• SOC Integration & REST APIs: SIEM, Ticketing & Orchestration, Firewalls & NAC, Secure Remote Access
Malware-Free Attacks Are Growing — Why BAD is Needed Now
Source: https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
“So the important question to ask is not, ‘Can you prevent the initial compromise?’ — that may be an impossibility. To be successful at
stopping breaches, an organization needs to detect, investigate, and remediate or contain the threat as quickly as possible.”
Malware-Free Examples:
• Stolen credentials
• PowerShell
• Router compromises
CyberX Global ICS & IIoT Risk Report: Top Data Points
Based on traffic data collected from 850+ production ICS networks across 6 continents and all sectors (Energy & Utilities, Oil & Gas, Pharmaceuticals, Chemicals, Manufacturing, Mining)
Download full report: cyberx-labs.com/risk-report-2019
• Anti-Anti-Virus: 43% automatic updates detected / 57% no automatic updates detected
• Mythical Air-Gap: 60% no internet connections / 40% internet connections detected
• Broken Windows: 47% only modern Windows versions / 53% sites with unsupported Windows boxes
• Hiding in Plain Sight: 31% encrypted passwords / 69% plain-text passwords
The TRITON attack on a petrochemical facility “had a deadly goal … it was not designed to simply destroy data or shut down the plant … it was meant to sabotage the firm’s operations and trigger an explosion.”
The New York Times
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
TRITON Kill Chain
1. Steal OT credentials
2. Deploy PC malware
3. Install RAT in safety PLC (via the TriStation protocol)
4. Disable safety PLC & launch 2nd cyberattack
CyberX Threat Intelligence: Reverse-Engineering TRITON. GetMPStatus packet structure:
https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/
New TRITON Information from S4x19 Conference
• First incident actually 2 months earlier, in June 2017
  - Plant shutdown for 1 week when safety controller tripped
  - Automation vendor concluded it was mechanical failure
• 2nd incident affected (6) safety controllers, not just two
  - Caused another 1-week shutdown; hundreds of $ million from downtime & cleanup
  - Danger from toxic hydrogen sulfide gases
• Incident response uncovered multiple red flags
  - Misconfigured firewalls enabled attackers to move from IT network to DMZ to OT network
  - AV alerts on workstations about Mimikatz credential stealing malware were ignored
  - Ongoing alerts about RUN/PROGRAM key in unsafe position were also ignored; this enabled attackers to upload malicious backdoor into safety controller
  - Suspicious RDP sessions to plant's engineering workstations from IT network
• True lesson = lack of clear roles: Who is responsible for ensuring security controls are properly implemented & effective: IT, OT, integrator, or automation vendor?
https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-widespread-than-publicly-known/d/d-id/1333661
https://www.cyberscoop.com/trisis-investigator-saudi-aramco-schneider-electric-s4x19/
https://www.eenews.net/energywire/stories/1060115423
Threat Anomaly Scenarios Detected by CyberX in NIST Report
• Unauthorized Device Is Connected to the Network
• Unencrypted HTTP Credentials
• Unauthorized Ethernet/IP Scan of the Network
• Unauthorized SSH Session Is Established with Internet-Based Server
• Data Exfiltration to the Internet via DNS Tunneling
• Unauthorized PLC Logic Download
• Undefined Modbus TCP Function Codes Transmitted to PLC
• Data Exfiltration to the Internet via Secure Copy Protocol
• Virus Test File Is Detected on the Network
• Denial-of-Service Attack Is Executed Against the ICS Network
• Data Exfiltration Between ICS Devices via UDP
• Invalid Credentials Are Used to Access a Networking Device
• Brute-Force Password Attack Against a Networking Device
• Unauthorized PLC Logic Update (Robotics System)
• Unauthorized PLC Logic Update (Process Control System)
CyberX Event Timeline
Unauthorized Device Is Connected to the Network
This anomaly was executed on the PCS. The engineering laptop (Windows 7) was removed from the network during the baseline analysis phase of the product and was later connected to VLAN-2 to execute the anomaly. After the initial connection, background traffic was automatically generated onto the network by the laptop.
Unencrypted Credentials
This anomaly was executed on the CRS. An Apache HTTP server was configured on Machining Station 1 and contained a directory that was protected by HTTP basic authentication. The web pages hosted in the protected directory enabled an operator to remotely view machine status information. The connection was initiated from the Firefox browser on the engineering workstation.
Unauthorized Ethernet/IP Scan
During the reconnaissance phase, an attacker may attempt to locate vulnerable services in an ICS network and will likely include probing for ICS-specific services (e.g., Ethernet/IP). Once a vulnerable service, host, or device is discovered, an attacker may attempt to exploit that entity.
Unauthorized SSH Session
This anomaly was executed on the PCS. The OpenSSH suite was installed and configured on a server with an internally routed public IP address (129.6.1.2). The open-source SSH client PuTTY was used to establish a connection with the SSH service from the engineering workstation to the internet-based server.
Data Exfiltration to Internet via DNS Tunneling
Attacks against ICS with the goal of information gathering must (at some point) attempt to exfiltrate sensitive or proprietary data from the ICS network, potentially utilizing the internet as a transport mechanism. Monitoring for ICS devices communicating to other devices over the internet can help detect data exfiltration events, especially if the affected device does not normally communicate over the internet.
Unauthorized PLC Logic Download
Many ICS devices provide services to remotely update control logic over the network. These network services can also provide a mechanism for attackers to replace valid control logic with malicious logic if the device is not protected. The Allen-Bradley software Studio 5000 was used to download the logic from the PCS PLC to the engineering workstation. Physical access to the PLC was required in order to change the operation mode from RUN to REMOTE RUN.
Undefined Modbus TCP Function Codes Are Transmitted to PLC
Communications that do not conform to the defined specifications of the industrial protocol may cause an ICS device to act in an undefined or unsafe manner. Depending on the manufacturing process and the ICS device, the nonconforming communications may or may not be impactful, but investigation into the cause is warranted. Python was used to create a Modbus TCP message with the undefined function code value of 49 (0x31). The message was generated by the CybersecVM and was transmitted to the PLC Modbus server.
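The detection side of this scenario, as an added example that is not part of the NIST report or the CyberX product: a minimal Modbus TCP parser that reads the MBAP header and flags requests whose function code is not defined by the Modbus Application Protocol specification (such as the 0x31 message above), checks the length field against the payload, and labels vendor-reserved codes separately so they can be compared with the site baseline. The sample frames are constructed inline, not captured traffic.

```python
import struct

# Public function codes defined by the Modbus Application Protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}
# Ranges the specification reserves for vendor (user-defined) functions.
USER_DEFINED_RANGES = ((65, 72), (100, 110))
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus TCP frame into MBAP header fields, function code and data."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    return {"transaction_id": tid, "protocol_id": proto, "length": length,
            "unit_id": unit, "function_code": frame[MBAP_LEN],
            "data": frame[MBAP_LEN + 1:]}


def classify_function_code(fc: int) -> str:
    """Label a function code as public, user-defined, exception or undefined."""
    if fc & 0x80:
        return "exception-response"  # exception bit set: only valid in replies
    if fc in PUBLIC_FUNCTION_CODES:
        return "public"
    if any(lo <= fc <= hi for lo, hi in USER_DEFINED_RANGES):
        return "user-defined"
    return "undefined"


def inspect_frame(frame: bytes) -> list:
    """Return alert strings for one request frame; an empty list means no finding."""
    msg = parse_mbap(frame)
    fc = msg["function_code"]
    alerts = []
    # The MBAP length field counts unit id + function code + data bytes.
    if msg["length"] != 2 + len(msg["data"]):
        alerts.append("MBAP length field does not match the payload size")
    kind = classify_function_code(fc)
    if kind == "undefined":
        alerts.append(f"undefined function code {fc} (0x{fc:02x}) sent to unit {msg['unit_id']}")
    elif kind == "user-defined":
        alerts.append(f"user-defined function code {fc}; check against the site baseline")
    return alerts


# Constructed sample frames (not captured traffic). Normal: Read Holding
# Registers (0x03) from unit 1, start address 0, 10 registers.
NORMAL_READ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
# Anomalous: function code 49 (0x31) with two data bytes, as in the NIST scenario.
UNDEFINED_FC49 = struct.pack(">HHHBBH", 2, 0, 4, 1, 49, 0)
```

Running `inspect_frame` over each TCP payload on port 502 from a SPAN feed gives a protocol-violation alert without any signature, which is the kind of check the BAD approach relies on.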
Brute-Force Password Attack
Compiled lists containing default user credentials are freely available on the internet. Given enough time, an attacker may be able to access vulnerable systems by using a brute-force password attack. The software Nmap was used to generate the brute-force password attack by using the script telnet-brute. The attack was pointed at the PCS router, which has a Telnet service for remote configuration and is protected by a password. The service was not configured to limit the number of authentication attempts.
Full Alert Flow
How CyberX Supports the NIST Cybersecurity Framework
NIST CSF functions: Identify (Threat Insight) · Prevent (Threat Prevention) · Detect (Threat Detection) · Respond (Threat Response) · Recover (Threat Recovery)
CyberX capabilities mapped across the framework:
• Automated ICS threat modeling
• ICS vulnerability management & mitigation
• Integration with NGFWs
• Continuous monitoring with patented analytics & self-learning for anomaly detection
• Deep forensic & threat hunting tools
• Native apps for IBM QRadar & Splunk
• Integration with ArcSight, RSA, LogRhythm, McAfee
• Asset discovery
• Network topology mapping
• Automated reporting to stakeholders
• ServiceNow integration
• IBM Resilient integration
CyberX Integration with Palo Alto Networks
• Accelerate time between threat detection & prevention
• Automatically generate firewall policies to block sources of malicious traffic identified by CyberX. Use cases:
  - Unauthorized PLC changes
  - Protocol violations (can indicate a malicious attempt to compromise device vulnerabilities, e.g., buffer overflow)
  - PLC Stop commands (can break production)
  - Malware (e.g., programs using EternalBlue exploits)
  - Scanning malware (can indicate cyber reconnaissance in the early stages of a breach)
• Implement granular network segmentation based on asset profiles
  - CyberX tags discovered assets with ICS properties (protocols, type, authorized, etc.)
  - Rapidly create asset-based segmentation policies & Dynamic Access Groups (DAGs)
CyberX Integration with Palo Alto App Framework (Cortex)
• Analyze data collected by Palo Alto appliances already deployed in network
• Native CyberX app now available from App Framework portal
• https://apps.paloaltonetworks.com/marketplace/cyberx
Applying INL’s CCE Methodology to Securing ICS
CCE = Consequence-Driven Cyber-informed Engineering
1. Identify Your Crown Jewel Processes
2. Map the Digital Terrain
3. Illuminate the Likely Attack Paths
4. Generate Options for Mitigation and Protection
“If you’re in critical infrastructure you should plan to be targeted. And if you’re targeted, you will be compromised. It’s that simple.”
Andy Bochman, Senior Grid Strategist for National & Homeland Security, INL
https://cyberx-labs.com/resources/sans-webinar-cce-inl-new-approach-securing-critical-industrial-infrastructure/
Simulating Attack Paths to Crown Jewel Assets
• Choose your most critical “crown jewel” assets as targets
• CyberX finds all potential attack paths, ranked by risk
• CyberX shows a visual simulation of the entire attack chain, enabling “what-if” scenarios for remediation and mitigation (e.g., zoning, patching)
Industry Unique: Automated ICS Threat Modeling
More than 1,200 Installations Worldwide
• 2 of the top 5 US energy utilities
• Top 5 global pharmaceutical company
• Top 5 US chemical company
• National energy pipeline & distribution company
• Top 3 UK gas distribution utility
• National electric utilities across EMEA & Asia-Pacific
• Largest water desalination plant in western hemisphere
• …and more
What Manufacturing Clients are Saying About CyberX
“Reducing risk to our production operations is smart business. CyberX gives us deep visibility into our OT environment and continuous OT risk management, while enabling unified security monitoring and governance across both IT and OT.”
Ariel Litvin | CISO, First Quality Enterprises
Consumer goods manufacturer with nearly 5,000 employees
Manufacturing Case Study
• CyberX ICS asset/vulnerability management & threat monitoring platform
• Deployed in multiple plants with 8,000+ devices monitored
• Centralized management provides global command-and-control across all facilities
• CyberX integrated with SOC workflows and security stack:
  - IBM QRadar (SIEM)
  - Siemplify (security automation and orchestration)
  - PAN NGFW infrastructure (prevention)
CyberX Services + Support Portfolio
Technical support via phone/email
Online help & knowledge base
Case management
Monthly “tips-and-tricks” webinar
Hardware support via Dell & Arrow
Optional services
• Online & onsite training
• Onboarding & Deployment Support
• Network Architecture Planning
• Onsite Incident Response
• Forensic Analysis
• SOC Enablement for ICS
• 24x7 coverage & dedicated TAM
Most Mature & Interoperable Solution
STRATEGIC
• Reduce Risk: Prevent costly production outages, safety & environmental failures, theft of corporate IP
TACTICAL
• Gain Visibility: Auto-discover all OT assets & how they communicate
• Seamless Integration: Integrate with all OT protocols and equipment, SOC workflows & existing security stacks
• Prioritize Mitigations: Identify critical vulnerabilities & attack vectors
• Detect & Respond to Threats Quickly: Continuously monitor for malware, targeted attacks & equipment failures
OPERATIONAL
• Zero Impact: Non-intrusive & agentless
For More Information
ICS & IIoT Security Knowledge Base
• Threat & vulnerability research
• Black Hat research presentations
• Transcripts & recordings from past SANS webinars
• CyberX “Global ICS & IIoT Risk Report”
• Presenting OT Risk to the Board
• NISD Executive Guide
See Us at Upcoming Events
• SANS ICS Security Summit & Training (Mar 18-19, Orlando)
• Cyber Security for Critical Assets (CS4CA) (Mar 26-27, Houston)
• ICS-JWG 2019 Spring Meeting (April 23-25, Kansas City)
• ICS Cyber Security (April 24-26, London)
• Public Safety Canada, ICS Security Symposium (May 29-30, Charlottetown)
• Palo Alto Network IGNITE US (June 3-6, Austin)
• API-IOG Cybersecurity Europe (June 19-20, London)
CyberX vulnerability research featured in Chapter 7: free download from CyberX
THANK YOU
Appendix
What Clients are Saying About CyberX
"As a UK gas distribution network, SGN relies on CyberX to deliver 24/7 visibility into our OT assets, vulnerabilities, and threats -- across thousands of distributed networks -- with zero impact on operations."
Mo Ahddoud, CISO, SGN