Continuous Asset Discovery, Risk Management & Threat Monitoring for IIoT & ICS Networks

Transcription

1 Continuous Asset Discovery, Risk Management & Threat Monitoring for IIoT & ICS Networks SANS Webinar on NIST Recommendations for IIoT & ICS Security With Behavioral Anomaly Detection (BAD) February 28, 2019 Phil Neray, VP of Industrial Cybersecurity

2 CyberX at a Glance Only industrial platform built by blue-team experts with a track record defending critical national infrastructure Founded in 2013 Global Presence Boston (HQ) Chicago Houston Florida London Paris Munich Tokyo Israel Only IIoT & ICS security firm with a patent for its ICS-aware threat analytics Simplest, most mature and most interoperable solution Partnerships with leading security companies & MSSPs worldwide 2 2

3 Unified IT/OT Security Monitoring & Governance 3

4 Partnered with Global Technology Leaders 4

5 Challenges We Address for Clients Asset Discovery What devices do I have, how are they connected and how are they communicating with each other? Risk & Vulnerability Management What are the vulnerabilities and risks to our most valuable assets and how do I prioritize mitigation? Continuous Threat Monitoring, Incident Response & Threat Hunting Do we have any ICS threats in our network and how do we quickly respond to them? Unified IT/OT Security Monitoring & Governance How can I leverage my existing IT security investments people, training & tools to secure my OT infrastructure? 5

6 Most Recognized ICS Threat Intelligence Continuously Discovering New ICS Zero-Day Vulnerabilities CyberX threat research featured in Chapter 7 ICSA A BUFFER OVERFLOW ICSA BUFFER OVERFLOW ICSA BUFFER OVERFLOW ICSA ARBITRARY FILE UPLOAD BUFFER OVERFLOW ICSA A BUFFER OVERFLOW ICSA UNCONTROLLED SEARCH PATH ELEMENT, RELATIVE PATH TRAVERSAL, IMPROPER PRIVALAGE MANAGEMENT, STACK-BASED BUFFER OVERFLOW ICSA D IMPROPER INPUT VALID (DDoS) ICSA BUFFER OVERFLOW 6

7 Simple, Non-Invasive, Agentless No Rules or Signatures Proprietary Deep Packet Inspection and Network Traffic Analysis (NTA) CMDB asset data, firewall rules, etc. (OPTIONAL) Network Traffic Data SPAN port on network switch OT Network 7

8 CyberX Platform Architecture CYBERX CENTRAL MANAGEMENT ICS Asset Management ICS Risk & Vulnerability Management with Threat Modeling CAPABILITIES & USE CASES ICS Threat Monitoring & Detection ICS Incident Response & Threat Hunting SOC Integration & REST APIs SIEM Ticketing & Orchestration Firewalls & NAC Secure Remote Access SELF-LEARNING ANALYTICS ENGINES Network Traffic Analysis (NTS) Behavioral Anomaly Detection Unusual M2M Communication Detection Protocol Violation Detection Operational Incident Detection IT & OT Malware Detection Data Mining Infrastructure CORE CAPABILITIES IP Network & Serial Device Dissectors Embedded Knowledge of ICS Devices & Protocols Proprietary ICS Threat Intelligence & Vulnerability Research ICS Malware Analysis Sandbox 8

9 Malware-Free Attacks Are Growing Why BAD is Needed Now So the important question to ask is not, Can you prevent the initial compromise? that may be an impossibility. To be successful at stopping breaches, an organization needs to detect, investigate, and remediate or contain the threat as quickly as possible. Malware-Free Examples Stolen credentials PowerShell Router compromises Source: 9

10 CyberX Global ICS & IIoT Risk Report Top Data Points Based on traffic data collected from 850+ production ICS networks across 6 continents and all sectors (Energy & Utilities, Oil & Gas, Pharmaceuticals, Chemicals, Manufacturing, Mining) Anti-Anti-Virus Mythical Air-Gap Broken Windows Hiding in Plain Sight 43% 57% Automatic updates No automatic detected updates detected 40% Internet connections detected 60% No internet connections 47% 53% Only modern Sites with Windows unsupported versions Windows boxes 69% Plain-text passwords 31% Encrypted passwords Download full report: cyberx-labs.com/risk-report

11 The TRITON attack on a petrochemical facility had a deadly goal it was not designed to simply destroy data or shut down the plant it was meant to sabotage the firm s operations and trigger an explosion. The New York Times 11

12 TRITON Kill Chain 1 Steal OT credentials Deploy PC malware 2 3 Install RAT in safety PLC TriStation Protocol 4 Disable safety PLC & launch 2 nd cyberattack L4 L3 L1 L0 L2 12

13 CyberX Threat Intelligence: Reverse-Engineering TRITON GetMPStatus packet structure: 3 Install RAT in safety PLC

14 New TRITON Information from S4x19 Conference First incident actually 2 months earlier in June 2017 Plant shutdown for 1 week when safety controller tripped Automation vendor concluded it was mechanical failure 2 nd incident affected (6) safety controllers not just two Caused another 1-week shutdown hundreds of $ million from downtime & cleanup Danger from toxic hydrogen sulfide gases Incident response uncovered multiple red flags Misconfigured firewalls enabled attackers to move from IT network to DMZ to OT network AV alerts on workstations about Mimikatz credential stealing malware were ignored Ongoing alerts about RUN/PROGRAM key in unsafe position were also ignored enabled attackers to upload malicious backdoor into safety controller Suspicious RDP sessions to plant's engineering workstations from IT network True lesson = lack of clear roles: Who is responsible for ensuring security controls are properly implemented & effective IT, OT, integrator, or automation vendor?

15 Threat Anomaly Scenarios Detected by CyberX in NIST Report Unauthorized Device Is Connected to the Network Unencrypted HTTP Credentials Unauthorized Ethernet/IP Scan of the Network Unauthorized SSH Session Is Established with Internet-Based Server Data Exfiltration to the Internet via DNS Tunneling Unauthorized PLC Logic Download Undefined Modbus TCP Function Codes Transmitted to PLC Data Exfiltration to the Internet via Secure Copy Protocol Virus Test File Is Detected on the Network Denial-of-Service Attack Is Executed Against the ICS Network Data Exfiltration Between ICS Devices via UDP Invalid Credentials Are Used to Access a Networking Device Brute-Force Password Attack Against a Networking Device Unauthorized PLC Logic Update Robotics System Unauthorized PLC Logic Update Process Control System 15

16 CyberX Event Timeline 16

17 Unauthorized Device Is Connected to the Network This anomaly was executed on the PCS. The engineering laptop (Windows 7) was removed from the network during the baseline analysis phase of the product and was later connected to VLAN-2 to execute the anomaly. After the initial connection, background traffic was automatically generated onto the network by the laptop. 17

18 Unencrypted Credentials This anomaly was executed on the CRS. An Apache HTTP server was configured on Machining Station 1 and contained a directory that was protected by HTTP basic authentication. The web pages hosted in the protected directory enabled an operator to remotely view machine status information. The connection was initiated from the Firefox browser on the engineering workstation. 18

19 Unauthorized Ethernet/IP Scan During the reconnaissance phase, an attacker may attempt to locate vulnerable services in an ICS network and will likely include probing for ICS-specific services (e.g., Ethernet/IP). Once a vulnerable service, host, or device is discovered, an attacker may attempt to exploit that entity. 19

20 Unauthorized SSH Session This anomaly was executed on the PCS. The OpenSSH suite was installed and configured on a server with an internally routed public IP address ( ). The open-source SSH client PuTTY was used to establish a connection with the SSH service from the engineering workstation to the internet-based server. 20

21 Data Exfiltration to Internet via DNS Tunneling Attacks against ICS with the goal of information gathering, must (at some point) attempt to exfiltrate sensitive or proprietary data from the ICS network, potentially utilizing the internet as a transport mechanism. Monitoring for ICS devices communicating to other devices over the internet can help detect data exfiltration events, especially if the affected device does not normally communicate over the internet. 21

22 Unauthorized PLC Logic Download Many ICS devices provide services to remotely update control logic over the network. These network services can also provide a mechanism for attackers to replace valid control logic with malicious logic if the device is not protected. The Allen-Bradley software Studio 5000 was used to download the logic from the PCS PLC to the engineering workstation. Physical access to the PLC was required in order to change the operation mode from RUN to REMOTE RUN. 22

23 Undefined Modbus TCP Function Codes Are Transmitted to PLC Communications that do not conform to the defined specifications of the industrial protocol may cause an ICS device to act in an undefined or unsafe manner. Depending on the manufacturing process and the ICS device, the nonconforming communications may or may not be impactful, but investigation into the cause is warranted. Python was used to create a Modbus TCP message with the undefined function code value of 49 (0x31). The message was generated by the CybersecVM and was transmitted to the PLC Modbus server. 23

24 Brute-Force Password Attack Compiled lists containing default user credentials are freely available on the internet. Given enough time, an attacker may be able to access vulnerable systems by using a brute-force password attack. The software Nmap was used to generate the brute-force password attack by using the script telnet-brute. The attack was pointed at the PCS router, which has a Telnet service for remote configuration and is protected by a password. The service was not configured to limit the number of authentication attempts. 24

25 Full Alert Flow 25

26 26

27 27

28 How CyberX Supports the NIST Cybersecurity Framework Threat Threat Insight Identify Threat Threat Prevention Prevent Threat Detection Detect Response Respond Recovery Recover Asset discovery Network topology mapping Automated ICS threat modeling ICS vulnerability management & mitigation Integration with NGFWs Continuous monitoring with patented analytics & self-learning for anomaly detection Deep forensic & threat hunting tools Native apps for IBM QRadar & Splunk Integration with ArcSight, RSA, LogRhythm, McAfee Automated reporting to stakeholders ServiceNow integration IBM Resilient integration 28

