The document provides a preliminary report on analyzing the Stuxnet malware from a cyber warfare perspective. A team of 26 security experts collaborated on the report. The report aims to understand how Stuxnet works, find signs of attribution, develop countermeasures, and examine its potential use in cyber warfare. The report analyzes the Stuxnet source code and variants, explains how it infiltrates systems and targets industrial control systems, and proposes a multi-layered defense-in-depth strategy as a countermeasure.
Balancing Your Internet Cyber-Life with Privacy and Securityevolutionaryit
A quick yet expansive overview of internet security and privacy basics in plain English. The digital world can be a dangerous place, this presentation will give you the practical knowledge to protect yourself.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The following lecture will cover very advanced techniques and trade craft of subversive multi-vector threat's (SMT's) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field. It is important to understand that APT's have a long history and though typically not talked about unless you are dealing with Governments, Defense Industrial Base (DIB), research organizations and global financials are all too real. The techniques and tradecraft associated are so mature and diverse, they literally go undetected. Today’s Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, Ca), have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any mediums necessary for the completing their operational charter and missions. In most instances, these attacks are sponsored by nation state and sub-national entities either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs and while advancing in an in-depth discussion on SMT's, crypto-virology, asymmetric forms of information gathering, recent use cases and next generation countermeasures for detecting and defending these types of attacks. Lastly, as we predicted last fall on the rise of the APT's into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Balancing Your Internet Cyber-Life with Privacy and Securityevolutionaryit
A quick yet expansive overview of internet security and privacy basics in plain English. The digital world can be a dangerous place, this presentation will give you the practical knowledge to protect yourself.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The following lecture will cover very advanced techniques and trade craft of subversive multi-vector threat's (SMT's) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field. It is important to understand that APT's have a long history and though typically not talked about unless you are dealing with Governments, Defense Industrial Base (DIB), research organizations and global financials are all too real. The techniques and tradecraft associated are so mature and diverse, they literally go undetected. Today’s Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, Ca), have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any mediums necessary for the completing their operational charter and missions. In most instances, these attacks are sponsored by nation state and sub-national entities either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs and while advancing in an in-depth discussion on SMT's, crypto-virology, asymmetric forms of information gathering, recent use cases and next generation countermeasures for detecting and defending these types of attacks. Lastly, as we predicted last fall on the rise of the APT's into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
This is a presentation held at eLiberatica 2008.
http://www.eliberatica.ro/2008/
One of the biggest events of its kind in Eastern Europe, eLiberatica brings community leaders from around the world to discuss about the hottest topics in FLOSS movement, demonstrating the advantages of adopting, using and developing Open Source and Free Software solutions.
The eLiberatica organizational committee together with our speakers and guests, have graciously allowed media representatives and all attendees to photograph, videotape and otherwise record their sessions, on the condition that the photos, videos and recordings are licensed under the Creative Commons Share-Alike 3.0 License.
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
Cyber espionage attacks have been aware of for around 10 years. Security vendors keep inventing new technology to defend against attack. Many solutions look fancy, however breaches keep happening. People spent a lot of budget to improve their fences, but the effectiveness of these security products remains doubtful. In Taiwan, we have more than 10 years history with cyber espionage attacks. Government, enterprises, and security vendors were fighting hard with threat actors, but new victims still got compromised day by day.
In recent years, a lot of Japanese government agencies, defense industry, enterprises are suffering from cyber attacks from cyber espionage groups. We keep seeing breaches and incidents from news. We believe many victims still have no good strategy to defend and control the situation.
In this talk, cyber espionage attacks in the last decade would be discussed from Asia Pacific region’s point of view. We’ll discuss why security solutions didn’t work, how actors easily bypassed those fancy solutions and adopted countermeasures quickly with very low cost. Besides, according to our incident response’s experience for hundreds times and consulting to help victim for several years, we will try to propose a design of security model to prevent, detect, react, and remediate cyber espionage threats.
Network infrastructures have played important part in most daily communications for business industries,
social networking, government sectors and etc. Despites the advantages that came from such
functionalities, security threats have become a daily struggle. One major security threat is hacking.
