Presenter: Chris Sistrunk
Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available.
In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.
6. Intent
Very little ICS targeted attack data
Maroochy Shire to Stuxnet to German Steel Plant
Why are targeted attacks different?
It’s a “Who” not a “What”
Professional, organized, well-funded
If you kick them out, they will return
10. If your ICS gets hacked…
gadgets
water
electricity
you can’t make anymore
11. Now what?
More Gov’t security regulations (CIPvX)
ICS security still lagging
Breaches are inevitable
Attacks aren’t stopping
Every sector
Including ICS
What can we do to get ahead of this???
12. Network Security Monitoring
“The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise.”
- The Practice of Network Security Monitoring
13. Network Security Monitoring
Invented in 1990, still in use today
1988 – Cliff Stoll, “Stalking the Wily Hacker”
1990 – Todd Heberlein et al., “A Network Security Monitor”
Early 1990s – US Air Force, Defense Information Systems Agency, Lawrence Livermore National Lab
Late 1990s - early 2000s – NetRanger, RealSecure, Snort, and many others
2002 – Formal definition of NSM
14. Before we start looking…
We need
At least one person (to watch and hunt)
The right tools to collect and analyze the data
15. The NSM Cycle
Collection → Detection → Analysis
Model for action, based on network-derived data
Requires people and process, not just technology
Focuses on the adversary, not the vulnerability
16. Methods of Monitoring
Network tap – physical device which relays a copy of packets to an NSM sensor
SPAN or mirrored ports – switch configuration which sends copies of packets to a separate port where the NSM sensor can connect
Host NIC – configured to watch all network traffic flowing on its segment (usually on the NSM sensor)
Serial port tap – physical device which relays serial traffic to another port; usually requires additional software to interpret the data
Fluke Networks, Stratus Engineering
17. Types of Data Collected
Full content data – unfiltered collection of packets
Extracted content – data streams, files, Web pages, etc.
Session data – conversation between nodes
Transaction data – requests and replies between nodes
Statistical data – description of traffic, such as protocol and volume
Metadata – aspects of data, e.g. who owns this IP address
Alert/log data – triggers from IDS tools, tracking user logins, etc.
18. Difficulties for NSM
Encrypted networks
Widespread NAT
Devices moving between network segments
Extreme traffic volume
Privacy concerns
Issues that most ICS do not face!
20. Anatomy of an Attack
Over all Mandiant attack investigations, only a little more than half of victim computers have malware on them. While attackers often use malware to gain an initial foothold, they quickly move to other tactics to execute their attacks.
Unauthorized Use of Valid Accounts
Known & Unknown Malware
Command & Control Activity
Suspicious Network Traffic
Files Accessed by Attackers
Valid Programs Used for Evil Purposes
Trace Evidence & Partial Files
21. Attacker Objectives
Attacker’s goals:
Damage equipment
Affect or steal process info
Cause safety or compliance issue
Pivot from vulnerable ICS to enterprise
Attacker’s options:
Gain physical access to an ICS host
Gain remote access to an ICS host
Compromise a highly-privileged client machine with access to the ICS network
[Diagram: example ICS architecture – Enterprise/IT; Plant DMZ (Web, Historian or other DB); Control (SCADA, Historian, HMI); PLCs, Controllers, RTUs, PACs]
23. Let’s do some NSM!
Inquisitive mind
NSM collection tools
NSM hunting tools
Protection
24. NSM Collection
Firewall Logs
Session Data
NIDS/HIDS Logs
Full packet capture
Windows Logs and syslog
SNMP (CPU % etc.)
Alerts from security agents (AV, whitelisting, etc.)
Enterprise collectors – Logs and/or Agent
Network sensors – Logs only
26. What are we looking for?
Exceptions from baseline (e.g. A talks to B but never C)
“Top Talkers”
Unexpected connectivity (to Internet, Business network)
Known malicious IPs and domains
Logins using default accounts
Error messages that could correlate to vulnerabilities
Unusual system and firewall log entries
Host-based IDS or other security system alerts
Unexpected file and firmware updates
Antivirus alerts
And others….
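The first three items on this slide (baseline exceptions, “Top Talkers”, unexpected connectivity) are things session data alone can answer, as slide 32 shows with FlowBAT. Here is an added example, not from the presentation, that runs those three checks over constructed NetFlow-style session records; the 10.1.1.0/24 control network, the hosts and the byte counts are all assumptions made up for the demonstration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed control-network address space; anything outside it is "unexpected".
ICS_NET = ip_network("10.1.1.0/24")

# Constructed session records: (src, dst, dst_port, bytes).
# BASELINE stands in for a learning period of known-good ICS traffic.
BASELINE = [
    ("10.1.1.10", "10.1.1.20", 502, 42000),   # HMI -> PLC A (Modbus/TCP)
    ("10.1.1.10", "10.1.1.21", 502, 39000),   # HMI -> PLC B
    ("10.1.1.10", "10.1.1.30", 1433, 12000),  # HMI -> historian DB
    ("10.1.1.10", "10.1.1.1", 123, 300),      # HMI -> NTP
]
# TODAY repeats the baseline plus two conversations never seen before.
TODAY = [
    ("10.1.1.10", "10.1.1.20", 502, 41000),
    ("10.1.1.10", "10.1.1.21", 502, 40000),
    ("10.1.1.10", "10.1.1.30", 1433, 11500),
    ("10.1.1.10", "10.1.1.1", 123, 280),
    ("10.1.1.20", "10.1.1.30", 445, 900000),  # PLC A -> historian over SMB
    ("10.1.1.10", "203.0.113.5", 443, 1500),  # HMI -> host outside the ICS
]

def conversations(records):
    """Reduce flows to the (src, dst, port) tuples that make up the baseline."""
    return {(s, d, p) for s, d, p, _ in records}

def baseline_exceptions(baseline, today):
    """'A talks to B but never C': conversations absent from the baseline."""
    return sorted(conversations(today) - conversations(baseline))

def top_talkers(records, n=3):
    """Hosts ranked by total bytes sent plus received."""
    by_host = Counter()
    for s, d, _, nbytes in records:
        by_host[s] += nbytes
        by_host[d] += nbytes
    return by_host.most_common(n)

def outside_ics(records):
    """Destinations outside the control network (Internet or business LAN)."""
    return sorted({d for _, d, _, _ in records if ip_address(d) not in ICS_NET})

if __name__ == "__main__":
    for s, d, p in baseline_exceptions(BASELINE, TODAY):
        print("new conversation: %s -> %s:%d" % (s, d, p))
    print("top talkers:", top_talkers(TODAY, 2))
    print("outside ICS:", outside_ics(TODAY))
```

A real deployment would feed the same functions from SiLK/FlowBAT exports and keep the baseline as a rolling window rather than a fixed list.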
27. NSM Detection & “Hunting”
Analyst looks at detected anomalies or alerts then escalates to IR
IDS alerts
Anomaly detection
Firmware updates, other commands
Login with default credentials
High CPU or network bandwidth
Door alarms when nobody is supposed to be working
Devices going off-line or behaving strangely
29. NSM Analysis
Incident responders analyze the detected anomalies to find evil
Application exploitation
Third-party connections (ex. ICCP or vendor access)
ICS-specific communication protocol attacks (ex. Modbus, DNP3, Profinet, EtherNet/IP)
Remote access exploitation
Direct network access due to poor physical security
USB-delivered malware
32. Session Data “Top Talkers”
FlowBAT characterizes Session Data, showing which nodes have the most traffic
Web traffic
Web traffic
NetBios
NTP
SiLK and FlowBAT can be easily installed in Security Onion
33. Pcap Analysis for anomalies
NetworkMiner can find potential ARP spoofing (as well as many other indicators)
34. Pcaps - Abnormal DNS Traffic
NetworkMiner sees “strange” DNS requests originating from within the ICS
35. IDS alerts - Abnormal DNS Traffic
DNS requests shown in the Bro IDS log in ELSA
36. Pcaps – Malformed Modbus
Deep packet inspection of Modbus by Wireshark
37. Pcaps – Custom Modbus
Unknown Function Code 90
Schneider Modicon uses FC 90 to start/stop the PLC and other admin stuff
Metasploit module does too!
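Slides 36 and 37 show Wireshark doing this by hand; the following added example (not from the presentation) automates the two checks an analyst makes on Modbus/TCP: is the MBAP header well-formed, and is the function code one of the public codes or something like FC 90. The frames are constructed byte strings, not captured traffic, and the verdict names are this example’s own.

```python
import struct

# Public function codes from the Modbus Application Protocol spec; anything
# else (other than an exception response) is flagged for the analyst.
PUBLIC_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

def inspect(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame (7-byte MBAP header + PDU) and classify it."""
    if len(frame) < 8:                      # need MBAP plus a function code
        return {"verdict": "malformed", "reason": "truncated"}
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    fc = frame[7]
    if pid != 0:                            # protocol identifier is always 0
        return {"verdict": "malformed", "reason": "protocol id %d" % pid}
    if length != len(frame) - 6:            # length covers unit id + PDU
        return {"verdict": "malformed", "reason": "length mismatch"}
    rec = {"tid": tid, "unit": unit, "fc": fc}
    if fc & 0x80:                           # exception response (fc | 0x80)
        rec["verdict"] = "exception"
    elif fc in PUBLIC_FC:
        rec["verdict"] = "ok"
    else:                                   # e.g. FC 90 used by Schneider Modicon
        rec["verdict"] = "non-public-fc"
    return rec

def scan(frames):
    """Verdict per frame, in order; the analyst pivots on anything not 'ok'."""
    return [inspect(f)["verdict"] for f in frames]

# Constructed frames (not captured traffic), one per condition checked above.
FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # FC 3 read 10 holding registers
    bytes.fromhex("000200000004015a0010"),      # FC 90 (0x5a) with 2 data bytes
    bytes.fromhex("000300000006010300"),        # length says 6, only 3 bytes follow
    bytes.fromhex("000400010006010300000001"),  # protocol id 1 instead of 0
    bytes.fromhex("000500000003018302"),        # exception: FC 3 | 0x80, code 2
]

if __name__ == "__main__":
    for frame, verdict in zip(FRAMES, scan(FRAMES)):
        print(frame.hex(), verdict)
```

Whether a non-public code is legitimate (an engineering workstation doing vendor admin) or evil depends on who sent it and when, which is exactly the baseline question from slide 26.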
38. IDS Logs
Bro IDS
– DNP3 & Modbus
– More ICS protocols being developed by UIUC
Snort IDS
– DNP3 & Modbus preprocessors
– ET SCADA & DigitalBond Quickdraw Snort rules
Suricata IDS
– New DNP3 parser & ET SCADA rules
41. Syslog
Syslog can be configured to send to an NSM sensor or detected in network traffic if sent elsewhere. This is the Bro IDS log for syslog from an RTU.
42. RTUs with Syslog
SEL-3530 RTAC
GE D20MX
Novatech OrionLX
Cooper SMP 16
If not…require syslog and other logs in the ICS procurement language
43. NSM Tools for the 7 Data Types
Security Onion Linux distribution
– Easy to install and lots of documentation
Full packet capture – Tcpdump/Wireshark/NetworkMiner
Extracted content – Xplico/NetworkMiner
Session data – Bro/FlowBAT
Transaction data – Bro
Statistical data – Capinfos/Wireshark
Metadata – ELSA (Whois)
Alert data – Snort, Suricata, Sguil, Snorby
Peel Back the Layers of Your Network
45. NetFlow Tools
SiLK & FlowBAT
Install on Security Onion with 2 scripts
www.flowbat.com
46. Security Onion Implementation
Test in a lab first
Select suitable hardware platform
More RAM is better
Bigger hard drive is better (longer retention)
Mirrored/SPAN port on router/switch or a good network tap
Select proper placement of SO sensor
The Practice of Network Security Monitoring
Applied Network Security Monitoring
Work with the right stakeholders if placing in production
47. Security Onion Implementation
I installed SO on an industrially hardened box
SEL-3355
16GB RAM
1TB SSD
Other boxes out there suitable for NSM sensor for industrial environments
50. NSM References/Resources
The Cuckoo’s Egg by Cliff Stoll
https://www.youtube.com/watch?v=EcKxaq1FTac
1-hour NOVA Special (1990)
The Practice of Network Security Monitoring by Richard Bejtlich
http://www.nostarch.com/nsm
Applied Network Security Monitoring by Chris Sanders & Jason Smith
http://www.appliednsm.com/
The NSM Wiki http://nsmwiki.org
http://securityonion.net
51. Takeaways
You can implement NSM in ICS today – without impacting your operations
There are free tools available to help you start looking at your ICS and hunting for evil
52. People…
…the most important part of NSM!
Gigabytes of data and 1000s of IDS alerts are useless without interpretation
Analyze data collected to understand what’s normal – and what’s not
Identify adversary TTPs and act to disrupt them
Remember
Adversaries are a “Who”, not a “What”
We are not looking!
If your ICS is breached today, would you know it?
Could you tell if it was just commodity malware, a targeted attack, or just a misconfiguration?
I’ll show you the tools you need to hunt for evil on your ICS
I’ll show some real-world examples of using the tools
Finally, I’ll give you some nuggets to take back so you can do this
Lack of Intent – we just don’t have enough ICS breach data to fully understand attacker targeting ICS
Lack of Visibility – monitoring IT networks is common, but doing security monitoring on ICS is generally limited
There are a few documented cases of ICS-specific attacks.
But we do know how modern attackers are with IT systems...and can make some observations.
See no evil
There may be someone from IT looking at the enterprise side of the network, but most businesses don’t regularly look at traffic patterns and logs on the control system network (if they are even available). ICS network alerts most likely aren’t tied into a company’s SOC.
If you don’t look for evil on your ICS, you certainly can’t find it…unless the FBI shows up at your door first.
I collected data on the publicly known ICS-specific vulnerabilities, exploits, and malware. Even though the vulnerabilities in ICS code may have existed for many years, it’s clear that Stuxnet caused these to be brought to light. The numbers here show that the potential for ICS-specific malware is higher than it has ever been, because so many vulnerabilities and exploits are now known.
BlackEnergy2 malware that targeted HMIs used a very similar exploit to ones that had been previously published for those HMIs.
ICS owners are now having to pay attention to security issues, whether it’s NERC/CIP or CFATS requirements, vulnerability alerts from ICS-CERT and vendors, or ICS-specific breaches or malware in the news.
Management asking…could we be hacked?
What can we do in the face of increasing regulation, poor understanding of the threats, and increased attacks across all sectors?
Network Security Monitoring!
NSM has been around for almost 30 years and it has a proven track record of helping security analysts find evil on their networks
Cliff Stoll dug into a $0.75 accounting anomaly and discovered a hacker in Lawrence Berkeley Labs’ system (the first documented case of catching a hacker)
Of the 80 systems that the hacker breached, only 2 noticed!!!
David Bianco (expert security analyst) says NSM and hunting are two sides of the same coin.
https://twitter.com/DavidJBianco/status/557623366723846144/photo/1
“Hunting and Monitoring (ESM): Two sides of the same coin.”
To make NSM work, you have to have both sides of the coin:
Instrumentation to collect the data from your ICS
At least one person to analyze the data to hunt for evil
Evil could be:
An attacker (external or internal)
Human error (misconfiguration, etc.)
Machine error (switch failure, etc.)
NSM data must be collected by an NSM sensor
NSM data is passively collected! No active scanning…
The sensor can collect data with a NIC that is set up to capture traffic in promiscuous mode
The sensor needs a network tap (which will require a network outage) or a SPAN port from a switch to get a copy of the network traffic
You can also monitor serial traffic with a serial tap (or a serial terminal server that supports port mirroring)
7 types of NSM data
Full pcap - like a fully recorded phone call (takes up a lot of storage space)
Extracted content – NSM programs can extract files, documents, web pages out of the full pcaps
Session data – AKA Netflow…like a phone bill summary (who talked to who on what line for how long) - takes up a lot less storage space than pcaps
Transaction data – number of transmits, receives, errors, etc
Statistical data - breaking down the traffic into percentages, averages, trends over time
Metadata – data about data…WHOIS and GeoIP (is that IP address assigned to someone in the US, Canada, Russia?)
Alert/log data – syslog, Windows logs, IDS alerts, firewall logs, etc.
NSM is perfect for ICS networks
No encryption
very static
ICS devices aren’t mobile
Low bandwidth
Usually no privacy concerns since the ICS is private
Every control system is different, but here is an example ICS architecture that has Enterprise, a DMZ, the ICS, and down to the control level
Before we can find and hunt evil on our ICS, we will need several things
A person in charge of NSM for ICS…in this case it’s Mike Assante. Mike has an inquisitive mind and is an excellent hunter.
NSM collection tools such as netflow, pcaps, and log collection…so Mike can “see” his “terrain.” This will help him know his home turf.
NSM hunting tools such as a SIEM or Log search and aggregation…so Mike can pivot and hunt for evil in his home turf.
Protection…Mike has to protect himself and the NSM sensors from attack as well
Let’s take a look at some traffic shall we?
Much like a hunter looking at:
- animal tracks in the mud
- setting up a trail camera to collect pictures
Real world ICS specific examples using Free Open Source Software called Security Onion Linux Distribution
George loves cooking in the substation with his new line of industrial grills from SEL. #sorrynotsorry 3355 3560S
Onions have layers...good security has layers. Onions smell bad...quite often, security stinks. Onions make you cry...poor security can make you cry, scream, and cuss. Welcome to the Security Onion.