Purple Teaming ICS Networks
•Download as PPTX, PDF•
1 like•3,549 views
Austin Scott, Principal ICS Security Analyst, presents the role of purple teaming in ICS environments at DEFCON 2019.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Purple Teaming ICS Networks
Similar to Purple Teaming ICS Networks (20)
More from Dragos, Inc.
More from Dragos, Inc. (13)
Recently uploaded
Recently uploaded (20)
Purple Teaming ICS Networks
- 1. Purple TeamingICSNetworks Austin Scott (GICSP, CISSP, OSCP) Dragos Threat Operation Center Principal
- 2. Agenda 01 DEFINITIONS ICSassessmenttypes 02 ICSSpecificChallenges Howto safelyassessanICSnetwork 03 StoryTime A tale of twoICSassessments
- 4. White-Box, Grey-Box, Black-Box Testing All information is provided up front Someinformation is provided up front Zero information is provided up front
- 5. ICS Assessment Types ICSVulnerability Assessment Apassivereviewofdocumentationandopportunistic samplingofrawdata (networkcapture,host information)toidentifyvulnerabilitiesandpotential impact,oralignmenttoa setofstandardsacrossthe ICSnetwork(s). ICSPenetration Test AWhiteboxorGreyboxactiveassessmentwhere systems(devices,controls,configurations,protocols) aretestedtoidentifyvulnerabilities,exploitation potential,andsecuritycontroleffectivenesstypically workingwiththeBlueTeam. ICSRed Team ABlackboxadversarysimulationassessmentwhere weevaluatetheexploitationpotential,detection capabilityandsecuritycontroleffectivenesswhen attacking a predeterminedtargetorobjective.
- 6. ICS Purple Teaming Red Team + Blue Team = PurpleTeam Cybersecurity Team, Engineering Team, Site Operations Team
- 7. ICS Purple Team: Role of the Blue Team • Provide pertinent information which can help the to progress through the network quickly and efficiently
- 8. ICS Purple Team: Role of the Red Team • Communicate enumerations, attacks, network pivots and privilege escalations • Assist the Blue Team in troubleshooting detection
- 9. ICS Assessment Specific Challenges Safety& Reliability Communication Specialized Cultural Dangerous environments thatrequirea culture of safety and have zerotolerance fordowntime. Operators want toknow exactly what you aredoing, when you aredoing it and have theoption to shut it all down. Each ICSenvironment is unique with its own technologies and challenges. Engineering, Process Control, IT,Cybersecurity and trust issues. !?
- 10. Performing ICS assessments with the plant operator standing over your shoulder
- 11. A Tale of Two ICS Assessments The Red Teaming Assessment The Purple TeamingAssessment • EnergyCompany • 24/7SOC,SIEM,EndPoint,ICSNetworkMonitoring • Objective: Pivotinto anyICS network(thereweredozens) • EnergyCompany • Completed a multi-year cybersecurity program • Objective: Pivot to specific ICS network
- 12. Red Team Assessment 01 FOOTHOLD Corporate Network 02 ESCALATION Open File Share 03 PIVOT SSHTunnel 04 PIVOT Credential Reuse 05 SUCCESS ICS Network
- 13. Purple Team Assessment 01 FOOTHOLD Mousejack 02 ESCALATION LAPS 03 ESCALATION BackupService 04 PIVOT AD VM 05 FAILURE Only1 Port Open
- 14. The Purple Team Advantage 01 Low Chanceof Impacting Safety or Reliability 02 03 Testingand Tweaking Detectionsin Realtime Leveraged OT and IT Team Knowledge
- 15. Purple Teaming and the ICS Specific Challenges Safety& Reliability Communication Specialized Cultural Engineering and operations areactively involved which reduced theoverall risk. Ongoing opencommunications with operations teamand daily update calls. Working with operators and engineers who understand thetechnologies and site specific architecture. Building trustacross theteamsastheycollaborate openly towardsa common goal ofcyber risk reduction. !?
