
ICS Network Security Monitoring (NSM)


Robert Caldwell and Chris Sistrunk of Mandiant at S4x15 OTDay

A presentation on techniques and tools to detect attacks on your ICS.

Published in: Technology


  1. You Don’t Know What You Can’t See: Network Security Monitoring in ICS
     Chris Sistrunk, Senior Consultant; Rob Caldwell, Principal Consultant. S4x15
  2. Agenda (© Mandiant, A FireEye Company. All rights reserved.)
     - Overview of NSM
     - Instrumenting an ICS
     - Examples and Case Study
     - Tools
     - Conclusion
     - Questions
  3. If ICS are so vulnerable, why haven’t we seen more attacks?
  4. Two Key Reasons
     1. Intention
     2. Visibility
  5. Intention. Why are targeted attacks different?
     - It’s a “Who”, not a “What”…
     - They are professional, organized and well funded…
     - If you kick them out, they will return
  6. Visibility. We are not looking! “Prevention is ideal, but Detection is a must…”
  7. Visibility (figure only)
  8. The IOC problem. There are numerous sources of IOCs, which are a means to describe threat data such as evidence of compromise/activity, attacker methodology, or malware; for example, the recent “Ongoing Sophisticated Malware Campaign” from ICS-CERT. What do you do with this? Most ICS operators have no capability to consume IOCs, much less generate them for “information sharing”. Common sources of ICS IOCs are ICS-CERT, US-CERT, and many of the recent “vendor” reports.
  9. Network Security Monitoring. “The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise.” (The Practice of Network Security Monitoring)
     Timeline:
     - Cliff Stoll, “Stalking the Wily Hacker”, 1988
     - Todd Heberlein et al., “A Network Security Monitor”, 1990
     - US Air Force, Defense Information Systems Agency, Lawrence Livermore National Lab: early 1990s
     - NetRanger, RealSecure, Snort and many others: late 1990s to early 2000s
     - Formal definition of NSM: 2002
  10. The NSM Cycle: Collection, Detection, Analysis
     - Model for action, based on network-derived data
     - Requires people and process, not just technology
     - Focuses on the adversary, not the vulnerability
  11. Methods of Monitoring
     - Network tap – physical device which relays a copy of packets to an NSM server
     - SPAN or mirrored ports – switch configuration which sends copies of packets to a separate port where NSM can connect
     - Host NIC – configured to watch all network traffic flowing on its segment
     - Serial port tap – physical device which relays serial traffic to another port, usually requires additional software to interpret data
     (Figure: tap products from Fluke Networks and Stratus Engineering)
  12. Types of Data Collected
     - Full content data – unfiltered collection of packets
     - Extracted content – data streams, files, Web pages, etc.
     - Session data – conversation between nodes
     - Transaction data – requests and replies between nodes
     - Statistical data – description of traffic, such as protocol and volume
     - Metadata – aspects of data, e.g. who owns this IP address
     - Alert/log data – triggers from IDS tools, tracking user logins, etc.
  13. Difficulties for NSM
     - Encrypted networks
     - Widespread NAT
     - Devices moving between network segments
     - Extreme traffic volume
     - Privacy concerns
     Issues that most ICS do not face!
  14. Example ICS (Figure: Enterprise/IT, DMZ and Plant Control zones; Web, Historian or other DB, DCS, Historian, HMI, and PLCs, Controllers, RTUs, PACs)
  15. Anatomy of an Attack. Over all Mandiant attack investigations, only a little more than half of victim computers have malware on them. While attackers often use malware to gain an initial foothold, they quickly move to other tactics to execute their attacks.
     Attack lifecycle: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission.
     Evidence of compromise:
     - Unauthorized use of valid accounts
     - Known & unknown malware
     - Command & control activity
     - Suspicious network traffic
     - Files accessed by attackers
     - Valid programs used for evil purposes
     - Trace evidence & partial files
  16. Attacker Objectives
     Attacker’s goals:
     - Damage equipment
     - Affect or steal process info
     - Cause safety or compliance issue
     - Pivot from vulnerable ICS to enterprise
     Attacker’s options:
     - Gain physical access to an ICS host
     - Gain remote access to an ICS host
     - Compromise a highly-privileged client machine with access to the ICS network
     (Figure: the example ICS, with SCADA in place of DCS)
  17. NSM Collection
     - Firewall logs
     - NetFlow data
     - NIDS/HIDS
     - Full packet capture or NetFlow
     - Windows logs and syslog
     - SNMP (CPU % etc.)
     - Alerts from security agents (AV, whitelisting, etc.)
     (Figure: the example ICS showing where collectors sit: enterprise technology collectors with logs and/or an agent, network sensors, and devices that supply logs only)
  18. What Are We Looking For?
     - Exceptions from baseline (e.g. A talks to B but never C)
     - “Top Talkers”
     - Unexpected connectivity (to Internet, business network)
     - Known malicious IPs and domains
     - Logins using default accounts
     - Error messages that could correlate to vulnerabilities
     - Unusual system and firewall log entries
     - Host-based IDS or other security system alerts
     - Unexpected file and firmware updates
     - Antivirus alerts
     - And others…
  19. NSM Detection. Analyst looks at detected anomalies or alerts, then escalates to IR.
     - IDS alerts
     - Anomaly detection
     - Firmware updates, other commands
     - Login with default credentials
     - High CPU or network bandwidth
     - Door alarms when nobody is supposed to be working
     - Devices going off-line or behaving strangely
     (Figure: the example ICS with the detection point marked)
  20. NSM Analysis. Incident responders analyze the detected anomalies to find evil.
     - Application exploitation
     - Third-party connections (ex. ICCP or vendor access)
     - ICS-specific communication protocol attacks (ex. Modbus, DNP3, Profinet, EtherNet/IP)
     - Remote access exploitation
     - Direct network access due to poor physical security
     - USB-delivered malware
     (Figure: the example ICS)
  21. Top Talkers. FlowBat characterizes NetFlow data, showing which nodes have the most traffic. (Figure labels: Web traffic, NetBIOS, NTP)
  22. Address Spoofing. NetworkMiner can find potential ARP spoofing (as well as many other indicators).
  23. Bro IDS Logs. Bro parses Modbus and DNP3 packets; ELSA consolidates Bro logs. (Figure: Modbus and DNP3 log excerpts)
  24. IDS GUIs. Alerts in Sguil of scanning activity.
  25. Malformed Modbus. Deep packet inspection of Modbus by Wireshark.
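Slides 23 and 25 depend on a parser (Bro, Wireshark) that understands Modbus/TCP well enough to notice a frame that does not match its own header. The decoder below is an added example, not code from the talk or from those tools: it checks the MBAP header of constructed Modbus/TCP frames, lists spec violations as malformed, and separates write commands (the "other commands" of slide 19) and exception responses so an analyst can look at those first. The frames and their labels are constructed for the example.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header (transaction id, protocol id, length, unit id)
# followed by the PDU (function code + data). The MBAP length field counts the unit id
# plus the PDU, so a well-formed frame satisfies len(frame) == 6 + length.
MBAP = struct.Struct(">HHHB")

# Function codes that change controller state; worth an alert when they come from a host
# that is not the expected HMI or engineering workstation.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP frame; 'malformed' lists spec violations, 'write' names a write."""
    result = {"malformed": [], "write": None, "exception": None}
    if len(frame) < MBAP.size + 1:
        result["malformed"].append("shorter than MBAP header plus function code")
        return result
    tid, pid, length, uid = MBAP.unpack_from(frame)
    func = frame[MBAP.size]
    result.update(tid=tid, unit=uid, function=func & 0x7F)
    if pid != 0:
        result["malformed"].append(f"protocol id {pid} is not 0")
    if length != len(frame) - 6:
        result["malformed"].append(f"MBAP length {length} but frame carries {len(frame) - 6}")
    if func & 0x80:  # exception response: a single exception-code byte follows
        result["exception"] = frame[8] if len(frame) > 8 else None
    elif func in (3, 4) and len(frame) >= 12:  # read registers: quantity must be 1..125
        quantity = struct.unpack_from(">H", frame, 10)[0]
        if not 1 <= quantity <= 125:
            result["malformed"].append(f"read quantity {quantity} outside 1..125")
    if func in WRITE_FUNCTIONS:
        result["write"] = WRITE_FUNCTIONS[func]
    return result

# Constructed frames (not captures from the talk): a clean read, a truncated read,
# a read with an out-of-range quantity, a register write, and an exception response.
SAMPLE_FRAMES = {
    "clean_read":   bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "truncated":    bytes.fromhex("0002 0000 0006 01 03 0000"),
    "bad_quantity": bytes.fromhex("0003 0000 0006 01 03 0000 0100"),
    "write_reg":    bytes.fromhex("0004 0000 0006 01 06 0010 00ff"),
    "exception":    bytes.fromhex("0005 0000 0003 01 83 02"),
}

def triage(frames):
    """Sort frame names into the three buckets an analyst would look at first."""
    buckets = {"malformed": [], "writes": [], "exceptions": []}
    for name, frame in frames.items():
        r = parse_modbus_tcp(frame)
        if r["malformed"]:
            buckets["malformed"].append(name)
        if r["write"]:
            buckets["writes"].append(name)
        if r["exception"] is not None:
            buckets["exceptions"].append(name)
    return buckets
```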
  26. Syslog. Syslog can be configured to send to the Security Onion (SO) server, or detected in network traffic if sent elsewhere.
  27. Case Study – ICS Operator. 15 minutes of network traffic capture data revealed external DNS requests (to some dubious hosts…).
  28. Abnormal DNS Traffic. “Strange” DNS requests originating from within the ICS.
  29. Abnormal DNS Traffic. DNS requests shown in ELSA.
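The checks named on slides 18, 21 and 27-29 (exceptions from a baseline, top talkers, and DNS requests leaving the ICS) can all be run over the session data Bro writes to conn.log. The script below is an added example, not code from the talk or from FlowBat/ELSA: the log rows, the host roles, the conversation baseline and the 10.10.1.0/24 ICS range are constructed assumptions, and the resolver address is a documentation-range placeholder.

```python
import ipaddress
from collections import Counter

# Constructed rows in Zeek/Bro conn.log column order (a subset of its fields); these are
# not captures from the talk. Assumed roles: 10.10.1.20 is an HMI, .30 an engineering
# workstation, .5 and .6 controllers, 10.10.2.40 a business-network file server.
CONN_LOG = """\
1421000000.1\t10.10.1.20\t50123\t10.10.1.5\t502\ttcp\tmodbus\t1200\t900
1421000001.2\t10.10.1.20\t50124\t10.10.1.6\t20000\ttcp\tdnp3\t800\t650
1421000002.3\t10.10.1.30\t50125\t10.10.1.5\t502\ttcp\tmodbus\t300\t200
1421000003.4\t10.10.1.30\t50126\t10.10.2.40\t445\ttcp\t-\t250000\t4000
1421000004.5\t10.10.1.20\t50127\t198.51.100.53\t53\tudp\tdns\t70\t120
"""
FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "orig_bytes", "resp_bytes")

# Baseline of expected conversations, as learned from a quiet period (constructed here).
BASELINE = {("10.10.1.20", "10.10.1.5"), ("10.10.1.20", "10.10.1.6"), ("10.10.1.30", "10.10.1.5")}
ICS_NETS = [ipaddress.ip_network("10.10.1.0/24")]

def parse_conn_log(text):
    """Turn tab-separated conn.log rows into dicts, skipping Zeek's '#' header lines."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line and not line.startswith("#")]

def baseline_exceptions(rows, baseline):
    """Slide 18: A talks to B but never C, so flag every (src, dst) pair outside the baseline."""
    return sorted({(r["orig_h"], r["resp_h"]) for r in rows} - baseline)

def top_talkers(rows, n=3):
    """Slide 21: bytes per host in either direction, busiest first (FlowBat's view in miniature)."""
    bytes_by_host = Counter()
    for r in rows:
        total = int(r["orig_bytes"]) + int(r["resp_bytes"])
        bytes_by_host[r["orig_h"]] += total
        bytes_by_host[r["resp_h"]] += total
    return bytes_by_host.most_common(n)

def external_dns(rows, ics_nets):
    """Slides 27-29: DNS requests from an ICS host to a resolver outside the ICS range."""
    def in_ics(ip):
        return any(ipaddress.ip_address(ip) in net for net in ics_nets)
    return [(r["orig_h"], r["resp_h"]) for r in rows
            if r["service"] == "dns" and in_ics(r["orig_h"]) and not in_ics(r["resp_h"])]

if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    print("baseline exceptions:", baseline_exceptions(rows, BASELINE))
    print("top talkers:", top_talkers(rows))
    print("external DNS:", external_dns(rows, ICS_NETS))
```

The engineering workstation's SMB session to the business network and the HMI's DNS query both surface as baseline exceptions, which is the "unexpected connectivity" item on slide 18 falling out of the same check.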
  30. NSM Tools. Security Onion Linux distribution – easy to install and lots of documentation. “Peel Back the Layers of Your Network”
     - Full packet capture – Tcpdump/Wireshark/NetworkMiner
     - Extracted content – Xplico/NetworkMiner
     - Session data – Bro/FlowBat
     - Transaction data – Bro
     - Statistical data – Capinfos/Wireshark
     - Metadata – ELSA (Whois)
     - Alert data – Snort, Suricata, Sguil, Snorby
  31. Security Onion Tools (figure only)
  32. Security Onion Implementation
     - Test in a lab first
     - Select a suitable hardware platform: more RAM is better; a bigger hard drive is better (longer retention)
     - Mirrored/SPAN port on router/switch or a good network tap
     - Select proper placement of the SO sensor (see The Practice of Network Security Monitoring and Applied Network Security Monitoring)
     - Work with the right stakeholders if placing in production
  33. NetFlow Tools. SiLK & FlowBAT
     - Install on Security Onion with 2 scripts
     - www.flowbat.com
  34. Takeaways
     - You can implement NSM in ICS today – without impacting your operations
     - ICS IoCs are becoming more common – need tools to look for them
  35. People… …the most important part of NSM!
     - Gigabytes of data and 1000s of IDS alerts are useless without interpretation
     - Analyze data collected to understand what’s normal – and what’s not
     - Identify adversary TTPs and act to disrupt them
     Remember, adversaries are a “Who”, not a “What”.
  36. Set the Right Goal
     - DETECT: ICS network instrumented with security technology and monitored by security personnel
     - RESPOND: Effective process for response to ICS cyber security incidents
     - CONTAIN: Business continuity and DR planning consider ICS asset compromise
     (Figure labels: Showing evidence of conformance/compliance; Finding indications of compromise)
  37. Redefine the Win. Kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives (http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf). Halting the attacker anywhere in the cycle stops them from achieving their objective.
  38. NSM References/Resources
     - The Cuckoo’s Egg by Cliff Stoll; 1-hour NOVA special (1990): https://www.youtube.com/watch?v=EcKxaq1FTac
     - The Practice of Network Security Monitoring by Richard Bejtlich: http://www.nostarch.com/nsm
     - Applied Network Security Monitoring by Chris Sanders & Jason Smith: http://www.appliednsm.com/
     - The NSM Wiki: http://nsmwiki.org
     - Security Onion distribution: http://securityonion.net
  39. Questions? chris.sistrunk@mandiant.com (@chrissistrunk), robert.caldwell@mandiant.com (@robac3)
