Cyber impacts are typically viewed in isolation - yet paired with secondary effects or specific process targeting, they can result in outsized physical or reputational impacts. This talk will examine such attacks, their execution, and how Purple Teaming can incorporate these events in testing.
Cyber events are typically viewed in isolation as information-centric events, perhaps with some secondary effects on the victim organization's finances or reputation. Yet this perspective ignores the increasing physical consequences of cyber manipulation, the expanded attack surface created by growing inter-organization dependencies, and the potential for targeting operational or procedural "weak points" to propagate impacts into more secure or sensitive areas. Essentially, just as the idea of network isolation or "airgaps" no longer makes sense for defense, the idea of network defense as limited to the defended organization's "border" no longer applies either.
This talk will examine how critical operational dependencies, perceptions, and third-party relationships can be used to achieve not just initial network access, but potentially network or even physical disruption. Examples to illustrate this concept will include sequenced cyber impacts combined with information operations to create panic or reduce confidence in critical infrastructure; targeting up- or down-stream dependencies as a mechanism to bypass security to achieve outsized impacts; and leveraging proper timing to increase the impact of a cyber intrusion or disruption event.
The talk will cover these attack scenarios and their impacts, then conclude with how organizations must expand the scope of security testing, evaluation, and auditing to include such scenarios. Essentially, red (and purple) teaming no longer stops at the network border, but must include dependencies and external influencing factors to adequately map out true security risk. By designing intrusion scenarios that simulate such conditions, running wide-ranging table-top exercises, and incorporating third parties (from suppliers to vendors to service providers) in testing activity, organizations can prepare for the sequenced, dependency-focused attacks increasingly used by advanced adversaries. Failure to recognize and adapt to these trends will leave organizations unaware of, and ill-prepared for, an expanded attack surface built on modern network and operational inter-dependencies.
7. Take-Away
Attackers desire to cause disruption.
Complex systems require identification of specific pain-points.
Attackers are learning where these weak points exist – and are trying to exploit them.
8. Agenda
❑ Process and Operational Dependencies
❑ Targeted, Disruptive Attacks
❑ Implications and Risk
❑ Defense and Recovery
❑ Future Expectations
11. Functional Weaknesses
DEPENDENCIES ATTACKS IMPLICATIONS DEFENSE FUTURE 11
Complex operations and processes feature multiple dependencies.
Operational disruption is simplified by targeting a critical dependency.
The attacker needs to understand the operation – but once that understanding is achieved, attacks become more focused and economical.
16. 2014 Ukraine – Media Dependency
Compromise legitimate resources for election results.
Attempt to post fraudulent results to create disruption and confusion.
Amplify fraudulent results via other media platforms to increase impact.
18. 2015 Ukraine: Targeting Recovery
Disrupt electric distribution.
Inhibit control through a malicious serial-to-Ethernet converter firmware update.
Eliminate control center UPS.
Wipe operator workstations with KillDisk.
20. 2016 Ukraine: Targeting Protection
Induce transmission outage
• Cause disruptive event
• Anticipate rush to restoration
Remove operator view of environment
• Deploy wiper malware, knowing operators will manually recover
• Wiper becomes a "loss of view" condition
Remove relay protection via DoS
• DoS on protective relays to remove line protection
• Sets stage for destructive conditions on reconnection
24. 2018 United States: System Dependencies
ERP enables pipeline transfer operations through resource tracking and billing.
Disabling or modifying the ERP reduces operational effectiveness and system integrity.
Because the ERP sits on the critical path, the result is disruption to physical operations while the problem is diagnosed and recovered from.
26. 2019 United States: Impacting JIT Supply
Pipeline operations require "just in time", continuous operations to fulfill needs.
Removal or disruption of logical view and control inhibits operator control.
A cyber attack on pipeline-adjacent systems removes operational view and control, resulting in an inability to operate in a safe, controlled manner.
27. Consequences for Defenders
Defenders are comfortable protecting networks.
But network defense is frequently process-agnostic.
Adversaries attack networks to disrupt processes.
28. The Attacker Mindset
Adversaries have goals.
The nature and purpose of the goal determines the type of attack.
Cyber-focused attacks are a means to the goal.
Identifying routes to goals guides attacker behavior.
How a goal is achieved is often immaterial.
Attackers are ultimately judged on results.
30. Full-Scope Defense
First step in defense: understand the organization.
Map defense to process and organizational dependencies.
Build out detections, resilience, and recovery to match the possibilities.
31. First Step: Identify Value
Monetary
• Simple: How does the organization make (or not lose) money?
• Where are the sources of value generation and their dependents?
Functional
• What processes does the organization rely on to produce value?
• What are the critical path nodes necessary for process functionality?
Reputation
• What type of disruption can an organization withstand?
• Are there "acceptable losses" that can be sustained?
32. Next: Identify Cyber Overlap
What information systems map to critical value sources?
What IT capabilities are necessary to maintain and sustain value generation?
Does defensive capability and IT visibility overlap with critical assets?
33. Defense Includes Resilience, Recovery
Purely preventative defense is insufficient.
Organizations must plan for disruption and interference.
Network defenders must build in recovery and resilience to minimize value loss and down-time.
35. Blue vs. Red
Defensive Measures & Recovery Plans (Blue) vs. Comprehensive Attack Scenarios (Red) → Identify Gaps, Missed Vectors!
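One way to make the defense steps above (identify value and its critical path nodes, identify the cyber overlap, then pit comprehensive red scenarios against blue measures to find gaps) concrete is to write the dependency map down and query it. The following Python is an added example for this page, not code from the talk, its author or Dragos. The pipeline operator it models, every node name, the MONITORED set and the SCENARIOS are constructed assumptions; the graph semantics (a node works only if at least one alternative in each of its dependency groups works) is the author's choice for this example.

```python
"""Dependency-map triage for process-focused defense.

Added example; not code from the original talk, its author or Dragos.
Models an organization's value chain as a dependency graph, finds single
points of failure, and scores red-team scenarios against blue-team
visibility to surface gaps. Organization, node names, monitoring coverage
and scenarios are all constructed for illustration.
"""

# Constructed dependency map for a hypothetical gas pipeline operator.
# node -> list of dependency groups. A node works only if, for EVERY
# group, at least ONE alternative in that group works (an AND of ORs).
# Nodes that never appear as keys are leaves (nothing modeled below them).
DEPENDENCIES = {
    "gas_delivery_revenue":   [{"pipeline_transfer_ops"}],
    "pipeline_transfer_ops":  [{"scada_control"}, {"scheduling_and_billing"}],
    "scada_control":          [{"primary_hmi", "backup_hmi"}, {"field_plcs"}],
    "primary_hmi":            [{"control_center_ups"}, {"ad_domain"}],
    "backup_hmi":             [{"backup_site_ups"}, {"ad_domain"}],
    "scheduling_and_billing": [{"edi_provider"}, {"erp"}],
    "erp":                    [{"ad_domain"}],
}

# Constructed blue-team view: nodes with detection / visibility today.
MONITORED = {"primary_hmi", "ad_domain", "erp"}

# Constructed red-team scenarios: name -> nodes the attacker takes down.
SCENARIOS = {
    "third_party_edi_outage": ["edi_provider"],
    "wipe_primary_hmi":       ["primary_hmi"],
    "ups_then_both_hmis":     ["control_center_ups", "backup_site_ups"],
    "ad_domain_compromise":   ["ad_domain"],
}


def all_nodes(deps=DEPENDENCIES):
    """Every node named anywhere in the map (keys plus alternatives)."""
    return set(deps) | {alt for groups in deps.values()
                        for group in groups for alt in group}


def functional(root, failed, deps=DEPENDENCIES):
    """True if `root` still operates with every node in `failed` down.

    Assumes the map is acyclic (a layered value chain), so plain
    memoized recursion is enough.
    """
    memo = {}

    def ok(node):
        if node not in memo:
            if node in failed:
                memo[node] = False
            else:
                memo[node] = all(any(ok(alt) for alt in group)
                                 for group in deps.get(node, []))
        return memo[node]

    return ok(root)


def single_points_of_failure(root, deps=DEPENDENCIES):
    """Nodes whose loss alone stops `root`: the real critical path.

    Redundant components drop out of this list, but a dependency shared
    behind them (here the AD domain both HMIs rely on) stays in it.
    """
    return sorted(n for n in all_nodes(deps)
                  if n != root and not functional(root, {n}, deps))


def scenario_gaps(root, scenarios=SCENARIOS, monitored=MONITORED,
                  deps=DEPENDENCIES):
    """Score each red scenario: does it stop value generation, and would
    blue see any node it touches? Disruptive and unseen is a gap."""
    report = {}
    for name, nodes in scenarios.items():
        disruptive = not functional(root, set(nodes), deps)
        visible = bool(set(nodes) & monitored)
        report[name] = {"disruptive": disruptive, "visible": visible,
                        "gap": disruptive and not visible}
    return report


if __name__ == "__main__":
    root = "gas_delivery_revenue"
    print("single points of failure:", single_points_of_failure(root))
    for name, r in scenario_gaps(root).items():
        flag = "GAP" if r["gap"] else "ok "
        print(f"{flag} {name}: disruptive={r['disruptive']} "
              f"visible={r['visible']}")
```

Two results are worth reading off. The AD domain shows up as a single point of failure even though the two HMIs look redundant, because both depend on it; and the third-party EDI provider is both a single point of failure and unmonitored, which is exactly the kind of gap a red team scoped to the network border never surfaces. The `ups_then_both_hmis` scenario flags as a gap for the same reason the 2015 Ukraine sequencing worked: the attacker never touches a monitored node.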
37. Future Expectations - Attackers
Attackers are getting smarter and bolder.
Intrusions are becoming more targeted, with greater potential for disruption (or damage).
Organizational defense must evolve with adversaries to meet these challenges.
38. Future Expectations - Defenders
Cyber defense is more than just the network!
Defenders must understand how information systems control, impact, or enable organizational value creation.
A wider scope is necessary to implement and maintain the necessary level of defense.
40. Conclusion
Organization defense is more than cyber.
However – cyber is increasingly connected to multiple sources of value.
Understanding links and dependencies is key to achieving defense.
Adversaries understand these weaknesses, and are attacking them.
Defense must evolve, and cyber must become more contextually aware.
41. References
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS and E-ISAC (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)
• WIN32/Industroyer: A New Threat for Industrial Control Systems – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)
• TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping – FireEye (https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html)
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf)
• Attack on Natural Gas Network Shows Rising Cyberthreat – E&E News (https://www.eenews.net/stories/1060078327)
• Cyberattack Impacts MTSA Facility Operations – US Coast Guard (https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf)
• Ransomware Impacting Pipeline Operations – CISA (https://us-cert.cisa.gov/ncas/alerts/aa20-049a)
• Kicked While Down: Critical Infrastructure Amplification and Messaging Attacks – Joe Slowik (https://pylos.co/2019/08/13/kicked-while-down-critical-infrastructure-amplification-and-messaging-attacks/)
• Cyber and Information Operations – Joe Slowik (https://pylos.co/2019/07/31/cyber-and-information-operations/)