Consequently, security experts and researchers have suggested possible security solutions such as
Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and
Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason
behind that, there is a few researches that examine the behavior of hackers. This paper formally and
practically examines in details the behavior of hackers and their targeted environments. Moreover, this
paper formally examines the properties of one essential pre-hacking step called scanning and highlights its
importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in
most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsVivek Venugopalan
In this work, we propose a modified DEFENSE architecture termed as xDEFENSE that can detect and react to hardware attacks in real-time. In the past, several Root of Trust architectures such as DEFENSE and RETC have been proposed to foil attempts by hardware Trojans to leak sensitive information. In a typical Root of Trust architecture scenario, hardware is allowed to access the memory only by responding properly to a challenge requested by the memory guard. However in a recent effort, we observed that these architectures can in fact be susceptible to a variety of threats ranging from denial of service attacks, privilege escalation to information leakage, by injecting a Trojan into the Root of Trust modules such as memory guards and authorized hardware. In our work, we propose a security monitor that monitors all transactions between the authorized hardware, memory guard and memory. It also authenticates these components through the use of Hashed Message Authentication Codes (HMAC) to detect any invalid memory access or denial of service attack by disrupting the challenge-response pairs. The proposed xDEFENSE architecture was implemented on a Xilinx SPARTAN 3 FPGA evaluation board and our results indicate that xDEFENSE requires 143 additional slices as compared to DEFENSE and incurs a monitoring latency of 22ns.
The global process automation market is estimated to grow at a CAGR of 6.4% b...Suresh Krishna
Industrial and specifically factory automation is the use of different control systems, software and other technologies for automation of the factory. The day to day technological advancements are helping the manufacturing process and other such tasks perform a lot faster and cost effective.
Humans of the Internet is a global movement for kindness. Using empathic communication and constructive conflict on the web to make society a better place.
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
This is a presentation held at eLiberatica 2008.
http://www.eliberatica.ro/2008/
One of the biggest events of its kind in Eastern Europe, eLiberatica brings community leaders from around the world to discuss about the hottest topics in FLOSS movement, demonstrating the advantages of adopting, using and developing Open Source and Free Software solutions.
The eLiberatica organizational committee together with our speakers and guests, have graciously allowed media representatives and all attendees to photograph, videotape and otherwise record their sessions, on the condition that the photos, videos and recordings are licensed under the Creative Commons Share-Alike 3.0 License.
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
Cyber espionage attacks have been aware of for around 10 years. Security vendors keep inventing new technology to defend against attack. Many solutions look fancy, however breaches keep happening. People spent a lot of budget to improve their fences, but the effectiveness of these security products remains doubtful. In Taiwan, we have more than 10 years history with cyber espionage attacks. Government, enterprises, and security vendors were fighting hard with threat actors, but new victims still got compromised day by day.
In recent years, a lot of Japanese government agencies, defense industry, enterprises are suffering from cyber attacks from cyber espionage groups. We keep seeing breaches and incidents from news. We believe many victims still have no good strategy to defend and control the situation.
In this talk, cyber espionage attacks in the last decade would be discussed from Asia Pacific region’s point of view. We’ll discuss why security solutions didn’t work, how actors easily bypassed those fancy solutions and adopted countermeasures quickly with very low cost. Besides, according to our incident response’s experience for hundreds times and consulting to help victim for several years, we will try to propose a design of security model to prevent, detect, react, and remediate cyber espionage threats.
Network infrastructures have played important part in most daily communications for business industries,
social networking, government sectors and etc. Despites the advantages that came from such
functionalities, security threats have become a daily struggle. One major security threat is hacking.
Consequently, security experts and researchers have suggested possible security solutions such as
Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and
Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason
behind that, there is a few researches that examine the behavior of hackers. This paper formally and
practically examines in details the behavior of hackers and their targeted environments. Moreover, this
paper formally examines the properties of one essential pre-hacking step called scanning and highlights its
importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in
most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsVivek Venugopalan
In this work, we propose a modified DEFENSE architecture termed as xDEFENSE that can detect and react to hardware attacks in real-time. In the past, several Root of Trust architectures such as DEFENSE and RETC have been proposed to foil attempts by hardware Trojans to leak sensitive information. In a typical Root of Trust architecture scenario, hardware is allowed to access the memory only by responding properly to a challenge requested by the memory guard. However in a recent effort, we observed that these architectures can in fact be susceptible to a variety of threats ranging from denial of service attacks, privilege escalation to information leakage, by injecting a Trojan into the Root of Trust modules such as memory guards and authorized hardware. In our work, we propose a security monitor that monitors all transactions between the authorized hardware, memory guard and memory. It also authenticates these components through the use of Hashed Message Authentication Codes (HMAC) to detect any invalid memory access or denial of service attack by disrupting the challenge-response pairs. The proposed xDEFENSE architecture was implemented on a Xilinx SPARTAN 3 FPGA evaluation board and our results indicate that xDEFENSE requires 143 additional slices as compared to DEFENSE and incurs a monitoring latency of 22ns.
