Safeguarding Civilization
TRISIS
Joe Slowik & Jimmy Wylie; Adversary Hunters, Dragos Inc.
The First Safety Instrumented System Malware
Introduction
• Joe Slowik, Threat Intelligence & Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out
Introduction
• Jimmy Wylie, Reverse Engineer
• Current: Dragos Adversary Hunter
• Previous:
• Focal Point Academy: MA Course Dev, Instructor, Researcher
• Fortego, LLC: Malware Analyst/Reverse Engineer, Developer
• University of New Orleans: B.S. & M.S. Computer Science
Agenda
• Background
• Event
• Malware
• Response
Background: By the numbers
5 – ICS Tailored Malware
• Stuxnet
• Havex
• BlackEnergy2
• CRASHOVERRIDE
• TRISIS
3 – Designed to Disrupt Industrial Processes
• Stuxnet
• CRASHOVERRIDE
• TRISIS
1 – SIS Focused
• TRISIS is tailored to impacting Triconex SIS exclusively
BACKGROUND EVENT MALWARE RESPONSE
SIS Background
• Failsafe for the industrial process
• Should be independent of industrial process
• Not arbitrary:
  • Hazard / Operability Studies
  • Process Hazard Analysis
  • FMEA
Timeline
Nov 17
• Dragos finds TRISIS and begins high-level analysis
Late-November
• Dragos confirms the malicious nature of TRISIS with an understanding that it has been used at least at one victim site
• Dragos coordinates with DOE and DHS to confirm there are no considerable sensitivities given the focus of the malware and that notifications would not ruin ongoing investigations
• FireEye learns that Dragos has copies of the malware; coordination is done through interested parties to ensure sensitivities are respected
December 6
• The initial advisory is sent to Dragos ICS WorldView customers
December 8
• The in-depth Technical Report was completed and sent to Dragos ICS WorldView Customers
December 10
• Dragos prepares a public report to have available for whenever the information is leaked to the public or in case someone else publishes; focus is on nuance and defense
December 12
• FireEye publishes report on TRISIS (TRITON); Dragos follows up with its own publication
TRISIS Event
TRISIS Event
• Unspecified gas facility in Saudi Arabia attacked, August 2017
• Infection resulted in system shut-down during intrusion
  • Not assessed as shut-down due to attack
• Attack focused on Schneider Electric Triconex system, 3008 PowerPC processor version
TRISIS Attack Path
• SIS-connected workstation compromised
• Malicious compiled Python moved to workstation with payloads
• EXE handles connectivity to and interaction with SIS
Potential TRISIS Attack Scenario
1. Establish Access on SIS-Connecting System
2. Transfer TRISIS Package to System
3. Use TRISIS Base EXE to Upload Tristation Program
4. Tristation Program Compromises SIS
5. Leverage Access for ICS Disruption via SIS
TRISIS Attack Observed
1. Establish Access on SIS-Connecting System
2. Transfer TRISIS Package to System
3. Use TRISIS Base EXE to Upload Tristation Program
4. Tristation Program Compromises SIS
5. Leverage Access for ICS Disruption via SIS
Something Breaks Here!
What TRISIS Means
• Deliberate targeting of SIS accepts risk:
  • Physical damage
  • Potential injury or loss of life
• New norm established in ICS targeting and operations
TRISIS Components
Engineering Workstation: LIBRARY.ZIP + TRILOG.EXE
SIS: INJECT.BIN, IMAIN.BIN
TRILOG.EXE + Library.zip
• Py2Exe executable masquerading as legitimate software
• Library.zip contains external Python library dependencies
  • Artifact of the Py2Exe process
  • Contains attacker-written libraries along with standard libraries
TRILOG.EXE Initialization
TRILOG.EXE – Test + Upload
TRILOG.EXE – Cleanup
TRILOG.EXE – Summary/Impact
• Summary
  1. Connects to Triconex using IP argument
  2. Concatenates inject.bin to imain.bin
  3. Tests for code upload
  4. Uploads inject+imain, removes if necessary
• IMPACT: Provides a ‘documented’ procedure for uploading control programs
LIBRARY.zip – The Workhorse
• TsLow.py – Socket layer implementation of Tristation/TCM Protocol
• TsBase.py – Tristation Network Commands
• TsHi.py – Uses TsBase to provide Read/Write program functionality
LIBRARY.zip – The Workhorse
• Ts_cnames.py – Enumeration of Tristation codes
• crc.py – Provides a variety of CRC functions
• sh.py – Data dumping and changing endianness
TsLow.py – Tristation Protocol
• Tristation Protocol defines the packet format to send network commands
• Options include uploading code, reading controller state, etc.
• TCM is the wrapper packet for a Tristation Protocol message
• Communications occur over UDP/1502
TsLow.py – TCM & Tristation
TCM Wrapper: MessageType | LengthOfData | Data | CRC16
Tristation Message (carried in Data): Dir | Cid | Cmd | MsgCount | Unk | Checksum | LengthOfCmdData | CmdData
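As an added example (not code from the presentation, from Dragos, or from TRISIS), here is a Python dissector for the two-layer framing the slide sketches, written from the monitoring side: it validates the wrapper CRC and the inner checksum, then flags datagrams that carry a program-upload command toward the controller. The slide gives only field names, so every field width, the byte order, the CRC-16 variant, the placeholder MessageType, direction value and command numbers are assumptions made so the example runs; a real dissector has to take those from captured traffic or vendor documentation.

```python
"""Toy dissector for the TCM wrapper / Tristation message layering sketched on the slide.

Added example, not Dragos or TRISIS code. The slide names the fields only; widths,
byte order, CRC variant and all numeric codes below are ASSUMPTIONS for the demo.
"""
import struct

# ASSUMED wrapper layout: MessageType u8 | LengthOfData u16 LE | Data | CRC16 u16 LE
TCM_HDR = struct.Struct("<BH")
# ASSUMED message layout: Dir u8 | Cid u8 | Cmd u8 | MsgCount u8 | Unk u16 |
#                         Checksum u16 | LengthOfCmdData u16 | CmdData
TS_HDR = struct.Struct("<BBBBHHH")

DEMO_MSG_TYPE = 0x05   # placeholder MessageType, not a real TCM value
DIR_TO_SIS = 0x01      # placeholder: workstation -> controller direction
# Placeholder command numbers for the demo; NOT real Tristation command codes.
CMD_NAMES = {0x11: "READ_STATE_DEMO", 0x22: "UPLOAD_PROGRAM_DEMO"}
UPLOAD_CMDS = {0x22}


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (reflected poly 0xA001, init 0). Assumed; crc.py ships several variants."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def sum16(data: bytes) -> int:
    """Assumed inner 'Checksum': 16-bit sum of CmdData."""
    return sum(data) & 0xFFFF


def make_sample_frame(direction, cid, cmd, count, cmd_data):
    """Build a well-formed frame in the assumed layout (used only to construct test input)."""
    ts = TS_HDR.pack(direction, cid, cmd, count, 0, sum16(cmd_data), len(cmd_data)) + cmd_data
    body = TCM_HDR.pack(DEMO_MSG_TYPE, len(ts)) + ts
    return body + struct.pack("<H", crc16_arc(body))


def parse_tcm(frame: bytes) -> dict:
    """Strip the wrapper: check declared length against the datagram and verify CRC16."""
    if len(frame) < TCM_HDR.size + 2:
        raise ValueError("frame too short for TCM header and CRC")
    msg_type, length = TCM_HDR.unpack_from(frame)
    end = TCM_HDR.size + length
    if end + 2 != len(frame):
        raise ValueError("LengthOfData does not match datagram size")
    (crc,) = struct.unpack_from("<H", frame, end)
    if crc != crc16_arc(frame[:end]):
        raise ValueError("CRC16 mismatch")
    return {"msg_type": msg_type, "data": frame[TCM_HDR.size:end]}


def parse_ts(data: bytes) -> dict:
    """Parse the Tristation message carried in the wrapper's Data field."""
    if len(data) < TS_HDR.size:
        raise ValueError("data too short for Tristation header")
    direction, cid, cmd, count, unk, checksum, length = TS_HDR.unpack_from(data)
    cmd_data = data[TS_HDR.size:TS_HDR.size + length]
    if len(cmd_data) != length:
        raise ValueError("LengthOfCmdData overruns Data")
    if sum16(cmd_data) != checksum:
        raise ValueError("Tristation checksum mismatch")
    return {"dir": direction, "cid": cid, "cmd": cmd, "cmd_name": CMD_NAMES.get(cmd, "UNKNOWN"),
            "msg_count": count, "unk": unk, "cmd_data": cmd_data}


def inspect_datagram(frame: bytes):
    """Return an alert string for program-upload traffic toward the SIS, else None."""
    ts = parse_ts(parse_tcm(frame)["data"])
    if ts["dir"] == DIR_TO_SIS and ts["cmd"] in UPLOAD_CMDS:
        return "program upload (%s) from cid %d toward SIS, %d bytes of CmdData" % (
            ts["cmd_name"], ts["cid"], len(ts["cmd_data"]))
    return None


if __name__ == "__main__":
    # Constructed sample: an upload command carrying four placeholder payload bytes.
    frame = make_sample_frame(DIR_TO_SIS, cid=7, cmd=0x22, count=1, cmd_data=b"\xde\xad\xbe\xef")
    print(inspect_datagram(frame))
```

The point of the structure, rather than the guessed numbers, is that a monitor for this traffic has two independent integrity checks to apply before trusting a command code, and that the decision of what to alert on (direction plus command class) sits in one small function that can be re-pointed once the real command enumeration from Ts_cnames.py is known.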
TsLow.py – tcm_exec
tcm_result() parses the reply
TsLow.py – ts_exec
Whoops!
Attackers are Human Too
• ts_exec returns either a ts_result tuple or a Boolean
  • ts_result == (error_code, reply, cmd)
  • tcm_reconnect() -> Bool
• TsBase.py repeatedly calls the following sequence:
result = ts_exec(cmd, ex_reply)
return ts_cut_reply(result)
Attackers are Human Too
First line of the function can cause a program crash
TsLow.py – detect_ip
TsLow.py – Summary/Impact
• Summary
  • Implements both TCM and Tristation protocol messages
  • Includes ability to scan network for Triconex SIS
• Impact
  • Previously undocumented protocol now easily re-implemented
  • Defenders benefit from attacker’s investment
TsBase.py – Network Commands
• Series of network commands with similar structure
• “Exploit” Interaction
TsBase.py – Impact
• Documents subset of available Tristation network commands
• Built-in ability to upload/download programs and functions
• “ExecuteExploit” reveals which function the BIN files attempt to hook
TsHi.py – SafeAppendProgramMod
• Fairly involved control flow:
  1. Enumerates Functions and Programs
  2. Reads last program in SIS’s program table
  3. If program contains custom TRISIS codesign, it will overwrite that program with argument
  4. Otherwise, it will allocate a new program appending the TRISIS codesign
  5. Runs program and checks state
TsHi.py – Exploit Interaction
TsHi.py – Summary/Impact
• Summary
  • Provides semi-automated function/program upload/download and enumeration
  • Can query SIS state
• Impact
  • Template of ordering and use of TS protocol for SIS modification – Exploit not required!
  • Exploit Funcs could be used for detection
IMAIN.BIN + INJECT.BIN
• Schneider Electric provided a deep-dive at S4x18
• Summary
  • inject.bin leverages 0-day to hook a Tristation Command, likely GetMPStatus, with imain.bin
  • imain.bin adds extra functionality to command allowing R/W/E
  • Removal from program table does not remove rootkit – reboot required
TRISIS RAT?
• Current reporting suggests IMAIN is a RAT
• Given that it hooks an OS command, it functions more like a memory resident rootkit
• RAT connotes more reachability than is present
  • No custom C2, only TS protocol
  • It’s as accessible as the SIS
• Trilog.exe doesn’t support remote C2 either
Open Questions
• Does the rootkit bypass the keyswitch setting once installed?
• What is the nature of the exploit?
  • No CVE published
• What crashed the SIS?
• We are currently exploring these issues
TRISIS Mysteries
• TRISIS capability implies expert knowledge of the Triconex SIS
• Implications event was a test: ‘script_test.py’
  • But why test in target environment – if hardware access required to develop TRISIS?
  • Why not confirm rootkit presence in TRILOG checks?
TRISIS Defense
• Unique attack:
  • Tied to specific Triconex System and configuration
  • 3008 PowerPC-based system
• Malware is not SIS scalable
• Attack capabilities do not resemble standard Windows malware
TRISIS Detection - AV
• Standard antivirus inadequate
  • Heuristics are focused on Windows malware
  • Behavioral heuristics only applicable at EWS
  • Signatures are backward-looking
• Typical antivirus is not designed for threats such as TRISIS
TRISIS AV Detection
TRISIS Detection - Anomaly
• Anomaly detection lacks appropriate context
  • Scope of SIS events may be small
  • But baseline will be narrow
  • Any ‘not normal’ activity will trigger
• Anomalous SIS activity is alarming
  • But single anomaly data point insufficient
  • Lack of context and evidence impedes investigation
TRISIS Current Guidance
• Keep keyswitch in ‘Program’ mode
• Deploy SIS on isolated networks
• Terminals should never be connected to any network other than dedicated safety network
• Removable media and laptops should be scanned prior to introducing to safety network
TRISIS Current Guidance
• Unfortunately…
  • Uncertain if keyswitch can mitigate existing infection
  • Network isolation may not be possible
    • Proper function likely requires some connectivity
  • Scanning introduced media will use standard AV – not effective against new, ICS-specific threats
Threat Behavior Focused Defense
• Adequate defense against TRISIS-like attacks requires a threat-focused approach
• Identify:
  • Pre-requisites for SIS access and attack
  • Necessary steps to impact SIS
  • Critical path nodes between IT, ICS, and SIS
Focus on General Behaviors
• TRISIS as observed will never happen again
  • Specific to the target environment
  • Will not scale or port to future attacks
• TRISIS as a potential method can be re-used
  • Focus on general behaviors in attack
  • Defend against variances and permutations
TRISIS Defense in Depth
Initial Intrusion & C2
• Identify suspect items at IT-ICS link
• Minimize IT-ICS communications to known, monitored paths
ICS Intrusion & Lateral Movement
• Identify and monitor critical path links to SIS, other sensitive areas
• Know existing network communication pathways and identify new, suspicious items
SIS Activity
• Limit communication to SIS to subset of hardened, generally isolated devices
• Record and monitor firmware and configuration changes
Monitor Strategic Nodes
Search for Suspicious Artifacts
rule compiledPython
{
    meta:
        description = "Identify compiled Python objects - Should be rare to non-existent in ICS environments"
        author = "Dragos Inc."
    strings:
        // generic markers of a Py2Exe-style build
        $s1 = "PyImport_" nocase wide ascii
        $s2 = "PyErr_" nocase wide ascii
        $s3 = ".pyd" nocase wide ascii
        $s4 = "py2exe" nocase wide ascii
        // product names the executable may masquerade as
        $a1 = "cyberoam" nocase wide ascii fullword
        $a2 = "plctalk" nocase wide ascii fullword
        $a3 = "greenbow" nocase wide ascii fullword
        $a4 = "mbnet" nocase wide ascii fullword
        $a5 = "mbconnect" nocase wide ascii fullword
        // ... further $a strings elided on the slide
        $a_trilog = "trilog" nocase ascii wide fullword   // shown as $a** on the slide; still covered by ($a*)
    condition:
        uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)
}
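The same detection expressed as a standalone Python scanner, added here as an example (not Dragos code) for the case where YARA is not installed on an engineering workstation: it reproduces the rule's logic (MZ header, at least two generic compiled-Python markers, at least one masquerade product name, ascii and UTF-16LE matching, a fullword check on the names) and walks a directory tree. The string lists are the ones visible on the slide; the rule's elided $a entries are not reconstructed, and the fullword approximation is mine.

```python
"""Scan files for Py2Exe-style compiled Python, mirroring the slide's YARA rule.

Added example, not Dragos code. String lists come from the slide; the fullword
handling is an approximation of YARA's, written by the editor.
"""
import re
import sys
from pathlib import Path

S_STRINGS = ["PyImport_", "PyErr_", ".pyd", "py2exe"]   # generic compiled-Python markers
A_STRINGS = ["cyberoam", "plctalk", "greenbow", "mbnet", "mbconnect", "trilog"]  # names on the slide

_ALNUM = b"A-Za-z0-9"


def _patterns(s: str, fullword: bool):
    """Compile ascii and UTF-16LE ('wide') case-insensitive patterns for one string."""
    ascii_pat = re.escape(s.encode("ascii"))
    wide_pat = b"".join(re.escape(ch.encode("ascii")) + b"\x00" for ch in s)
    if fullword:
        # Not preceded or followed by an alphanumeric character (per encoding width).
        ascii_pat = b"(?<![" + _ALNUM + b"])" + ascii_pat + b"(?![" + _ALNUM + b"])"
        wide_pat = b"(?<![" + _ALNUM + b"]\x00)" + wide_pat + b"(?![" + _ALNUM + b"]\x00)"
    return re.compile(ascii_pat, re.IGNORECASE), re.compile(wide_pat, re.IGNORECASE)


def find_strings(buf: bytes, names, fullword: bool):
    """Return the names from `names` that occur in `buf` in either encoding."""
    hits = []
    for s in names:
        ascii_re, wide_re = _patterns(s, fullword)
        if ascii_re.search(buf) or wide_re.search(buf):
            hits.append(s)
    return hits


def classify(buf: bytes):
    """Apply the rule's condition: MZ header, >= 2 generic markers, >= 1 masquerade name."""
    if len(buf) < 2 or buf[:2] != b"MZ":          # uint16(0) == 0x5a4d
        return None
    s_hits = find_strings(buf, S_STRINGS, fullword=False)
    a_hits = find_strings(buf, A_STRINGS, fullword=True)
    if len(s_hits) >= 2 and len(a_hits) >= 1:
        return {"generic": s_hits, "names": a_hits}
    return None


def scan_tree(root):
    """Walk a directory and return {path: match-details} for files that satisfy the rule."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        result = classify(data)
        if result:
            findings[str(path)] = result
    return findings


if __name__ == "__main__":
    for path, details in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, details)
```

On a safety-network workstation the expected result is an empty report; any hit is a data point to enrich, not a verdict, since legitimate vendor tools are sometimes built the same way.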
Developing Knowledge from Data
• Any of the previous items in isolation is an anomaly
• But when correlated with other events and knowledge in the environment, yields a behavior
• Focus on identifying threat behaviors at earliest possible moment
Enrichment to Identify Behavior
• Identifying possible firmware binary = data point
• Proper response requires enrichment:
  • Source and path for binary in network
  • Communications path to SIS, SIS controller
  • Nature and means of SIS interaction
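Added example (not Dragos code) of the enrichment step in Python: a handful of constructed events, each an isolated anomaly of the kinds the slides name (a compiled-Python artifact on a workstation, a new UDP/1502 flow toward an SIS controller, a recorded program-table change on that controller), are correlated by host and time window into a behavior with a confidence level. The event schema, host names, timestamps and window are all constructed for the demo; the UDP/1502 port is the one given earlier on the slides.

```python
"""Correlate isolated SIS-related anomalies into a behavior. Added example, not Dragos code."""
from datetime import datetime, timedelta

TS_PORT = 1502  # Tristation/TCM over UDP, per the TsLow.py slide

# Constructed sample events (invented hosts and times, not incident data).
SAMPLE_EVENTS = [
    {"ts": "2030-01-01T01:02:00", "kind": "compiled_python_artifact", "host": "EWS-01",
     "detail": "PE with py2exe markers beside a library.zip"},
    {"ts": "2030-01-01T01:05:30", "kind": "new_flow", "src": "EWS-01", "dst": "SIS-A",
     "proto": "udp", "dport": 1502},
    {"ts": "2030-01-01T01:06:10", "kind": "sis_program_change", "host": "SIS-A",
     "detail": "program table gained one entry"},
    {"ts": "2030-01-01T09:00:00", "kind": "new_flow", "src": "HIST-02", "dst": "SIS-B",
     "proto": "udp", "dport": 1502},
]

LEVELS = {1: "low", 2: "medium", 3: "high"}


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def correlate(events, window=timedelta(minutes=30)):
    """Anchor on each new UDP/1502 talker and enrich it with what preceded and followed it."""
    artifacts = [e for e in events if e["kind"] == "compiled_python_artifact"]
    changes = [e for e in events if e["kind"] == "sis_program_change"]
    findings = []
    for flow in events:
        if flow["kind"] != "new_flow" or flow.get("proto") != "udp" or flow.get("dport") != TS_PORT:
            continue
        t_flow = _t(flow["ts"])
        evidence = ["new UDP/%d flow %s -> %s" % (TS_PORT, flow["src"], flow["dst"])]
        # Source side: was a suspect compiled-Python binary found on the talker shortly before?
        if any(a["host"] == flow["src"] and timedelta(0) <= t_flow - _t(a["ts"]) <= window
               for a in artifacts):
            evidence.append("compiled-Python artifact on %s" % flow["src"])
        # Destination side: did the controller's program/config change shortly after?
        if any(c["host"] == flow["dst"] and timedelta(0) <= _t(c["ts"]) - t_flow <= window
               for c in changes):
            evidence.append("program/config change on %s" % flow["dst"])
        level = LEVELS[len(evidence)]
        findings.append({
            "src": flow["src"], "dst": flow["dst"], "level": level,
            "behavior": ("SIS program modification from a suspect workstation" if level == "high"
                         else "unexplained SIS talker; enrich further"),
            "evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["level"].upper(), f["src"], "->", f["dst"], "|", f["behavior"])
        for line in f["evidence"]:
            print("   ", line)
```

Each input on its own is only "not normal"; the three together, ordered in time along the source-to-SIS path, are the behavior the earlier slides describe, which is what makes the high-confidence finding actionable.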
Architecting SIS Defense
• Identify Required Adversary Behaviors
• Determine Necessary Visibility to Detect Adversary Actions
• Align Defense and Monitoring to Requirements
• Train and Educate Security Personnel on Threat Environment
• Emphasize Root Cause Analysis when Systems Fail
Defense has the Advantage
1. Initial Intrusion
2. Gain Persistence
3. Survey Network
4. Identify Objective
5. Deliver Effect
6. Complete Effect