Об угрозах информационной безопасности, актуальных для разработчика СЗИ
Stu t18 b
1. Session ID:
Session Classification:
▶ Slide▶ of 26
xxx-xxxx
xxxxxxxxxxxx
Stuxnet Lessons for
Defenders
William Cheswick
cheswick.com
http://www.cheswick.com/ches
1
Monday, February 18, 13
2. ▶ Presenter
Logo
▶ Slide▶ of 762
▶ I have never mounted a
sophisticated cyber attack, nor have I
been cleared for official training.
The observations here come from
twenty years of evil thoughts and
pondering offensive cyber activities.
Note:
Monday, February 18, 13
3. ▶ Presenter
Logo
▶ Slide▶ of 763
▶ “Security people are paid to think bad
thoughts”
▶ - Bob Morris
Monday, February 18, 13
4. ▶ Presenter
Logo
▶ Slide▶ of 26
Goals
Espionage
Damage
Loss of confidence
False flag operations
4
Monday, February 18, 13
5. ▶ Presenter
Logo
▶ Slide▶ of 26
Damage
Soft damage
Can be very subtle, and disrupt operations for
years.
Hard damage
best if replacement equipment is scarce
massive attack can overwhelm supply chains
It is also much harder to do
5
Monday, February 18, 13
6. ▶ Presenter
Logo
▶ Slide▶ of 26
Soft Damage
Erasing or changing data
Subverting or destroying backups.
Make operators take the wrong
action
Perhaps convince management
that the project is not worthwhile
6
Monday, February 18, 13
7. ▶ Presenter
Logo
▶ Slide▶ of 26
Hard Damage
Destroying hardware
disk crashes?
Flash has a limited number of writes
Damage or destroy equipment
Take out a dam, blow
transformers, etc.
7
Monday, February 18, 13
8. ▶ Presenter
Logo
▶ Slide▶ of 26
“Gremlin attack”
Reduce confidence in the venture
Make them reject certain
approaches
“Cursing” a technique, certain
equipment, or people
8
Monday, February 18, 13
9. ▶ Presenter
Logo
▶ Slide▶ of 26
False flag operations
Attribution is the major problem
in information warfare these days
Make it look like someone else is
doing something bad
9
Monday, February 18, 13
10. ▶ Presenter
Logo
▶ Slide▶ of 26
Exploits
Day 0 exploits are rare,
expensive, and have a shelf life
Standard attacks still work
Crypto
BBB
“social engineering” i.e. spy
techniques
10
Monday, February 18, 13
11. ▶ Presenter
Logo
▶ Slide▶ of 2611
software hacks
day 0 exploits
expensive, single use, has a shelf life
well-known exploits on old software
(which is common)
email/web injection
USB sticks
Gain access
Monday, February 18, 13
13. ▶ Presenter
Logo
▶ Slide▶ of 26
People
network administrators
key engineers/scientists
13
Monday, February 18, 13
14. ▶ Presenter
Logo
▶ Slide▶ of 26
the Official Map
ping/traceroute
SNMP dumps
reverse DNS
passive packet monitoring
activity of people (see above)
14
Network
Monday, February 18, 13
15. ▶ Presenter
Logo
▶ Slide▶ of 26
industrial controllers
network gear
client hosts
misc. devices
often not updated
15
Devices
Monday, February 18, 13
16. ▶ Presenter
Logo
▶ Slide▶ of 26
Feedback
Operational progress, i.e.
debugging
Espionage
16
Monday, February 18, 13
17. ▶ Presenter
Logo
▶ Slide▶ of 26
Exfiltrating Data
To the Internet
VPNs
stego: TCP headers, web requests, email, etc.
Depends on the volume, which can be huge
Over the cell network
USB sticks/laptops/cell phones?
strip search on your way out?
17
Monday, February 18, 13
18. ▶ Presenter
Logo
▶ Slide▶ of 26
Attacker’s concerns
Getting noticed
Getting caught
Expending exploits
Misleading information
the double agent problem
Wasting time and money
18
Monday, February 18, 13
19. ▶ Presenter
Logo
▶ Slide▶ of 26
Attacker’s concerns
Controlling exponential growth
Morris worm
Stuxnet got away, after a while
19
Monday, February 18, 13
20. ▶ Presenter
Logo
▶ Slide▶ of 7620
▶We know these attacks are real, and we know
that you don’t have to be separating uranium
isotopes to be worth all this effort.
Monday, February 18, 13
21. ▶ Presenter
Logo
▶ Slide▶ of 2621
You may well be a target
Attacks, even APT attacks, are
relatively cheap
There is virtually no downside for
the attackers
Monday, February 18, 13
22. ▶ Presenter
Logo
▶ Slide▶ of 26
There are weak points in
these attacks
Discovery phase can create brief
signatures on the network and in
hosts.
Secret honeypots and sentinels
can force attackers to show their
hand
Deception toolkits
22
Monday, February 18, 13
23. ▶ Presenter
Logo
▶ Slide▶ of 26
Some thoughts
Require deep monitoring of your
own people
Data exfiltration could be
detectable
Boot from clean operating
system sources
23
Monday, February 18, 13
24. ▶ Presenter
Logo
▶ Slide▶ of 26
Network monitoring
Detect all SNMP activity
Low TTL packets are highly
suspect (traceroute of any kind)
Any usual net activity
High-entropy packets and flows
Day 0 backups for comparisons
24
Monday, February 18, 13
25. ▶ Presenter
Logo
▶ Slide▶ of 26
Network topography
Internet gateway? Really?
Bulkheads and enclaves.
25
Monday, February 18, 13
26. Session ID:
Session Classification:
▶ Slide▶ of 26
xxx-xxxx
xxxxxxxxxxxx
Stuxnet Lessons for Defenders
William Cheswick
cheswick.com
http://www.cheswick.com/ches
26
Monday, February 18, 13