The global process automation market is estimated to grow at a CAGR of 6.4% b...Suresh Krishna
Industrial and specifically factory automation is the use of different control systems, software and other technologies for automation of the factory. The day to day technological advancements are helping the manufacturing process and other such tasks perform a lot faster and cost effective.
Humans of the Internet is a global movement for kindness. Using empathic communication and constructive conflict on the web to make society a better place.
Il s'agit d'un mini mémoire réalisé au premier semestre de première année de licence information et communication à l'Isic (Institut des sciences de l'information et de la communication) de l'université Bordeaux Montaigne.
INFORMATION:
Author : Subhananda Bera From Mystic Wellbeing
Date : 14 - July - 2010
Pages : 15
Format : PDF
Table Of Contents
Forewords ................................ 04
To Quit or Not To Quit ................... 05
Welcome ...................................06
Why Blame Smoking Only? .................. 07
Fight for Right ...........................08
Smoking Alone Doesn’t Kill ............... 09
Special Ones? – Say “My Heart Aches…”......10
Cover Point ...............................11
Imagine … There’s No Cigarette ............12
So, You Understand? .......................14
Author’s Box ..............................15
Written By Subhananda Bera
Mysticboard.com
http://MysticBoard.com
http://tinyurl.com/mysticboard
If You Are Thinking Of Anything Mystic - Think MysticBoard.com
This was the five minute pitch that David and group pulled together at the WG2 barcamp. This will be a start for a community developed document to help field questions about oss and security within the military.
Building Trust Despite Digital Personal DevicesJavier González
Talk given at OpenIT (Tech talks at IT University of Copenhagen) in 2014. The talk covers different aspects of how to protect our privacy when using personal devices.
As soluções da NetWitness capturam todos os dados que circulam na rede e os contextualizam, filtrando o que pode ser crítico ou não. O usuario pode ver quem está indo aonde e vendo o quê.
TOTEM: Threat Observation, Tracking, and Evaluation ModelJohn Gerber
Merriam-Webster defines a totem as any supposed entity that watches over or assists a group of people, such as a family, clan, or tribe. In this presentation I will focus on how TOTEM assists in watching over and evaluating the threat an IP represents. The idea behind TOTEM is simple: compare threat information from sources such as watchlists (DShield, Emerging Threats, SenderBase, etc.) to activities with the organization (IDS/IPS, flow logs, etc.) and other locations (SANS ISC, DOE federated model, etc.). As new threat information and activity sources are added, a better evaluation can be rendered.
Deep Learning based Threat / Intrusion detection systemAffine Analytics
The article is about a Threat/Intrusion Detection System, which could be used to detect such data leaks/breaches & take a preventive action to contain, if not stop the damage due to breach.
Describe briefly the OSI Reference model and its relevance to computer security. [4 Marks]
• Ans 1: The Open System Interconnection Model (OSI) is a standardized framework for describing how computers communicate with each other over a network system. The OSI model also conceptualizes how data flows through a stack of seven layers, beginning with the physical layer and continuing through the datalink, network, transport, session, presentation, and finally the application layer (Simoneau, 2006)
1. www.csfi.us “The Price of Freedom is Eternal Vigilance”
Thomas Jefferson
Preliminary STUXNET Report V1.0
DISCLAIMER
This document may contain proprietary and controlled unclassified information requiring
protection from disclosure. Ensure proper safeguarding. The following notice may apply - "FOR
OFFICIAL USE ONLY - PRIVACY SENSITIVE – PROPRIETARY – Any misuse or unauthorized
disclosure can result in both civil and criminal penalties."
CSFI All Rights Reserved
2. Our CSFI Project Team
A team of twenty-six Information Security professionals, Intelligence Analysts and Engineers
collaborated in a private portal towards this deliverable. CSFI believes in collaboration and
sharing of knowledge as a way to shine light on the darkness in the cyber domain. Our goal is to
minimize speculation through research and logical thinking. This is a preliminary foundational
report from a Cyber Warfare perspective. Some of our volunteers made the choice to serve in
silence due to the sensitivity of their jobs. We thank them for their contribution and hard work.
