2018 ICS Cybersecurity: Year In Review
Dragos
April 2019
Dragos
• Dragos Platform: monitoring technology that utilizes behavioral analytics to identify threats as they occur, and workflow automation for incident response.
• Dragos WorldView: expertise and knowledge in ICS threat identification and understanding through threat intelligence.
• Dragos ThreatView: experienced ICS services including threat hunting, incident response and training.
Four public reports:
• Activity Groups
• Threat Hunting & Responding
• Vulnerabilities
• Executive Insights
https://dragos.com/year-in-review/
Vulnerabilities
Vulnerabilities Summary
• 204 advisories total
• 25% increase over 2017
• Average 17 per month
• 443 individual CVEs
• Relatively flat trend
Vulnerabilities Observations
• 32% of all advisories had errors in description and score
• 80% of advisories provided no alternate mitigation advice other than patch
• 18% of vulnerabilities could be used to gain initial access (majority require existing access)
• 60% of advisories cover components which are insecure-by-design, so patching them does little to mitigate risk
• 34% of network vulnerabilities focused on ICS protocols; the remaining were generic protocols such as HTTP, FTP
Why does this matter?
Security decisions and compliance requirement fulfillment are made based on public vulnerability information.
Generic advice is not meaningful because end users may not be able to apply patches due to scheduled patch cycles, inability to accept downtime, etc.
Inaccurate vulnerability advisories can potentially cause unexpected consequences, and may not reduce risk.
Vulnerabilities Impact
Vulnerabilities Likelihood
• High: Perimeter-connected or even internet-connected. Typically Purdue Level 4 or Level 3.
• Medium: Network devices which will cross-connect multiple networks. Typically Purdue Level 2/3.
• Low: Central assets on control networks. Typically Purdue Level 2.
• None: Field devices. Typically Purdue Level 1.
Areas of Improvement
• Advisory accuracy
• Advisory mitigation advice
• Vendors self-reporting
• Researcher-vendor collaboration
• More focus on ICS protocols and less on "generic" protocols in ICS devices
• More details on impact and likelihood
Threat Landscape
Threat Landscape Summary
• 8 ICS-focused activity groups
• Global impact of disruptive commodity malware
• Supply chain infiltration
• Midpoint network access
Activity Groups
Activity Group Spotlight: XENOTIME
• Activity group behind TRISIS targeting Safety Instrumented Systems (SIS).
• In 2018, Dragos identified new XENOTIME activity targeting entities in the US, and devices beyond Triconex.
• Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME.
• The group uses customized malware specifically for the target environment, stolen credentials to move between networks, legitimate but compromised servers for communication, and some Living off the Land techniques.
Disruptive IT Malware
IT-focused malware is easy to use, effective within the enterprise, and widely available. Often untargeted, and can spread to operations due to poor segmentation.
Examples:
• Automated spreading mechanisms: WannaCry, NotPetya, Ryuk
• OlympicDestroyer
• LockerGoga
Mid-point Network Access
Malware targeting network routers, like VPNFilter, could enable data collection and reconnaissance, potentially leading to a damaging attack.
Examples:
• VPNFilter malware enables information harvesting, credential theft, and DoS.
• Concerning for ICS operators due to the MODBUS packet sniffer module.
• Ukrainian chemical plant found VPNFilter on its network and claimed to stop a disruptive attack.
• However, the malware alone does not have ICS destructive capabilities.
Supply Chain / 3rd-Party Compromise
Supply chain compromise leverages trust between parties and bypasses parts of the security stack. Includes compromising contractors, websites, vendors, suppliers.
Examples:
• XENOTIME compromised several ICS vendors and manufacturers.
• ICS watering holes.
• Enterprise data tracking and sharing service compromised, affecting business operations across oil and gas and electric utility firms.
• APT10 campaigns against managed service providers (MSPs).
• ASUS/ShadowHammer
Defensive Recommendations
01 Security Best Practices
Tool assessments, restricting internet connectivity within OT, increase visibility into host and ICS processes.
02 Defend Entire Kill Chain
A "Whole of Kill Chain" approach means identifying adversary behaviors from Stage 1 intrusions to Stage 2 impacts. Utilize diverse threat detection strategies.
03 Anticipate Threats
ICS threat intelligence provides actionable information for identifying and defending against threats.
04 Use Threat Behavior Analytics
Identify patterns in behavior and malicious activity to create analytics that can alert defenders to malicious activity.
Threat Hunting & Response
Threat Hunting & Response – Services Overview
Threat Hunting & Response - Events
Threat Hunting & Response - Summary
• 55% of Dragos TOC engagements in 2018 focused on energy (oil, gas, electric, transmission, generation, management, and renewables)
• 44% equally split between engineering and production of chemical, biomedical, and pharmaceutical products; manufacturing; transportation and shipping; water utilities and wastewater treatment
• 80% of engagements were proactive & focused on helping customers gain an understanding of their industrial environments (positive trend in the industry)
• 32% of IR engagements involved an initial vector dating over 365 days
Areas of Improvement
• Formalizing Threat Hunting (proactive) procedures
• Identifying gaps in collection using a CMF (Collection Management Framework)
• Preparation and action planning for IR events in ICS networks
Thank you
Reports:
dragos.com/year-in-review
Twitter: @DragosInc
LinkedIn: DragosInc
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 

Dragos year in review (yir) 2018

  3. Four public reports: Activity Groups; Threat Hunting & Responding; Vulnerabilities; Executive Insights. https://dragos.com/year-in-review/
  5. Vulnerabilities Summary
     • 204 advisories total
     • 25% increase over 2017
     • Average 17 per month
     • 443 individual CVEs
     • Relatively flat trend
  6. Vulnerabilities Observations
     • 32% of all advisories had errors in description and score
     • 80% of advisories provided no alternate mitigation advice other than patch
     • 18% of vulnerabilities could be used to gain initial access (majority require existing access)
     • 60% of advisories cover components which are insecure-by-design, so patching them does little to mitigate risk
     • 34% of network vulnerabilities focused on ICS protocols – remaining were generic protocols such as http, ftp
  7. Why does this matter? Security decisions and compliance requirement fulfillment are made based on public vulnerability information. Generic advice is not meaningful because end users may not be able to apply patches due to scheduled patch cycles, inability to accept downtime, etc. Inaccurate vulnerability advisories can potentially cause unexpected consequences, and may not reduce risk.
  9. Vulnerabilities Likelihood
     • High: Perimeter-connected or even internet-connected. Typically Purdue Level 4 or Level 3.
     • Medium: Network devices which will cross-connect multiple networks. Typically Purdue Level 2/3.
     • Low: Central assets on control networks. Typically Purdue Level 2.
     • None: Field devices. Typically Purdue Level 1.
  10. Areas of Improvement
     • Advisory accuracy
     • Advisory mitigation advice
     • Vendors self-reporting
     • Researcher-vendor collaboration
     • More focus on ICS protocols and less on "generic" protocols in ICS devices
     • More details on impact and likelihood
  12. Threat Landscape Summary
     • 8 ICS-focused Activity Groups
     • Global impact of disruptive commodity malware
     • Supply chain infiltration
     • Midpoint network access
  14. Activity Group Spotlight: XENOTIME
     • Activity group behind TRISIS targeting Safety Instrumented Systems (SIS).
     • In 2018, Dragos identified new XENOTIME activity targeting entities in the US, and devices beyond Triconex.
     • Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME.
     • The group uses customized malware specifically for the target environment, stolen credentials to move between networks, legitimate but compromised servers for communication, and some Living off the Land techniques.
  15. Disruptive IT Malware. IT-focused malware is easy to use, effective within the enterprise, and widely available. Often untargeted, and can spread to operations due to poor segmentation. Examples:
     • Automated spreading mechanisms: WannaCry, NotPetya, Ryuk
     • Olympic Destroyer
     • LockerGoga
  16. Mid-point Network Access. Malware targeting network routers, like VPNFilter, could enable data collection and reconnaissance, potentially leading to a damaging attack. Examples:
     • VPNFilter malware enables information harvesting, credential theft, and DoS.
     • Concerning for ICS operators due to the MODBUS packet sniffer module.
     • Ukrainian chemical plant found VPNFilter on its network and claimed to stop a disruptive attack.
     • However, the malware alone does not have ICS destructive capabilities.
  17. Supply Chain / 3rd-Party Compromise. Supply chain compromise leverages trust between parties and bypasses parts of the security stack. Includes compromising contractors, websites, vendors, suppliers. Examples:
     • XENOTIME compromised several ICS vendors and manufacturers.
     • ICS watering holes.
     • Enterprise data tracking and sharing service compromised, affecting business operations across oil and gas and electric utility firms.
     • APT10 campaigns against managed service providers (MSPs).
     • ASUS/ShadowHammer
  18. Defensive Recommendations
     • 01 Security Best Practices: tool assessments, restricting internet connectivity within OT, increase visibility into host and ICS processes.
     • 02 Defend Entire Kill Chain: a "Whole of Kill Chain" approach means identifying adversary behaviors from Stage 1 intrusions to Stage 2 impacts. Utilize diverse threat detection strategies.
     • 03 Anticipate Threats: ICS threat intelligence provides actionable information for identifying and defending against threats.
     • 04 Use Threat Behavior Analytics: identify patterns in behavior and malicious activity to create analytics that can alert defenders to malicious activity.
  19. Threat Hunting & Response
  20. Threat Hunting & Response – Services Overview
  21. Threat Hunting & Response – Events
  22. Threat Hunting & Response – Summary
     • 55% of Dragos TOC engagements in 2018 focused on energy (oil, gas, electric, transmission, generation, management, and renewables)
     • 44% equally split between engineering and production of chemical, biomedical, and pharmaceutical products; manufacturing; transportation and shipping; water utilities and wastewater treatment
     • 80% of engagements were proactive & focused on helping customers gain an understanding of their industrial environments (positive trend in the industry)
     • 32% of IR engagements involved an initial vector dating over 365 days
  23. Areas of Improvement
     • Formalizing Threat Hunting (proactive) procedures
     • Identifying gaps in collection using a CMF (Collection Management Framework)
     • Preparation and action planning for IR events in ICS networks

Editor's Notes

  1. [insert introductory notes]
  2. First slide, I promise, is not a product pitch. All I want to do here is illustrate that the Dragos team feels uniquely qualified to be up here speaking with you about this important topic. Honestly, I believe that a security company is really only as good as the intelligence it provides, and this is a core component of our business. Sergio, our VP of Intelligence, created the diamond model for intrusion analysis, and our adversary hunters and intelligence analysts provide ICS threat reporting for both technical and executive functions on a weekly basis. Our Intel team works closely with our threat operations center, which is our services team; they help companies with things like threat hunting, tabletop exercises, and incident response. They take what they learn from the field, bring that knowledge in-house, and also allow us to create a product that is specifically built to help the industrial community.
  3. In 2018 Dragos released our first YIR reports, of which there were three, reflecting upon events and data collected in 2017. The reports provide insights and lessons learned from our team hunting and responding to ICS threats throughout the year. This allows us to offer recommendations for stronger defenses within industrial organizations and help drive change in the ICS cybersecurity community. This year we have added a fourth report geared toward executives. The reason for doing this is pretty simple: generally, as an industry, there is a lack of meaningful metrics, and you cannot manage or improve what you can't measure. Lastly, at Dragos, our tagline is "securing civilization", and we are hoping to set an example and inspire the greater community to move forward.
  4. Let's start with a summary of vulnerabilities. Dragos collects and independently analyzes product vulnerability data from private and public sources, including various CERTs such as ICS-CERT, and also uncovers product vulnerabilities and collaborates with vendors on disclosure.
  5. On average, organizations disclosed 17 product vulnerabilities a month through 2018. This was slightly greater than the 14 vulnerabilities a month disclosed in 2017. While this is a ~22% uptick, we see this as a relatively flat trend; still something that needs to be addressed regardless.
  6. Key statistics to note in this area: as far as the public CVSS advisories were concerned, we found that 32% had errors in description and score (vs. an 18% error rate in vendor-produced CVSS scoring). One third-party bug handling organization we analyzed had 56% of their CVSS scores incorrect. Also, about a third of network vulnerabilities focused on ICS protocols; the other two-thirds were generic protocols such as HTTP and FTP, which is likely caused by the lack of ICS testing tools as well as researcher skill sets.
  7. Many organizations use public advisory data to either reduce risk or satisfy compliance requirements. Inaccurate advisories mean that these efforts are wasted and that relying upon advisories to prioritize patching or other remediation is not meeting the goal of reducing risk. Advisories continue to provide generic advice for network-exposed and local-access security vulnerabilities: "Deploy firewalls and use only trusted networks." However, if end users cannot apply patches due to scheduled patch cycles, inability to accept downtime, or various other reasons, this generic advice is not meaningful. Deploying new firewalls or changing network architecture is less likely to happen than patching for most facilities, and without clear guidelines on HOW to deploy firewalls it doesn't really help anyway. Instead, advisories must provide reasonable alternative options. The advice mentioned above does not make sense for local vulnerabilities and is not actionable for network-exposed vulnerabilities. Advisories should contain information pertaining to the service exposing the vulnerability and provide a list of networked systems that require access to the service for proper functionality, either in the advisory or via references to technical documentation. In 2018, ~60% of advisories impacted the HMI, field device and EWS categories, so mitigating those vulnerabilities would have little effect on overall security due to the insecure-by-design nature of control systems protocols. These are bugs that affect systems which use insecure protocols: basically, if an attacker is at a place on the network where they can even try to use one of these vulnerabilities, it's likely that they could just issue commands directly to the controllers.
  8. Vulnerabilities are classified in two ways: impact and likelihood. We define impact as a loss of view (unable to view/read state) or a loss of control (inability to modify system state). Vulnerabilities which lead to both a loss of view and control occur in the core of traditional control networks, affecting both field devices (PLCs, RTUs, etc.) as well as management devices such as human-machine interface (HMI) systems and engineering workstation (EWS) software. This means that over half (60%) of ICS-related vulnerabilities can cause an operations outage, at least for the component affected by the advisory.
  9. We attribute likelihood to network location, given that the primary attack vector will come from within the enterprise network. High: these are perimeter-connected or internet-connected and accessible by a non-ICS network. These systems will be connected to Level 4 or Level 3 on the Purdue Model; historians and firewalls. Medium: network devices which will cross-connect multiple networks and are managed from one of the connected networks. Most often these occur at Purdue Level 2, 3, or a special management network. Low: your HMIs, EWSs, etc. These map to Purdue Level 2 networks. None: assets generally several steps from another network, your PLCs and RTUs, on Purdue Level 1 networks. So, the likelihood of these vulnerabilities affecting assets in the Medium, Low, and None categories, your most important assets, is 80%.
  10. Improve advisory accuracy to better inform end users and help them make risk mitigation and compliance decisions. Provide additional, actionable mitigation advice beyond patching or generic security advice, so that end users who cannot patch due to various restrictions can mitigate vulnerabilities and improve security until patching is practicable. In 2018, vendor self-reporting of vulnerabilities increased, and the frequency and accuracy improved. Vendor-reported vulnerability advisories tend to be more accurate, so vendors should work internally and cooperate/collaborate with external researchers to provide comprehensive vulnerability advisories. Most advisories covered generic protocols such as HTTP, FTP, and proprietary but not ICS-specific protocols. This is likely because security testing tools exist for generic IT protocols; there is still a lack of tools for assisting testers in ICS-specific testing. Vendors and researchers should increase focus on control systems protocol issues and development of ICS protocol testing tools.
  11. Dragos creates ICS threat intelligence from a mix of public and private sources and conveys it to our customers via reports and IOCs.
  12. I will focus on four areas of the ICS threat landscape: activity groups, non-ICS-specific targeting malware, midpoint network access, and supply chain infiltration.
  13. Dragos categorizes behavior by "activity group," which is fundamentally a collection of observable elements that include an adversary's methods of operation, the infrastructure used to execute actions, and the targets they focus on. We currently publicly label eight ICS-focused activity groups and track more unlabeled activity of interest. In 2017, we identified 5 groups. In 2018, we added 3 more: XENOTIME, ALLANITE, and RASPITE. At a high level: RASPITE is linked to newly identified behavior targeting US electric utilities. ALLANITE also targets electric utilities in the US, in addition to the UK. XENOTIME, the activity group associated with TRISIS, expanded its operations beyond the Middle East; also concerning here are compromises of ICS vendors beyond Triconex by activity associated with XENOTIME. MAGNALLIUM: victimology expanded to additional targets, including entities in Europe and North America. Uses phishing emails purporting to be job advertisements relating to oil and gas companies to gain access to victims' machines. CHRYSENE: Dragos uncovered multiple samples of CHRYSENE-related malware and other activity, indicating the group remains active and is evolving in more than one area, including revising and updating its malicious software toolkit. CHRYSENE aims to evade existing anti-virus and other detection mechanisms. DYMALLOY: Dragos identified multiple new malware infections matching DYMALLOY's behavior. This may indicate a potential resurgence of DYMALLOY activity, or a different entity leveraging similar toolsets. This is concerning; the malware Dragos recently identified as part of new activity is only associated with known intrusions into ICS networks.
  14. XENOTIME, the activity group associated with TRISIS, expanded its operations beyond the Middle East and now into the US. Also concerning here is that in 2018 Dragos identified several compromises of ICS vendors and manufacturers, beyond the Triconex system, by activity associated with XENOTIME.
  15. Numerous campaigns leveraged one of several automated mechanisms to spread: an exploit for WannaCry, credential capture and reuse for NotPetya, and self-propagating first-stage malware to deliver Ryuk. This remains a continuing threat. In August 2018, an operational error during software installation at Taiwan Semiconductor Manufacturing Company caused a WannaCry infection and affected over 10,000 machines, leading to a financial impact of at least $250 million. Olympic Destroyer, the malware known for causing a network disruption during the PyeongChang 2018 Winter Olympic Games, represented another IT-focused malware with the potential to bridge the IT-ICS gap. Although not an immediate threat to ICS networks, Olympic Destroyer provides an example of exploit-less propagation within a victim network paired with a disruptive effect that could cause significant disruption in ICS environments. In 2019, we saw a new type of ransomware called LockerGoga that impacted operations at multiple ICS-related entities. The infection spread in a new way: by compromising the Microsoft Active Directory service and pushing malicious software to hosts connected to the AD via a Group Policy Object (GPO).
  16. In May, researchers identified malware targeting small office/home office (SOHO) network devices and some commercial equipment that harvested information, stole credentials, and could cause a denial of service. While this malware does not appear to be targeted towards ICS, a Ukrainian chemical plant reportedly identified the malware on its network. The malware alone does not have destructive capabilities; however, the information gathered could lead to a damaging attack. Unfortunately, Dragos assessments occasionally identify SOHO-type equipment in ICS environments as part of "shadow IT" operations. Ensuring a complete and accurate inventory of network devices will aid ICS asset owners and defenders in determining if such equipment is present. Furthermore, such equipment should never be Internet accessible; however, if one is partaking in "shadow IT" operations, an inappropriate or insecure installation is highly probable, with the corresponding possibility of Internet connectivity.
  17. Third-party access to OT networks is a common and necessary component of modern operations. However, when access is granted to vendors and others, it can also expose an asset operator to significant risk. Third-party or supply chain compromise leverages explicit trust between parties and bypasses a large part of the security stack to gain access to a target. Other significant activity of interest involves the compromise of legitimate websites, enabling exploitation and access of networks when engineers and operators access these sites or download legitimate-looking software (e.g., ICS watering holes). Activity groups including DYMALLOY and ALLANITE use this method. Further underscoring the potential for third-party infections, the Department of Justice in December indicted alleged members of the APT10 hacking group in part for accessing companies' Managed Service Providers (MSPs) to gain access into primary victim networks to steal sensitive information. Additionally, in 2019 we saw the ShadowHammer hacking operation, which compromised an ASUS update server and pushed out malicious updates.
  18. Organizations can lower their risk profiles and proactively protect against common attack techniques by performing security best practices: implement proper security hygiene and the principle of least privilege based on a deep knowledge of the environment. Defending against a dynamic threat landscape requires adopting a "Whole of Kill Chain" approach, keying in on adversary behaviors from the initial intrusions through second-stage impacts. Defenders can use a mix of modern threat detection strategies, including indicator- or behavior-based methods, or approaches relying on modeling and configuration. Identifying patterns in behavior and malicious activity, alongside static operations, can help improve identification of malicious activity within the environment. Threat Behavior Analytics (TBAs) help define activity groups, providing analytic identifiers that allow defenders to detect malicious behavior. ICS threat intelligence can give asset owners and operators actionable information to anticipate and defend against threats by providing visibility into the current landscape, trends, and targeting. Threat intelligence combines information from various sources and expert assessments to form conclusions that decision-makers can use to implement vertical-specific controls that result in effective security postures.
  19. Lastly, let's jump into threat hunting and response.
  20. The Dragos Threat Operations Center (TOC) provides a synopsis of lessons learned in 2018 while proactively hunting for adversaries in industrial environments and responding to industrial intrusions among the oil and gas, electric, advanced manufacturing, water, mining, and transportation industries.
  21. 20% of Dragos engagements were responsive (rapid response and IR retainers leveraged for an incident). These engagements were launched due to suspicion or confirmation that an active compromise was underway and response assistance was requested. 80% were proactive (assessments, tabletop exercises, MDR, and IR retainers that were not leveraged for an incident). These engagements were launched with no indication or prior suspicion that the network was compromised. Why this is important: it validates the threat of ICS network compromise, while also showing a proactive trend in industries' desire to improve and learn more about their environment and defenses.
  22. Dragos' engagement types throughout 2018 demonstrate the industry is focused on hunting for adversary tradecraft and is also focused on increasing knowledge of their own networks. The allocation of engagement types demonstrates a wide gap in maturity; we're encouraged by the increasing number of organizations aiming to strengthen defensibility. Communities are sharing information about what works and what doesn't. Verticals are getting better, and networks are becoming more defensible due to a proactive stance. Areas of improvement: formalizing threat hunting (proactive) procedures; identifying gaps in collection using a CMF (Collection Management Framework); preparation and action planning for IR events in ICS networks.
  23. Adversaries are 'living off the land' with dwell times over a year in many cases. Proactive assessments help detect unknown threats and gaps in collection & detection. IR plans should be "battle ready" and tested often.
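The impact/likelihood classification from notes 8 and 9, combined with the insecure-by-design caveat from note 7, worked through as an advisory triage over constructed records. This is an added example, not Dragos code or tooling; its field names, the priority weighting, and the encoding of "insecure-by-design" as a control-core component at Purdue Level 2 or below are assumptions.

```python
"""Triage ICS vulnerability advisories by impact, likelihood and design.

Added example, not Dragos code: impact as loss of view/control (note 8),
likelihood from Purdue position rather than CVSS (note 9), and the
insecure-by-design caveat (note 7). Fields, weighting and records are constructed.
"""
from collections import Counter
from dataclasses import dataclass

ICS_PROTOCOLS = {"modbus", "dnp3", "s7comm", "profinet"}  # vs generic http/ftp (note 6)
CONTROL_CORE = {"hmi", "ews", "plc", "rtu"}  # core of a traditional control network (note 8)


@dataclass(frozen=True)
class Advisory:
    ident: str                      # constructed placeholder such as "ADV-0001"
    component: str                  # historian, firewall, switch, hmi, ews, plc, rtu
    purdue_level: int               # 1..4, where the affected asset sits
    cross_connects: bool            # network device bridging several networks
    requires_existing_access: bool  # False if usable to gain initial access
    protocol: str                   # service exposing the flaw, "local" if none
    loss_of_view: bool
    loss_of_control: bool


def likelihood(adv):
    """Note 9: likelihood follows network location, with the attack path
    assumed to start in the enterprise network."""
    if adv.cross_connects:
        return "Medium"  # joins several networks, managed from one of them
    if adv.purdue_level >= 3:
        return "High"    # perimeter- or internet-connected, reachable from IT
    return "Low" if adv.purdue_level == 2 else "None"  # control net vs field


def impact(adv):
    """Note 8: loss of view, loss of control, both, or neither."""
    if adv.loss_of_view and adv.loss_of_control:
        return "view+control"
    if adv.loss_of_view:
        return "view"
    return "control" if adv.loss_of_control else "none"


def insecure_by_design(adv):
    """Note 7, encoded as an assumption: a flaw in a control-core component at
    Level 2 or below is only reachable from a position that can already send
    legitimate unauthenticated protocol commands, so patching barely helps."""
    return adv.component in CONTROL_CORE and adv.purdue_level <= 2


def patch_priority(adv):
    """0 = patch first, 1 = next maintenance window, 2 = track only.
    The weighting is this example's assumption, not a Dragos rule."""
    if insecure_by_design(adv):
        return 2
    if likelihood(adv) == "High" and not adv.requires_existing_access:
        return 0
    if likelihood(adv) in ("High", "Medium") or impact(adv) == "view+control":
        return 1
    return 2


def triage(advs):
    """Group advisory ids by patch priority."""
    groups = {0: [], 1: [], 2: []}
    for adv in advs:
        groups[patch_priority(adv)].append(adv.ident)
    return groups


def summarize(advs):
    """Deck-style statistics (whole percentages) over a set of advisories."""
    network = [a for a in advs if a.protocol != "local"]
    def pct(part, whole):
        return round(100 * part / whole) if whole else 0
    return {
        "initial_access_pct": pct(sum(not a.requires_existing_access for a in advs), len(advs)),
        "insecure_by_design_pct": pct(sum(insecure_by_design(a) for a in advs), len(advs)),
        "ics_protocol_pct_of_network": pct(sum(a.protocol in ICS_PROTOCOLS for a in network), len(network)),
        "likelihood": dict(Counter(likelihood(a) for a in advs)),
    }


# Constructed sample advisories; ids and details are placeholders, not real CVEs.
SAMPLE = [
    Advisory("ADV-0001", "historian", 3, False, False, "http", True, False),
    Advisory("ADV-0002", "firewall", 3, True, False, "https", False, False),
    Advisory("ADV-0003", "switch", 2, True, True, "snmp", False, False),
    Advisory("ADV-0004", "hmi", 2, False, True, "http", True, True),
    Advisory("ADV-0005", "ews", 2, False, True, "local", True, True),
    Advisory("ADV-0006", "plc", 1, False, True, "modbus", True, True),
    Advisory("ADV-0007", "rtu", 1, False, True, "dnp3", False, True),
    Advisory("ADV-0008", "historian", 4, False, True, "sql", True, False),
]
```

Running `triage(SAMPLE)` puts only the initial-access historian bug in the patch-first group and parks the four control-core advisories as track-only, which is the deck's point that a CVSS-driven patch queue would order these very differently.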