#RSAC
SESSION ID:
Spelunking Through the Steps of a Control System Hack
SBX4-XIL6
Tom VanNorman
Co-Founder
ICS Village
@ICS_Village
Dan Gunter
CEO & Founder
Insane Forensics
@insaneforensics
#RSAC
Tom VanNorman
Tom VanNorman has an extensive background in industrial controls and enjoys getting into
the field and making things work. Prior to joining GRIMM Tom held various roles all focused
on the operation, engineering and security of industrial control systems.
Tom started his career in the U.S. Air Force, eventually retiring with a total of 24 years
between Active Duty, Reserves and Air Guard. He spent the last half of his service serving on a
National Mission Team in a Cyber Operations Squadron. In addition to GRIMM, Tom is the co-
founder of the ICS Village and consults with SANS on the construction and operation of Cyber
Ranges. The ICS Village is a non-profit educational organization that equips industry and
policymakers to better defend industrial equipment through experiential awareness,
education, and training.
Tom calls the Lehigh Valley Pennsylvania home with his six kids. In his spare time, he enjoys
outdoor activities and riding motorcycles.
#RSAC
Dan Gunter
Dan Gunter is the founder and CEO of Insane Forensics, a San Antonio, Texas-based
technology company that provides a digital Forensics-as-a-Service platform for forward, at-home investigations, as well as tailored forensics services. Prior to Insane Forensics, Dan was
an early employee at Dragos, an industrial cybersecurity startup, where he established and
served as Director of Research and Development and as one of the first principal analysts
executing and advising on threat hunting in power, oil & gas, mining, and other critical
infrastructure environments. Before Dragos, Dan served as an officer in the United States Air
Force with a variety of offensive and defensive roles across DoD.
Education:
Graduate Certificate, Incident Response, SANS Institute
Master of Science, Computer Science, Univ of Louisville
Bachelor of Science, Computer Science, Baylor
Certifications:
SANS: GREM, GNFA, GCFA, GCIA, GCIH, GSEC
ISC2: CISSP
EC-Council: CEH
CompTIA: Sec+
Training:
MIT Innovation Leadership Bootcamp
Graduate, DoD Computer Network Operations Development Program
Distinguished Graduate, AFRL Rome ACE Cybersecurity Bootcamp
Publications:
SANS: A Practical Model for Conducting Cyber Threat Hunting
SANS: Hunting with Rigor: Quantifying the Breadth, Depth and
Threat Intelligence Coverage of a Threat Hunt in Industrial Control
System Environments
#RSAC
You are an on-call industrial cybersecurity professional. And your work phone starts ringing.
#RSAC
#RSAC
We’ve Observed Impact, But What Exactly Happened?
#RSAC
Only Default Host Logging Available But Do Have Network Monitoring
#RSAC
Let’s Dive In And Troubleshoot Our Process Starting with the HMI
(Diagram: the HMI controls PLCs over s7comm, modbus and ENIP; each link is labeled "Controlled")
#RSAC
Modeling Modbus and EthernetIP Traffic Showed a Significant Reduction in Traffic During Event
#RSAC
Spikes in Modbus and ENIP Traffic Before Steep Dive Appear between Three IP Addresses
#RSAC
Context of Three IP Addresses
192.168.100.100 (HMI) 192.168.100.50 (Micrologix PLC) 192.168.100.20 (Axc 1050 PLC)
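The traffic modeling on the preceding slides (a spike in Modbus and ENIP traffic followed by a steep drop, concentrated on three addresses) can be reproduced on per-minute packet counts. The following is an added example and is not code from the talk or from either speaker's tooling: the packet counts, the fourth PLC address 192.168.100.30, the eight-minute baseline window and the spike/drop thresholds are all constructed assumptions; only the HMI (192.168.100.100), the Micrologix PLC (.50) and the Axc 1050 PLC (.20) come from the slides.

```python
"""Flag a 'spike then steep drop' in per-minute ICS protocol traffic between
HMI/PLC flows, modelled against a baseline window. Added example; not the
presenters' code."""
from statistics import mean, pstdev

# Constructed sample: packets per minute for each (src, dst, protocol) flow
# over 12 minutes. Minutes 0-7 are steady polling; minute 8 spikes and
# minutes 9-11 collapse for the two flows the slides single out. The third
# flow (to the assumed address .30) is a flat control series.
TRAFFIC = {
    ("192.168.100.100", "192.168.100.50", "modbus"): [40, 42, 41, 39, 40, 43, 41, 40, 260, 4, 3, 5],
    ("192.168.100.100", "192.168.100.20", "enip"):   [55, 54, 56, 55, 53, 57, 55, 54, 310, 6, 5, 6],
    ("192.168.100.100", "192.168.100.30", "s7comm"): [30, 31, 29, 30, 30, 32, 31, 30, 30, 31, 30, 29],
}


def baseline_stats(series, n):
    """Mean and population std-dev of the first n minutes (the baseline)."""
    window = series[:n]
    return mean(window), pstdev(window)


def find_spike_then_drop(series, baseline_len=8, spike_z=4.0, drop_ratio=0.25):
    """Return (spike_minute, drop_minute) for the first minute above
    mean + spike_z*std that is later followed by a minute below
    drop_ratio*mean, or None. A drop with no preceding spike (for example a
    PLC simply going offline) is deliberately not matched here; that belongs
    in a separate rule."""
    mu, sigma = baseline_stats(series, baseline_len)
    sigma = max(sigma, 1.0)  # floor: a perfectly flat baseline must still need a real jump
    spike_at = None
    for i in range(baseline_len, len(series)):
        v = series[i]
        if spike_at is None:
            if v > mu + spike_z * sigma:
                spike_at = i
        elif v < drop_ratio * mu:
            return spike_at, i
    return None


def suspicious_flows(traffic, **thresholds):
    """Map each flagged (src, dst, proto) flow to its (spike, drop) minutes."""
    found = {}
    for flow, series in traffic.items():
        hit = find_spike_then_drop(series, **thresholds)
        if hit is not None:
            found[flow] = hit
    return found


def involved_hosts(flows):
    """Distinct IP addresses taking part in the flagged flows, sorted."""
    return sorted({ip for src, dst, _ in flows for ip in (src, dst)})


if __name__ == "__main__":
    flagged = suspicious_flows(TRAFFIC)
    for (src, dst, proto), (spike, drop) in flagged.items():
        print(f"{proto:7s} {src} -> {dst}: spike at minute {spike}, collapse at minute {drop}")
    print("hosts involved:", ", ".join(involved_hosts(flagged)))
```

The baseline length and thresholds are tuned to the constructed data; on a real network the baseline should cover at least one full polling cycle per protocol, and the drop rule should be run separately so that a PLC outage without a preceding spike is still surfaced.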
#RSAC
T0831 - Manipulation of Control
Objective
Adversaries may manipulate physical process
control within the industrial environment.
Methods of manipulating control can include
changes to set point values, tags, or other
parameters.
Adversaries may manipulate control systems
devices or possibly leverage their own, to
communicate with and command physical
control processes.
The duration of manipulation may be
temporary or longer sustained, depending on
operator detection.
Source: https://collaborate.mitre.org/attackics/index.php/Technique/T0831
Known Attackers
Sandworm/Electrum
– Ukraine 2015 & Ukraine 2016
Equation
– Stuxnet
#RSAC
Evolution of Attack
??? -> T0831 (ICS ATT&CK) Manipulation of Control
#RSAC
Something Happened on the HMI That Changed HMI to PLC Comms, But What Caused it?
#RSAC
Traffic to the HMI During Timeframe Included Spikes in TLS and Port 3389 Traffic
#RSAC
Windows Event Logs Show Spike in Network Access Logins From 192.168.100.23 Before Event
#RSAC
Windows Event Logs Show Successful Login From 192.168.100.23 At Time of Event
(Screenshot of the Event ID 4624 log entry, with the Username and Source IP fields highlighted)
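The two Windows Event Log slides above describe a burst of network logons from 192.168.100.23 followed by a successful login from the same address at the time of the event. The following is an added example, not code from the talk or from either speaker's tooling, that hunts for exactly that pattern in Event ID 4624 records. The log lines are constructed for the example in a flat "timestamp key=value" layout rather than a real Windows export; the user names, the timestamps, the burst threshold and the ten-minute look-ahead are assumptions, and only the source address 192.168.100.23 and the event ID come from the slides.

```python
"""Hunt Windows Security 4624 (successful logon) records for a source IP that
produces a burst of Network logons (LogonType 3) and then a RemoteInteractive
(LogonType 10, i.e. RDP) logon shortly after. Added example; not the
presenters' code."""
from collections import Counter
from datetime import datetime, timedelta

NETWORK_LOGON = 3         # LogonType 3: network logon (SMB, RPC, WinRM, ...)
REMOTE_INTERACTIVE = 10   # LogonType 10: RDP / Terminal Services

# Constructed sample of the HMI's Security log, one event per line.
# 192.168.100.23 bursts with network logons at 09:08, then logs on over RDP
# at 09:11:52. The 4625 line is a failed logon and must be ignored.
SAMPLE_4624 = """\
2021-04-29T09:02:11Z EventID=4624 TargetUserName=operator LogonType=2 IpAddress=-
2021-04-29T09:05:40Z EventID=4624 TargetUserName=svc_hist LogonType=3 IpAddress=192.168.100.10
2021-04-29T09:08:01Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:08:03Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:08:04Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:08:06Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:08:09Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:08:12Z EventID=4624 TargetUserName=operator LogonType=3 IpAddress=192.168.100.23
2021-04-29T09:10:40Z EventID=4624 TargetUserName=svc_hist LogonType=3 IpAddress=192.168.100.10
2021-04-29T09:11:52Z EventID=4624 TargetUserName=operator LogonType=10 IpAddress=192.168.100.23
2021-04-29T09:40:00Z EventID=4625 TargetUserName=guest LogonType=3 IpAddress=192.168.100.77
"""


def parse_4624(text):
    """Parse the constructed 'timestamp key=value ...' lines; keep only 4624."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("EventID") != "4624":
            continue
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields.get("TargetUserName", ""),
            "logon_type": int(fields.get("LogonType", "0")),
            "ip": fields.get("IpAddress", "-"),
        })
    return events


def network_logon_bursts(events, threshold=5):
    """(ip, minute, count) for every remote source IP that produced at least
    `threshold` network logons within one clock minute. Local logons
    (IpAddress '-') are excluded."""
    per_minute = Counter()
    for e in events:
        if e["logon_type"] == NETWORK_LOGON and e["ip"] != "-":
            per_minute[(e["ip"], e["ts"].replace(second=0))] += 1
    return sorted((ip, minute, n) for (ip, minute), n in per_minute.items() if n >= threshold)


def rdp_logons_following_burst(events, bursts, lookahead=timedelta(minutes=10)):
    """RemoteInteractive (RDP) logons from a bursting source IP within
    `lookahead` of the burst minute: the 'successful login at time of event'."""
    hits = set()
    for ip, minute, _ in bursts:
        for e in events:
            if (e["logon_type"] == REMOTE_INTERACTIVE and e["ip"] == ip
                    and minute <= e["ts"] <= minute + lookahead):
                hits.add((e["ts"], e["user"], ip))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_4624(SAMPLE_4624)
    bursts = network_logon_bursts(evs)
    for ip, minute, n in bursts:
        print(f"burst: {n} network logons from {ip} in minute starting {minute:%H:%M}")
    for ts, user, ip in rdp_logons_following_burst(evs, bursts):
        print(f"RDP logon from {ip} as {user} at {ts:%H:%M:%S} (LogonType 10)")
```

On a real host the same logic runs over Security.evtx exported to a structured form (the EventData fields TargetUserName, LogonType and IpAddress carry exactly these values); the burst threshold should be set from the HMI's own normal service-account activity so that polling by historians or backup agents does not trip it.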
#RSAC
T1021.001 – Remote Services: Remote Desktop Protocol
Objective
Adversaries may use Valid Accounts to log into a computer
using the Remote Desktop Protocol (RDP). The adversary
may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It
allows a user to log into an interactive session with a system
desktop graphical user interface on a remote system.
Microsoft refers to its implementation of the Remote
Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Adversaries may connect to a remote system over RDP/RDS
to expand access if the service is enabled and allows access
to accounts with known credentials. Adversaries will likely
use Credential Access techniques to acquire credentials to
use with RDP. Adversaries may also use RDP in conjunction
with the Accessibility Features technique for Persistence.
Source: https://attack.mitre.org/techniques/T1021/001/
Known Attackers
APT1
APT3
APT39
APT41
APT40/Leviathan
Lazarus Group
OilRig
#RSAC
Evolution of Attack
??? -> T1021.001 RDP Lateral Movement -> T0831 (ICS ATT&CK) Manipulation of Control
#RSAC
What Happened on 192.168.100.23 At the Time of the Event
#RSAC
Remote Access Solution Logs Show New Participants Joining
2021/04/29 09:11:53.478 736 25492 G1 VoIP: Sender: Session 1513804143: VoIP streams: Participant added: "Chrome (XXX XXX XXX)" [968607818,976214507]
#RSAC
T1219 – Remote Access Software
Objective
An adversary may use legitimate desktop support and remote
access software, such as Team Viewer, Go2Assist, LogMein,
AmmyyAdmin, etc, to establish an interactive command and
control channel to target systems within networks. These
services are commonly used as legitimate technical support
software, and may be allowed by application control within a
target environment. Remote access tools like VNC, Ammyy, and
Teamviewer are used frequently when compared with other
legitimate software commonly used by adversaries.
Remote access tools may be established and used post-
compromise as alternate communications channel for redundant
access or as a way to establish an interactive remote desktop
session with the target system. They may also be used as a
component of malware to establish a reverse connection or
back-connect to a service or adversary controlled system.
Admin tools such as TeamViewer have been used by several
groups targeting institutions in countries of interest to the
Russian state and criminal campaigns.
Source: https://attack.mitre.org/techniques/T1219/
Known Attackers
Sandworm Team/Electrum
– Ukraine 2015
Kimsuky
– Korea Hydro & Nuclear Power
Carbanak
#RSAC
Evolution of Attack
??? -> T1219 Leverage Remote Access Software -> T1021.001 RDP Lateral Movement -> T0831 (ICS ATT&CK) Manipulation of Control
#RSAC
We Know Attackers Used Remote Access Software To Access the HMI. But How Did They Gain Initial Access?
#RSAC
HTTPS/TLS Traffic Seen To Suspicious Domain
#RSAC
Attacker Spear Phished User To Gain Initial Access and Took Screenshot that Included Remote Access Creds
(Screenshot: the remote access tool's Access ID and Password are visible on screen)
#RSAC
The Spearphishing Campaign Simulated the Following MITRE ATT&CK Tactics & Techniques
#RSAC
T1566.002 – Phishing: Spearphishing Link
Objective
Adversaries may send spearphishing emails with a malicious link in an
attempt to gain access to victim systems. Spearphishing with a link is a
specific variant of spearphishing. It differs from other forms of
spearphishing in that it uses a link to deliver the malicious content
instead of attaching a malicious file to the email itself, to avoid
defenses that inspect email attachments. All forms of spearphishing are
electronically delivered social engineering targeted at a specific
individual, company, or industry. The links are generally accompanied by
social engineering text and require the user to actively click, or to copy
and paste the URL into a browser, leveraging User Execution.
Source: https://attack.mitre.org/techniques/T1566/002/
Known Attackers
APT1
APT28
APT29
APT32
APT33
APT39
Dragonfly 2.0
Leviathan/APT40
OilRig
#RSAC
T1113 – Screen Capture
Objective
Adversaries may attempt to take screen captures of the
desktop to gather information over the course of an
operation. Screen capturing functionality may be included as
a feature of a remote access tool used in post-compromise
operations. Taking a screenshot is also typically possible
through native utilities or API calls, such as CopyFromScreen,
xwd, or screencapture.
Source: https://attack.mitre.org/techniques/T1113/
Known Attackers
APT28
APT29
APT39
Dragonfly 2.0
OilRig
#RSAC
Evolution of Attack
T1566.002 Spearphishing Link (with T1113 Take Screenshot) -> T1219 Leverage Remote Access Software -> T1021.001 RDP Lateral Movement -> T0831 (ICS ATT&CK) Manipulation of Control
#RSAC
How Do We Prevent, Detect, and Respond to this Type of Scenario?
#RSAC
Four main questions from this incident
What happened?
What could have happened?
What did not happen?
What can be done to reduce the risk of this happening again?
#RSAC
What happened?
• An attacker successfully compromised a network using real-world TTPs.
• The attacker gained access to the Industrial Control System by discovering an HMI with Remote Desktop enabled and pivoting to that HMI.
• The attacker changed critical setpoints of the control system via the HMI.
• An intrusion did indeed happen and should not be taken lightly.
#RSAC
What could have happened?
• Nothing. Had the operator not opened the email, the intrusion would not have happened.
• Attacker could have deployed ransomware.
• Attacker could have destroyed files or caused a denial of service
condition.
• Attacker could have impacted health, life, safety, and quality
issues by changing setpoints on the HMI.
#RSAC
What did not happen?
• A lot.
• No loss of health, life, safety, or quality.
• While the process was not designed with cyber-physical security features, it was designed with industry practice in mind.
• Good Engineering Practices (GEP)
• Good Engineering Practice (GEP) consists of proven and accepted engineering methods, procedures, and practices that provide appropriate, cost-effective, and well-documented solutions that meet user requirements and comply with applicable regulations.
• Good Engineering Practices, Recognized And Generally Accepted Good Engineering Practices (RAGAGEP)
• The PSM Standard, 29 CFR 1910.119, directly references or implies the use of RAGAGEP.
#RSAC
What can be done to reduce the risk of this happening again?
• Let's take a look at what happened step by step
#RSAC
Defending Against The Attack
Technique: T0831 - Manipulation of Control
• What we saw: video of the effect on ICS equipment; a significant increase, then drop, in ICS protocol network traffic between the HMI and PLCs
• How to prevent: limit control traffic to/from essential zones; regularly audit and harden critical systems
• How to detect: validate industrial protocol monitoring depth; review retention strategy

Technique: T1021.001 – Remote Services: Remote Desktop Protocol
• What we saw: attacker pivoted from the entry point to the HMI with RDP
• How to prevent: audit the Remote Desktop Users group; limit RDP traffic to/from essential zones
• How to detect: monitor Windows Event 4624 records; profile user access behaviors across network and host logs

Technique: T1219 – Remote Access Software
• What we saw: attackers used remote access software for initial access
• How to prevent: monitor and limit the scope (where practical) of remote access; 2FA
• How to detect: audit remote access software network and host logs; look for secondary behavior (i.e. other attacker actions)

Technique: T1566.002 – Phishing: Spearphishing Link
• What we saw: initial access gained via spearphishing
• How to prevent: user awareness training
• How to detect: monitor outbound and inbound email traffic to OT zones; monitor for new and odd DNS/HTTP traffic; monitor user account usage for compromise

Technique: T1113 – Screen Capture
• What we saw: the screen capture contained remote access credentials used to access the network
• How to prevent: very challenging, since screen capture is a built-in feature
• How to detect: very challenging; monitoring the clipboard might help but does not scale; look for binaries with screenshot capabilities on the OT network
#RSAC
Make Sure You Can Observe Deep Enough Into the Process and Correlate Process and Security Data
#RSAC
Take-Aways
Immediate Action:
– Understand current defense collection and analysis scope
– Assess the strengths and improvement areas of your people, process &
technology balance
– Understand what you need to protect and how your process works
– Develop a relationship with the operations and engineering department
– Security training for all personnel
3 Months From Now:
– Improve collection and/or analysis scope to one more attack scenario
– Invest in additional people, process, or technology to improve your security
program
#RSAC
SESSION ID:
Thank You For Joining Us!
SBX4-XIL6
Tom VanNorman
Co-Founder
ICS Village
@ICS_Village
Dan Gunter
CEO & Founder
Insane Forensics
@insaneforensics

More Related Content

What's hot

Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
Savvius, Inc
 
Intrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkIntrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise Network
Okehie Collins
 
Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...
Eng. Mohammed Ahmed Siddiqui
 

What's hot (20)

Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Car cybersecurity: What do automakers really think?
Car cybersecurity: What do automakers really think?Car cybersecurity: What do automakers really think?
Car cybersecurity: What do automakers really think?
 
Security for Connected Vehicle: Successes and Challenges
Security for Connected Vehicle: Successes and ChallengesSecurity for Connected Vehicle: Successes and Challenges
Security for Connected Vehicle: Successes and Challenges
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security Solution
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival:  Are You Ready?Cyber Attack Survival:  Are You Ready?
Cyber Attack Survival: Are You Ready?
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - Sigfox
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in Perspective
 
[GITSN] wireless data security system
[GITSN] wireless data security system[GITSN] wireless data security system
[GITSN] wireless data security system
 
IRJET - IDS for Wifi Security
IRJET -  	  IDS for Wifi SecurityIRJET -  	  IDS for Wifi Security
IRJET - IDS for Wifi Security
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
 
Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
Network Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure SelectionNetwork Intrusion Detection and Countermeasure Selection
Network Intrusion Detection and Countermeasure Selection
 
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITYA NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
 
3778975074 january march 2015 1
3778975074 january march 2015 13778975074 january march 2015 1
3778975074 january march 2015 1
 
Nice network intrusion detection and countermeasure
Nice network intrusion detection and countermeasureNice network intrusion detection and countermeasure
Nice network intrusion detection and countermeasure
 
Intrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkIntrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise Network
 
Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...
 

Similar to RSAC 2021 Spelunking Through the Steps of a Control System Hack

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 

Similar to RSAC 2021 Spelunking Through the Steps of a Control System Hack (20)

Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important terms
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
CEH Domain 4.pdf
CEH Domain 4.pdfCEH Domain 4.pdf
CEH Domain 4.pdf
 
Domain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter HackingDomain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter Hacking
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More Manageable
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

RSAC 2021 Spelunking Through the Steps of a Control System Hack

  • 1. #RSAC SESSION ID: Spelunking Through the Steps of a Control System Hack SBX4-XIL6 Tom VanNorman Co-Founder ICS Village @ICS_Village Dan Gunter CEO & Founder Insane Forensics @insaneforensics
  • 2. #RSAC Tom VanNorman 11 Tom VanNorman has an extensive background in industrial controls and enjoys getting into the field and making things work. Prior to joining GRIMM Tom held various roles all focused on the operation, engineering and security of industrial control systems. Tom started his career in the U.S. Air Force, eventually retiring with a total of 24 years between Active Duty, Reserves and Air Guard. He spent the last half of his service serving on a National Mission Team in a Cyber Operations Squadron. In addition to GRIMM, Tom is the co- founder of the ICS Village and consults with SANS on the construction and operation of Cyber Ranges. The ICS Village is a non-profit educational organization that equips industry and policymakers to better defend industrial equipment through experiential awareness, education, and training. Tom calls the Lehigh Valley Pennsylvania home with his six kids. In his spare time, he enjoys outdoor activities and riding motorcycles.
  • 3. #RSAC Dan Gunter 12 Dan Gunter is the founder and CEO of Insane Forensics, a San Antonio, Texas-based technology company that provides a digital Forensics-as-a-Service platform for forward, at at- home investigations, as well as tailored forensics services. Prior to Insane Forensics, Dan was an early employee at Dragos, an industrial cybersecurity startup, where he established and served as Director of Research and Development and as one of the first principal analysts executing and advising on threat hunting in power, oil & gas, mining, and other critical infrastructure environments. Before Dragos, Dan served as an officer in the United States Air Force with a variety of offensive and defensive roles across DoD. Education: Graduate Certificate, Incident Response, SANS Institute Master of Science, Computer Science, Univ of Louisville Bachelor of Science, Computer Science, Baylor Certifications: SANS: GREM, GNFA, GCFA, GCIA, GCIH, GSEC ISC2: CISSP EC-Council: CEH CompTIA: Sec+ Training: MIT Innovation Leadership Bootcamp Graduate, DoD Computer Network Operations Development Program Distinguished Graduate, AFRL Rome ACE Cybersecurity Bootcamp Publications: SANS: A Practical Model for Conducting Cyber Threat Hunting SANS: Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments
  • 4. #RSAC You are an on-call industrial cybersecurity professional. And your work phone starts ringing.
  • 6. #RSAC We’ve Observed Impact, But What Exactly Happened
  • 7. #RSAC Only Default Host Logging Available But Do Have Network Monitoring
  • 8. #RSAC Let’s Dive In And Troubleshoot Our Process Starting with the HMI s7comm Controlled modbus Controlled ENIP Controlled
  • 9. #RSAC Modeling Modbus and EthernetIP Traffic Showed a Significant Reduction in Traffic During Event
  • 10. #RSAC Spikes in Modbus and ENIP Traffic Before Steep Dive Appear between Three IP Addresses
  • 11. #RSAC Context of Three IP Addresses 20 192.168.100.100 (HMI) 192.168.100.50 (Micrologix PLC) 192.168.100.20 (Axc 1050 PLC)
  • 12. #RSAC T8031 - Manipulation of Control Objective Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Source: https://collaborate.mitre.org/attackics/index.php/Technique/T0831 Known Attackers Sandworm/Electrum – Ukraine 2015 & Ukraine 2016 Equation – Stuxnet
  • 13. #RSAC Evolution of Attack 22 ??? T0831 (ICS ATT&CK) Manipulation of Control
  • 14. #RSAC Something Happened on the HMI That Changed HMI to PLC Comms, But What Caused it?
  • 15. #RSAC Traffic to the HMI During Timeframe Included Spikes in TLS and Port 3389 Traffic
  • 16. #RSAC Windows Event Logs Show Spike in Network Access Logins From 192.168.100.23 Before Event
  • 17. #RSAC Windows Event Logs Show Successful Login From 192.168.100.23 At Time of Event (4624 log: username and source IP highlighted)
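The two slides above rest on Windows Security event 4624: a burst of network logons from 192.168.100.23 shortly before the event, then an interactive remote logon from the same address at the time of the event. The block below is an added example, not code from the talk; the log lines are constructed in a simplified key=value export format (not native EVTX), and the usernames, the second workstation address 192.168.100.30 and the event time are assumed. It keeps only remote logon types (3 Network, 10 RemoteInteractive), compares the window before the event against the earlier rate per source address, and pulls the logon record closest to the event time.

```python
"""Spot a burst of remote logons in Windows 4624 records before an ICS event.

Added example (not from the RSAC deck). Log lines below are constructed in a
simplified key=value export; only the HMI and 192.168.100.23 come from the deck.
"""
from collections import Counter
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive"}  # RDP logons are type 10

# Constructed records: routine operator/engineer sessions, a console logon and a
# logoff (both ignored), then a burst from 192.168.100.23 and its RDP logon.
LOG_LINES = [
    "2021-04-29 08:00:12 EventID=4624 LogonType=10 TargetUserName=eng01 IpAddress=192.168.100.30",
    "2021-04-29 08:15:40 EventID=4624 LogonType=10 TargetUserName=operator IpAddress=192.168.100.23",
    "2021-04-29 08:30:05 EventID=4624 LogonType=10 TargetUserName=eng01 IpAddress=192.168.100.30",
    "2021-04-29 08:45:00 EventID=4624 LogonType=2 TargetUserName=operator IpAddress=-",
    "2021-04-29 08:50:00 EventID=4634 LogonType=10 TargetUserName=eng01 IpAddress=192.168.100.30",
    "2021-04-29 09:05:02 EventID=4624 LogonType=3 TargetUserName=operator IpAddress=192.168.100.23",
    "2021-04-29 09:06:11 EventID=4624 LogonType=3 TargetUserName=operator IpAddress=192.168.100.23",
    "2021-04-29 09:07:29 EventID=4624 LogonType=3 TargetUserName=operator IpAddress=192.168.100.23",
    "2021-04-29 09:08:45 EventID=4624 LogonType=3 TargetUserName=operator IpAddress=192.168.100.23",
    "2021-04-29 09:11:50 EventID=4624 LogonType=10 TargetUserName=operator IpAddress=192.168.100.23",
]
EVENT_TIME = datetime(2021, 4, 29, 9, 12, 0)   # assumed time of the process impact


def parse_4624(line):
    """Parse one export line; return None for anything that is not a 4624."""
    parts = line.split()
    when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    if fields.get("EventID") != "4624":
        return None
    return {"time": when, "logon_type": int(fields["LogonType"]),
            "user": fields["TargetUserName"], "source_ip": fields["IpAddress"]}


def remote_logons(lines):
    """Successful logons that arrived over the network (types 3 and 10)."""
    return [e for e in map(parse_4624, lines)
            if e is not None and e["logon_type"] in NETWORK_LOGON_TYPES]


def source_counts(events, start, end):
    """Logons per source address in [start, end)."""
    return Counter(e["source_ip"] for e in events if start <= e["time"] < end)


def spike_sources(events, event_time, window=timedelta(minutes=10),
                  factor=3.0, min_count=3):
    """Source addresses whose logon count in the window before event_time
    exceeds `factor` times their earlier per-window rate (and min_count)."""
    recent_start = event_time - window
    recent = source_counts(events, recent_start, event_time)
    earlier = [e for e in events if e["time"] < recent_start]
    if not earlier:                       # no history: fall back to an absolute floor
        return sorted(ip for ip, n in recent.items() if n >= min_count)
    first = min(e["time"] for e in earlier)
    n_windows = max(1, int((recent_start - first) / window))
    base = source_counts(events, first, recent_start)
    return sorted(ip for ip, n in recent.items()
                  if n >= min_count and n > factor * (base[ip] / n_windows))


def logon_at(events, when, tolerance=timedelta(seconds=30), logon_type=10):
    """The RDP (type 10) logon closest to `when`, within tolerance, else None."""
    near = [e for e in events
            if e["logon_type"] == logon_type and abs(e["time"] - when) <= tolerance]
    return min(near, key=lambda e: abs(e["time"] - when)) if near else None


if __name__ == "__main__":
    events = remote_logons(LOG_LINES)
    print("burst sources:", spike_sources(events, EVENT_TIME))
    print("logon at event:", logon_at(events, EVENT_TIME))
```

The same two questions (who logged on unusually often, and who was logged on when the process changed) are what the "Monitor Windows Event 4624 records" and "Profile user access behaviors" detections in the closing table ask for; in production the rate baseline would be built over days of logs rather than one morning.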
  • 18. #RSAC T1021.001 – Remote Services: Remote Desktop Protocol
    Objective: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.
    Source: https://attack.mitre.org/techniques/T1021/001/
    Known Attackers: APT1, APT3, APT39, APT41, APT40/Leviathan, Lazarus Group, OilRig
  • 19. #RSAC Evolution of Attack: ??? → T1021.001 RDP Lateral Movement → T0831 (ICS ATT&CK) Manipulation of Control
  • 20. #RSAC What Happened on 192.168.100.23 At the Time of the Event
  • 21. #RSAC Remote Access Solution Logs Show New Participants Joining
    2021/04/29 09:11:53.478 736 25492 G1 VoIP: Sender: Session 1513804143: VoIP streams: Participant added: "Chrome (XXX XXX XXX)" [968607818,976214507]
  • 22. #RSAC T1219 – Remote Access Software
    Objective: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.
    Source: https://attack.mitre.org/techniques/T1219/
    Known Attackers: Sandworm Team/Electrum – Ukraine 2015; Kimsuky – Korea Hydro & Nuclear Power; Carbanak
  • 23. #RSAC Evolution of Attack: ??? → T1219 Leverage Remote Access Software → T1021.001 RDP Lateral Movement → T0831 (ICS ATT&CK) Manipulation of Control
  • 24. #RSAC We Know Attackers Used Remote Access Software To Access the HMI. But How Did They Gain Initial Access?
  • 25. #RSAC HTTPS/TLS Traffic Seen To Suspicious Domain
  • 26. #RSAC Attacker Spear Phished User To Gain Initial Access and Took a Screenshot that Included Remote Access Creds (Access ID, Password)
  • 27. #RSAC The Spearphishing Campaign Simulated the Following MITRE ATT&CK Tactics & Techniques
  • 28. #RSAC T1566.002 – Phishing: Spearphishing Link
    Objective: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.
    Source: https://attack.mitre.org/techniques/T1566/002/
    Known Attackers: APT1, APT28, APT29, APT32, APT33, APT39, Dragonfly 2.0, Leviathan/APT40, OilRig
  • 29. #RSAC T1113 – Screen Capture
    Objective: Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.
    Source: https://attack.mitre.org/techniques/T1113/
    Known Attackers: APT28, APT29, APT39, Dragonfly 2.0, OilRig
  • 30. #RSAC Evolution of Attack: T1566.002 Spearphishing Link + T1113 Take Screenshot → T1219 Leverage Remote Access Software → T1021.001 RDP Lateral Movement → T0831 (ICS ATT&CK) Manipulation of Control
  • 31. #RSAC How Do We Prevent, Detect, and Respond to this Type of Scenario?
  • 32. #RSAC Four main questions from this incident
    – What happened?
    – What could have happened?
    – What did not happen?
    – What can be done to reduce the risk of this happening again?
  • 33. #RSAC What happened?
    • An attacker successfully compromised a network using real-world TTPs.
    • The attacker gained access to the Industrial Control System by discovering an HMI with Remote Desktop enabled and pivoting to it.
    • The attacker changed critical setpoints of the control system via the HMI.
    • An intrusion did indeed happen and should not be taken lightly.
  • 34. #RSAC What could have happened?
    • Nothing. The operator could have not opened the email and the intrusion would not have happened.
    • Attacker could have deployed ransomware.
    • Attacker could have destroyed files or caused a denial of service condition.
    • Attacker could have impacted health, life, safety, and quality by changing setpoints on the HMI.
  • 35. #RSAC What did not happen?
    • A lot.
    • No loss of health, life, safety, or quality.
    • While the process was not designed with cyber-physical security features, it was designed with industry practice in mind:
      • Good Engineering Practices (GEP): proven and accepted engineering methods, procedures, and practices that provide appropriate, cost-effective, and well-documented solutions to meet user requirements and comply with applicable regulations.
      • Recognized And Generally Accepted Good Engineering Practices (RAGAGEP): the PSM Standard, 29 CFR 1910.119, directly references or implies the use of RAGAGEP.
  • 36. #RSAC What can be done to reduce the risk of this happening again?
    • Let's take a look at what happened step by step.
  • 37. #RSAC Defending Against The Attack
    T0831 - Manipulation of Control
      What We Saw: • Video of effect on ICS equipment • Significant increase then drop in ICS protocol network traffic between HMI and PLCs
      How To Prevent: • Limit control traffic to/from essential zones • Regularly audit and harden critical systems
      How To Detect: • Validate industrial protocol monitoring depth • Review retention strategy
    T1021.001 – Remote Services: Remote Desktop Protocol
      What We Saw: • Attacker pivoted from entry point to HMI with RDP
      How To Prevent: • Audit remote desktop user group • Limit RDP traffic to/from essential zones
      How To Detect: • Monitor Windows Event 4624 records • Profile user access behaviors across network and host logs
    T1219 – Remote Access Software
      What We Saw: • Attackers used remote access software for initial access
      How To Prevent: • Monitor and limit scope (where practical) of remote access • 2FA
      How To Detect: • Audit access software network and host logs • Look for secondary behavior (i.e. other attacker actions)
    T1566.002 – Phishing: Spearphishing Link
      What We Saw: • Initial access gained via spearphishing
      How To Prevent: • User awareness training • Monitor outbound and inbound email traffic to OT zones
      How To Detect: • Monitor for newness and odd DNS/HTTP traffic • Monitor user account usage for compromise
    T1113 – Screen Capture
      What We Saw: • Screen capture contained remote access credentials to access network
      How To Prevent: • Very challenging to prevent due to being a built-in feature
      How To Detect: • Very challenging to detect • Monitoring clipboard might help but doesn't scale • Look for binaries with screenshot capabilities on OT network
  • 38. #RSAC Make Sure You Can Observe Deep Enough Into the Process and Correlate Process and Security Data
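The slide above is the thread running through the whole investigation: the team started from the observed process impact and walked backwards through network, host and remote-access evidence until the chain reached the phishing link. The block below is an added example, not code from the talk or from either presenter's company, showing that walk as a timeline correlation: evidence from different sources is normalised to one record shape, filtered to a look-back window ending at the impact, ordered in time, and mapped to the ATT&CK techniques the deck names. The remote-access log line is the one shown on slide 21; every other record, the impact time, the 30-minute look-back and the placeholder domain are constructed assumptions.

```python
"""Correlate process impact with security evidence by building a look-back timeline.

Added example (not from the RSAC deck). The remote-access log line is quoted
from the slides; all other records, times and hosts are constructed.
"""
import re
from datetime import datetime, timedelta

# Evidence source -> ATT&CK technique, as labelled on the deck's attack chain.
TECHNIQUE_BY_SOURCE = {
    "proxy_tls": "T1566.002",        # TLS to the phishing landing domain
    "remote_access_log": "T1219",    # remote access software session joined
    "win_4624": "T1021.001",         # RDP logon to the HMI
    "ics_protocol": "T0831",         # Modbus/ENIP spike then drop to the PLCs
}

# Log line from slide 21 (tool unnamed on the deck); parsed for its timestamp and participant.
REMOTE_ACCESS_LINE = ('2021/04/29 09:11:53.478 736 25492 G1 VoIP: Sender: Session 1513804143: '
                      'VoIP streams: Participant added: "Chrome (XXX XXX XXX)" [968607818,976214507]')
RA_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) .*?Participant added: "([^"]*)"')


def parse_remote_access_line(line, host):
    """Turn a 'Participant added' line into a timeline record; None if it is not one."""
    m = RA_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
            "source": "remote_access_log", "host": host,
            "detail": "participant added: " + m.group(2)}


def _ev(ts, source, host, detail):
    """Helper for constructed records from other log sources."""
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source, "host": host, "detail": detail}


IMPACT_TIME = datetime(2021, 4, 29, 9, 15, 0)    # assumed time the process impact was seen
EVIDENCE = [                                      # constructed, except the quoted log line
    _ev("2021-04-29 08:10:00", "win_4624", "192.168.100.100",
        "type 10 logon operator from 192.168.100.30"),          # routine, outside look-back
    _ev("2021-04-29 08:58:21", "proxy_tls", "192.168.100.23",
        "TLS to phishing-landing.example (placeholder domain)"),
    parse_remote_access_line(REMOTE_ACCESS_LINE, "192.168.100.23"),
    _ev("2021-04-29 09:13:40", "win_4624", "192.168.100.100",
        "type 10 logon operator from 192.168.100.23"),
    _ev("2021-04-29 09:15:00", "ics_protocol", "192.168.100.100",
        "Modbus/ENIP volume spike then drop to PLCs"),
]


def build_timeline(impact_time, evidence, lookback=timedelta(minutes=30)):
    """Records inside [impact - lookback, impact], oldest first, with seconds-from-impact."""
    start = impact_time - lookback
    rows = [dict(e, offset_s=(e["time"] - impact_time).total_seconds())
            for e in evidence if e is not None and start <= e["time"] <= impact_time]
    return sorted(rows, key=lambda r: r["time"])


def technique_chain(timeline):
    """ATT&CK techniques in order of first appearance on the timeline."""
    chain = []
    for row in timeline:
        tech = TECHNIQUE_BY_SOURCE.get(row["source"])
        if tech and tech not in chain:
            chain.append(tech)
    return chain


def hosts_touched(timeline):
    """Hosts in the order the evidence reaches them (workstation, then HMI)."""
    seen = []
    for row in timeline:
        if row["host"] not in seen:
            seen.append(row["host"])
    return seen


if __name__ == "__main__":
    tl = build_timeline(IMPACT_TIME, EVIDENCE)
    for row in tl:
        print(f"{row['offset_s']:8.1f}s  {row['source']:18} {row['host']:16} {row['detail']}")
    print("chain:", " -> ".join(technique_chain(tl)))
```

The look-back window is the knob that decides how far the correlation reaches; the phishing click here sits 17 minutes before the impact, but in a slower intrusion it could be days earlier, which is why the closing slide stresses retention strategy alongside monitoring depth.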
  • 39. #RSAC Take-Aways
    Immediate Action:
      – Understand current defense collection and analysis scope
      – Assess the strengths and improvement areas of your people, process & technology balance
      – Understand what you need to protect and how your process works
      – Develop a relationship with the operations and engineering department
      – Security training for all personnel
    3 Months From Now:
      – Improve collection and/or analysis scope to one more attack scenario
      – Invest in additional people, process, or technology to improve your security program
  • 40. #RSAC SESSION ID: Thank You For Joining Us! SBX4-XIL6 Tom VanNorman Co-Founder ICS Village @ICS_Village Dan Gunter CEO & Founder Insane Forensics @insaneforensics
