CEBIT 2013 - Workshop Presentation
 

"Is antivirus an efficient tool for industrial network protection."
Presentation Transcript

  • 1. Workshop: Is antivirus an efficient tool for industrial network protection?
    Marcelo Branquinho & Jan Seidl
    CEBIT - March of 2013, Hannover, Germany
    www.tisafe.com - TI Safe Segurança da Informação LTDA, 2007-2008. All rights reserved.
  • 2. Presenters
    Marcelo Branquinho (marcelo.branquinho@tisafe.com)
      • CEO at TI Safe.
      • Senior member of ISA and committee member of ANSI/ISA-99.
      • Researcher in security technologies to protect critical infrastructure.
    Jan Seidl (jan.seidl@tisafe.com)
      • Technical Coordinator at TI Safe.
      • Expert in risk analysis in automation systems.
      • Researcher in the field of malware engineering.
  • 3. Follow us!
      • Twitter: @tisafe
      • SlideShare: www.slideshare.net/tisafe
      • Facebook: www.facebook.com/tisafe
      • Flickr: http://www.flickr.com/photos/tisafe
  • 4. You don't have to copy... http://www.slideshare.net/tisafe
  • 5. Workshop Agenda
      • Malware in automation networks
      • There is no silver-bullet/turnkey solution
      • Signature-based detection is almost useless
      • Bonus: Free tools can also bypass AV
      • IDPS and Whitelisting
      • Defense in depth and segmentation
      • Training and awareness: Educating users
      • Finding "Patient Zero" and regaining control through "Divide and Conquer"
      • Closing comments
      • Audience Q&A
  • 6. Malware in SCADA networks
  • 7. Vectors of infection
      • Exploits
      • Removable media (pen drives, external HDs)
      • Shared networks
      • External networks (connections with other companies' networks)
      • 3G networks
      • Virtual Private Networks (VPNs)
      • Disgruntled employees
      • Lack of user expertise (clicking on links and attachments ...)
  • 8. The "Happy clicker" user: "I should click here!"
  • 9. Vectors of spreading
      • Exploits
      • Removable media (pen drives, external HDs)
      • Shared network drives
      • External networks (connections with other companies' networks)
      • 3G networks
      • VPNs
  • 10. Possible infection impacts
      • Unavailability of engineering and supervisory workstations.
      • Unavailability of control servers.
      • Unavailability of controllers (PLCs, IEDs, RTUs).
      • Disruption of the control network.
      • Loss of data.
      • Intellectual property theft.
      • Physical damage.
      • Loss of human lives.
      • Environmental damage.
  • 11. Impact
  • 12. Documented Incidents in Brazil
    | Incident       | # Cases |
    |----------------|---------|
    | Malware        | 5       |
    | Human error    | 14      |
    | Device failure | 7       |
    | Others         | 4       |
    Picture: Documented industrial incidents in Brazil until December of 2012. Source: TI Safe Knowledge Base.
    In most cases of contamination observed in our customers, there was an antivirus solution installed on the infected hosts... that wasn't able to detect and prevent the spread of infection throughout the network.
  • 13. There is no silver-bullet / turn-key solution :( and there never will be.
  • 14. Why? Security is a concept, not a monolithic solution. Many solutions working together build up security. Don't trust "all-in-one" solutions (UTMs, applications that work in multiple areas, etc.).
  • 15. Why? You need the best solution for each area. Each vendor has expertise in its own area and probably won't master all of them at the same time. Security is not only for your hosts but also for your networks and personnel.
  • 16. Signature-based detection is almost useless
  • 17. Why? Signatures are based on known patterns in files. What about unknown threats? Polymorphism isn't something new. A wide variety of malware has its source code available. Anybody can change it, recompile it and... VOILÁ!
  • 18. Why? Remember: hackers don't follow patterns!
  • 19. Why? We tested some free hacking tools against antivirus software from popular vendors...
  • 20. Why? ... and got some interesting and alarming results.
  • 21. Antivirus solutions tested
      • McAfee Antivirus Plus 2012
      • Kaspersky Antivirus 2012
      • Panda Antivirus Pro 2012
      • Trend Titanium Maximum Security 2012
      • Microsoft Security Essentials
      • E-SET NOD32 Antivirus 5
      • F-Secure Antivirus 2012
      • avast! Pro Antivirus 6
      • AVG Anti-Virus FREE 2012
      • Sophos Anti-Virus 7
      • Norton Antivirus 2012
    All antivirus software tested (except for the free ones) was obtained from the websites of their manufacturers in the 32-bit evaluation version (English). All antivirus solutions were installed with the 'Recommended' setting.
  • 22. Test Results Matrix (antivirus solutions tested vs. attacks executed)
    Columns: McAfee = McAfee Antivirus Plus 2012, Kaspersky = Kaspersky Antivirus 2012, Panda = Panda Antivirus Pro 2012, Trend = Trend Titanium Maximum Security 2012, Norton = Norton Antivirus 2012, F-Secure = F-Secure Antivirus 2012, avast! = avast! Pro Antivirus 6, AVG = AVG Anti-Virus FREE 2012, Sophos = Sophos Anti-Virus 7, MSE = Microsoft Security Essentials, ESET = E-SET NOD32 Antivirus 5. A cell gives the detection name reported; "-" = not detected (the filled red blocks on the original slide: OWNED!).

    | #  | Attack executed | McAfee | Kaspersky | Panda | Trend | Norton | F-Secure | avast! | AVG | Sophos | MSE | ESET |
    |----|-----------------|--------|-----------|-------|-------|--------|----------|--------|-----|--------|-----|------|
    | 1  | EICAR | EICAR test file | EICAR-Test-File | EICAR-AV-TEST-FILE | Eicar_test_file | EICAR Test String | Trojan.Generic.6567028 | EICAR Test-NOT virus!!! | EICAR_Test | EICAR-AV-Test | DOS/EICAR_Test_File | Eicar test file |
    | 2  | Metasploit EXE Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/EncPk-ACE | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan |
    | 3  | Metasploit EXE Default Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan |
    | 4  | Metasploit EXE Notepad Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Trj/Genetic.gen | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan |
    | 5  | Metasploit EXE Notepad Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | Trj/Genetic.gen | - | - | Backdoor.Shell.AC | Win32:SwPatch | Win32/Heur | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan |
    | 6  | Metasploit EXE SkypePortable Template (shikata_ga_nai) | Swrort.d | Trojan.Win32.Generic | - | - | - | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan |
    | 7  | Metasploit LOOP-VBS Default Template (no encryption) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AA trojan |
    | 8  | Metasploit LOOP-VBS Default Template (shikata_ga_nai) | Swrort.f | Trojan.Win32.Generic | Script Blocked | TROJ_SWRORT.SME | Packed.Generic.347 | Backdoor.Shell.AC | Win32:SwPatch | - | Mal/Swrort-C | Trojan.Win32/Swrort.A | a variant of Win32/Rozena.AH trojan |
    | 9  | Shellcodexec Default w/ VBS launcher | Generic.tfr!i | Trojan.Win32.Genome.vrrg | Trj/CI.A | - | Trojan.Gen | Trojan.Generic.6567028 | Win32:Malware-gen | Trojan Generic22.KPM | Mal/Generic.L | - | Win32/ShellcodeRunner.A trojan |
    | 10 | TI Safe Modded Shellcodeexec (w/ VBS launcher) | - | - | Script Blocked | - | - | - | - | - | - | - | - |
    | 11 | TI Safe Modded Shellcodeexec (Custom EXE w/ embedded payload) | - | - | - | - | - | Backdoor.Shell.AC | - | Trojan Generic22.SND | - | Trojan.Win32/Swrort.A | - |
    | 12 | TI Safe Custom Payload Launcher | - | - | - | - | - | - | - | - | Mal/FakeAV-FS | - | - |
    | 13 | Metasploit PDF (adobe_utilprintf) | Exploit.PDF.bk.gen | Exploit.JS.Pdfka.cil | - | HEUR_PDFEXP.B | Bloodhound.Exploit.21 | Exploit.PDF-JS.Gen | JS:Pdfka-gen | Script/Exploit | Troj/PDFJs-B | Trojan.Win32/Swrort.A | JS/Exploit.Pdfka.NOO trojan |
    | 14 | Metasploit PDF (adobe_pdf_embedded_exe) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_SWRORT.SME | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | Win32:SwPatch | Exploit.PDF | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFW trojan |
    | 15 | Metasploit PDF (adobe_pdf_embedded_exe_nojs) | Swrort.f | Trojan.Win32.Generic | Suspicious File | TROJ_PIDIEF.SMEO | Bloodhound.PDF.24 | Exploit.PDF-Dropper.Gen | PDF:Launchr-C | Exploit | Mal/Swrort-C | Trojan.Win32/Swrort.A | PDF/Exploit.Pidief.PFT trojan |
    | 16 | Metasploit Java Applet | - | - | - | - | - | - | - | - | - | - | - |
  • 23. Test Results: AVs can't stop targeted attacks and custom malware. Java-based malware is even tougher to detect.
  • 24. Test Results: Most of the antivirus solutions were unable to detect the threat in memory. Remember: antivirus products were developed for home and corporate use, not for automation plants.
  • 25. Test results: Infections and detections by malware type
  • 26. Test results: Detection and infection rates
  • 27. Test results: our final ranking (score = number of the 16 attacks detected)
    | # | Antivirus | Score |
    |---|-----------|-------|
    | 1 | F-Secure 2012, Sophos 7 | 13 |
    | 2 | McAfee Plus 2012, Kaspersky 2012, Avast! Pro 6, Microsoft Security Essentials, E-SET NOD32 5 | 12 |
    | 3 | Panda Pro 2012 | 11 |
    | 4 | Norton 2012, AVG FREE 2012 | 9 |
    | 5 | Trend Titanium Maximum Security | 8 |
  • 28. Detect behaviours, not patterns. Use up-to-date network-based and host-based IDPS. Yes, they also use pattern-based signatures, but most of them also have behavior detection schemes. Some antivirus products are shipped with a Host IDPS so the two work together.
  • 29. Whitelisting is better than Blacklisting (Photo credit: Codinghorror)
  • 30. Whitelisting is better than Blacklisting. Because you can't list ALL malicious URLs and/or keywords. Stop your internal dialog! You CAN'T! Get over it :)
  • 31. Whitelisting is also not bulletproof: "No Tools? No Problem! Building a PowerShell Botnet", Christopher "@obscuresec" Campbell at Shmoocon Firetalks 2013, http://bit.ly/150V4fM
  • 32. The defense in depth
  • 33. The defense in depth (layered diagram): Locks, cameras etc.; Firewalls, IDPS, data diodes; Segmentation, VLANs, port-mirrored IDS; Whitelisting software, HIDPS, central logging; WAFs, strong architecture; Encryption and access control. (Photo credit: Sentrillion)
  • 34. Network Segmentation: The zones and conduits model as proposed by ANSI/ISA-99
  • 35. Educating Users: Promote workshops and "security days" to raise awareness. Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall. Even less that they can ruin plant processes by clicking on a link sent by that hot girl they have been chatting with for weeks.
  • 36. Never forget what your users mean to your security
  • 37. Containing an outbreak
  • 38. Finding patient zero
  • 39. Finding patient zero: You'd better have monitoring! Find hosts that are communicating with ports and hosts they shouldn't, producing unusual network noise. Perform forensic analysis on suspected hosts to confirm the infection date. Find the first infection point (Mark Zero). Try to determine how it happened. Close the hole.
  • 40. Cleaning by dividing & conquering
  • 41. Cleaning by dividing & conquering: Isolate clean networks from infected ones. Create a clean copy of the infected network structure. Reinstall infected hosts from known-good backups and place them in the clean network copy to avoid reinfection. Destroy and set fire to the infected network (fire actually not needed).
  • 42. Closing Comments
  • 43. Closing Comments: Sophisticated malware or unknown vulnerabilities (zero-days) easily overcome the protection provided by most antivirus solutions. We can assure you that no anti-virus solution on the market is able to provide complete protection for automation networks. These solutions lead companies to have a "false sense of security". It's absolutely necessary to use complementary controls.
  • 44. Closing Comments: We recommend the following security practices: Segment your network according to the zones and conduits model as specified by the ANSI/ISA-99 standard. Perform periodic reviews of the firewall and IPS rules that protect automation networks, driven by best practices. Configure your protection software with customized SCADA signature packages (IT rules are almost useless in automation networks).
  • 45. Closing Comments: We recommend the following security practices: Enforce control over any device that is connected to the SCADA network (third-party laptops, removable media, modems, etc.). Performing deep inspection of new software before it is installed can increase the security level and prevent infections. Do not allow the use of e-mail and web access from inside the automation network by any means and, where possible, apply critical computer security patches according to vendor recommendations.
  • 46. Closing Comments: Our experience shows that the disinfection of a contaminated SCADA network is costly in time and resources, complex, and depends on the cooperation of manufacturers for success, which makes the process slow. We encourage the international community to create a best-practices guide for automation network disinfection that will serve as a baseline for companies experiencing this problem to regain control over their control networks in a planned and fast way.
  • 47. Closing Comments: Companies should be prepared for the worst and have a contingency plan. It's essential to have automated backup tools installed on servers as well as a redundant critical automation network.
  • 48. Audience Q&A ???
  • 49. We can help you! Marcelo.branquinho@tisafe.com, Jan.seidl@tisafe.com. Rio de Janeiro: +55 (21) 2173-1159. São Paulo: +55 (11) 3040-8656. Twitter: @tisafe. Skype: ti-safe. Opening first office in Europe next Q2/2013.
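Slides 34 and 39 above describe the zones-and-conduits model and hunting for patient zero through network monitoring; the Python below, added here and not part of the TI Safe presentation, ties the two together by checking constructed flow records against a hypothetical conduit whitelist and ranking off-policy hosts by the time their off-policy traffic started. The zone map, conduit list, host addresses and flow log are all constructed, and intra-zone traffic is assumed to be out of scope for this check.

```python
"""Finding patient zero from monitoring data (added example, constructed data):
flows that do not ride an allowed zone-to-zone conduit are off-policy; the host
whose off-policy traffic started first is the candidate first infection point."""
from datetime import datetime

# Hypothetical zone layout (host -> zone) and allowed conduits
# (source zone, destination zone, destination port); both are constructed.
ZONES = {"10.1.0.11": "control", "10.1.0.12": "control",          # PLCs
         "10.2.0.21": "supervisory", "10.2.0.22": "supervisory",  # HMI, EWS
         "10.3.0.31": "dmz"}                                      # historian
CONDUITS = {("supervisory", "control", 502),   # Modbus/TCP to the PLCs
            ("supervisory", "dmz", 1433)}      # HMI to historian database

# Constructed flow log, "timestamp src dst dport", deliberately unsorted.
FLOWS = """\
2012-11-02T08:00:01 10.2.0.21 10.1.0.11 502
2012-11-02T09:20:15 10.2.0.21 203.0.113.7 8080
2012-11-02T08:00:05 10.2.0.22 10.1.0.12 502
2012-11-02T09:13:40 10.2.0.22 203.0.113.7 8080
2012-11-02T09:14:02 10.2.0.22 10.1.0.11 445
2012-11-02T09:21:00 10.2.0.21 10.3.0.31 1433"""

def parse_flows(text):
    """Turn the log into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def is_allowed(src, dst, dport):
    """Intra-zone traffic is not a conduit and is not judged here; traffic
    between zones (unknown hosts count as external) must match a conduit."""
    src_zone = ZONES.get(src, "external")
    dst_zone = ZONES.get(dst, "external")
    return src_zone == dst_zone or (src_zone, dst_zone, dport) in CONDUITS

def suspicious_hosts(flows):
    """Map each host with off-conduit traffic to its earliest such flow."""
    first_seen = {}
    for ts, src, dst, dport in flows:
        if not is_allowed(src, dst, dport):
            if src not in first_seen or ts < first_seen[src]:
                first_seen[src] = ts
    return first_seen

def patient_zero(flows):
    """Candidate 'Mark Zero': the suspect whose off-policy traffic started first.
    Confirm the infection date with host forensics before acting on it."""
    seen = suspicious_hosts(flows)
    return min(seen, key=seen.get) if seen else None

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for host, ts in sorted(suspicious_hosts(flows).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(), host, "zone=" + ZONES.get(host, "external"))
    print("candidate patient zero:", patient_zero(flows))
```

The engineering workstation is flagged before the HMI even though its flows appear later in the unsorted log, which is why the ranking uses the earliest timestamp per host rather than log order.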