- 16. Thank you! Austin Scott (GICSP, CISSP, OSCP) Dragos Threat Operation Center Principal
Editor's Notes
- In ICS, the capabilities of the Blue team can vary wildly depending on the level of maturity of the organization. Some customers we work with are able to detect our attacks in real-time and we work with them to fine-tune their ICS detection capabilities. Other customers lack capabilities and are interested in finding as many problems as possible in an effort to secure remediation budget. These teams often join our red team and help provide insider information to maximize our findings. At the very least, constant communication with the customer about what activities are going on and setting the expectation up front that they will be part of the assessment and critical to its success is very important. Customers (usually) understand their network far better than we possibly could within the span of a 1-week engagement, so recruiting them into your penetration testing team is very important. Customers enjoy the experience of taking an adversarial view of their own network and the opportunity to learn from ICS penetration testing experts. Building trust and a stronger customer relationship is often a byproduct of assessment work. In my presentation, I will share some stories about our experience performing assessments and penetration tests against the ICS networks of fortune 500 companies (names have been changed to protect the innocent) and empathize the importance of a collaborative approach to ICS assessments rather than an adversarial one.
- Dragos is a US-based software products company – We have a solution called the Dragos Platform which provides passive monitoring and visibility into ICS networks. Our product secret sauce is its Threat Based analytics which are curated by our Dragos Worldview Item team and its Playbooks which provide guidance and a step by step triage methodology when ICS specific threats are detected. Austin Scott, (GICSP, CISSP, OSCP) is a Principal in the Dragos Threat Operations Center (TOC) team and is focused on performing assessments, penetration tests and red teams within industrial control networks. Prior to Dragos, Austin worked as part of the industrial cybersecurity team at Sempra and as an industrial cybersecurity consultant at Accenture. Austin is a published author with two books on PLC Programming: Learning RSLogix 5000 – PACKT Publishing - ISBN 9781784396039 - 2015 PLC Programming RSLogix 5000 - PACKT Publishing - ISBN 1849698449 – 2013 Austin is a SANS Cybersecurity Difference Maker (2015) winner for his industrial cybersecurity contributions. In August 2018, Austin and his teammate won the DEFCON ICS Village HACK THE PLAN(3)T competition and were awarded the DEFCON UBER black badge. The Dragos platform incorporates the intelligence from Dragos WorldView – ICS threat intelligence, and the Dragos Threat Operations Center - ICS threat hunting, assessments, incident response and hands-on training - so that the ICS security teams have access to the ongoing intelligence and latest experience of the Dragos team.
- Cybersecurity assessment types are typically categorized in shades of boxes. White being all the data is shared prior to or during the assessment. Black being none of the data is shared prior to or during the assessment. Grey-box testing simulates an activity groups that has access to an environment for an extended amount of time. This is typically referred to as an activity group’s dwell time in an environment.
- An ICS assessment is a passive review of documentation and sampling of raw data (network capture, host information) to identify vulnerabilities and potential impact, or alignment to a set of standards across the ICS network(s). An ICS Penetration test is a Whitebox or Greybox, Active assessment where systems (devices, controls, configurations, protocols) are tested to identify vulnerabilities, exploitation potential, and security control effectiveness. An ICS red team is a Blackbox adversary simulation assessment where we evaluate the exploitation potential, detection capability and security control effectiveness when attacking a predetermined target or objective. Blue Team – Network Defenders monitor SIEMs, ICS visibility tools
- An ICS Purple Team is a collaborative assessment between the Red Team and the Blue Team rather than an adversarial assessment. It is important to note that the ICS Blue Team is comprised of not just the ICS cybersecurity team in (if one exists) but often involves the site Operations team, Engineering team and IT team. It is nearly impossible to book all of these resources for an entire week long or multiweek engagement, but it is sufficient to have them available at critical times or on call during the assessment. Is Purple Teaming Cheating? Some might argue that Purple Teaming is cheating a bit. Providing information that may or may not be available to an attacker does give the Red Team an advantage and does take some of the sport out of the exercise. However, there are often situations where a customer does not necessarily want the Red Team to produce many critical findings. For example, after completing a multi-year or multi-million dollar cybersecurity upgrade, the blue team may be looking for a way to show senior leadership a return on their investment. In my opinion, the ultimate goal of any cybersecurity assessment should be maximizing cyber risk reduction. If all parties involved are not working toward that common goal, I would consider that to be a lost opportunity to reduce cyber risk.
