Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
TRANSCRIPT
Slide 1
UNCLASSIFIED
Information Engineering Solutions
www.dynetics.com
Digital Energy – BPT
BSidesAugusta 2013
Paul Coggin, Internetwork Consulting Solutions Architect
Slide 2
Digital Energy – Basic Persistent Threat
• APT default excuse for any compromise
• Default passwords
• Little to no separation of control, management and data planes
• Layer 2 security issues
• Lack of Perimeter Egress filtering
• Lack of Perimeter Egress authentication
• Trust Relationships
• Integration
• Interdependencies
• Dependencies
• Vendor remote access
• Default database client/server protocol configuration
• Lack of security policies driving network and security infrastructure configuration
• Flat earth network architecture philosophy
Talented attackers exploiting critical infrastructure using basic attack vectors are not an APT.
Slide 3
Public Network Infrastructure Overview
[Diagram: Residential, SOHO, Telecommuter and Branch Office customers; Enterprise; Energy Distribution and Water / Sewer Treatment Plant (ICS / SCADA); Cell Tower; GPON, GigE and SONET access with MPLS/IP, DWDM, SONET and ATM transport; Internet; Video Headend IPTV/VOD, SIP Proxy, VoIP GW, Web server; Provisioning, Assurance, Situational Awareness, Online and Internal Billing, Policy, DHCP and AAA Servers; Lawful Intercept]
- Vendor/Mfg. Remote Support
- Internal Tech Staff VPN
- Customer online bill payment
- Misconfigured Backdoor
Slide 4
ANSI/ISA99
• ICS – Industrial Control Systems
• SCADA – Supervisory Control and Data Acquisition
• PLC – Programmable Logic Controller
• RTU – Remote Terminal Unit
• IED – Intelligent Electronic Device
• Historian
• HMI – Human Machine Interface
• Protocols - Modbus, ICCP, DNP3, Others
In many networks there is no firewall securing the integration between the Enterprise and ICS/SCADA network. A multi-homed Windows system commonly integrates the two networks.
Typically, the ICS/SCADA network utilizes a flat network architecture. The vendors have VPN, Telnet and/or SSH holes punched through the firewall, with weak authentication in most cases.
Older systems will have back door modem connections for vendor remote access.
Reference: www.isa.org - ANSI/ISA99 Standard
Slide 5
Voice Soft Switch Network
[Diagram: Soft Switch and Backup Soft Switch, EMS and Backup EMS, Voice Transport Network and Management Network, with the EMS systems also connected to the Internet]
The service provider transport and soft switch vendors commonly provide an EMS for their solution.
The EMS server is commonly multi-homed, with one interface connected directly to the Internet and a second connected to the management network. The transport and voice technical staff may have the system installed without the protection of a firewall or VPN. A number of soft switch EMS systems have been hacked using SSH brute force attacks. In some cases the EMS is installed behind a firewall with ACLs trusting any inbound IP connection destined to the SSH service.
Slide 6
What Kind of Ring is It?
[Diagram: Ring Topology compared with Collapsed Ring Topology]
Any disruption to the single physical fiber run disrupts the logical ring. End point devices such as DSLAMs are configured to form a ring on both ends of the fiber run.
One service provider had their fiber cut between COs by copper thieves.
Logical Ring for Regulatory Requirements
Slide 7
Dual Purposed Online Bill Paying Web Server & Internal Billing System
[Diagram: Internal Enterprise LAN, AAA, Provisioning & Monitoring, EMS, Internet Middleware, Video On Demand Services, Voice Services and IPTV alongside the Internal Billing System & Online Billing Web Server]
A directory traversal in NetMgt led to root access on the internal billing system, which was also the online billing system for customers. The architecture was designed by the billing system vendor, who argued it was secure even after their system was hacked. The billing system hack exposes provisioning, network management, IPTV middleware, etc. to compromise through trust relationships.
Power distributors may utilize the transport and access network for smart grid services.
Slide 8
Transport Network Disrupted by Accidental Misconfiguration
[Diagram: Residential Customer (PC, TV, IP Phone) behind GPON; Video On Demand Services, Voice Services, IPTV and Internet Services kept apart by Separation of Service/VLANs and Private Virtual Circuits; Secure Visualization and Instrumentation with Deep Inspection and Monitoring of Network Flows / Packets diagnosed the configuration issue]
• Malware existed on Data (ISP) user computers; the malware sent ICMP packets to DoS a target.
• Transport equipment encapsulated the DoS packets into multicast packets.
• Transport equipment replicated the DoS in hardware to all users.
• A customer with an SVI was alerted to unusual traffic on the multicast VLAN for video.
• Called in for remote incident analysis; forensics on network packets showed multicasting of "bad info" and misconfiguration of the network logical data flows.
Service Provider Employee Mistakenly Integrated Data and Video Networks
Slide 9
CPE Router Hijacking
[Diagram: Residential Customer (PC, TV, IP Phone) behind GPON; Video On Demand Services, Voice Services, IPTV and Internet Services on Separation of Service/VLANs and Private Virtual Circuits; Deep Inspection and Monitoring of Network Flows / Packets]
• Hacker attacked DSL modems.
• Changed DNS address to relay box.
• Hijacked web requests and web traffic redirected to rogue site.
• 6K DSL routers hacked before stopped.
• Router management access with open trust.
• Unknown default router password.
Slide 10
Utility CATV Head End Scenario
[Diagram: Vendor HQ reached over the Internet through a Vendor VPN Router and a Dedicated VPN for Remote Mgt into the head end; Middleware and Billing System Integration servers; Video On Demand Services, Voice Services and IPTV; Cable Modem Termination System (CMTS), Cable Routers, RF Combiner, Fiber Node, downstream/upstream RF plant, customer cable modem (CM), set-top box and TV]
Vendor aggregates customer VPNs to HQ site. The customer inherits the security risk of the vendor through the VPN trust relationship.
Vendor was hacked, enabling the billing system integration server to be hacked.
No segmentation: no PVLAN, no VACL.
Slide 11
Utility CATV Head End Scenario 2
[Diagram: Vendor 1 and Vendor 2 reached over the Internet through Vendor VPN Routers and a Dedicated VPN for Remote Mgt into the head end; Enterprise network; Middleware and Billing System Integration servers; Video On Demand Services, Voice Services and IPTV; CMTS, Cable Routers, RF Combiner, Fiber Node, downstream/upstream RF plant, customer CM, set-top box and TV]
No segmentation: no PVLAN, no VACL.
Freely pivot between vendors and head end.
Exploit enterprise trust relationships.
If a vendor network, the CATV head end or the enterprise network is exploited, the trust relationships can then be easily used to pivot between networks.
Slide 12
Transport Network – Remote Support
[Diagram: OSS / NOC, Optical EMS, Enterprise and Internet Services around a multi-homed EMS server]
• Multi-homed EMS Server: SSH Access for Transport and Access Vendor
• Firewall Physically Bypassed
• Open Trust Relationship for SSH
Slide 13
Layer 2 Security Issues Prevalent
[Diagram: Routers on a shared segment; a Rogue Insider Crafted an HSRP coup packet with higher priority]
Common Issues
• STP / BPDU
• VTP
• VLAN Hopping
• ARP Poisoning
• FHRP
• Rogue DHCP Server
• Horizontal and Vertical Pivoting
Suggested Remediation
• BPDU and Root Guard
• Secure VTP
• Disable Dynamic Trunking
• Dynamic ARP Inspection
• Limit MACs per Port
• Secure FHRP
• DHCP Snooping, Disable DHCP Trust
• PVLANs, VACLs, DHCP Option 82
• L2 NetFlow
• Secure Information Flow Trust Relationships
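Detection for the rogue HSRP coup called out on this slide, as an added example that is not from the talk: it decodes HSRPv1 hello/coup payloads (UDP port 1985) and alerts when a known group sees an advertisement from a router outside the baseline or with a priority above the legitimate active router's. The group baseline, addresses and sample payloads are constructed for the example; securing FHRP with authentication is the remediation, this only spots the attempt.

```python
import struct
from dataclasses import dataclass

# HSRPv1 payload layout (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP = 20 bytes.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}

# Hypothetical baseline for the monitored segment: per group, the legitimate
# active router, its configured priority, and every router allowed to speak HSRP.
BASELINE = {
    1: {"active": "10.10.0.2", "priority": 110, "allowed": {"10.10.0.2", "10.10.0.3"}},
}

@dataclass
class HsrpMsg:
    src_ip: str
    opcode: str
    priority: int
    group: int
    vip: str

def parse_hsrp(src_ip: str, payload: bytes) -> HsrpMsg:
    """Decode the UDP/1985 payload of one HSRPv1 packet."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("short HSRP payload")
    ver, op, _state, _hello, _hold, prio, grp, _rsv, _auth, vip = struct.unpack(
        HSRP_FMT, payload[:20])
    if ver != 0:                      # HSRPv1 always carries version 0
        raise ValueError("not an HSRPv1 payload")
    return HsrpMsg(src_ip, OPCODES.get(op, f"op{op}"), prio, grp, ".".join(map(str, vip)))

def check_hsrp(msg: HsrpMsg) -> list:
    """Return alert strings for an advertisement that deviates from the baseline."""
    base = BASELINE.get(msg.group)
    if base is None:
        return [f"group {msg.group}: unknown HSRP group advertised by {msg.src_ip}"]
    alerts = []
    if msg.src_ip not in base["allowed"]:
        alerts.append(f"group {msg.group}: HSRP {msg.opcode} from unexpected source {msg.src_ip}")
    # A higher priority from anyone but the active router is the coup pattern
    # (a legitimate standby that preempts would also trip this, so review it).
    if msg.priority > base["priority"] and msg.src_ip != base["active"]:
        alerts.append(f"group {msg.group}: priority {msg.priority} from {msg.src_ip} "
                      f"exceeds active router's {base['priority']} (possible coup)")
    return alerts

def build_hsrp(opcode: int, priority: int, group: int, vip: str = "10.10.0.1") -> bytes:
    """Constructed sample payload for testing; not a captured packet."""
    return struct.pack(HSRP_FMT, 0, opcode, 16, 3, 10, priority, group, 0,
                       b"cisco".ljust(8, b"\x00"), bytes(int(o) for o in vip.split(".")))
```

Feed it `check_hsrp(parse_hsrp(src_ip, udp_payload))` for each HSRP packet seen on the segment; a coup from a host outside the baseline produces two alerts, a normal hello from the active router none.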
Slide 14
Bottom Line
Whitelist the Applications
Whitelist the Network Trust Relationships
Whitelist Trusted Information Flows in Monitoring
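A minimal form of the flow whitelisting this slide calls for, as an added example that is not from the talk: observed flow records are mapped to network zones and any flow whose zone pair, protocol and port is not an explicitly trusted relationship is reported. Zone addressing, the whitelist and the sample records are constructed; the reported flows mirror the earlier scenarios (Internet-sourced SSH to a management-side EMS, Enterprise reaching ICS with no firewall in between).

```python
import csv
import io
import ipaddress

# Constructed zone map; the addressing is assumed for the example.
ZONES = {
    "Enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "ICS":        ipaddress.ip_network("10.2.0.0/16"),
    "Management": ipaddress.ip_network("10.3.0.0/16"),
    "VendorVPN":  ipaddress.ip_network("192.168.100.0/24"),
}

# Whitelisted trust relationships: (src zone, dst zone, proto, dst port).
# Anything not listed is reported; that is the whitelist stance.
ALLOWED = {
    ("Enterprise", "Internet", "tcp", 443),
    ("Internet", "Enterprise", "tcp", 443),   # customer online bill payment only
    ("VendorVPN", "Management", "tcp", 22),   # dedicated vendor VPN for remote management
    ("Management", "ICS", "tcp", 22),         # ICS hosts reached from management only
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"

def audit_flows(records: str) -> list:
    """Return the flow records (as dicts) that match no whitelisted relationship."""
    violations = []
    for row in csv.DictReader(io.StringIO(records)):
        key = (zone_of(row["src"]), zone_of(row["dst"]), row["proto"].lower(), int(row["dport"]))
        if key not in ALLOWED:
            violations.append({**row, "path": f"{key[0]}->{key[1]}"})
    return violations

# Constructed NetFlow-style records, one flow per line.
SAMPLE_FLOWS = """src,dst,proto,dport
203.0.113.5,10.3.0.10,tcp,22
10.1.0.25,10.2.0.7,tcp,502
192.168.100.4,10.3.0.10,tcp,22
10.1.0.25,198.51.100.9,tcp,443
10.1.0.40,10.3.0.10,tcp,22
"""

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v['path']:24} {v['src']} -> {v['dst']} {v['proto']}/{v['dport']}")
```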
Slide 15
Questions?
[email protected] @PaulCoggin