Emulating Adversary Tactics Safely in Industrial Networks. Robert M. Lee. Twitter: @RobertMLee. Email: rlee@dragos.com. Web: www.dragos.com

Post on 22-Apr-2020

TRANSCRIPT

Page 1: Emulating Adversary Tactics Safely in Industrial Networks · Emulating Adversary Tactics Safely in Industrial Networks Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web:

Emulating Adversary Tactics Safely in Industrial Networks

Robert M. Lee
Twitter: @RobertMLee
Email: rlee@dragos.com
Web: www.dragos.com

Page 2

How Not to be an Asshole in ICS

Page 4

Agenda

• Intel and Red Teaming (Indicators Aren’t Intel)
• Dymalloy, Electrum, Covellite: Industrial Threat Background (What You’ll Emulate)
• Doing it Wrong (Asshole Moves)
• Achieving Success (How Not to be an Asshole)

Page 5

Intelligence and Red Teaming

(Little Bobby comic: @_LittleBobby_, www.LittleBobbyComic.com)

Page 6

The Making of an Activity Group

[Diagram, left to right: Intrusions, Intrusion Sets, Campaigns, Group. Each victim organization's intrusion analysis yields an intrusion; intrusions are clustered into intrusion sets, the sets into campaigns (Campaign 1, Campaign 2 and Campaign 3, each built from the intrusion analyses of several victim organizations), and the campaigns into one activity group.]

Page 7

The Diamond Model

[Diagram: the four connected vertices of the Diamond Model, Adversary, Capability/TTPs, Infrastructure and Victim.]

Ref: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Page 8

Dymalloy

Page 9

DYMALLOY

Victims:
• North American electric operators
• Turkish energy providers
• Western Europe electric operators

Adversary: Multi-State Adversary Interests

Capabilities:
• Malicious docs w/ credential harvesting via external SMB connections
• RATs from publicly available toolkits
• Custom-developed information theft toolkits built on public tools
• One non-public toolkit

Infrastructure:
• Compromised ISP IPs
• Compromised business connections for initial infection and subsequent implants

Links: Dragonfly 2.0 (not Dragonfly 1.0)

Industrial Threat Background
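The "malicious docs with credential harvesting via external SMB connections" bullet describes a document that carries a relationship whose target is a UNC path (\\host\share\...) or file:// URL on attacker infrastructure, marked TargetMode="External": when the document is opened, Windows resolves that target over SMB and sends NTLM authentication to it. The checker below is an added example, not code from the slides or from Dragos; it unpacks an Office Open XML package and reports every relationship that would trigger such an outbound share access. The sample .docx, its package layout and the attacker IP 192.0.2.10 are constructed for the example so it runs offline.

```python
"""Flag Office documents whose relationships point at an external SMB/file share."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# A target beginning with \\, // or file: is resolved by the OS as a share path,
# which is what makes the client authenticate over SMB.
SHARE_TARGET = re.compile(r"^\s*(\\\\|//|file:)", re.IGNORECASE)


def external_share_targets(docx_bytes):
    """Return [(rels_part, rel_id, rel_type, target)] for every External relationship
    in any *.rels part whose target is a UNC/file share. Internal targets and plain
    http(s) targets are not reported; only share paths cause SMB authentication."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and SHARE_TARGET.match(target):
                    hits.append((part, rel.get("Id"), rel.get("Type"), target))
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx (assumed layout). With template_target set, the
    settings part is linked to an *external* attached template, a common injection
    point; with None the package has only internal relationships."""
    rels = ["<Relationships xmlns=%s>" % quoteattr(REL_NS)]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type=%s Target=%s TargetMode="External"/>'
                    % (quoteattr(TEMPLATE_REL), quoteattr(template_target)))
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/></Types>')
        pkg.writestr("_rels/.rels",
                     '<Relationships xmlns="%s"><Relationship Id="rId1" '
                     'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                     'Target="word/document.xml"/></Relationships>' % REL_NS)
        pkg.writestr("word/document.xml",
                     '<document xmlns="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/settings.xml",
                     '<settings xmlns="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(r"\\192.0.2.10\share\template.dotm")  # constructed attacker share
    for part, rel_id, rel_type, target in external_share_targets(sample):
        print("%s %s -> %s" % (part, rel_id, target))
```

The same check applies to any .rels part, so relationships injected into document.xml.rels (remote images, OLE objects) are caught as well as the attached-template case built here. External http(s) template targets are deliberately not flagged by this function; they deserve their own review, since a web server can redirect a template fetch to a share, but they are a different signal from the direct SMB reach-out the slide describes.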

Page 10

Doing it Wrong

• Electric Utility Story
• Scanning non-common ports
• SMB lateral movement
• Aggressive scanning

Page 11

Achieving Success

• Leverage known RATs
• Hardcoded IPs pulling down PNGs
• Exfiltration of HMI info via DNS

Page 12

Success: Leveraging the Right Detection

Environment-focused       | Threat-focused
Modeling                  | Threat Behavioral Analytics
Configuration Analysis    | Indicators
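The previous two slides make one point together: the emulated Dymalloy exfiltration of HMI information over DNS will not be caught by an indicator unless the red team reuses infrastructure the defender already knows, whereas a threat-behavioral analytic catches the behavior itself. The script below is an added example, not code from the slides or from Dragos. It runs both detection types over a constructed DNS query log: an indicator match on a parent domain, and a behavioral analytic that flags a source querying many unique, long, high-entropy subdomains under one parent domain, which is what chunked data leaving a host over DNS looks like. The log format, the hosts in 10.20.30.0/24 and the domain cdn-sync.example.net are all constructed for the example.

```python
"""Indicator match vs. behavioral analytic for DNS exfiltration from an HMI."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of the text's symbol distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(lines):
    """Constructed log format: '<timestamp> <src_ip> <qtype> <qname>'."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[1], parts[2], parts[3].rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Naive parent-domain cut (last two labels); production code should use a public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_exfil(lines, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Behavioral analytic. Returns [(src, parent_domain, unique_subdomains, mean_label_len, entropy)]
    for (source, parent-domain) pairs whose query names look like encoded data."""
    groups = defaultdict(set)
    for src, _qtype, qname in parse_dns_log(lines):
        groups[(src, registered_domain(qname))].add(qname)
    alerts = []
    for (src, domain), names in groups.items():
        subdomains = [n for n in names if n != domain]
        if len(subdomains) < min_unique:
            continue
        first_labels = [n.split(".")[0] for n in subdomains]
        mean_len = sum(map(len, first_labels)) / len(first_labels)
        entropy = shannon_entropy("".join(first_labels))
        if mean_len >= min_label_len and entropy >= min_entropy:
            alerts.append((src, domain, len(subdomains), round(mean_len, 1), round(entropy, 2)))
    return alerts


def match_indicators(lines, bad_domains):
    """Indicator check for comparison: exact parent-domain match only."""
    bad = {d.lower() for d in bad_domains}
    return [(src, qname) for src, _q, qname in parse_dns_log(lines) if registered_domain(qname) in bad]


def constructed_log():
    """Constructed sample: HMI 10.20.30.11 pushes 12 hex-encoded chunks of a screenshot
    via TXT queries to a domain the red team registered; 10.20.30.12 is an ordinary host."""
    lines = []
    for i in range(12):
        chunk = hashlib.sha256(b"hmi-screenshot-%d" % i).hexdigest()[:40]
        lines.append("2020-04-22T10:%02d:00Z 10.20.30.11 TXT %s.cdn-sync.example.net" % (i, chunk))
    lines += [
        "2020-04-22T10:00:05Z 10.20.30.12 A www.example.com",
        "2020-04-22T10:00:06Z 10.20.30.12 A ntp.example.com",
        "2020-04-22T10:00:07Z 10.20.30.12 A historian.plant.example.com",
    ]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("indicator hits:", match_indicators(log, {"known-bad.example.org"}))
    print("behavioral alerts:", detect_dns_exfil(log))
```

With a red team that registered its own domain, the indicator list is empty and the behavioral analytic fires; that gap between the two results is the finding to hand to the blue team, and it is the kind of recommendation the deck asks for (a detection type, not a new IOC). Thresholds are deliberately loose here; in a plant network the baseline of legitimate DNS from an HMI is small, so they can be tightened per environment.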

Page 13

Covellite

Page 14

COVELLITE

Victims:
• Electric utility companies in the United States

Adversary: North Korean State Interests

Capabilities:
• Sophisticated implant with secure communication channels
• Similar features to malware used against South Korean targets
• Specific session key used for payload and second encrypted layer
• 41 minute and 30 second sleep

Infrastructure:
• Legitimate infrastructure
• University IPs for C2

Links: Unknown

Industrial Threat Background
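Two of the Covellite traits above combine into a detection problem worth rehearsing before emulating it: the implant checks in every 41 minutes 30 seconds, and it does so to legitimate (university) IPs, so destination reputation says nothing. What does stand out in netflow is regularity. The script below is an added example, not code from the slides or from Dragos; it groups flows by (source, destination, port) and flags pairs whose inter-connection intervals cluster tightly around one value inside a plausible sleep range. The flow records, the engineering workstation 10.20.40.21 and the destination 203.0.113.50 are constructed for the example.

```python
"""Beacon detection: find periodic outbound connections in netflow."""
import statistics
from collections import defaultdict

SLEEP_SECONDS = 41 * 60 + 30  # 2490 s, the check-in interval on the slide


def find_beacons(flows, min_flows=6, max_cv=0.05, min_period=60, max_period=6 * 3600):
    """flows: iterable of (ts_seconds, src, dst, dport).
    Returns [(src, dst, dport, mean_period_s, cv)] for pairs with at least min_flows
    connections whose inter-arrival times are regular: coefficient of variation
    (stdev / mean) at most max_cv and a mean period within [min_period, max_period]."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        if min_period <= mean <= max_period and cv <= max_cv:
            beacons.append((src, dst, dport, round(mean, 1), round(cv, 4)))
    return beacons


def constructed_flows():
    """Constructed netflow: one implant beaconing every 41m30s with a few seconds of
    jitter, plus a user host with irregular HTTPS connections to one server."""
    flows = []
    t = 0
    jitter = [0, 3, -2, 5, -4, 1, 2, -3]  # fixed 'jitter' so the example is reproducible
    for j in jitter:
        t += SLEEP_SECONDS + j
        flows.append((t, "10.20.40.21", "203.0.113.50", 443))
    t = 100
    for gap in [30, 700, 45, 5, 2400, 90, 15, 600]:
        t += gap
        flows.append((t, "10.20.40.22", "198.51.100.7", 443))
    return flows


if __name__ == "__main__":
    for src, dst, dport, period, cv in find_beacons(constructed_flows()):
        print("%s -> %s:%d every %.0f s (cv %.4f)" % (src, dst, dport, period, cv))
```

The analytic only needs flow metadata, which matters on the collection-management slide later in the deck: netflow kept for 23 days holds hundreds of 41.5-minute check-ins, so the evidence exists if someone looks for periodicity rather than for a bad IP. Legitimate periodic traffic (NTP, patch checks, historian polling) will also score as regular, so in practice the output is filtered against an allowlist of known schedules before it becomes an alert.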

Page 15

Doing it Wrong

• Gas Pipeline Story:
• Not getting authorization for each new system
• Gaining access and not emulating the threat
• Thinking you understand the engineering

Page 16

Achieving Success

• Properly themed phishing email
• Encoded payload in .doc
• Access IT systems and pivot to OT
• Leverage self-registered C2 servers themed to universities
• Leverage implant with anti-forensic features and 41 minute sleep
• In OT environment (with approval and Operations oversight) exfiltrate HMI screenshots

Page 17

Success: Test Their Collection Management Framework

Data Source                | Data Type       | Kill Chain Coverage                                   | Follow-on Collection | Typical Storage in Days
Endpoint Protection System | System Alert    | Exploitation & Installation                           | Malware sample       | 30 days
Windows Systems            | Host Based Logs | Exploitation, Installation, and Actions on Objectives | Files and timelines  | 60 days
Network                    | Netflow         | Internal Reconnaissance, Delivery, and C2             | Packet Capture       | 23 days
Firewall                   | System Alert    | Internal Reconnaissance, Delivery, and C2             | Netflow              | 60 days
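The table answers two questions a red team should ask before the emulation: does any source cover each kill-chain phase the test will exercise, and will that evidence still exist when the blue team does its review? The script below is an added example, not code from the slides or from Dragos. It encodes the table as data and checks an emulation timeline against it; the timeline (days from engagement start) and the review day are assumed for the example.

```python
"""Check an emulation plan against a collection management framework (CMF)."""

# The four sources from the slide: kill-chain phases covered and retention in days.
CMF = {
    "Endpoint Protection System": {"data": "System Alert", "phases": {"Exploitation", "Installation"},
                                   "retention_days": 30, "follow_on": "Malware sample"},
    "Windows Systems": {"data": "Host Based Logs",
                        "phases": {"Exploitation", "Installation", "Actions on Objectives"},
                        "retention_days": 60, "follow_on": "Files and timelines"},
    "Network": {"data": "Netflow", "phases": {"Internal Reconnaissance", "Delivery", "C2"},
                "retention_days": 23, "follow_on": "Packet Capture"},
    "Firewall": {"data": "System Alert", "phases": {"Internal Reconnaissance", "Delivery", "C2"},
                 "retention_days": 60, "follow_on": "Netflow"},
}

# Assumed emulation timeline: (phase, day offset from the start of the engagement).
PLAN = [
    ("Delivery", 0), ("Exploitation", 0), ("Installation", 1), ("C2", 1),
    ("Internal Reconnaissance", 30), ("Actions on Objectives", 45),
]


def coverage_report(cmf, plan, review_day):
    """For each planned (phase, day): the sources covering that phase, split into
    those whose retention still holds the evidence on review_day and those aged out."""
    report = []
    for phase, day in plan:
        covering = [name for name, src in cmf.items() if phase in src["phases"]]
        retained = [n for n in covering if day + cmf[n]["retention_days"] >= review_day]
        expired = [n for n in covering if n not in retained]
        report.append({"phase": phase, "day": day, "retained": retained, "expired": expired})
    return report


def blind_spots(cmf, plan, review_day):
    """Planned phases for which no evidence will survive until review_day."""
    return [r["phase"] for r in coverage_report(cmf, plan, review_day) if not r["retained"]]


def uncovered_phases(cmf, phases):
    """Kill-chain phases the CMF never collects for, regardless of timing."""
    covered = set().union(*(src["phases"] for src in cmf.values()))
    return [p for p in phases if p not in covered]


if __name__ == "__main__":
    for row in coverage_report(CMF, PLAN, review_day=50):
        print(row)
    print("blind spots if reviewed on day 50:", blind_spots(CMF, PLAN, 50))
    print("blind spots if reviewed on day 70:", blind_spots(CMF, PLAN, 70))
    print("never collected:", uncovered_phases(CMF, ["Reconnaissance", "Weaponization", "Delivery"]))
```

With this table, a review held on day 50 still finds the phishing delivery in the firewall alerts but not in netflow (23 days), and the exploitation only in Windows host logs, since the endpoint alert aged out at day 30; push the review to day 70 and the whole initial-access sequence is gone. That is the conversation to have with the operator before the test: either the blue team reviews inside the retention windows, or the red team keeps its own timeline so the gap becomes a finding rather than a dispute.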

Page 18

Electrum

Page 19

ELECTRUM

Victims:
• Ukrainian utility companies (electric, water)

Adversary: Russian State Interests

Capabilities:
• Long-term access to ICS
• CRASHOVERRIDE
• ICS-specific modules
• Operations knowledge

Infrastructure:
• Dual-use infrastructure such as TOR to host C2
• Internal proxies set up

Links: Development team for Sandworm

Industrial Threat Background

Page 20

CRASHOVERRIDE

Page 21

What Not To Do

• Energy Company:
• Conducted the test 100% right
• Recommendations 100% off
• Over-hyped the importance of indicators such as CRASHOVERRIDE IOCs

Page 22

Achieving Success

• Understand Detection Type
• Understand the Business Unit Goals
• Recommendations to a Threat Model
• Do Not Touch Final Control Elements

Page 23

Success: Tailoring Their Threat Model

Page 24

Questions?

Robert M. Lee
Twitter: @RobertMLee
Email: rlee@dragos.com
Web: www.dragos.com