Joe Slowik / @jfslowik
Dragos, Inc. | June 2019
https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf
http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png
Preparatory Actions
Deny Degrade Destroy
CRASHOVERRIDE
TRISIS / TRITON
2017-2019 Electric Sector Intrusions
Launcher Start
• Select Payload
• Initiate ICS Impact
Payload Execution
• Connect to Control Systems
• Manipulate State
Wiper
• Wait for Timer
• Delete Files, Remap Services, Reboot System
Post-Attack
• Leave behind “Backup” Backdoor
• SIPROTEC DDoS (Fail)
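The two service-level behaviours on this slide (Stage 2 service creation with a timer, and the wiper's “remap services” step) are both visible as a diff of a host's service inventory against a known-good baseline. The following is an added illustration written for this transcript, not Dragos code or a CRASHOVERRIDE indicator set; the service names, paths and the `name|path` export format are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str      # "new_service" or "remapped_service"
    service: str
    detail: str

# Constructed baseline inventory (service name -> ImagePath) as a site might
# record for a Windows host in the control network. Not real indicators.
BASELINE = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "HistorianCollector": r"C:\Program Files\Vendor\collector.exe",
    "W32Time": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# Constructed 'name|path' export of the current service entries, e.g. dumped
# from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (format assumed).
SNAPSHOT_LINES = [
    r"Spooler|C:\Windows\System32\spoolsv.exe",
    r"HistorianCollector|C:\Windows\Temp\upd.exe",           # existing service remapped
    r"W32Time|C:\Windows\System32\svchost.exe -k LocalService",
    r"defragsvc|C:\Windows\Temp\defrag.exe",                   # service not in baseline
]

def parse_snapshot(lines):
    """Parse 'name|path' lines into {name: path}; malformed lines are skipped."""
    services = {}
    for line in lines:
        name, sep, path = line.partition("|")
        if sep and name.strip():
            services[name.strip()] = path.strip()
    return services

def diff_services(baseline, current):
    """Report services absent from the baseline (creation) and services whose
    ImagePath differs from the baseline (remapping). Comparison is
    case-insensitive because Windows paths are. Services that vanished are
    not flagged here."""
    findings = []
    for name, path in current.items():
        if name not in baseline:
            findings.append(Finding("new_service", name, path))
        elif baseline[name].lower() != path.lower():
            findings.append(Finding("remapped_service", name,
                                    f"{baseline[name]} -> {path}"))
    return findings

if __name__ == "__main__":
    for f in diff_services(BASELINE, parse_snapshot(SNAPSHOT_LINES)):
        print(f.kind, f.service, f.detail)
```

A periodic diff like this catches the “remap services” step only if the baseline was captured before the intrusion, which is why the inventory has to live off the monitored host.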
Long-Term Network Access
• Harvesting credentials over long periods
• Able to perform reconnaissance and survey environment
Insecure Environment
• Weak authentication mechanisms
• Re-used credentials
• Older operating systems on critical devices
‘Flat’ Network
• Central points of access (historians) to all ICS-managing hosts of interest
• Easy to move from IT to OT network
Stage 1
• Credential capture
• Native Windows commands and scripts
Stage 2
• Malicious service creation with timer
• ICS manipulation coded in malware
What Worked
• Again penetrated ICS, produced impact
• Framework developed to scale attacks
What Could Have Been Better
• Attack was very immature
• Tools still in development stage
• Attack looks like a ‘test’
Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
Utilize remote access to OT network via stolen credentials
Continue pivoting through network via credential capture
Gain sufficient access to SIS to deploy TRISIS
Media, General Infosec Companies
• WHO DID IT ???
• Where will this entity strike next?
ICS Security Community
• What was the intention/purpose?
• What are implications of targeting SIS?
Stage 1
• Credential capture
• Publicly- and commercially-available toolsets
Stage 2
• Continuous credential capture and pivoting via same Stage 1 tools
• Develop and deploy victim-specific SIS rootkit
What Worked
• Yet again penetrated ICS, produced impact
• Expanded scope of possible targets for disruption to SIS
What Could Have Been Better
• Event did not appear to succeed
• TRISIS is very ‘brittle’ – only directly applicable to identical environments
Select Utility Targets
Identify Contractors, Vendors, and Other Third Parties
Compromise Third Parties
Utilize Trusted Relationship to Enable Access to Utility Targets
Known Victims
• United States
• United Kingdom
• Ireland?
Probable Victims
• Germany
• Switzerland?
Emerging Victims
• Ukraine
• Poland?
Stage 1
• Continuous Credential Capture
• Remote Logon, Leverage Native System Tools
Stage 2
• Initial Access and Survey of ICS Environment using Stage 1 Methodology
• Ultimate Intended Effect… ?
What Worked
• AGAIN penetrated ICS
• Campaign leveraged combinations of publicly-available tools and techniques
• Provides an example of how to penetrate ICS without special tooling
What Could Have Been Better
• We’re not really sure yet!
Preparatory and Pre-ICS Attack Phases
• Increasing Avoidance of Custom Software, Malware
• Emphasis on Commodity and System Tools
• Increased Use of In-Memory Execution
ICS Attack
• Custom Attack Packages Tailored to Target Environment
• Limited Ability to Replay or Reuse Attacks
STUXNET is first known and most complex ICS malware
Subsequent events leverage some use of vulnerabilities
Most-recent attacks rely on underlying network insecurity and connectivity
Ukraine 2016: ICS manipulation codified in software (CRASHOVERRIDE)
Saudi Arabia 2017: Develop product-specific rootkit to facilitate access and manipulation (TRISIS)
2017-Present: Information gathering on target systems to enable effects development?
Attackers codifying ICS manipulation in software vs. manual interaction
Intrusions will continue
Adversaries are getting smarter, more efficient
Infections may result in incidental harm
Attacker goal is mission accomplishment – not technical sophistication
Attackers will stick with “what works”
Divergence between initial access and final attack methodologies
Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment
Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT
Result: IT threat surface imported to ICS environment – WITHOUT the same security capabilities
Efficiencies and Cost Savings Result in Increased Adoption of IT Technologies in ICS Environments
Extending IT Attack Surface to ICS Environment
ICS Environments Lack Security and Monitoring Options in IT Environments
Attackers are Taking Advantage of this Trend
The Wrong Lesson
• “Living off the land” prevalence means ICS security problems are just like IT
• Deploy and implement IT security in ICS environments, same tools and all!
The Right Lesson
• IT intrusion tradecraft extends to ICS
• Portions of IT defense must be embraced, but not all
• Effective defense requires knowing subtleties of operational networks (and their purpose)
Traditional ICS Perimeter
Vendor and Contractor Access
Increased Remote Work and Administration
Cloud and Off-Prem Products
Almost no Observed Use of “Zero Days”*
Most Targeted Vulnerabilities are Windows, not ICS
Use of Publicly-Available Attack Tools, Rarely Custom Software EXCEPT Final Attack
Initial Intrusion
•Breach IT
•Expand into ICS
Dwell Time
•Maintain Access
•Continuous Data Gathering
Event Execution
•Leverage Access
•Execute Disruptive Event
ICS Capability / Research Team
Attack Team 1
Attack Team 2
Attack Team 3
Few ICS Disruptive Events
Multiple ICS Intrusions, Survey, Reconnaissance
Many ICS-Related IT Intrusions and Initial Access
Disruption or Destruction
Erode Confidence
Influence and Messaging
Little or No Custom Malware in Initial Intrusion
Transition from “Access” to “Effects” Team when ICS Breached
Custom Malware Deployed Codifying ICS Knowledge in Software
Increasing Reliance on IT Concepts and Equipment Magnifies ICS Impact
• CRASHOVERRIDE – Dragos (https://dragos.com/blog/crashoverride/CrashOverride-01.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)
• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)
• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)
• German Steel Mill Cyber Attack – SANS (https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf)
• Electric Sector Targeting in Context – Joe Slowik (https://pylos.co/2018/12/26/electric-sector-targeting-in-context/)
• Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group – Symantec (https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks)
• Evolution of ICS Attacks and the Prospects for Future Disruptive Events – Joe Slowik, Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)