Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Companies that have had their industrial networks attacked from the outside usually don’t realize it at all, or if they do, that knowledge probably comes a year or more after the initial incident. Why? Companies don’t understand their own networks well enough to know when something is happening that shouldn’t be happening. There is no practical way to apply concepts of digital forensic investigation if you don’t understand your own networks. Robert M. Lee and Matthew E. Luallen will discuss how you can analyze and document your systems well enough to perform incident response and learn from those attacks. Your ability to know every detail about your systems is the biggest advantage you have when trying to secure your systems. Put that knowledge to work.

Published in: Education
  1. Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems
  2. Speakers:
     • Matt Luallen, Co-Founder, Dragos Security LLC
     • Robert M. Lee, Co-Founder, Dragos Security LLC
     • Peter Welander, Content Manager, Control Engineering, CFE Media
  3. Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems
     Matt E. Luallen and Robert M. Lee
  4. 1. Identifying a Compromise
     • How to determine you’ve been hacked
       – What are simple things you can do NOW to detect
       – Capabilities of hackers and general attack scenario
     • Be cautious in performing an active response immediately!
       – Keep in mind that the indication may be an outcome of months of backdoors or possibly just a false indicator
  5. Hacked – assumptions
     • At this time you must assume two things
       – Your communications and capabilities are being eavesdropped upon
       – Your assets can be denied service or misused
     • Does the hack immediately appear as if it can impact the entire operation? Could there be loss of life? Are you authorized to perform any changes, such as the extreme situation of taking the operations offline? Do you have an out-of-band communication capability?
  6. 2. What’s Next?
     • After you’ve been compromised:
       – Tools available to identify and analyze intrusions
       – Handling “too much” data
       – Contact the right people
         • Internal
         • Trusted Peers
         • Vendors
         • Government
  7. Trustworthiness Validation
     • Interview personnel for history of odd behavior
       – (e.g. strange emails, system behavior, phone calls, control operations)
     • Physical facility inspections
       – Any devices and attributes that are abnormal
     • Review and compare system baselines to active host settings
       – Host images (Windows, *nix, Applications)
       – Processed logic
       – Device firmware
       – Network communications
     • Review operational logs for indicators
       – Historian, OPC, HMI, IT system logging and any other log-enabled device
     • Do you have mechanisms to compare active systems to known good images and communication profiles?
     • What if you do not have the capabilities in house?
       – Do you have an outsourcing agreement in place to manage incidents?
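Slide 7 asks whether you can compare active systems to known-good images and communication profiles. The following is an added example, not code from the presentation or from Dragos Security: it diffs a constructed known-good baseline of a hypothetical HMI host (services, file digests, and its recorded network conversations) against a constructed live snapshot and reports every deviation for an analyst to review. All hostnames, addresses, paths and digests are made up.

```python
"""Added example, not from the presentation: diff a known-good host baseline
against a live snapshot (slide 7). All hosts, paths, digests and flows are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str

@dataclass
class HostState:
    services: set       # running service names
    file_hashes: dict   # path -> file digest (placeholder strings here)
    flows: set          # Flow objects seen from this host

def diff_host(baseline: HostState, observed: HostState) -> dict:
    """Differences between the known-good image/communication profile and the
    live host. A deviation is an indicator to investigate, not proof of
    compromise (slide 4: the indication may be a false indicator)."""
    changed = {p: (baseline.file_hashes[p], h) for p, h in observed.file_hashes.items()
               if p in baseline.file_hashes and baseline.file_hashes[p] != h}
    return {
        "new_services": sorted(observed.services - baseline.services),
        "missing_services": sorted(baseline.services - observed.services),
        "changed_files": changed,
        "new_files": sorted(set(observed.file_hashes) - set(baseline.file_hashes)),
        "unexpected_flows": sorted(observed.flows - baseline.flows,  # outside the profile
                                   key=lambda f: (f.src, f.dst, f.port, f.proto)),
    }

# Constructed baseline from a known-good image of hypothetical HMI host 10.0.10.5.
BASELINE = HostState(
    services={"HMIRuntime", "OPCServer", "EventLog"},
    file_hashes={"C:/HMI/runtime.exe": "digest-runtime-v1",
                 "C:/HMI/project.cfg": "digest-project-v1"},
    flows={Flow("10.0.10.5", "10.0.20.11", 502, "modbus"),    # HMI -> PLC polling
           Flow("10.0.10.5", "10.0.10.2", 135, "opc-dcom")},  # HMI -> OPC server
)
# Constructed live snapshot of the same host taken during the investigation.
OBSERVED = HostState(
    services={"HMIRuntime", "OPCServer", "EventLog", "RemoteSvcHelper"},
    file_hashes={"C:/HMI/runtime.exe": "digest-runtime-v1",
                 "C:/HMI/project.cfg": "digest-project-v2"},   # project logic changed
    flows={Flow("10.0.10.5", "10.0.20.11", 502, "modbus"),
           Flow("10.0.10.5", "10.0.10.2", 135, "opc-dcom"),
           Flow("10.0.10.5", "198.51.100.7", 443, "tls")},     # peer not in profile
)
```

Running `diff_host(BASELINE, OBSERVED)` lists the extra service, the changed project file and the conversation to a peer that is not in the communication profile; each is a lead for the log review and facility inspection steps on the same slide, not a verdict.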
  8. 3. How Do We Prepare?
     • Preparing before or after the compromise
       – Tools for monitoring traffic
       – Creating chokepoints and understanding
       – Questions to ask to determine your readiness
     • Future Efforts and Research Needed
       – PLC/PAC/Embedded Device specific tools
       – Validation, customization, and testing of known methodologies/tools
  9. Follow on discussions at: www.DragosSecurity.com
  10. Speakers:
     • Matt Luallen, Co-Founder, Dragos Security LLC
     • Robert M. Lee, Co-Founder, Dragos Security LLC
     • Peter Welander, Content Manager, Control Engineering, CFE Media
  11. Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems