In Austin's presentation, he will align his 2019 top 5 findings from the Dragos Industrial Penetration Testing team to tactical activities that can be performed to reduce cyber risk within industrial environments. Return on Investment (ROI) is a broad and subjective term. Even in terms of industrial cyber risk reduction, the interpretation of ROI can change drastically depending on who you ask. As a member of the Dragos Industrial Penetration Testing team, he sees the world around him in terms of exploitation effort. Exploitation effort is the investment required by an adversary to advance through a network. In his presentation, Austin will detail five ways that will significantly increase the time and energy needed by an adversary while minimizing operational and capital expenditure.
1. How to Increase ICS Cybersecurity Return on Investment (ROI)
Austin Scott (GICSP, CISSP, OSCP)
Dragos ICS Penetration Testing Principal
ICSJWG June 2020 Virtual Meeting
3. 2019 DRAGOS YEAR IN REVIEW
• 71%: have poor security perimeters
• 66%: adversaries directly accessing the ICS
• 76%: organizations could not detect Dragos' Red Team activities
• 100%: routable network connections into their operational environments
• 54%: lacked separate IT and OT user management systems
• 81%: limited or no visibility into the ICS/OT network
• 90%: incidents involved shared credentials for lateral movement
4. ICS CYBERSECURITY RAPID SELF-CHECK
Take ownership of understanding cyber risk in your environment.
8. ACCESS MANAGEMENT
CYBER RISK IMPACT: Increase difficulties in gaining access to Domain Administrator accounts.
OPERATIONAL RISK: Very Low
TOOLS REQUIRED: BloodHound, Active Directory Enum Script
WHAT WE SEE
• Domain Admins Galore
• Overprivileged Service Accounts
• Numerous Paths to Domain Admin
WHAT TO DO
• Download and Run BloodHound
• Review Paths to Admins
• Review Overprivileged Accounts
10. ACCESS MANAGEMENT #2
CYBER RISK IMPACT: Increase the level of effort required to obtain credentials.
OPERATIONAL RISK: Very Low
TOOLS REQUIRED: Session Gopher, LSASS Dump and Mimikatz, Mimikittenz, Nirsoft.net Password Utils
WHAT WE SEE
• We almost always find credentials
• We often find default credentials
• We often find credentials that are stored and not properly encrypted
WHAT TO DO
• Understand where and how credentials are stored
• Implement Access Management
14. HARDENING
CYBER RISK IMPACT: Greatly increase the difficulty for adversaries to escalate privileges and move laterally.
OPERATIONAL RISK: Medium – Verify system hardening changes with ICS vendor.
TOOLS REQUIRED
• Configuration Hardening Assessment PowerShell Script (CHAPS)
• Microsoft Security Compliance Toolkit
• CIS tools
• STIG tools
WHAT WE SEE
• Common system hardening issues allow for hash reflecting, passing and clear-text password recovery.
WHAT TO DO
• Windows - Run CHAPS
• Linux - Run Linux Bash script
16. CHAPS HARDENING DEMO
[*] Testing if WDigest is disabled.
[-] WDigest UseLogonCredential key does not exist.
[*] Testing if LLMNR is disabled.
[-] DNSClient.EnableMulticast is enabled:
[*] Testing if Computer Browser service is disabled.
[-] Computer Browser service is: Running
[*] Testing Lanman Authentication for NoLmHash.
[-] NoLmHash registry key is configured: 0
[*] Testing if PowerShell Version 2 is permitted
[-] PowerShell Version 2 is permitted.
[+] = TEST PASS
[-] = TEST FAIL
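As an added example (not CHAPS's own code and not from the presentation), the script below performs read-only versions of the five checks shown in the demo output above, so a reader can see which registry values and service states each PASS/FAIL line refers to. Registry paths and the feature name are the documented Windows locations; run it from an elevated PowerShell session on the host being reviewed, and it changes nothing.

```powershell
# Added example: read-only hardening checks matching the CHAPS demo lines above.
# Not CHAPS code. Run elevated on the Windows host under review; nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Hardening {
    $results = @()

    # WDigest: UseLogonCredential must exist and be 0, otherwise LSASS keeps
    # plaintext logon passwords in memory where they can be dumped.
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $results += [pscustomobject]@{ Check = 'WDigest disabled'; Pass = ($wd -eq 0); Detail = "UseLogonCredential=$wd" }

    # LLMNR: EnableMulticast=0 under the DNSClient policy key disables multicast name resolution.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $results += [pscustomobject]@{ Check = 'LLMNR disabled'; Pass = ($llmnr -eq 0); Detail = "EnableMulticast=$llmnr" }

    # Computer Browser service (service name "Browser") should be stopped and disabled, or absent.
    $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
    $svcOk = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    $svcState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
    $results += [pscustomobject]@{ Check = 'Computer Browser disabled'; Pass = $svcOk; Detail = $svcState }

    # NoLMHash=1 stops Windows storing the weak LM hash at the next password change.
    $nolm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash'
    $results += [pscustomobject]@{ Check = 'NoLMHash set'; Pass = ($nolm -eq 1); Detail = "NoLMHash=$nolm" }

    # PowerShell 2.0 engine has no script block logging; the optional feature should be Disabled.
    # (On Windows Server use Get-WindowsFeature PowerShell-V2 instead.)
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    $v2State = if ($v2) { "$($v2.State)" } else { 'unknown' }
    $results += [pscustomobject]@{ Check = 'PowerShell v2 removed'; Pass = ($v2State -eq 'Disabled'); Detail = "feature state=$v2State" }

    $results
}

# Print in the same [+]/[-] style as the CHAPS demo output.
Test-Hardening | ForEach-Object {
    $tag = if ($_.Pass) { '[+]' } else { '[-]' }
    "$tag $($_.Check): $($_.Detail)"
}
```

A host that fails the WDigest or NoLMHash checks is one where the credential-collection tools listed on slide 10 will succeed with no exploit at all, which is why these are the first items to raise with the ICS vendor before changing anything.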
17. LOGGING
CYBER RISK IMPACT
• Improve Threat Detection Capability
• Improve Incident Response Capability
OPERATIONAL RISK: Low – Centralized logging can increase network traffic within the ICS environment.
TOOLS REQUIRED: Configuration Hardening Assessment PowerShell Script (CHAPS)
WHAT WE SEE
• Not Logging the Right Stuff
• Lack of Centralized Logging
WHAT TO DO
• Run CHAPS
• Implement Centralized Logging
• Validate Event Logging
18. CHAPS WINDOWS EVENTLOG CONFIG DEMO
[*] Testing if PowerShell Moduling is Enabled
[-] EnableModuleLogging Is Not Set
[*] Testing if PowerShell EnableScriptBlockLogging is Enabled
[-] EnableScriptBlockLogging Is Not Set
[*] Testing if PowerShell EnableScriptBlockInvocationLogging is Enabled
[-] EnableScriptBlockInvocationLogging Is Not Set
[*] Testing if PowerShell EnableTranscripting is Enabled
[-] EnableTranscripting Is Not Set
[*] Testing if PowerShell EnableInvocationHeader is Enabled
[-] EnableInvocationHeader Is Not Set
[*] Testing if PowerShell ProtectedEventLogging is Enabled
[-] EnableProtectedEventLogging Is Not Set
[*] Event logs settings defaults are too small. Test that max sizes have been increased.
[x] Testing Microsoft-Windows-SMBServer/Audit log size failed.
[x] Testing Security log size failed.
[-] Microsoft-Windows-PowerShell/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-Pow
[-] Microsoft-Windows-TaskScheduler/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-
[-] Microsoft-Windows-WinRM/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-WinRM/Op
[-] Microsoft-Windows-Security-Netlogon/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Wind
[-] Microsoft-Windows-WMI-Activity/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-W
[-] Windows PowerShell max log size is smaller than System.Collections.Hashtable[Windows PowerShell] GB: 0.015 GB
[-] System max log size is smaller than System.Collections.Hashtable[System] GB: 0.02 GB
[-] Application max log size is smaller than System.Collections.Hashtable[Application] GB: 0.02 GB
[-] Microsoft-Windows-TerminalServices-LocalSessionManager/Operational max log size is smaller than System.Collections.Hasht
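As an added example (not CHAPS's own code and not from the presentation), the script below checks the same PowerShell logging policies and event log maximum sizes that the demo output above reports. The minimum sizes in the hashtable are assumed values for illustration; substitute your own standard. The demo lines that read "smaller than System.Collections.Hashtable[...]" are what PowerShell prints when a hashtable lookup is placed inside a double-quoted string without `$( )`; the Detail field below wraps the lookup so the numeric threshold is shown.

```powershell
# Added example: read-only logging-configuration checks. Not CHAPS code.
# Run elevated, since reading the Security log configuration requires it.

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\$SubKey"
    try { (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Registry locations written by the PowerShell / event logging Group Policy settings.
$policies = @(
    @{ SubKey = 'PowerShell\ModuleLogging';       Name = 'EnableModuleLogging' },
    @{ SubKey = 'PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockLogging' },
    @{ SubKey = 'PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockInvocationLogging' },
    @{ SubKey = 'PowerShell\Transcription';       Name = 'EnableTranscripting' },
    @{ SubKey = 'PowerShell\Transcription';       Name = 'EnableInvocationHeader' },
    @{ SubKey = 'EventLog\ProtectedEventLogging'; Name = 'EnableProtectedEventLogging' }
)

# Minimum MaximumSizeInBytes per log, in GB. Assumed thresholds for illustration.
$minSizeGB = @{
    'Security'                                    = 1.0
    'System'                                      = 0.25
    'Application'                                 = 0.25
    'Windows PowerShell'                          = 0.25
    'Microsoft-Windows-PowerShell/Operational'    = 0.5
    'Microsoft-Windows-TaskScheduler/Operational' = 0.1
    'Microsoft-Windows-WinRM/Operational'         = 0.1
    'Microsoft-Windows-WMI-Activity/Operational'  = 0.1
}

function Test-Logging {
    $out = @()
    foreach ($p in $policies) {
        $v = Get-PolicyValue $p.SubKey $p.Name
        $detail = if ($null -eq $v) { 'not set' } else { "value=$v" }
        $out += [pscustomobject]@{ Check = $p.Name; Pass = ($v -eq 1); Detail = $detail }
    }
    foreach ($logName in $minSizeGB.Keys) {
        $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
        if (-not $log) {
            $out += [pscustomobject]@{ Check = "$logName size"; Pass = $false; Detail = 'log not found' }
            continue
        }
        $actualGB = [math]::Round($log.MaximumSizeInBytes / 1GB, 3)
        # $( ) around the lookup prints the number rather than the hashtable type name.
        $out += [pscustomobject]@{
            Check  = "$logName size"
            Pass   = ($actualGB -ge $minSizeGB[$logName])
            Detail = "$actualGB GB (minimum $($minSizeGB[$logName]) GB)"
        }
    }
    $out
}

Test-Logging | ForEach-Object {
    $tag = if ($_.Pass) { '[+]' } else { '[-]' }
    "$tag $($_.Check): $($_.Detail)"
}
```

Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational) is the single setting that most improves visibility into the credential tools named on slide 10, and a too-small log simply rolls those events off before anyone forwards them, so size and policy are checked together.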
19. NETWORK VISIBILITY
CYBER RISK IMPACT
• Improve Threat Detection Capability
• Improve Threat Hunting Capability
• Improve Incident Response Capability
OPERATIONAL RISK: Low – Connecting to SPAN ports is nonroutable – BUT CPU usage of switches should be monitored.
TOOLS REQUIRED
• Dragos Community Tools
• Network Miner - $$
WHAT WE SEE
• Operate in ICS networks undetected
• Maintain perpetual access
• Do not know what is on networks
WHAT TO DO
• Identify SPAN ports for monitoring
• Create procedure for collecting network packet captures
• Use a free tool to view them
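As an added example (not from the presentation and not a Dragos or Network Miner tool), the script below turns a conversation summary exported from a packet capture into a passive asset inventory and flags hosts that are not on the expected asset list. The CSV rows, port-to-protocol map and baseline inventory are constructed sample data in the shape you would get from a Wireshark or tshark conversation export; adjust the columns to match your own export.

```powershell
# Added example: passive inventory from a packet-capture conversation summary.
# All data below is constructed sample input, not captured from a real network.

# Well-known ICS and IT service ports used to label conversations (assumed map).
$icsPorts = @{ 502 = 'Modbus/TCP'; 20000 = 'DNP3'; 102 = 'S7comm'; 44818 = 'EtherNet/IP'; 4840 = 'OPC UA'; 47808 = 'BACnet' }
$itPorts  = @{ 3389 = 'RDP'; 445 = 'SMB'; 22 = 'SSH'; 443 = 'HTTPS'; 80 = 'HTTP' }

# Assumed baseline: what the asset register says should be on this segment.
$expectedAssets = @('10.10.1.10', '10.10.1.11', '10.10.1.20', '10.10.1.21')

# Constructed conversation export (client -> server, server port, packet count).
$flowsCsv = @'
src,dst,dstport,packets
10.10.1.10,10.10.1.20,502,1420
10.10.1.10,10.10.1.21,502,1388
10.10.1.11,10.10.1.20,44818,230
10.10.1.99,10.10.1.20,502,12
10.10.1.99,10.10.1.10,3389,88
10.10.1.10,10.10.1.11,445,9
'@

function Get-PassiveInventory {
    param([string]$Csv)
    $hosts = @{}
    foreach ($f in ConvertFrom-Csv $Csv) {
        $port  = [int]$f.dstport
        $proto = if ($icsPorts.ContainsKey($port)) { $icsPorts[$port] }
                 elseif ($itPorts.ContainsKey($port)) { $itPorts[$port] }
                 else { "tcp/$port" }
        foreach ($ip in @($f.src, $f.dst)) {
            if (-not $hosts.ContainsKey($ip)) {
                $hosts[$ip] = [ordered]@{
                    Protocols = [System.Collections.Generic.HashSet[string]]::new()
                    Known     = ($expectedAssets -contains $ip)
                }
            }
        }
        [void]$hosts[$f.dst].Protocols.Add("$proto (server)")
        [void]$hosts[$f.src].Protocols.Add("$proto (client)")
    }
    foreach ($ip in ($hosts.Keys | Sort-Object)) {
        [pscustomobject]@{
            Host      = $ip
            Known     = $hosts[$ip].Known
            Protocols = (@($hosts[$ip].Protocols) -join ', ')
        }
    }
}

# Unknown hosts speaking ICS protocols or RDP are the rows to investigate first.
Get-PassiveInventory -Csv $flowsCsv | Sort-Object Known | Format-Table -AutoSize
```

With the sample data, 10.10.1.99 appears as an unknown host acting as a Modbus/TCP client to a PLC and an RDP client to an engineering workstation; that is exactly the kind of finding a first SPAN-port capture tends to surface, and it is found with nothing more than a capture and a spreadsheet-style export.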
3:30pm - 4:10pm - Simple Wins During Slow Downs, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc.
Recent events have added some additional constraints to our ability as an industry to move ICS cyber security programs forward. How do we continue to identify and reduce cyber risk in our ICS environments when we cannot hire consultants or meet with vendors? As ICS operations teams are actively working to minimize contact with the outside world, how do we implement new technology or improve the security posture of our environments? In my presentation, I will detail several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk. Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues.
Really this presentation is based on the recommendations we have for some of the most common findings we see in the field.
Today, thanks to the COVID-19 pandemic, Dragos and other vendors are unable to do assessments. However, I am going to review some simple checks you can easily do internally to continue to drive your ICS cybersecurity program forward… even during quarantine.
We find these issues in the vast majority of assessments we do. So as a thought exercise, during this presentation you COULD pretend that I am providing an executive outbriefing after doing an assessment on your ICS network. I would love to hear that some of you in the audience have stood up a project or initiative internally to identify and address these findings after this presentation.
Okay – so what I propose is creating a small project internally to give yourself a bit of a self checkup. I am going to share some of the techniques that we use during our assessments that are:
1. Low cost
2. Easy to use
3. And can quickly identify cyber risk in your environment
Take ownership.
I am going to show you some of the same tools, or similar tools, that we would run in your environment to identify cyber risk, privilege escalation and lateral movement.
These are ALSO the same tools, or similar to the ones, that activity groups are using against their targets today.
Identify Interactive Service Rules that traverse security levels
SSH, Telnet, Remote Desktop, VNC, TeamViewer, DameWare, WMI, PowerShell, RPC, SMB (PsExec)
Firewall Browser
Free Firewall Browser helps test and verify firewall rules
Key Features
Import and search unlimited Cisco, Check Point, and NetScreen configs
Search rules and objects based on IP address, object name, service, or port
Verify if a change request is already handled by the security rules
https://www.solarwinds.com/free-tools/firewall-browser
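As an added example (not from the presentation and not Firewall Browser), the script below does the rule review described above on a vendor-neutral rule table: it flags every allow rule for one of the interactive services listed above whose destination zone sits at a higher security level than its source zone. The zone levels, the port-to-service map and the six rules are constructed sample data; export your own rule base to the same columns to use it.

```powershell
# Added example: find interactive-service rules that cross security levels.
# Rule table, zone levels and port map are constructed for illustration.

# Zone trust levels, higher = more sensitive (assumed model of the architecture).
$zoneLevel = @{ 'Internet' = 0; 'Enterprise' = 1; 'DMZ' = 2; 'Control' = 3; 'Safety' = 4 }

# TCP ports of the interactive services named above (assumed port map).
$interactive = @{
    22 = 'SSH'; 23 = 'Telnet'; 3389 = 'RDP'; 5900 = 'VNC'; 5938 = 'TeamViewer'
    6129 = 'DameWare'; 135 = 'RPC/WMI'; 445 = 'SMB/PsExec'; 5985 = 'WinRM'; 5986 = 'WinRM-HTTPS'
}

# Constructed rule base in a vendor-neutral CSV shape.
$rulesCsv = @'
Name,SrcZone,DstZone,Port,Action
corp-rdp-to-hmi,Enterprise,Control,3389,allow
corp-web-to-historian,Enterprise,DMZ,443,allow
dmz-smb-to-eng,DMZ,Control,445,allow
control-to-safety-ssh,Control,Safety,22,deny
control-to-dmz-modbus,Control,DMZ,502,allow
jump-to-control-vnc,DMZ,Control,5900,allow
'@

function Find-InteractiveCrossings {
    param([string]$Csv)
    ConvertFrom-Csv $Csv | ForEach-Object {
        $port      = [int]$_.Port
        $crossesUp = $zoneLevel[$_.DstZone] -gt $zoneLevel[$_.SrcZone]
        # Only allow rules for interactive services that move up a security level are reported;
        # a deny rule or a non-interactive protocol (Modbus, HTTPS) is left alone.
        if ($_.Action -eq 'allow' -and $interactive.ContainsKey($port) -and $crossesUp) {
            [pscustomobject]@{
                Rule    = $_.Name
                Service = $interactive[$port]
                Path    = "$($_.SrcZone) (L$($zoneLevel[$_.SrcZone])) -> $($_.DstZone) (L$($zoneLevel[$_.DstZone]))"
            }
        }
    }
}

Find-InteractiveCrossings -Csv $rulesCsv | Format-Table -AutoSize
```

On the sample rules this reports three findings (RDP from Enterprise to Control, SMB and VNC from the DMZ to Control) and ignores the denied SSH rule and the Modbus rule. Each reported line is a candidate for replacement with a jump host or a time-limited access rule, which is the "simple win" the talk is after.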
Many Domain Admins in ICS networks.
Service accounts that are also Domain Admins or have admin-like privileges.
Many service accounts are kerberoastable.
Many paths to Domain Admin.
Understanding how an adversary views your domain can be very helpful.
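As an added example (not from the presentation and not BloodHound), the script below covers the two review items from the access management slide (review paths to admins, review overprivileged accounts) and the notes above about service accounts that are also Domain Admins: it expands the privileged groups recursively and reports which members carry a Service Principal Name. It uses the RSAT ActiveDirectory module cmdlets, which are real, and is read-only; the list of groups treated as privileged is an assumption to extend for your domain.

```powershell
# Added example: list privileged-group members and flag SPN-bearing service accounts.
# Read-only; requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Groups treated as admin-like for this review (assumed list; add vendor groups as needed).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

function Get-PrivilegedAccountReport {
    $report = @()
    foreach ($g in $privilegedGroups) {
        # -Recursive expands nested groups, which is where unexpected members usually hide.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties ServicePrincipalName, PasswordLastSet, Enabled
            $pwdAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            $report += [pscustomobject]@{
                Group           = $g
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                # An SPN on a privileged account is the "kerberoastable service account" case from the notes.
                HasSPN          = ($u.ServicePrincipalName.Count -gt 0)
                PasswordAgeDays = $pwdAge
            }
        }
    }
    $report
}

$r = Get-PrivilegedAccountReport
"Distinct user accounts with privileged group membership: $(@($r | Select-Object -ExpandProperty Account -Unique).Count)"
"Service accounts (with SPN) in privileged groups:"
$r | Where-Object HasSPN | Sort-Object Account -Unique |
    Format-Table Group, Account, Enabled, PasswordAgeDays -AutoSize
```

The headline count answers the "Domain Admins galore" finding directly, and the SPN table is the shortlist for moving service accounts to least-privilege groups or to group Managed Service Accounts; a long-unchanged password on an SPN account in this table is the item to fix first.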
Search for password files in network shares.
Look for applications that are capable of storing credentials.
These issues allow us to collect hashes, reflect hashes, collect clear-text passwords, and pull sensitive data from memory.
We have a tool we have developed internally to handle this which collects way more data and allows us to hunt for things, do vulnerability analysis, threat hunting and forensic analysis in one.
But this open source tool that was recently released will go a long way to hardening your Windows Based ICS endpoints.
For Linux systems you can use this GitHub tool.
https://github.com/cutaway-security/chaps
Configuration Hardening Assessment PowerShell Script (CHAPS)
Windows Event Forwarder
As industrial penetration testers, we frequently are able to operate within ICS networks undetected and unhindered as these networks often lack the capabilities of detecting us. Quite often, Windows Host logs are being collected, but not in a centralized manner where they can be easily reviewed. In other cases, we encounter ICS networks that have a Centralized collection capability, but they are not logging data that is of value. Sometimes we encounter cases where IT-based solutions have been deployed into ICS environments for monitoring the network traffic. These IT technologies are effective at stopping IT attacks but are not capable of detecting ICS specific tradecraft.