
Monitoring ICS Communications

Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.


  1. Instrumenting and Monitoring ICS & Embedded Networks – Liam Randall, Critical Stack, S4x14. S4x15 (Miami, FL), www.CriticalStack.com
  2. Liam Randall – Blue Side. CEO, Critical Stack; BS in Computer Science, Xavier University. Current projects: incident response; teaching Bro classes; Recon Detection Framework. Upcoming conferences: Jan 2015, ICS (Bro classes, speaking?); Feb 2015, MAAWG (Bro classes); Jan 2015, Shmoocon LABS (IDS team, Bro classes); Jan 2015, Flocon (Bro classes); Jan 2015, Shmoocon Epilogue (lab team, Bro classes). @Hectaman @CriticalStack #S4x15
  3. Executive Overview – What is our purpose. "The capital purchasing cycle and limited interface to ICS and embedded devices represents a persistent and pervasive threat to all sizes of enterprises. Advanced techniques and technologies are needed to address this threat." The Bro Platform.
  4. Agenda – Briefing Overview: 1. Overview – ICS & Embedded; 2. Current Techniques – Exploits, Field Data Background; 3. Bro Platform – Overview; 4. Monitoring – Bro Approach; 5. Enforcement – Sample Techniques; 6. End – Questions.
  5. Internet of Things – Device Management. Networks are now dominated by non-PC based devices.
  6. Growth of Embedded Devices – We are on the wrong side of math. [Chart: devices vs. population for 2003, 2010, 2015 and 2020, y-axis 0 to 50,000 (Cisco IBSG); devices per person 0.08x, 1.84x, 3.47x, 6.48x.] Trends against us: we are not only outnumbered, the devices are growing in complexity, computational power and variety. Lack of management tools: AV, HIDS, updates, policy. The result is a growing device management gap.
  7. Sample Device – ICS Controller. Capital investments: ICS, embedded, medical and infrastructure equipment is not easy to replace and may be designed to run for 30+ years (likewise embedded TVs, mobile devices, gaming devices, packages...). Hardware: embedded Linux; dynamic memory 16-64 Mb; flash memory 16-128 Mb; 32-bit PowerPC. Protocols: Sixnet, Modbus/TCP, DNP3, ARP, UDP, ICMP, DHCP, PPP... 10/100 Ethernet: 1 primary port (2 MACs), 4-port switch. Communication: telemetry, telephone (dialup, leased), radio... RS232, RS485, multiple configurations.
  8. Another Embedded Target – Similar Threat Surface. Sony SNC-RZ30n PTZ camera: Sony cameras come in a large number of configurations; this model appeared in 2003 and is similar to current models. I/O options: 3 alarm inputs, 2 alarm outputs, RS-232C, RS-485. Protocols: ARP, HTTP, FTP, SMTP, SNMP, DHCP, TCP/IP. 10/100 Ethernet, optional WiFi, expansion slots. 25x optical zoom; multiple codecs, frame rates, etc. System: embedded Linux, 8 MB of storage, expansion slots.
  9. Devices – Network of things?
  10. Traditional Techniques – Inadequate for Embedded / ICS. Security today: active network scanning (Nessus / Nmap); patch management programs; end users; syslog; anti-virus; HIDS (host-based IDS); host-based firewalls; signatures (bad stuff we know about); flow data; segmentation (air gaps, VLANs). #fail
  11. ICS Risks – Representative Attacks, a sample of compromises: ICS field traffic; watering hole attack; Carna botnet.
  12. Attack Scenario 1 – Unauthorized Access from Malicious Actor. ICS field traffic: real-world SCADA anomalies from a Fortune 20 sample.
  13. Modbus – 7 Days of Traffic (modified to anonymize the location; an actual real-world incident from Aug 2013). Curious anomalies: the frequency with which this host participates in the network does not make sense. Anomaly? 1 time, 1 host, 1 command, in a 7-day period. Examine Modbus: count all participants by exception. Normal comms: regular polling of data plus specialized traffic.
       Count    Orig          Resp           Errors
            1   10.67.4.147   10.18.226.13   -
            6   10.1.1.35     10.72.230.36   GATEWAY_TARGET_FAILED_TO_RESPOND
           18   10.1.1.35     10.60.30.73    ILLEGAL_FUNCTION
         5189   10.1.1.35     10.60.30.73    ILLEGAL_DATA_ADDRESS
       123513   10.1.1.35     10.60.30.73    -
       164312   10.1.1.35     10.60.230.36   -
  14. Attack Scenario 2 – Demonstration from 10/13. Watering hole attack leveraging vulnerable infrastructure: embedded devices may be turned against their operators.
  15. Sony SNC RZ30n – Firmware Update Process. Demo: deploying a malicious payload to clients. Start: recon, default creds. Step 1: authenticate to device. Step 2: enable FTP: http://<IP>/command/ftpserver.cgi?FtpServerFunc=on. Step 3: FTP: mkdir webhome. Step 4: upload resources. Step 5: install: http://<IP>/command/main.cgi?System=versionup. FAIL! :)
  16. Attack Scenario 3 – Un-Recognized Risks. ICS risks: leveraging vulnerable infrastructure; embedded devices may be turned against their operators.
  17. CVSS Scoring – CVE-2013-2802. Vulnerability overview: lots of vulnerabilities; this one is particularly bad. [Scoring table: exploitability (access vector, attack complexity, authentication); impact (confidentiality, integrity, availability); environmental (impact, collateral damage, % vulnerable); temporal (exploitability, fix available, vulnerability verified).] Actual score: 10.0; rank 9.
  18. ICS Threat Surface – Significantly larger than discussed. Embedded systems: systematic vulnerabilities cannot be addressed in a vacuum; within a system each component must be secured and monitored at numerous levels. Host/OS attack: attacker modifies the firmware (OS) of the device, or uploads/downloads malware, or maliciously reconfigures the device. ICS protocol attack: attacker injects or modifies ICS logic. Connectivity: DDoS, man-in-the-middle; availability affected. Network comms: partners, controllers, or the SCADA system itself maliciously modified. System attacks: HMI, historian and management systems attacked.
  19. Attack Scenario 3 – Who is attacking ICS systems? ICS honeypot: the 2013 Trend Micro ICS honeypot, representative of real-world conditions.
  20. Trend Micro ICS Honeypot – Threat type x GEO IP. Data breakdown, threat classification: reconnaissance 100%; unauthorized access 77%; unauthorized modification 15%; information disclosure 69%; device malware 23%; ICS protocol 15%. By the numbers: 18 hours until first attacks; 39 documented attacks; 12 unique targeted attacks; 13 repeated attacks from multiple sources. Link: www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf
  21. Attack Scenario 4 – Global embedded worm discovered by the Bro Platform. Carna botnet: the largest publicly known embedded worm, aka "Alien Worm", aka Internet Census 2012.
  22. Tracking Carna Botnet – The Team. Aashish Sharma, Lawrence Berkeley National Lab: works with an incredible team of IR; incredible speaker. Bro power user: catch and release with Bro; the system acts as an Internet telescope. Sample of anomalies: June 2011, Morto worm; June 2012, "Alien Worm"; June 2012, CVE-2012-2122 MySQL authentication bypass. Links: http://ee.lbl.gov, http://www.lbl.gov. [Image 1: Aashish Sharma]
  23. Carna Botnet – "Port scanning /0 using insecure embedded devices". Access: default credentials. Scope: /0 (420,000 devices; 25%). Payload: scan stuff. "..we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials." "..insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon." "The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture." http://internetcensus2012.bitbucket.org/paper.html
  24. Carna Botnet – Let's look at the payload. Directory listing of a compromised device: this is from one sample device; there would be minor differences between the 9 different architectures. Custom payload: 4 ARM binaries; revision Jun 28, 2012; activity back to May 30, 2012. "Hilinux" BusyBox: Linux (none) 2.6.24-rt1-hi3520v100 #2010033002 Wed Mar 31 13:05:50 EST 2010 armv6l unknown. Default password: root / <blank>, root / 123456. Daemon on tcp/210 (https://isc.sans.edu/port.html?port=210). 4K payload: scanning files, logs.
       -rwxr-xr-x 0 root root  8610 Jun 28 19:19 t2.arm_v6k
       -rwxr-xr-x 0 root root 13492 Jun 28 04:44 sp.arm_v6k
       drwxr-xr-x 0 root root     0 Jul 23  2007 run/
       -rw-r--r-- 0 root root    33 Jun 28 04:02 response
       -rw-r--r-- 0 root root   371 Jun 28 04:02 readme
       -rw-r--r-- 0 root root 49152 Jul  5 09:19 pz
       -rw-r--r-- 0 root root     0 Jul  3 13:01 j
       -rw-r--r-- 0 root root    33 Jun 28 04:02 idhash
       -rwxr-xr-x 0 root root  5013 Jun 28 19:19 ht.arm_v6k
       -rw-r--r-- 0 root root    33 Jun 28 04:02 challenge
       -rwxr-xr-x 0 root root 10938 Jun 28 04:05 b.arm_v6k
       -rw-r--r-- 0 root root    10 Jul  3 13:21 1.run
       -rw-r--r-- 0 root root    10 Jul  3 13:21 0.run
  25. Device – What do the devices look like? Dozens of vulnerable models: consider where in your network these resources would be deployed: sensitive areas, behind your firewall. One "Chinese" OEM: production traced back to a single OEM; initially very concerning. Retailed by: Meijer grocery stores, Sam's Club, Amazon.com, Costco, hundreds of retailers online. Links: https://www.q-see.com/, http://wansview.net/. [Image 1: vulnerable Wansview PTZ camera; Image 2: vulnerable Q-See DVR; Image 3: vulnerable Smarteye PTZ camera]
  26. A Picture – is worth 420,000 devices. Carna botnet details: most cameras are on Asian-based networks; scattered activity, single origin; SYN packets only. Top ASN (4134) = 25% of infections: ASN 4134 (CN), China Telecom. Top 5 ASNs = 50% of infections: ASN 3462 (TW), Data Communications Business Group; ASN 4837 (CN), China Unicom; ASN 9121 (TUR), Turk Telekom; ASN 4788 (MY), TM Net. Top 16 = 60% of infections; a long tail of infections; global in scope. http://internetcensus2012.bitbucket.org/paper.html
  27. Bro Platform – Overview: capabilities, use cases, and direction.
  28. Bro – is short for Big Brother. Bro is three things... The hardest part about Bro is that there are so many distinct use cases for the Bro Platform. 1. Bro Programming Language (BPL): a Turing-complete programming language; events on traffic, files and protocols; syntactically like Python. 2. Bro Platform: utilities to manage Bro, API, interfaces, etc. 3. Bro Apps: Bro-IDS, monitoring, vulnerability management, DLP, analysis, file analysis (really just Bro scripts).
  29. Bro Platform – Dozens of use cases. Bro has use cases in security, monitoring, reliability, discovery and compliance.
  30. Bro Functions – Three things Bro does. Protocol logs: detailed protocol logs for each network protocol, including logs for tunnels, IPv4/6, files and more. Alerts: Bro-IDS is preconfigured with a variety of signature and anomaly notifications. Actions: the Bro Programming Language is the real power; pivot to external applications, take advanced protocol-based decisions and more.
  31. Bro Functions – Sensor components: devices and servers feed a tap into the Bro sensor.
  32. Bro Functions – Protocol logs: a conn.log sample.
       ts          uid          id.orig_h       id.orig_p  id.resp_h       id.resp_p  proto  service
       time        string       addr            port       addr            port       enum   string
       1355284742  AZIHpPIejvi  192.168.4.138   68         192.168.4.1     67         udp    -
       1326727285  K4xJ9AKH56g  192.168.4.148   55748      196.216.2.3     33117      tcp    ftp-data
       1326727283  Jd11tlLtlE   192.168.4.148   58838      196.216.2.3     21         tcp    ftp
       1326727287  bVQHYKEz2b4  192.168.4.148   54003      196.216.2.3     31093      tcp    ftp-data
       1326727286  5Dki82HwJDk  192.168.4.148   58840      196.216.2.3     21         tcp    ftp
       1355284761  YSJ6DDKEzGk  70.199.104.181  8391       192.168.4.20    443        tcp    ssl
       1355284791  BqLVVfmVO6d  70.199.104.181  8393       192.168.4.20    443        tcp    ssl
       1355284761  ya3SvH6ZxX4  70.199.104.181  8408       192.168.4.20    443        tcp    ssl
       1355284812  sxrPWDvcGQ2  192.168.4.20    48433      67.228.181.219  80         tcp    http
       1355284903  vlvQgRiHE54  192.168.4.20    14655      192.168.4.1     53         udp    dns
       1355284792  gn5FV4jeOJ4  70.199.104.181  8387       192.168.4.20    443        tcp    ssl
       1355285010  uEb3j6nYBS7  59.93.52.206    61027      192.168.4.20    25         tcp    smtp
       1326962278  SE2LJ7PLwIg  189.77.105.126  3          192.168.4.20    3          icmp   -
       1326962279  T6rMQFaMCie  95.165.30.73    3          192.168.4.20    3          icmp   -
       1329400936  qtNmAmHhDM4  192.168.4.20    14419      65.23.158.132   6668       tcp    irc
       1329400884  cOctAcZusv2  192.168.4.20    32239      89.16.176.16    6666       tcp    irc
  33. Bro Functions – Alerts: a notice.log sample.
       #fields     ts          uid          id.orig_h      id.orig_p  id.resp_h        id.resp_p  proto  note
       #types      time        string       addr           port       addr             port       enum
       1359673187  TLDtWBOrstk  192.168.0.120  61537      50.76.24.57      8443       tcp    SSL::Invalid_Server_Cert
       1359673187  L4bDTmPqvs2  192.168.1.8    49540      174.143.119.91   6697       tcp    SSL::Invalid_Server_Cert
       1359673187  JAvYksFW1Qb  207.188.131.2  5373       160.109.68.199   8081       tcp    SSL::Invalid_Server_Cert
       1359673188  -            192.168.0.57   62220      216.234.192.231  80         tcp    Rogue_Access_Point
       1359673188  5OYpDdtlnfd  192.168.0.147  45009      93.174.170.9     443        tcp    SSL::Invalid_Server_Cert
       1359673188  -            192.168.0.147  36511      74.125.225.194   80         tcp    Rogue_Access_Point
       1359673188  -            -              -          -                -          -      Software::Vulnerable_Version
       1359673188  93CIvevOuxk  192.168.0.147  51897      98.136.223.39    8996       tcp    SSL::Invalid_Server_Cert
       1359673209  YpCOvC9p4Ef  208.89.42.50   48620      207.188.131.2    22         tcp    SSH::Login
       1359673210  SaKFGzmdXLl  207.188.131.2  11175      23.5.112.107     443        tcp    SSL::Invalid_Server_Cert
       1359673214  XLE8fYl5Tvg  207.188.131.2  11677      208.66.139.142   2145       tcp    SSL::Invalid_Server_Cert
       1359673214  -            192.168.1.120  60141      74.125.225.195   80         tcp    Rogue_Access_Point
       1359673218  NyPHd3qjIKe  208.89.42.50   43891      207.188.131.2    22         tcp    SSH::Login
       1359673223  0skn2N4oYbj  192.168.1.116  49249      15.201.49.137    80         tcp    HTTP::MD5
       1359673224  Q83ji8AFOO1  192.168.1.116  49250      15.192.45.26     80         tcp    HTTP::MD5
       1359673229  WU57HOSwkEj  208.89.42.50   62165      207.188.131.2    22         tcp    SSH::Login
  34. Bro Functions – Actions. Sensor components: devices and servers feed a tap into the Bro sensor. Extracted file analysis: signature analysis (active analysis!); Malware Hash Registry; intel comparison (OSINT, FS-ISAC, DOE CIRC...); active analysis (www.Malware-Tracker.com; static & dynamic analysis; Cuckoo box? Volatility); long-term analysis (coverage for mobile devices and embedded; post-compromise research; analysis of a copy of every EXE in the company); predictive analysis (AV, Malwarebytes!); open a ticket; content analysis (keywords, files).
  35. Atomic Intel – Network Monitoring: advanced atomic intelligence application.
  36. Terms & Definitions – Signature Detection vs. Anomaly Detection. Classically speaking, in the literature you will typically find IDSs broken into two distinct categories: signature-based or anomaly-based detection. Bro is designed to face next-generation challenges. Signature detection: atomic indicators (domains, file hashes, IPv4/6), traditional signatures, algorithms. Anomaly detection: traffic analysis, flow analysis, protocol analysis. Bro Platform: a hybrid system, the best of both worlds plus a programming language. Bro deployment: today we concentrate on that.
  37. Bro Intelligence Framework – Actual indicators. Feeds: ICSI SSL Notary; Team Cymru Malware Hash; internal feeds? OSINT: Abuse.ch, Malware Domain List, Spamhaus DROP. Pipeline: protocol, alerts, action. Sample notice: CRITs::Multiple_Campaign_Hits. Recently 2 items on the zzAPT campaign were hit; CRITs UIDs: 504f88abe0742e059a424144, 509697c6e0742e4d547a907d
  38. Bro Intelligence Framework – More effective use of atomic indicators. Where each kind of indicator is matched:
       Protocol   Location                 Intel type
       IP         Connection               Address
       DNS        Request, reply           Address, domain
       File       Hashes generated         Hash
       File       Name                     Name
       HTTP       Header HOST              Domain
       HTTP       Header REFERER           Domain
       HTTP       Header X-FORWARDED-FOR   Domain
       HTTP       Header USER-AGENT        Software
       SMTP       Header FROM              Domain
       SSL / TLS  X.509 certificate CN     Domain
       ...exhaustive to list all the permutations!
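The table above lists where an atomic indicator can show up; the matching itself is a normalisation step per location (pull the host out of a Referer URL, the CN out of a certificate subject, the domain out of a From header) followed by a set lookup. The following Python is an added example, not Bro's Intel framework and not code from the talk: it encodes the slide's (protocol, location, type) table, normalises each field the way that location needs, and reports hits over a constructed indicator feed and constructed log records. The field names follow Bro's conn, dns, http, smtp, ssl and files logs; the only deliberate departure from the table is that X-Forwarded-For is matched as an address, since that header carries client addresses rather than names.

```python
"""Atomic-indicator matching at the protocol locations tabulated on the
'More effective use of atomic indicators' slide.  Added example, not Bro's
Intel framework; indicator feed, records and field names are constructed
(names follow Bro's http/dns/files/smtp/ssl/conn logs)."""
import re
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

# (log, field) -> intel type, per the slide's table.  X-Forwarded-For is
# matched as an address here because the header carries client addresses.
INTEL_LOCATIONS: Dict[Tuple[str, str], str] = {
    ("conn", "id.orig_h"): "ADDR",
    ("conn", "id.resp_h"): "ADDR",
    ("dns", "query"): "DOMAIN",
    ("dns", "answers"): "ADDR",
    ("files", "md5"): "FILE_HASH",
    ("files", "filename"): "FILE_NAME",
    ("http", "host"): "DOMAIN",
    ("http", "referrer"): "DOMAIN",
    ("http", "x_forwarded_for"): "ADDR",
    ("http", "user_agent"): "SOFTWARE",
    ("smtp", "from"): "DOMAIN",
    ("ssl", "subject"): "DOMAIN",
}
MULTI_VALUED = {("dns", "answers")}  # comma-separated in Bro's ASCII logs


def norm_domain(value: str) -> str:
    """'Evil.Example.:8080' -> 'evil.example'"""
    return value.strip().lower().rstrip(".").split(":")[0]


def norm_url_host(value: str) -> str:
    """Referer carries a URL; compare its host part only."""
    return norm_domain(urlsplit(value).hostname or "") if "://" in value else norm_domain(value)


def norm_mail_domain(value: str) -> str:
    """'Mallory <mallory@evil.example>' -> 'evil.example'"""
    m = re.search(r"@([\w.-]+)", value)
    return norm_domain(m.group(1)) if m else ""


def norm_cert_cn(value: str) -> str:
    """Pull the CN out of an X.509 subject string."""
    m = re.search(r"CN=([^,]+)", value)
    return norm_domain(m.group(1)) if m else ""


def norm_software(value: str) -> str:
    """Product token of a User-Agent: 'DirBuster-1.0' -> 'DirBuster'."""
    return re.split(r"[/ -]", value.strip(), maxsplit=1)[0]


NORMALIZERS: Dict[Tuple[str, str], Callable[[str], str]] = {
    ("http", "referrer"): norm_url_host,
    ("smtp", "from"): norm_mail_domain,
    ("ssl", "subject"): norm_cert_cn,
    ("http", "user_agent"): norm_software,
    ("files", "md5"): lambda v: v.strip().lower(),
}


def match_record(log: str, record: Dict[str, str],
                 intel: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (log, field, intel_type, indicator) for every hit in one record."""
    hits = []
    for field, value in record.items():
        itype = INTEL_LOCATIONS.get((log, field))
        if itype is None:
            continue  # this field is not an intel location
        default = norm_domain if itype == "DOMAIN" else str.strip
        norm = NORMALIZERS.get((log, field), default)
        values = value.split(",") if (log, field) in MULTI_VALUED else [value]
        for v in values:
            seen = norm(v)
            if seen and seen in intel.get(itype, set()):
                hits.append((log, field, itype, seen))
    return hits


# Constructed indicator feed (TEST-NET address, reserved example names).
INTEL: Dict[str, Set[str]] = {
    "ADDR": {"203.0.113.7"},
    "DOMAIN": {"evil.example"},
    "SOFTWARE": {"DirBuster"},
    "FILE_HASH": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Constructed log records, one per Bro log type.
RECORDS: List[Tuple[str, Dict[str, str]]] = [
    ("conn", {"id.orig_h": "192.168.0.5", "id.resp_h": "203.0.113.7"}),
    ("dns", {"query": "evil.example", "answers": "203.0.113.7,203.0.113.8"}),
    ("http", {"host": "cdn.example", "referrer": "http://evil.example/landing",
              "user_agent": "DirBuster-1.0"}),
    ("smtp", {"from": "Mallory <mallory@evil.example>"}),
    ("ssl", {"subject": "CN=evil.example,O=Evil Corp"}),
    ("files", {"md5": "D41D8CD98F00B204E9800998ECF8427E", "filename": "update.bin"}),
]


def scan(records=RECORDS, intel=INTEL) -> List[Tuple[str, str, str, str]]:
    """Run every record through the location table; eight hits on the sample."""
    return [hit for log, rec in records for hit in match_record(log, rec, intel)]


if __name__ == "__main__":
    for hit in scan():
        print("Intel hit:", *hit)
```

The normaliser table is the part that matters in practice: an indicator feed of bare domains only hits a Referer or a certificate subject if the matcher extracts the comparable token first, which is why the slide stresses the number of locations rather than the number of indicators.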
  39. Signature Evasion – Threat actors modify their TTPs to evade detection efforts. Each file, IP, domain, etc. can be modified. Overly simplified example to communicate the concept: signature UserAgent="DirBuster"; evasion UserAgent="DirBreaker". Signature effectiveness: despite their evadability, signatures are still an effective weapon against particular types of threats and threat actors. More advanced threat actors are actively monitoring defensive TTPs, measuring attack success rates, and actively working to evade detection efforts.
  40. Socratic Ideal – Anomaly Detection. What should your network look like? You cannot secure what you do not understand. [Traffic graphs of the payload upload versus normal operation; legend: green HTTP, pink FTP-DATA, red FTP.]
  41. Viewing ICS & Embedded – Network Monitoring: defending ICS & embedded systems. More Bro.
  42. "Ground Truth" – A real record of communication (Bro conn.log). What should your network look like? You cannot secure what you do not understand. Service counts during the payload upload versus normal operation:
       Payload upload:
       $ less conn.log | bro-cut service | sort | uniq -c | sort -n
            11 ftp
            15 http
           158 ftp-data
       Normal:
       $ less conn.log | bro-cut service | sort | uniq -c | sort -n
            14 http
  43. Deeper Inspection – Protocol and Payload Details. Whitelist or blacklist activity and behavior on your network? Bro gives you access to the internals of each protocol in real time as it happens. http.log URIs during the payload upload:
             1 /command/all-configuration.cgi
             1 /command/ftpserver.cgi
             1 /command/main.cgi
            11 /command/inquiry.cgi
             1 /command/inquiry.cgi?inqjs=camctrlright
             1 /command/ptzf.cgi?AreaZoom=94,35,158,62
             2 /command/inquiry.cgi?inqjs=tvstandard
             2 /command/ptzfctrlright/inquiry.cgi
             3 /command/inquiry.cgi?inqjs=sysinfo
            64 /command/ptzf.cgi
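The service histogram on slide 42, the URI histogram on slide 43 and the participants-by-exception table on slide 13 are all one operation: read a Bro TSV log, pick columns, count. The Python below is an added example (not code from the talk or from Critical Stack) that does that without bro-cut: a small reader for Bro's #fields header, a count_by that mirrors bro-cut | sort | uniq -c, the slide-13 (originator, responder, exception) table, and the rule the slide implies, flagging a pair that appears only once against a background of regular polling. The conn.log and modbus.log excerpts, including uids and timestamps, are constructed; the column names are the ones Bro writes for those two logs.

```python
"""Baselining Bro logs: service histogram and Modbus participants counted
by exception.  Added example, not code from the slides; the log excerpts
are constructed in the #fields layout Bro's ASCII log writer emits."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed conn.log excerpt (tab separated, as Bro writes it).
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1355284742\tC1aaaa\t192.168.4.20\t48433\t67.228.181.219\t80\ttcp\thttp
1355284743\tC2bbbb\t192.168.4.148\t58838\t196.216.2.3\t21\ttcp\tftp
1355284744\tC3cccc\t192.168.4.148\t55748\t196.216.2.3\t33117\ttcp\tftp-data
1355284745\tC4dddd\t192.168.4.148\t54003\t196.216.2.3\t31093\ttcp\tftp-data
1355284746\tC5eeee\t192.168.4.138\t68\t192.168.4.1\t67\tudp\t-
"""

# Constructed modbus.log excerpt; 'exception' is '-' when the slave answered.
MODBUS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1375315200\tM1\t10.1.1.35\t40001\t10.60.30.73\t502\tREAD_HOLDING_REGISTERS\t-
1375315201\tM2\t10.1.1.35\t40002\t10.60.30.73\t502\tREAD_HOLDING_REGISTERS\t-
1375315202\tM3\t10.1.1.35\t40003\t10.60.30.73\t502\tREAD_HOLDING_REGISTERS\tILLEGAL_DATA_ADDRESS
1375315203\tM4\t10.1.1.35\t40004\t10.72.230.36\t502\tREAD_COILS\tGATEWAY_TARGET_FAILED_TO_RESPOND
1375315204\tM5\t10.1.1.35\t40005\t10.72.230.36\t502\tREAD_COILS\t-
1375315205\tM6\t10.67.4.147\t40006\t10.18.226.13\t502\tWRITE_SINGLE_REGISTER\t-
"""


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Turn a Bro ASCII log into dicts keyed by the names in its #fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def count_by(rows: Iterable[Dict[str, str]], *keys: str) -> Counter:
    """Same result as `bro-cut k1 k2 ... | sort | uniq -c`, keyed by tuple."""
    return Counter(tuple(row[k] for k in keys) for row in rows)


def uniq_c(counts: Counter) -> List[str]:
    """Render a Counter the way `uniq -c | sort -n` prints it."""
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [f"{n:>7} {' '.join(key)}" for key, n in ordered]


def modbus_participants(rows: Iterable[Dict[str, str]]) -> Counter:
    """Slide 13's table: each (originator, responder, exception) triple with its count."""
    return count_by(rows, "id.orig_h", "id.resp_h", "exception")


def rare_pairs(rows: Iterable[Dict[str, str]], at_most: int = 1) -> List[Tuple[str, str]]:
    """Originator/responder pairs seen no more than `at_most` times in the window.
    Against regular polling, a host that speaks Modbus once is the
    '1 time, 1 host, 1 command' anomaly the slide asks about."""
    pairs = count_by(rows, "id.orig_h", "id.resp_h")
    return sorted(pair for pair, n in pairs.items() if n <= at_most)


if __name__ == "__main__":
    conn = parse_bro_log(CONN_LOG)
    print("\n".join(uniq_c(count_by(conn, "service"))))
    modbus = parse_bro_log(MODBUS_LOG)
    print("\n".join(uniq_c(modbus_participants(modbus))))
    print("rare pairs:", rare_pairs(modbus))
```

The threshold in rare_pairs is deliberately a parameter: on the slide's real data the singleton pair stands out against six-figure counts, but on a small site a pair seen six times in a week may be just as interesting, so the window length and the cut-off are something to fit to the polling schedule rather than fixed constants.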
  44. ICS Specific Protocols – Protocol and Payload Details. Know thyself, part II: you do need an understanding of what normal means to you. modbus.log, hosts by device type:
       host             device_type
       58.107.168.125   Known::MODBUS_MASTER
       58.107.168.121   Known::MODBUS_SLAVE
       58.107.168.123   Known::MODBUS_MASTER
       58.107.168.119   Known::MODBUS_SLAVE
       58.107.168.121   Known::MODBUS_MASTER
       Normal? (58.107.168.121 appears as both a slave and a master.)
  45. ICS Specific Protocols – Protocol record; what actually happened in the SCADA system. Know thyself, part II: you do need an understanding of what normal means to you. modbus_register_change.log (columns shown appear to be host, register, old value, new value, delta):
       58.107.168.121  6350  53774  48652  0.515266
       58.107.168.121  6352   8002  13124  0.515266
       58.107.168.121  6354  16244  26487  0.515266
       58.107.168.121  6368  52973  28967  0.515266
       58.107.168.121  6370  14484  22486  0.515266
       58.107.168.121  5020   8884      0  0.021755
       58.107.168.121  5021    548      0  0.021755
       58.107.168.121  5022   8840      0  0.021755
  46. Bro Policies – Pinning embedded & ICS behavior. More Bro.
  47. Who? – Should be there? Bro script excerpt:
       # Expected devices, keyed by address and role; populated via redef.
       const known_modbus: set[addr, ModbusDeviceType] &redef;
       # Devices already reported, so each rogue raises one notice.
       global rogue_modbus: set[addr, ModbusDeviceType] &redef;

       # Inside the Modbus request handler (braces added; the slide shows only
       # the statements):
       if ( [master, MODBUS_MASTER] !in known_modbus &&
            [master, MODBUS_MASTER] !in rogue_modbus )
            {
            NOTICE([$note=Rogue_Modbus,
                    $msg="Rogue modbus master detected",
                    $sub="MODBUS_MASTER",
                    $id=c$id]);
            # Remember this master so the notice is not repeated.
            add rogue_modbus[master, MODBUS_MASTER];
            }
  48. ICS Peer Groupings – Partner Pinning. Bro script excerpt:
       # Approved master -> slave pairs, and the pairs actually observed
       # (declarations assumed; only the statements appear on the slide).
       global known_modbus_pairs: table[addr] of set[addr] &redef;
       global discovered_modbus_pairs: table[addr] of set[addr];

       # Pin one master to its approved slave.
       known_modbus_pairs[58.107.168.123] = set();
       add known_modbus_pairs[58.107.168.123][58.107.168.121];

       # On each Modbus exchange, record what was seen...
       if ( master !in discovered_modbus_pairs )
            discovered_modbus_pairs[master] = set();
       add discovered_modbus_pairs[master][slave];
       # ...and test it against the approved pairs.
       if ( master in known_modbus_pairs && slave in known_modbus_pairs[master] )
            return;   # approved pairing
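The two excerpts above are the whole of the pinning idea: one set answers "is this host allowed to be a Modbus master (or slave) at all?", one table answers "is this master allowed to talk to this slave?", and a second set of each kind suppresses repeat notices. The Python below is an added example, not the talk's Bro policy: it expresses both checks over a sequence of (master, slave) observations instead of Bro connection events, using the addresses from the slides' modbus.log as the inventory and a constructed traffic sequence in which the inventoried slave 58.107.168.121 starts polling 58.107.168.119 itself, the situation slide 44 asks "Normal?" about.

```python
"""Modbus master/slave pinning: the 'Who? Should be there?' and 'Partner
Pinning' checks in Python over (master, slave) observations.  Added
example, not the talk's Bro policy; inventory addresses come from the
slides' modbus.log, the traffic sequence is constructed."""
from typing import Dict, Iterable, List, Set, Tuple

MASTER = "MODBUS_MASTER"
SLAVE = "MODBUS_SLAVE"
Notice = Tuple[str, str, str]  # (note, msg, host)


class ModbusPinning:
    """Mirror of the Bro state: known_modbus (set[addr, type]) and
    known_modbus_pairs (table[addr] of set[addr]); rogue_modbus and
    discovered_modbus_pairs make each notice fire once."""

    def __init__(self, known_modbus: Iterable[Tuple[str, str]],
                 known_pairs: Dict[str, Iterable[str]]) -> None:
        self.known_modbus: Set[Tuple[str, str]] = set(known_modbus)
        self.known_pairs: Dict[str, Set[str]] = {m: set(s) for m, s in known_pairs.items()}
        self.rogue_modbus: Set[Tuple[str, str]] = set()
        self.discovered_pairs: Dict[str, Set[str]] = {}
        self.notices: List[Notice] = []

    def observe(self, master: str, slave: str) -> List[Notice]:
        """Apply both policies to one Modbus request; return the notices it raised."""
        before = len(self.notices)
        # Who? Is each endpoint an expected device *in that role*?  A host
        # inventoried only as a slave that issues requests is a rogue master.
        for host, role, word in ((master, MASTER, "master"), (slave, SLAVE, "slave")):
            key = (host, role)
            if key not in self.known_modbus and key not in self.rogue_modbus:
                self.notices.append(("Rogue_Modbus", f"Rogue modbus {word} detected", host))
                self.rogue_modbus.add(key)
        # Partner pinning: is this master approved to talk to this slave?
        seen = self.discovered_pairs.setdefault(master, set())
        if slave not in seen:
            seen.add(slave)
            if slave not in self.known_pairs.get(master, set()):
                self.notices.append(("Unapproved_Modbus_Pair",
                                     f"{master} -> {slave} is not an approved pairing", master))
        return self.notices[before:]


def run_demo() -> ModbusPinning:
    """Constructed sequence: normal polling, then the inventoried slave
    58.107.168.121 turns around and polls 58.107.168.119 itself."""
    policy = ModbusPinning(
        known_modbus={("58.107.168.123", MASTER), ("58.107.168.121", SLAVE)},
        known_pairs={"58.107.168.123": {"58.107.168.121"}},
    )
    for master, slave in [("58.107.168.123", "58.107.168.121"),
                          ("58.107.168.123", "58.107.168.121"),
                          ("58.107.168.121", "58.107.168.119"),
                          ("58.107.168.121", "58.107.168.119")]:
        for note, msg, host in policy.observe(master, slave):
            print(f"{note}: {msg} ({host})")
    return policy


if __name__ == "__main__":
    run_demo()
```

Keying the inventory on (address, role) rather than address alone is what lets the second check catch the slide-44 case: 58.107.168.121 is a legitimate device, but only as a slave, so its first request as a master is a rogue-master notice and its pairing with 58.107.168.119 is an unapproved pair, and neither repeats on the next exchange.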
  49. Real Time Response – On Violation, Extract Files. Bro script excerpt:
       # Servers and the protocol analyzers they are expected to speak, and
       # violations already noted (declarations assumed; only the add/if
       # lines appear on the slide).
       global approved_comms: set[addr, Analyzer::Tag] &redef;
       global unapproved_comms: set[addr, Analyzer::Tag];

       add approved_comms[192.168.0.236, Analyzer::ANALYZER_HTTP];

       # First time a server is seen speaking an unapproved protocol: note it
       # and extract the file carried by that connection.
       if ( [c$id$resp_h, atype] !in approved_comms &&
            [c$id$resp_h, atype] !in unapproved_comms )
            {
            add unapproved_comms[c$id$resp_h, atype];
            Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
            }
  50. Questions?
  51. Thank you! BYE!
