DETECTING, FINGERPRINTING AND TRACKING RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS

By Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf & Basile L. Agba


Outline

Introduction

Methodology

Results

Conclusion

June 17, 2019 Detecting, Fingerprinting and Tracking ICS Campaigns 2


INTRODUCTION

Motivation

Industrial Control Systems (ICS) are vital pieces of our infrastructure

• Used in the smart grid, smart city, smart devices, building automation

• Sharp rise in the number of internet-connected devices

• Internet is a huge attack surface against ICS and IoT

ICS are attractive and vulnerable targets

• Huge financial cost to any successful attack against ICS

• Consequences in the physical world: blackouts, destroyed equipment, …

Rise in the use of sophisticated attacks

• Industroyer, BlackEnergy, Triton, …

• These attacks require sophisticated know-how and knowledge of their targets


Problem statement

With the onset of Internet-driven cyber attacks…

• Need for accurate, timely & reliable intelligence on incoming cyber attacks

• To mitigate & prevent attacks before they occur

As reconnaissance campaigns are precursors to cyber attacks…

• Need for a tool to identify campaigns accurately and in near real-time

• Identifying sources, targeted ICS devices & scanning techniques


Contributions

Near real-time detection of ICS probing campaigns

Tracking, characterization & identification of campaigns

Intelligence on campaigns sources & targeted ICS infrastructure


METHODOLOGY

Overview


Network telescope (darknet) data

• Originates from a /13 network telescope
  ▪ 11 subnets from 12 countries
  ▪ About ½ million IP addresses
  ▪ Live stream of network traffic: over 28 GB per day

• Packets batched in PCAP-formatted files arrive in real-time

• Contains traffic from ICS/IoT devices

• Monitors 27 ICS/IoT protocols


Features

• Extracts primary features from packets
  ▪ Header fields & payload

• Extracts secondary features from groups of packets

Primary features: Total Length, Payload, IHL, Fragment Offset, IPv4 Flags, TTL, ToS, IPv4 Options, Identification, TCP Flags, TCP Options, Urgent Pointer, Offset, Window Size, Sequence #, Acknowledgement #

Secondary features: Destination Overlap, Packet to Destination Ratio, Packet Interval


Classification

• Core component of the campaign identification process

1. Packet Aggregation, using source IP and protocol
   ▪ Storing packet information in node data structures

2. Graph Generation, using header-feature matching
   ▪ Pairwise node comparison using the stored packet information

3. Cluster Formation, using graph-theory metrics
   ▪ Partitioning the weighted graph based on edge weights

4. Campaign Identification, using temporal-feature matching
   ▪ Removing outliers from the cluster

5. Signature Generation, based on characteristic features
   ▪ Using the common packet information shared by all nodes in the cluster


Calculating the weights

• Weight calculation used for graph generation

$$ w_i = \left( \sum_{a_j \in A} -\frac{a_j}{N} \log_{|A|} \frac{a_j}{N} \right)^{d} $$

▪ $w_i$ : the weight of the ith feature

▪ $A$ : set of values representing the number of times all values of the ith feature appear

▪ $a_j$ : the number of occurrences of the jth value of the ith feature

▪ $N = \sum_{j=1}^{|A|} a_j$ : the sum of all values in A

▪ $d$ : exponent in the range [0, 1]

The bracketed term is the entropy of the feature's value distribution, normalised to [0, 1] by taking the logarithm in base |A|. A feature that takes a single value in all traffic (|A| = 1) therefore gets weight 0 and cannot make two sources look alike; the exponent d (at most 1) compresses the remaining weights toward 1.


Feature weight calculation


Similarity score

• Compares the features in the packets from each source IP
  o Features represented as vectors of probabilities
  o Calculating the distance between the vectors

• Adding the scores for each feature together

Example node (value : number of packets, per feature):

ttl          "32" : 3, "64" : 10, "128" : 2, "256" : 5

source port  "80" : 1, "102" : 2, "502" : 1, "8080" : 1

tcp_flags    "100000" : 5, "110000" : 2, "000000" : 1

…


Calculating the similarity score

• Similarity score between two nodes for a feature i

$$ s_i = w_i \times \left( 1 - \frac{\min(V_1, V_2)}{\max(V_1, V_2)} \times \frac{1}{2} \sum_{j=1}^{|U|} \left( \frac{n_{1j}}{V_1} - \frac{n_{2j}}{V_2} \right)^{2} \right) $$

▪ $s_i$ : similarity score for feature i

▪ $w_i$ : weight of the ith feature

▪ $N_x$ : set of all different values for feature i in node x

▪ $n_{xj}$ : number of occurrences of the value j in node x

▪ $V_x = \sum_{j=1}^{|N_x|} n_{xj}$ (i.e. the total number of packets in node x)

▪ $U = N_1 \cup N_2$


Calculating the similarity score

• Similarity score between the payloads of two nodes

$$ s_{payload} = w_{payload} \times \frac{\sum_{i=1}^{\min(|P_1|,|P_2|)} [\, b_{1i} = b_{2i} \,]}{\max(|P_1|, |P_2|)} $$

▪ $s_{payload}$ : similarity score for the payload feature

▪ $w_{payload}$ : weight of the payload feature

▪ $|P_x|$ : size of payload x

▪ $b_{xi}$ : the ith byte in $P_x$

▪ $[\, b_{1i} = b_{2i} \,]$ : 1 when the two bytes at offset i are equal, 0 otherwise
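The weight, per-feature similarity and payload similarity formulas, carried through in code as an added example (this is not the authors' implementation). It aggregates a small constructed packet sample into one node per source IP, derives each feature's weight from the value counts over the whole sample, and scores every node pair; the resulting scores are the edge weights the graph-generation step works with. The packet sample, the feature set (TTL, identification, total length, payload), the use of each node's most frequent payload for the payload comparison, and the treatment of two empty payloads as identical are assumptions of this example.

```python
"""Header-feature weights and pairwise node similarity for darknet sources."""
import math
from collections import Counter, defaultdict

# Constructed darknet packets (not data from the paper), already filtered to one
# protocol so that the nodes are comparable. One tuple per packet:
#   (source IP, TTL, IP identification, IP total length, payload bytes)
PACKETS = [
    ("198.51.100.10", 128, 256, 40, b""),
    ("198.51.100.10", 128, 256, 40, b""),
    ("198.51.100.10", 128, 256, 40, b""),
    ("198.51.100.10", 128, 256, 40, b""),
    ("198.51.100.11", 128, 256, 40, b""),
    ("198.51.100.11", 128, 256, 40, b""),
    ("203.0.113.5", 64, 1, 60, b"\x00\x01"),
    ("203.0.113.5", 64, 2, 60, b"\x00\x01"),
    ("203.0.113.5", 64, 3, 60, b"\x00\x01"),
]
HEADER_FEATURES = ("ttl", "ident", "total_length")


def aggregate(packets):
    """Packet aggregation: one node per source IP holding a value->count table per feature."""
    nodes = defaultdict(lambda: {f: Counter() for f in HEADER_FEATURES + ("payload",)})
    for src, ttl, ident, length, payload in packets:
        node = nodes[src]
        node["ttl"][ttl] += 1
        node["ident"][ident] += 1
        node["total_length"][length] += 1
        node["payload"][payload] += 1
    return dict(nodes)


def feature_weight(counts, d=1.0):
    """w_i = (-sum_j (a_j/N) log_{|A|}(a_j/N))^d: entropy of the feature's value
    distribution over the whole dataset, normalised to [0, 1] by the log base |A|."""
    k = len(counts)
    if k < 2:
        return 0.0  # constant feature: no evidence of a shared tool, and log base 1 is undefined
    n = sum(counts.values())
    entropy = -sum((a / n) * math.log(a / n, k) for a in counts.values())
    return entropy ** d


def feature_similarity(c1, c2, w):
    """s_i = w_i * (1 - min(V1,V2)/max(V1,V2) * 1/2 * sum_j (n1j/V1 - n2j/V2)^2)."""
    v1, v2 = sum(c1.values()), sum(c2.values())
    u = set(c1) | set(c2)
    distance = 0.5 * sum((c1.get(j, 0) / v1 - c2.get(j, 0) / v2) ** 2 for j in u)
    return w * (1.0 - (min(v1, v2) / max(v1, v2)) * distance)


def payload_similarity(p1, p2, w):
    """s_payload = w_payload * (# equal bytes at the same offset) / max(|P1|, |P2|)."""
    longest = max(len(p1), len(p2))
    if longest == 0:
        return w  # assumption: two empty payloads (e.g. bare SYN probes) count as identical
    matches = sum(1 for x, y in zip(p1, p2) if x == y)
    return w * matches / longest


def dataset_weights(nodes, d=1.0):
    """Weights come from the value counts over all packets, not from a single node."""
    totals = {f: Counter() for f in HEADER_FEATURES + ("payload",)}
    for node in nodes.values():
        for f, counts in node.items():
            totals[f].update(counts)
    return {f: feature_weight(counts, d) for f, counts in totals.items()}


def node_similarity(n1, n2, weights):
    """Sum of the per-feature scores: the edge weight used for graph generation."""
    score = sum(feature_similarity(n1[f], n2[f], weights[f]) for f in HEADER_FEATURES)
    # Assumption: each node is represented by its most frequent payload.
    p1 = n1["payload"].most_common(1)[0][0]
    p2 = n2["payload"].most_common(1)[0][0]
    return score + payload_similarity(p1, p2, weights["payload"])


def similarity_matrix(packets, d=1.0):
    """Edge weights for every pair of sources, keyed by (src_a, src_b) with src_a < src_b."""
    nodes = aggregate(packets)
    weights = dataset_weights(nodes, d)
    srcs = sorted(nodes)
    return {(a, b): node_similarity(nodes[a], nodes[b], weights)
            for i, a in enumerate(srcs) for b in srcs[i + 1:]}


if __name__ == "__main__":
    for (a, b), score in similarity_matrix(PACKETS).items():
        print(f"{a:>15} <-> {b:<15} {score:.3f}")
```

The two sources that share a constant TTL, identification and total length score far higher with each other than either does with the third source, whose identification field changes per packet. Because weights are entropy-based, a field that is identical in all traffic (IHL = 5, fragment offset = 0 in both signatures later on) contributes nothing, so matching on it never inflates a pair's similarity.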


Graph generation


Belonging degree & conductance

$$ B(u, C) = \frac{\sum_{v \in C} w_{uv}}{\sum_{t \in N_u} w_{ut}} \qquad \Phi(C) = \frac{cut(C, G/C)}{w_C} $$

▪ $B(u, C)$ : belonging degree between u and C

▪ $C$ : set of nodes in the cluster

▪ $u$ : node adjacent to C

▪ $N_u$ : set of nodes neighboring u

▪ $w_{ux}$ : weight of the edge between nodes u and x

▪ $\Phi(C)$ : conductance of C

▪ $cut(C, G/C)$ : sum of the weights of the edges between nodes in C and nodes outside of C

▪ $w_C$ : sum of the weights of all edges in C
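The two metrics computed on a small constructed similarity graph, as an added example that is not from the paper. The slide defines B(u, C) and Φ(C) but does not state the clustering algorithm itself, so the greedy expansion in grow_cluster (add the adjacent node with the highest belonging degree while it clears a threshold and does not raise the cluster's conductance), the threshold value and the edge weights are assumptions of this example.

```python
"""Belonging degree and conductance on a weighted similarity graph."""

# Constructed similarity graph (not data from the paper): nodes stand for darknet
# sources, edge weights for their pairwise similarity scores.
EDGES = [("a", "b", 0.90), ("a", "c", 0.80), ("b", "c", 0.85), ("c", "d", 0.10), ("d", "e", 0.70)]


def build_graph(edges):
    """Adjacency map {node: {neighbour: weight}}, stored symmetrically."""
    graph = {}
    for u, v, w in edges:
        graph.setdefault(u, {})[v] = w
        graph.setdefault(v, {})[u] = w
    return graph


def belonging_degree(graph, u, cluster):
    """B(u, C) = sum_{v in C} w_uv / sum_{t in N_u} w_ut."""
    total = sum(graph[u].values())
    if total == 0:
        return 0.0  # isolated node: no edges at all
    return sum(w for v, w in graph[u].items() if v in cluster) / total


def conductance(graph, cluster):
    """Phi(C) = cut(C, G/C) / w_C. A cluster with no internal edge has w_C = 0;
    +inf is returned so that any cluster with real internal structure compares better."""
    internal = 0.0
    cut = 0.0
    for u in cluster:
        for v, w in graph[u].items():
            if v in cluster:
                internal += w  # every internal edge is visited from both ends
            else:
                cut += w
    internal /= 2
    return float("inf") if internal == 0 else cut / internal


def grow_cluster(graph, seed, min_belonging=0.5):
    """Greedy local expansion (an illustrative rule of this example, not the paper's
    algorithm): repeatedly add the frontier node with the highest belonging degree,
    as long as it clears the threshold and does not raise the conductance."""
    cluster = {seed}
    while True:
        frontier = {v for u in cluster for v in graph[u]} - cluster
        if not frontier:
            return cluster
        best = max(frontier, key=lambda v: belonging_degree(graph, v, cluster))
        if belonging_degree(graph, best, cluster) < min_belonging:
            return cluster
        if conductance(graph, cluster | {best}) > conductance(graph, cluster):
            return cluster
        cluster.add(best)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for seed in ("a", "e"):
        c = grow_cluster(g, seed)
        print(f"seed {seed}: cluster {sorted(c)}, conductance {conductance(g, c):.4f}")
```

Starting from a, the cluster absorbs b and c (the tightly connected triangle) and then stops: d's belonging degree to {a, b, c} is only 0.1 / 0.8 = 0.125, and adding it would also raise the conductance from 0.1 / 2.55 to 0.7 / 2.65. The weak c-d edge is exactly the kind of low-similarity link that separates two scanning tools that happen to share a few header values.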


Cluster formation


Campaign Formation

• Pairwise comparison of the nodes inside the cluster
  ▪ Calculating the similarity score using the secondary features (temporal characteristics)
  ▪ Removing outliers


Signature Generation

• Building an identifying signature
  ▪ Listing of all primary features
  ▪ Vector quantization of the secondary features
    o Using hierarchical agglomerative clustering

RESULTS

ICS & IoT Protocols

• Categorizes packets by source IP & protocol

• Retains traffic from ICS/IoT protocols

Protocol              Port(s)
FL-net                55000 to 55003
PROFINET              34962 to 34964
DNP3                  19999, 20000
GE-SRTP               18245, 18246
MELSEC-Q              5006, 5007
BACnet                47808 to 47823
Emerson ROC           4000
EtherCAT              34980
HART-IP               5094
ICCP, Siemens S7      102
IEC 60870-5-104       2404, 19998
Johnson Controls      11001
Modbus                502, 802
OMRON FINS            9600
PCWorx                1962
CoAP                  5683, 5684
EtherNet/IP           2036, 2221, 2222, 44818
Niagara Fox           1911, 4911
CODESYS               2455
Red Lion              789
ProConOS              20547
Zigbee                17754 to 17756
Emerson ecmp          6160
Foundation Fieldbus   1090, 1091, 3622
OPC UA                4840, 4843
MQ Telemetry (MQTT)   1883


Legitimate organizations

• 3 legitimate research organizations
  ▪ Well-known research objective
  ▪ No effort to obfuscate their scans

Organization         Protocol       Packets
Kudelski Security    MQTT            3,176,785
                     Modbus          3,225,764
                     Niagara Fox     3,338,688
                     BACnet          3,186,966
Project Sonar        BACnet          1,408,866
                     MQTT            1,365,953
                     EtherNet/IP       749,032
                     CoAP              673,405
Censys               Modbus         14,546,546
                     DNP3            8,674,021
                     BACnet         14,472,089
                     Niagara Fox    11,027,247
                     S7 Comm         6,001,835
                     EtherNet/IP            41


Legitimate campaign signature

• Against the BACnet protocol
  ▪ Includes the entire darknet
  ▪ Conducted multiple times
    o Over a period of 9 months
  ▪ 242 source IPs involved

Stats
  Transport protocol         UDP
  Protocol                   BACnet
  Destination port           47808
  # of sources               242
  # of destinations          Entire darknet
  # of packets               5,562,890
  Start                      2018-05-08 20:59:52
  End                        2019-02-19 20:56:33

Signature
  Source port                47808
  ToS                        72
  TTL                        254
  IHL                        5
  Total length               77
  IPv4 options               None
  Flags                      None
  Identification             54321
  Fragment offset            0
  Packet interval            87 ms
  Packet/destination ratio   1.0
  Destination overlap        0.0
  Payload                    810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f
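What the signature's payload actually asks the target is worth seeing decoded. The following is an added example (not code from the paper) that parses that 35-byte BACnet/IP payload using the standard BVLC / NPDU / APDU encoding: a single Confirmed-Request carrying ReadPropertyMultiple against device instance 4194303, the wildcard instance that every BACnet device answers for itself, requesting nine identity properties (vendor, model, firmware, names, location). The service and property numbers come from the BACnet standard; the parser handles only this request shape (one object, a flat property list) and raises on anything else.

```python
"""Decode the BACnet/IP probe payload from the legitimate campaign signature."""

# The payload exactly as printed in the signature (hex, 35 bytes).
PROBE_HEX = "810a002301040005000e0c023fffff1e094b09780979092c090c094d0946091c093a1f"

BVLC_FUNCTIONS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
CONFIRMED_SERVICES = {0x0C: "readProperty", 0x0E: "readPropertyMultiple", 0x0F: "writeProperty"}
OBJECT_TYPES = {8: "device"}
PROPERTIES = {
    12: "application-software-version", 28: "description", 44: "firmware-revision",
    58: "location", 70: "model-name", 75: "object-identifier", 77: "object-name",
    120: "vendor-identifier", 121: "vendor-name",
}
WILDCARD_INSTANCE = 0x3FFFFF  # device instance 4194303: "the device receiving this request"


def decode_bacnet_probe(data: bytes) -> dict:
    """Parse BVLC + NPDU + a Confirmed-Request APDU carrying readPropertyMultiple
    for one object with a flat list of property references. Anything else raises."""
    # BVLC: type 0x81 (BACnet/IP), function, 16-bit total frame length
    if len(data) < 10 or data[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    function, length = data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"BVLC length {length} != frame length {len(data)}")
    # NPDU: version 1, control octet (0x04 = reply expected, 0x20/0x08 = DNET/SNET present)
    version, control = data[4], data[5]
    if version != 1 or control & 0x28:
        raise ValueError("unsupported NPDU (routed, or unknown version)")
    apdu = data[6:]
    if apdu[0] >> 4 != 0:
        raise ValueError("not a Confirmed-Request APDU")
    if apdu[0] & 0x08:
        raise ValueError("segmented request not handled")
    invoke_id, service = apdu[2], apdu[3]
    if service != 0x0E:
        raise ValueError(f"only readPropertyMultiple is decoded here, got {CONFIRMED_SERVICES.get(service, service)}")
    body = apdu[4:]
    if len(body) < 7:
        raise ValueError("truncated request body")
    # Context tag 0, length 4: BACnetObjectIdentifier = 10-bit object type | 22-bit instance
    if body[0] != 0x0C:
        raise ValueError("expected object identifier (context tag 0, length 4)")
    oid = int.from_bytes(body[1:5], "big")
    obj_type, instance = oid >> 22, oid & WILDCARD_INSTANCE
    # Context tag 1 opening (0x1e) ... closing (0x1f): the list of property references
    if body[5] != 0x1E:
        raise ValueError("expected opening tag 1 (property reference list)")
    props, i = [], 6
    while i < len(body) and body[i] != 0x1F:
        tag = body[i]
        if tag == 0x09:    # context tag 0, length 1: one-byte property identifier
            prop, i = body[i + 1], i + 2
        elif tag == 0x0A:  # context tag 0, length 2: two-byte property identifier
            prop, i = int.from_bytes(body[i + 1:i + 3], "big"), i + 3
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in property list")
        props.append(PROPERTIES.get(prop, f"property-{prop}"))
    if i >= len(body) or body[i] != 0x1F:
        raise ValueError("property list not closed")
    return {
        "bvlc_function": BVLC_FUNCTIONS.get(function, f"0x{function:02x}"),
        "reply_expected": bool(control & 0x04),
        "invoke_id": invoke_id,
        "service": CONFIRMED_SERVICES[service],
        "object": (OBJECT_TYPES.get(obj_type, f"type-{obj_type}"), instance),
        "wildcard_instance": instance == WILDCARD_INSTANCE,
        "properties": props,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(decode_bacnet_probe(bytes.fromhex(PROBE_HEX)), indent=2))
```

The decoded request is the classic BACnet device-enumeration probe: one unsegmented ReadPropertyMultiple with invoke ID 0, addressed to the wildcard device object, listing object-identifier, vendor-identifier, vendor-name, firmware-revision, application-software-version, object-name, model-name, description and location. A byte-exact payload like this, together with the fixed source port 47808, identification 54321 and TTL 254 in the signature, is what makes the campaign easy to match against new darknet traffic.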


Legitimate campaign date histogram

• Regular (weekly) traffic

• Several missing spikes of data, where the algorithm returned a false negative


Malicious campaign signature

• Against the EtherNet/IP protocol
  ▪ Included parts of the darknet
    o Visiting IPs more than once
  ▪ Multiple spikes of activity
  ▪ 21 source IPs involved

Stats
  Transport protocol         TCP (the slide lists UDP, but the signature carries TCP-only fields: SYN flag, sequence and acknowledgment numbers, window size, TCP options)
  Protocol                   EtherNet/IP
  Destination port           2222
  # of sources               21
  # of destinations          160,000
  # of packets               1,653,444
  Start                      2018-10-07 13:19:06
  End                        2019-02-19 21:48:51

Signature
  Source port                *
  ToS                        40
  TTL                        128
  IHL                        5
  Total length               *
  IPv4 options               None
  Flags                      None
  Identification             256
  Fragment offset            0
  Offset                     5
  Window size                *
  Urgent pointer             0
  TCP options                None
  TCP flags                  SYN
  Sequence #                 *
  Acknowledgment #           0
  Payload                    None
  Packet interval            552 ms
  Packet/destination ratio   1.0
  Destination overlap        0.0

(* : the field is not fixed across the campaign's packets)


Malicious campaign date histogram

• Traffic is irregular, no discernable pattern


Malicious campaign details

• Geolocation of the source IPs
  ▪ Most IPs are from China
  ▪ The rest are from the United States


Malicious campaign details

• A circular scanning pattern

• IPs had ties with several fast-fluxing domains

• IPs had ties with malware
  ▪ Including Trojans, miners, DDoS


Malicious campaign details

• Found 32 domains associated with the 21 IPs
  ▪ All had neutral or poor reputation
  ▪ 8 domains known for spamming
  ▪ Found 160 IP addresses associated with the domains
    o Out of the 70 IP addresses investigated at random, 45 were fast-fluxing


Malicious campaign details

• Cross-correlation between malware files detected on the campaign sources and the malware stream from Farsight
  ▪ During spikes in campaign activity

• Strong presence of Trojan malware
  ▪ Possible attempt to increase botnet size

Name                                   # of Hits
Trojan.Win32.Generic!BT                1,397,819
Trojan:Win32/Skeeyah.A!rfn                29,681
Virus.Win32.Virut.ce                      22,623
Trojan:Win32/Tiggre!rfn                    7,395
Backdoor:Win32/Zegost                        830
Virus:Win32/Ramnit.J                         225
Trojan-Downloader.Win32.Agent                200
DDoS:Win32/Nitol.B                           137
Virus:Win32/Virut.BN                         108
DDoS:Win32/Nitol.A                            78
VirTool:Win32/Ceeinject.TD!bit                67
DDoS:Win32/Nitol.P!bit                        39
TrojanDownloader:Win32/Farfli.F!bit           30
DDoS:Win32/Nitol!rfn                          13
Trojan:Win32/Togapy.A!bit                      2
Virus:Win32/Parite.C                           2

CONCLUSION

Conclusion

• Built a threat-intelligence generation platform for ICS threats

• Leveraged the platform to analyze over 10 months of darknet data

• Found several campaigns by legitimate organizations

• Found evidence of malicious campaigns

• Future work
  ▪ Extending our tool to deal with campaigns spanning several ports
  ▪ Extending the range of ports covered by our application