Special thanks and credit to our CSFI volunteers:
Amr Ali, Malware Analyst, OSINT
EGYPT
Chris Blask, VP Marketing, AlienVault
USA
Joel Langill, TÜV FS-Eng ID 1772-09, CEH, CPT, CCNA
Control Systems Security Consultant
USA
Joseph Patrick Schorr, CEH, CISSP
Manager, Attack and Penetration Testing Practice
USA
Jim Mulholland
OSINT Fusion/Research/Analysis - Web/Social Media Intelligence - CT Researcher/Analyst
CANADA
Jesus Oquendo
C|EH, CHFI, SGFA, SGFE, CPT IACRB, OSCP
Chief Security Engineer
USA
Izar Tarandach
Principal Security Engineer
USA
CSFI All Rights Reserved
3. David Simpson
Federal Cyber Security Subject Matter Expert
USA
Charles A. Penn, Jr.
Network Administrator and Systems Analyst
USA
Avv. Stefano Mele
ICT Law, Intelligence & Security
ITALY
Bill Varhol
IT Specialist, Department of Defense
USA
Ehab Fahmi
Information Security Consultant
EGYPT
Our Project Scope
1- Find the source code of the attack.
2- Reverse engineer the malware code in order to understand how it works and find signs of
attribution, possibly linking the code to a nation-state actor (or actors).
3- Create a solid countermeasure for this form of attack along with recommendations on how to
secure systems against this form of attack.
4- Understand the political motivations behind this attack.
5- Explain how such a piece of malware could be used in a cyber warfare scenario.
6- Can Iran retaliate using the same form of cyber attack? What are the chances of such an
attack from Iran taking place against the US and allies?
CSFI All Rights Reserved
5. “Stuxnet is arguably the first cyber attack specifically targeting ICS devices. It is actually an
engineering attack against physical processes using IT as a vector into the controllers. It is a very
sophisticated attack that gets around multiple security barriers and has defeated two-factor
authentication by utilizing compromised digital keys and the default Siemens password which
cannot be changed. Stuxnet has been in the wild since June 2009 and upgraded at least once in
early 2010. It is not clear who developed Stuxnet, what Stuxnet is trying to accomplish, or when
or how often the Stuxnet payload is to be activated. It is possible this approach could target
other ICS vendors as other control system suppliers including Rockwell also utilize default
passwords in some legacy systems that cannot be changed. The national security concerns are
that this weaponized approach can be used against many infrastructures and many of these
infrastructures use the same controllers.”
Joe Weiss, CSFI member and CSFI STUXNET Project Contributor
Mr. Weiss provided expert testimony to the October 17, 2007 House Homeland Security Subcommittee and
provided control system cyber security recommendations to the Obama Administration
Source Code
Our studies have concluded there are variations of the STUXNET code on the Internet, which
creates confusion for readers when trying to understand the threat.
Our research concludes that there are 4 variants of STUXNET matching with Symatec’s research.
# v1: Installer component had a size of 513,536 bytes.
# v2: An exact copy of v1 + 4KiB of junk data.
# v3: An exact copy of v1 + 4KiB of junk data + 80KiB of nulls.
# v4: Is significantly different from v1. As for C&C URLs, it has the original set and corresponding
lPs
NOTE: V2-V3 is widely accepted as being the same with the only difference being the addition of
junk and nulls to the files, which does not typically qualify them as a variable. V1 and V4 are in
fact different with a file size difference of roughly 100kb in both the installer component and the
payload DLL.
More detailed information on the variants from Symantec:
http://www.symantec.com/connect/blogs/w32stuxnet-variants
CSFI All Rights Reserved
6. Stuxnet had 1 “known” variant; the original worm used the drivers signed by Realtek while the
variant released within days of the first being discovered had the same drivers signed by
JMicron. Verisign revoked the first certificate on July 16 and the variant was found on July 17.
STUXNET is a complex attack code with a variety of files, including some files that are signed.
HERE ARE SOME IMAGES OF THE SIGNING AND VERSIONS:
c:windowssystem32driversMRXCLS.SYS
CSFI All Rights Reserved
13. The 4 main files which constitute the STUXNET attack are:
1- .lnk file
2- ~WTR4141.tmp
3- ~WTR4132.tmp
4- Encoded payload .dll file with 13 functions and a variety of files (.dll, .exe, .lnk, .dat, .sys and
.tmp)
The main encoded payload is a UPX packed .dll file.
NOTE: UPX is a free, portable, extendable, high-performance executable packer for several
executable formats.
The UPX packed .dll is contained inside one of the files present on the infected removable drive.
How it Works
One of the best explanations on the Internet for understanding the details of how STUXNET
works has been published by Liam O. Murchu (Supervisor of Security Response Operations for
NAM at Symantec, CSFI-CWD – Cyber Warfare Division Member).
http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components
CSFI has released an educational video of how STUXNET works in a lab environment:
http://www.csfi.us/?page=stuxnet
Attack Countermeasures
Many experts, some with and some without any relevant control systems experience are
offering up advice on how to handle Stuxnet and Stuxnet-like attacks. While there are many
different opinions1, a point of general agreement is that a multi-layered approach is necessary
to defend against an attack like Stuxnet.