- The Blue Team assists the Red Team with pertinent information which can help the to progress through the network quickly and efficiently. This information could take an activity group weeks or months to figure out on their own but is provided to the Red Team on the spot as required.
- The Red Team assists the Blue Team in communicating the enumerations, attacks, network pivots and privilege escalations in real-time. Furthermore the Red Team can assist the Blue Team in fine-tuning and troubleshooting their detection mechanisms by making recommendations for detection improvements and running the attacks multiple times.
- ICS Safety and Reliability Safety & Reliability is of paramount importance within ICS environments. Quite often there is a strong safety culture that within ICS environments that must be aligned with. Any behavior that is considered to be unsafe can get a contractor barred for life from a site. Safety infractions can include: Improper Personal Protective Equipment (PPE) for the area you are working (Safety glasses, H2S sensors, Steel Toed boots) Not having the required safety training (H2S alive, Confined Space training, First Aid) to access a site Wondering into restricted areas Taking photos (as fire eye sensors can be triggered by a camera flash) without permission Taking your phone or electronics in a Class I, Division 1 area (an area where ignitable concentrations of flammable gases exist) Not holding hand rails when ascending or descending stairs Touching industrial equipment without the authorization of the site Operators (touching ANYTHING without permission really). Speeding in parking lots or site access areas The site operations team and engineering team are very sensitive to the reliability of the system. Putting an ICS system into an unknown or unrecoverable state can be: Dangerous to the people at the site Damaging to equipment Can cause costly outages (each hour of downtime is sometimes measured in millions of dollars) Performing any action that even has a remote possibility of tripping the process is out of the question. Most sites we work in do not allow us to introduce any packets into the ICS Perdue Level 1 or Level 2 network. We have alternative “Passive” methods of effectively collecting and reporting on data in critical ICS network. We will use “Active” methods opportunistically if we can guarantee the running process will not be impacted and have explicit permission from the site operations team. If testing ICS Networks is so darn risky, why do it at all? We perform assessment on ICS network because Activity Groups are actively targeting them. It does require, careful planning, experience working in these environments and constant communicate to be successful in these engagements. Sometimes we can find ways of mitigating risk such as: Testing in a lab / training environment where possible Setting up a test environment or virtualized environment Testing during an outage when possible ICS Specialized Equipment There are plenty of proprietary protocols, engineering tools, wireless and OT technologies that are unique to ICS. It is critical for the Red Team to understand these technologies and the risk they could pose to the operating assets and the company as a whole. During our assessment, we will work with the Operations and Engineering team to identify the crown jewel assets of a site. A Crown Jewel assets is a piece of equipment that is of critical importance to the safety, reliability or profitability of the site. For example at an oil and gas site, if there was a critical vulnerability at a Disposal Well, the operations team is not likely to care as much as if there was a critical vulnerability at their Custody Transfer Metering Systems. Communication is critical during an ICS assessment
- Reliability of the system – Requires careful planning and communication. Test in a lab environment where possible Test up to the ICS environment Use more passive methods for information gathering / test offline where possible. Specialized: Proprietary protocols, engineering tools, wireless and OT technologies. Why would you do it if its so risky? Because the adversary groups are targeting those environments.
- Some in the cybersecurity industry refer to this as Purple Teaming (Red team + Blue team = Purple team). In ICS, the capabilities of the Blue team can vary wildly depending on the level of maturity of the organization. Some customers we work with are able to detect our attacks in real-time and we work with them to fine-tune their ICS detection capabilities. Other customers lack capabilities and are interested in finding as many problems as possible in an effort to secure remediation budget. These teams often join our red team and help provide insider information to maximize our findings. At the very least, constant communication with the customer about what activities are going on and setting the expectation up front that they will be part of the assessment and critical to its success is very important. Customers (usually) understand their network far better than we possibly could within the span of a 1-week engagement, so recruiting them into your penetration testing team is very important. Customers enjoy the experience of taking an adversarial view of their own network and the opportunity to learn from ICS penetration testing experts. Building trust and a stronger customer relationship is often a byproduct of assessment work. In my presentation, I will share some stories about our experience performing assessments and penetration tests against the ICS networks of fortune 500 companies (names have been changed to protect the innocent) and empathize the importance of a collaborative approach to ICS assessments rather than an adversarial one.