Long Term Packet Capture in Critical Infrastructures

Creating a Circle of Goodness for Security Operations

Introduction Michael Meason, Manager of Technical Service - Western Farmers Electric Cooperative

Telecommunications Engineering

Network Engineering/Operations/Maintenance

Cyber Security Operations and Critical Infrastructure Protection

Letters

BS in CIS, MS in Telecommunications, CISSP, CSFI-DCOE, NSTISSI 4011 4015, CNSSI 4012 4013 4014 4016

Others

Husband/Father, KG5DQA, Aviation, @SigmetXray

Employer Slide Western Farmers Electric Cooperative

WFEC supplies the electrical needs of more than two-thirds of the

geographical region of Oklahoma, part of New Mexico, as well as small portions of Texas and Kansas

The Circle of Goodness (C.O.G.)

Industrial Control Systems.. That’s What We do.

This is what we protect, but…..

Lessons learned can be applied to any infrastructure that is critical to your business or operations

Don’t dismiss the methodology as inherent to control systems

Imagine if You Could……..

Go back in time 2-8 weeks when an intrusion event occurs

Set the needle pre-event

DeLorean + Flux Capacitor + 1.21 Gigawatts = Network Data Recorder

Security Value

Reconstruct the Sequence of Events (SOE)

Incident response

Situational Awareness

Packet Analysis

Packet Retention

Protocol Analysis

Operational Malfunctions

Evasion Techniques

Baseline Traffic

IOC Replay

Operational Value Identify operational misconfigurations

High frequency low impact operational events

ILO & DRAC (DHCP Request Broadcast)

Other awesome examples

Low frequency high impact events

Monday night outages (sending sys logs for all file opens and closes and old syslog servers)

The Circle of Goodness (C.O.G.)

Organizational Value

Importance of relationship between SOT and operations (OT/IT)

The NDR is a relationship “enhancer”

Help OT/IT help themselves

The Circle of Goodness (C.O.G.)

Survey of the Tools: Commercial Network Data Recorders (NDR)

Wildpackets

GigaStor - Network Instruments

Solera DeepSee Blackbox Recorder

Survey of Tools: Open Source

Wireshark

TCPDump

DaemonLogger (Martin Roesch)

Moloch

Commercial -VS- Open Source How is commercial different from TCPDump and Uber Storage?

Color coded results

Easily filtered

Easily searched

Organized by timelines

Forensic search capabilities

Packet analysis capabilities

Commercial -VS- Open Source

Integration of hardware/software

Front end/back end integration challenges

You need ninja level foo

There is however, possibly a down-and-dirty solution

Not a Silver Bullet

A tool in the belt

Noce Te Ipsum (Literally)

Systems don’t secure systems

Active hunting

Link between controls and reality

The Circle of Goodness (C.O.G.)