Knowing this in advance means any mitigation needs to be based on a solid defense-in-depth
strategy that utilizes multiple, independent layers of protection. The idea is that flaws can more
easily be found in any one solution, but it should be increasingly difficult to find flaws in a
comprehensive solution that depends on multiple protective measures.
A developing concept breaks the situation down into two distinct phases. The first set of
countermeasures should be preventative in nature and designed to minimize the likelihood that
a control system could be infected by such an attack. The second, and equally important, set of
countermeasures should be reactive in nature, and designed to minimize any negative
consequences to the control system should the system be compromised. Each of these sets of
countermeasures should also possess both passive and active components that utilize direct and
indirect methods in responding to the event. These countermeasures are then implemented in
CSFI All Rights Reserved
14. real-time based on the severity of the attack (impact) and the duration the system has been
under attack (correlating directly to the likelihood of greater damage or more negative
consequences).
This is shown in the figure below:
This concept is further explored as countermeasures are now applied. This list is meant to be
used as guidance to possible countermeasures that could be deployed and should not be
interpreted as a list of which all items are required for every installation.
Preventative – Passive
These “preventative” countermeasures have revealed the general lack of an existing strong
security policy within the control systems environments and reflect security controls that should
be implemented on all systems prior to a Stuxnet-like event. These countermeasures include:
• Effective security policies and procedures (that cover all aspects of a security program,
including training, security awareness, forensics, business continuation, etc.) are the first step to
securing control systems. These policies and procedures then need to be reviewed and updated
as part of a continuous improvement program.
• Implement a security awareness program within the organization that provides a
baseline level of education relating to control systems security and includes regular re-training
as risks and technologies change.
• Disabling of USB devices within the more secure control systems “zones” (security
“zones” as defined by ISA-99). Not allowing external USB devices in these critical areas should be
common knowledge, and hopefully Stuxnet will justify the need to become more diligent in use
of these deadly little demons!
• Implementation of Software Restriction Policies (SRP) that prevent the execution of
code on remote and removable media (USB, CD/DVD, network shares, etc.). Exceptions can be
granted on a limited basis when required to support software maintenance and upgrades.
Microsoft introduced this with Windows XP for a reason, yet few know it exists let alone
CSFI All Rights Reserved
15. implement its policies. Until the control systems world is completely off of Windows 2000 and
Windows XP platforms (which may take a very long time), this is a very viable countermeasure.
• Security Policies should be created that address specific host-to-host, and zone-to-zone
communication requirements, including protocols, ports, etc. This information is vital and will
be used in subsequent countermeasures to identify suspect traffic and is a basic requirement in
complying with ISA-99 standards.
• Follow the vendor’s recommendations for disabling of all unnecessary services.
• Confirm that any default username/passwords have been removed or modified.
• Utilize active vulnerability scanners on these systems (during testing or other times of
non-production use) to evaluate and document the configuration against known vulnerabilities
and predetermine compliance guidelines. The fact that Stuxnet is using MS08-067 shows that (1)
vendors may not even be aware of the power of exploiting this vulnerability, or (2) they are
assuming that no one will target these systems and there is not a need to address this patch.
This vulnerability is showing up on many systems and is one of the most common vulnerabilities
used to exploit control systems.
Preventative – Active
• If allowed by the system vendor, all hosts should be installed with applicable host-based
firewall, anti-virus and anti-malware applications.
• Host-based intrusion detection applications should be utilized where allowed.
Unfortunately, many vendors are not embracing the value of HIDS on control systems, yet some
tests have shown that certain activities of Stuxnet would have triggered HIDS alerts, including
DLL injection and rootkit installation attempts.
• “Whitelisting” based applications should be considered over “blacklisting” or “heuristic”
based solutions whenever possible to increase the likelihood that zero-days will be detected.
Again, it will take customer influence to drive vendors in this direction.
• Firewall rules should be implemented to deny by default all outbound traffic from the
control system networks and zones. Justification needs to be given for outbound access, just like
it is required for inbound, and when outbound traffic must be allowed, it should be between
specific hosts AND for specific services.
• Outbound SMB traffic should not be allowed.
• Utilize code signing of all critical systems (in addition to whitelisting). Updates and
changes should go through a unique traceable process at which code should be compared to an
out-of-band provided signature from the vendor. Unless verified, code should not be allowed to
run on the system.
