The Axis of Physical and Cyber Security providing three-dimensional threat protection

Transcription

1 The Axis of Physical and Cyber Security providing three-dimensional threat protection Presenters: Jim Willis, Doug King, CEO, InDev Tactical Technical Service Engineer Sr. Staff Lockheed Martin Rappahannock Electric Cooperative

2 Presenters Jim Willis, CMAS, CHS-I CEO, InDev Tactical MSc, International Development & Security BS, Electrical Engineering. Security consulting for electric co-op clients 40+ years electric power experience (co-op lineman/engineer/manager/nreca/consultant/subject-matter expert) Credentialed security & anti-terrorism expert Afghanistan, 6 yrs, reconstruction & security, (USAID, DOD, ISAF) Developed ASSIST a proprietary active shooter and violence prevention training for electric power industry.

3 Presenters Doug King Technical Service Engineer and Cybersecurity Lead Doug is a senior member of Lockheed Martin Energy s Rappahannock Electric Cooperative IT and Cybersecurity services team. Doug has over 20 years IT experience which includes: 4 years DoD Global Operational Support 14 years of electric cooperative support in information security operations, Doug s expertise includes cyber threat and targeted attack defense and response

4 Physical & Cyber Security Different roles Same goals

5 Cost of a data breach in 2016

6 Cost of a data breach in 2016 Energy sector per/unit cost = $148 For a co-op with 35,000 records that is = over $5,000,000

7 Data Protection: Defending against unauthorized access Physically & Digitally

8 3 Dimensional Data Protection Cyber Security Collaboration Physical Security

9 3 Dimensional Data Protection Physical Security Static Security Measures Dynamic Security Tactics Cyber Security Preattack Defense Active Attack Response

10 Physical Security Static Security Measures Dynamic Security Tactics

11 Static Security Measures Security elements utilized to protect the co-op s digital sphere from internal and external assault.

12 Static Security Measures Approach Access Theft of stored data

13 Physical Vulnerabilities Static Security Measures Server Rooms Voice & Data interface cabinets SCADA systems cabinets

14 Physical Vulnerabilities Static Security Measures Server Room access

15 Approach access

16 Theft of stored data

17 Physical Vulnerabilities Static Security Measures Voice & Data interface points & cabinets

18 Physical Vulnerabilities Static Security Measures SCADA network cabinets

19 Physical Vulnerabilities SCADA network cabinets

20 Physical Vulnerabilities SCADA network cabinets

21 Physical Vulnerabilities SCADA network cabinets

22 Dynamic Security Tactics Employing human resources (subject-matter experts & security consultants) to -

23 Dynamic Security Tactics Implement active security measures, Effectively communicate the threat, & Modify workplace culture.

24 Physical Security Dynamic Security Tactics Training

25 Physical Security Dynamic Security Tactics Security audits

26 Physical Security Dynamic Security Tactics Enhanced procedure development & Action plans

27 Cyber Security Pre-attack Defense Active Attack Response

28 Defender s Dilemma The Dilemmas We have to get security right every time an attacker only has to get it right once.

29 Attacker s Dilemma The Dilemmas We only need to detect one of the indicators of the attacker s presence in order to initiate incident response.

30 Scenario Over a long summer holiday weekend, someone cut a substation fence and attempted to steal a few dollars worth of copper. The communications shed in the substation was also broken into, but nothing was taken. Copper is not stored in the communications shed.

31 Scenario Later that fall, the cooperative s troublesome, aging security system alarmed over Thanksgiving weekend. The Sheriff s department and a senior cooperative employee responded but didn t find any signs of a break-in. They silenced the alarm and returned to their families.

32 Scenario On Monday, a cursory check shows nothing of value of taken. However, an administrator notices that sometime over the weekend a server completely lost power and power was restored approximately 10 minutes later. The server is normal and healthy. The administrator worries about possible hardware failure. The hardware vendor checked the system and all is well.