29 CyberX Integration with Palo Alto Networks Accelerate time between threat detection & prevention Automatically generate firewall policies to block sources of malicious traffic identified by CyberX use cases: Unauthorized PLC changes Protocol violations can indicate malicious attempt to compromise device vulnerabilities (e.g., buffer overflow) PLC Stop commands can break production Malware e.g., programs using EternalBlue exploits Scanning malware can indicate cyber reconnaissance in early stages of breach Implement granular network segmentation based on asset profiles CyberX tags discovered assets with ICS properties (protocols, type, authorized, etc.) Rapidly create asset-based segmentation policies & Dynamic Access Groups (DAGs) 29

30 CyberX Integration with Palo Alto App Framework (Cortex) Analyze data collected by Palo Alto appliances already deployed in network Native CyberX app now available from App Framework portal 30

31 Applying INL s CCE Methodology to Securing ICS If you re in critical infrastructure you should plan to be targeted. And if you re targeted, you will be compromised. It s that simple. Andy Bochman, Senior Grid Strategist for National & Homeland Security, INL CCE = Consequence-Driven Cyber-informed Engineering 1. Identify Your Crown Jewel Processes 2. Map the Digital Terrain 3. Illuminate the Likely Attack Paths 4. Generate Options for Mitigation and Protection

32 Simulating Attack Paths to Crown Jewel Assets

33 Industry Unique Automated ICS Threat Modeling Choose your most critical crown jewel assets as targets CyberX finds all potential attack paths, ranked by risk CyberX shows visual simulation of entire attack chain, enabling what-if scenarios for remediation and mitigation (e.g., zoning, patching)

34 More than 1,200 Installations Worldwide 2 of the top 5 US energy utilities Top 5 global pharmaceutical company Top 5 US chemical company National energy pipeline & distribution company Top 3 UK gas distribution utility National electric utilities across EMEA & Asia-Pacific Largest water desalination plant in western hemisphere and more 1

35 What Manufacturing Clients are Saying About CyberX Reducing risk to our production operations is smart business. CyberX gives us deep visibility into our OT environment and continuous OT risk management, while enabling unified security monitoring and governance across both IT and OT. Ariel Litvin CISO First Quality Enterprises Consumer goods manufacturer with nearly 5,000 employees 35

36 Manufacturing Case Study CyberX ICS asset/vulnerability management & threat monitoring platform Deployed in multiple plants with 8,000+ devices monitored Centralized management provides global command-andcontrol across all facilities CyberX integrated with SOC workflows and security stack IBM QRadar (SIEM) Siemplify (security automation and orchestration) PAN NGFW infrastructure (prevention) 36

37 CyberX Services + Support Portfolio Technical support via phone/ Monthly tipsand-tricks webinar Online help & knowledge base Case management Hardware support via Dell & Arrow Optional services Online & onsite training Onboarding & Deployment Support Network Architecture Planning Onsite Incident Response Forensic Analysis SOC Enablement for ICS 24x7 coverage & dedicated TAM 37

38 Most Mature & Interoperable Solution STRATEGIC Reduce Risk Prevent costly production outages, safety & environmental failures, theft of corporate IP TACTICAL Gain Visibility Auto-discover all OT assets & how they communicate Prioritize Mitigations Identify critical vulnerabilities & attack vectors Detect & Respond to Threats Quickly Continuously monitor for malware, targeted attacks & equipment failures OPERATIONAL Seamless Integration Integrate with all OT protocols and equipment, SOC workflows & existing security stacks Zero Impact Non-intrusive & agentless 2138

39 For More Information ICS & IIoT Security Knowledge Base Threat & vulnerability research Black Hat research presentations Transcripts & recordings from past SANS webinars CyberX Global ICS & IIoT Risk Report Presenting OT Risk to the Board NISD Executive Guide See Us at Upcoming Events SANS ICS Security Summit & Training (Mar 18-19, Orlando) Cyber Security for Critical Assets (CS4CA) (Mar 26-27, Houston) ICS-JWG 2019 Spring Meeting (April 23-25, Kansas City) ICS Cyber Security (April 24-26, London) Public Safety Canada, ICS Security Symposium (May 29-30, Charlottetown) Palo Alto Network IGNITE US (June 3-6, Austin) API-IOG Cybersecurity Europe (June 19-20, London) CyberX vulnerability research featured in Chapter 7 free download from CyberX

40 THANK YOU

41 Appendix 41

42 What Clients are Saying About CyberX "As a UK gas distribution network, SGN relies on CyberX to deliver 24/7 visibility into our OT assets, vulnerabilities, and threats -- across thousands of distributed networks -- with zero impact on operations." Mo Ahddoud, CISO SGN 42