Reactive – Passive
Identification of a threat is a valuable aspect of minimizing negative consequences of an attack.
It may not be possible to eliminate completely all threats that exploit zero-days, but it should be
a goal to be able to identify suspect activity that could signify an attack and minimize the
consequences.
• Implement intrusion monitoring sensors within the control systems network(s) that are
designed to evaluate data traffic patterns between system components. For example, a SCADA
server should never be attempting an external file share (SMB) connection. Use the data
obtained from the security policy to map out the allowed data paths that should exist within the
system architecture. These sensors can also detect traffic that is not typically allowed between
CSFI All Rights Reserved
16. nodes and could signify a rogue peer-to-peer network within the system or a possible backdoor
or callback resulting from an attack.
• Implement passive vulnerability scanners on the control systems network that can be
used to observe any unusual traffic patterns and correlate this against previous patterns, and
provide an alert mechanism to signal deviations from normal. PVS can be used in conjunction
with IDS.
• Review the system logs in the various computer hosts and network appliances. A lot can
be learned by simply reviewing these log files because if logs are not reviewed, then the
realization of being under attack may not happen until it is too late.
• A security information event monitoring application needs to be installed that can
automatically analyze and correlate the data generated and stored in system logs and event
journals throughout the system. Without SIEM, it is next to impossible to (1) analyze all this data
and (2) make any logical correlation of the data between various hosts.
• Set up test and validation systems that mimic the production systems (at least for all the
critical components), and implement a recurring comparison process between the production
and test systems. This is something that financial institutions have been doing for a long time
and is about time to get into critical infrastructure as well.
Reactive - Active
At this point in the attack, when all the other countermeasures have failed, it is very important
to not destroy forensic data that can be used for a variety of purposes. Most of these security
measures are used for forensic purposes in learning what failed and what can be done to
prevent a similar attack in the future.
• Once the attack has been confirmed, all non-essential communication conduits should
be terminated to contain the attack.
• Incident Response and Business Continuity procedures should be in place and initiated
to maintain or re-establish essential operations while recovering from an attack.
• Care needs to be taken in following established and rehearsed forensic procedures to
maintain the integrity of the data contained within the infected systems.
• Plans should be in place, tested on a recurring basis, and updated in order to be
effective in the event of an attack.
• As a last resort, it may be necessary to initiate a shutdown of the manufacturing process
to minimize the potential for environmental or loss-of-life resulting from a potential control
system failure.
Political Motivations behind the Attack
Our research points to the fact that the motivations behind the attack are of a destabilizing
nature with less focus on destruction of data and more focus on disruption of operations and
PsyOps. The coordinated nature of this attack, the choice of exploits and the main targets are
strongly indicative of state sponsored activities.
“More and more I am convinced of the psychological effect as being the central point of this
‘exercise’.”
--Izar Tarandach, Principal Software Engineer
CSFI All Rights Reserved
17. Cyber attacks of this nature have a “one shot, one kill” approach to things, due to the fact that
after the attack takes place the security community will rush to create countermeasures and
dissect the code. The attacker most likely accomplished its mission of infiltrating the Iranian
nuclear facility and creating possible delays in the nuclear program and also creating uncertainty
in the victim’s mind.
We believe this cyber attack to be a successful attack and not only as an attempt, like many
other analysts may believe.
STUXNET in a Cyber Warfare Scenario
Due to heavy scrutiny with NERC CIP compliance, attackers may not target the grid directly or
any other critical infrastructure component. The attacker would most likely keep the noise level
down by creating a flanking strategy and target the level below the grid, which is not currently in
the spotlight and is more vulnerable. For example, something has to feed these gas-fired power
plants with fuel using the same control systems. They would target LNG re-gasification and
distribution systems, which would cripple the power generation plants and produce the same
end result. The attacker may target strategic refineries that would cripple not only civilians with
fuel shortages, but would also affect the military - the Navy may be nuclear but the Army and Air
Force need petroleum-based fuels. Many refineries have control systems that are extremely
vulnerable to cyber attacks.
In case of Cyber Warfare, the US critical infrastructure and the critical infrastructure of its allies
would be prime targets to well crafted and coordinated attacks resembling STUXNET.
Can Iran retaliate using the same form of cyber
attack? What are the chances of such an attack
taking place against the US and allies?
As long as there is a gap between policies and technical controls, this type of attack will be
possible. Some organizations currently have no policies and no technical controls, others have
strict policies with nothing technical enforcing the policy, and some (rarely) have both. For
example, the location of the initial infection may have had a policy that stated USB drives are
not allowed but nothing that actually prevented them from being used. All that to say that
anyone, Iran included, could attempt such an attack by throwing a few bad USB drives in a
parking lot and waiting to see who picks them up or making up some "informational" DVDs and
leaving them on a table at a conference.
Since the exploit code is widely available and 2 vulnerabilities remained unpatched, we believe
the U.S. is at a moderate risk level. Immunity has released exploit code for the 2 unpatched
vulnerabilities, so this is easily available to an attacker of any skill level.
A large percentage of the people really do not understand STUXNET; therefore, special care
should be taken at this time.
CSFI All Rights Reserved
18. We believe that the worm would need to be modified in some manner to fool signature-based
detection systems that seem to be the primary means of detection at this level. However, since
many have not implemented a solid defense-in-depth strategy, the attack could be launched
successfully.
The leading suppliers of distributed control systems for North America are Emerson, Honeywell
and Invensys. Much attention must be placed on how secure these systems are. Variants of
STUXNET could be developed to penetrate such systems.
If we look now at regions of interest like the Middle East, one player is very strong in key
infrastructure control systems, and that is Yokogawa out of Japan. A lot of this is politically
motivated, because the Muslim-based countries post-2001 have tended to move away from U.S.
and U.K.-based companies, leaving only Yokogawa, ABB (Switzerland) and Siemens (Germany) as
potential players. We already know Siemens position, but Yokogawa is one of interest. Most of
the design and engineering decisions come out of Japan, and according to our intelligence they
do not really seem to place security as a priority for their system design. They focus more on
reliability and functionality.
Yokogawa is also installed in Iraq. Knowing that Siemens and Yokogawa are the two primary
players in the region, there is a 50/50 chance of a successful attack if one targeted one of these
systems. If the attacker had targeted Emerson or Honeywell, they would have had little if any
penetration in Iraq. This is one piece of data that justifies the argument that this was most likely
a targeted attack.
Protection against Stuxnet-Like Attempts
1. Vital points for Stuxnet success
1.1. Intelligence
1.2. "0 day" vulnerabilities
1.3. Kernel manipulation
1.3.1. Rootkit
1.3.2. Digitally signed certificates
1.4. SCADA systems weaknesses
1.4.1. Lack of proper monitoring and check points
1.4.2. Lack of proper standards
1.4.3. Security as an additional feature
2. How to mitigate Stuxnet and the like
2.1. Blacklist vs. whitelist approach
2.2. Monitoring and incident response
2.3. Virtual and physical security policies
2.4. Operating system choice
2.5. Humans
CSFI All Rights Reserved
19. 1. Vital points for Stuxnet success
The important aspect that made Stuxnet successful was the intelligence in its preparation.
Security thorough obscurity is a concept that rarely holds strong and often fails.. Stuxnet
creators exhibit thorough research and a great depth of knowledge of the schematics and
internal workings of Siemens SCADA systems components, which ultimately resulted in the
discovery of a hard-coded passphrase in Simatic WinCC. This is what allowed complete access to
servers running the server. Vendors and administrators still have not learned to remove default
settings.
1.2. "0 day" vulnerabilities
The collection of "0 day" vulnerabilities in Stuxnet is considered to be the biggest collection for
any worm to have in the history of computer viruses. Although there is speculation as to the
exact amount of undiscovered vulnerabilities, speculation about the initial and post-discovery
payload, in the end it contained multiple unique vulnerabilities. Many perceive this to be a sign
of great funding and/or great skill. Here the concept of security thorough obscurity might be an
element in making the discovery of vulnerabilities a difficult task; however, once found, the
authors of Stuxnet (or any other group of people that would like to make use of discovered
vulnerabilities) will most likely not report these issues to the vendor.
1.3. Kernel manipulation
Stuxnet was discovered to contain a very simple yet effective rootkit that allowed the worm to
be hidden completely from user-space applications. Add the methods of detecting installed AVs
in the system, and the rootkit might be capable of disabling any AV installed, which effectively
renders the whole system to be wide open to other types of malware. While reliance upon
Antivirus is not a full-proof solution, many vendors and administrators still believe "updated"
signatures to save their networks.
1.4. SCADA systems weaknesses
1.4.1. Lack of proper monitoring and check points
The Stuxnet incident showed how monitoring of such phenomena was, at the very best,
minimal. Stuxnet had the capabilities of infecting PLC units from WinCC servers, which shows
that WinCC had no restrictions or any kind of authentication required for such process. This
raises a lot of concerns towards machinery connected to these PLC units. A solution has been
presented by Chris Blask by implementing SEIM/SIM monitoring. Had SEIM/SIM monitoring
been enabled along with proper "lowest privilege" access along with auditing, the discovery of
Stuxnet would have likely come earlier.
NOTE: The remote instance of SQL Server has the default “WinCCConnect’ account enabled with
its account enabled with its default password set. An attacker may leverage this flaw to execute
commands against the remote host, as well as read the content of the WinCC database if
present.
Source: http://www.nessus.org/plugins/index.php?view=single&id=47759
CSFI All Rights Reserved
20. 1.4.2. Lack of proper standards
Currently there are no "de-facto" defined standard for SCADA systems applications, physical,
network or product security solely guidelines. How an environment so mission critical can end
up using hard-coded passwords in software and/or hardware is boggling. Situations like these
will be persistent until vendors are pressured and/or discouraged from these practices;
however, even with hardcoded passwords, proper Role Based Access undertaken on the
network and physical level could have mitigated against this. Summarily, a SCADA systems
security standardization group must be formed and establish security standards for software,
network and physical security of SCADA systems.
1.4.3. Security in general is thought of as an additional feature
In critical infrastructures and environments, security MUST always be the number one concern.
Security is compromised of all layers: physical, network, application, session and hardware.
Stuxnet was effective at attacking the low hanging fruit—default passwords and the lack of
updated patches in the Windows platform, which ultimately exploited the SMB service in the NT
kernel. Such service should have never been used or enabled in the first place; however, this is
the default installation parameter for Windows. It should have been double checked post
deployment. This suggests that security is an afterthought, and this type of thinking MUST
change in the near future.
2. How to mitigate Stuxnet and the like
Stuxnet cannot be treated by an AV, as AVs are not practical in responding to new threats,
especially when the threat is against a zero day (0 day) attack. Vendors are not aware of the
vulnerability, hence no signatures being available. Immunity from such threats must be sought
out by modifying policies and behavior, enforcing security training and enhancing security
standards. While SEIM/SIM was mentioned before, HIPS (Host Intrusion Prevention Systems)
would have alerted the administrator(s) to the changes in the checksums of the file system that
was infected by Stuxnet. Layered approaches to security make compromising a machine more
difficult as there are more layers to attack, which increase the risk of detection.
2.1. Blacklist vs. whitelist approach
Foreign traffic must not be tolerated in a SCADA system. Most applications are static as is the
traffic necessary to operate those applications and or services. Baselines can dictate what is
normal and what is anomalous. While a white or a black list of software and or connections may
be created, the reality is this list may be difficult to maintain and/or subject to tampering. A
network IPS configured to allow only the minimal needed traffic inside the network should be
MANDATORY with alerting to those in an emergency response team. Because many ERTs can be
tricked with false positives and false negatives, constant reviewing of parameters need to be
enforced otherwise administrators and engineers will learn to ignore alerts.
2.2. Monitoring and incident response
CSFI All Rights Reserved
21. Traffic must be logged at all times on a separate hardened system, which should have the
capabilities of performing data, network and application correlation. If available, "flow-tools"
like implementations can be deployed where entire sessions may be replayed, analyzed and
assessed. This minimizes the response time, drives down the potential cost of forensics and
maintains a good level of validity for evidentiary purposes when applicable.
2.3. Virtual and physical security policies
The lack of clear, definite security policies has been a major player in Stuxnet's success; policies
must be in place to limit both physical and virtual access. Stuxnet exploited SMB on Windows
machines, which means whoever made Stuxnet has collected information that SMB is enabled in
quite a large number of machines. Of course, SMB has no use whatsoever in such environments,
and even if they do, they should have isolated these weak services from the critical region of the
environment because SMB is a main entry point to any Windows system.
2.4. Operating system choice
In an environment that has computers control very sensitive machinery, stability and reliability
are very important, but security shares the same importance. Windows was made first and
foremost for desktop users. As for stability, Windows is far from it; usually a BSD system or Linux
should replace Windows on all machines that are responsible for the industrial machinery or
anything related to it.
2.5. Humans
The human factor is a very important security aspect; many studies have shown that the easiest
way into any organization is not their computers, but rather their employees. In Stuxnet design,
it has been seen that it had an exploit for a Windows vulnerability and a technique developed to
exploit a human vulnerability of curiosity by simply dropping a handful of USB flash drives
around a facility. Proper security training must ensue for employees working in such facilities,
along with raising their general security awareness. Regular security checks on what people
bring in and out of the facility are very important.
CSFI All Rights Reserved