33 Scenario (cont) What really happened?

34 Scenario (cont) Two years prior, an advanced persistent threat (APT) team was tasked by a foreign nation state to breach a US electric distribution cooperative that serves strategically and politically sensitive US government facilities. The primary purpose of this tasking was to, at a time of the foreign nation state s choosing, send a strong message to US leadership and intelligence communities by demonstrating hostile command and control (C2) of a US utility. In order to accomplish this task the APT decided to use the cover of a routine PII attack in case their attempts were detected. The APT team found that remote external network penetration was too noisy. Instead, the APT team decided to engage with a physical attack.

35 Scenario (cont) Using OSINT (Open Source Intelligence) gathered from Google Maps, the APT first chose to attack the substation as Google Maps imagery showed that there was a communications shed that was not well protected. Ultimately, the shed contained only a minimal amount of equipment and had no direct enterprise or grid connectivity. At the cooperative HQ, Google Maps showed little fencing and large cooling equipment on one the roofs. The APT team assumed that this building contained the datacenter. The APT used a duplicated RFID badge to access the building. The original badge was scanned for duplication during TechAdvantage 2017.

36 Scenario (cont) Once inside the data center, a physical server was located. The server had a label affixed to it - Domain Controller 002. The APT forced powered off the system, reapplied power and inserted bootable removable media into to copy a single file from the domain controller.

37 Scenario (cont) The APT stole a copy of the cooperative s Active Directory database and which has the password hashes for all AD accounts.

38 Scenario (cont) All password hashes and configuration information is stored there. Secretsdump.py was used to extract the password hashes.

39 Scenario (cont) The APT plans to leverage the password hashes to create custom malicious payloads what will be delivered by , USB flash drives and social media later that year to establish remote C2. Since they are customized and using the credentials of stolen service accounts the probably of success is quite high.

40 Cybersecurity Preattack Defense Pre-attack Defense Develop and practice a physical attack incident response plan Treat ALL physical attacks as a potential cyber attack Be proactive and adversarial Threat hunt for Indicators of Compromise (IOCs)

41 Cybersecurity Preattack Defense Pre-attack Defense Research & Study Tactics, Techniques, and Procedures of Threats (TTPs) Search for and explain anomalies Minimal 2 years of logs for all PCs, servers and systems

42 Cybersecurity Preattack Defense Pre-attack Defense Regular open box red team penetration testing Forensic logging for all PCs, servers and systems 24/7/365 IDS/IPS monitoring & alerting Install and maintain centralized logging and reporting (SIEM)

43 Cybersecurity Preattack Defense Pre-attack Defense Consistent and dedicated InfoSec training for support staff PowerShell logging for all PCs and servers Do not implicitly trust the security practices of your vendors

44 Cybersecurity Preattack Defense Pre-attack Defense Practice Least Administrative Privilege (Local Administrator) Randomize Local Administrator Passwords (LAPS) Install a SIEM (GrayLog, Splunk, etc.) Event logs from all PCs, IoT devices, & Servers ingested into SIEM (Security Information & Event Management)

45 Cybersecurity Preattack Defense Pre-attack Defense Endpoint Detection and Response (Carbon Black, FireEye, etc.) Audit and monitor internet ingress/egress from your networks Audit Active Directory (Ask the hard questions)

46 Cybersecurity Preattack Defense Pre-attack Defense Monitor Active Directory for changes (Netwrix Auditor, etc.) Baseline processes and store in safe place (Get-Process Select-Object name,fileversion,productversion,company,path Export-Csv process.csv) Microsoft Advanced Threat Analytics (MS ATA)

47 Cybersecurity Preattack Defense Pre-attack Defense Honeypots (Canary) Honey Files Honey Tokens / Honey Accounts Pepper your enterprise with detection tripwires Deploy deception (Fake employees, LinkedIn, Facebook, Twitter, , etc.)

48 Cybersecurity Preattack Defense Pre-attack Defense Purple Teams Send your defenders to penetration testing and hacking courses Your defenders will become better defenders

49 Cybersecurity Preattack Defense Pre-attack Defense Your defenders will be able to anticipate and quickly adapt to threats Conduct a reoccurring 3 rd party penetration test to test you defenders The money spent on a penetration test is actually training for your defenders

50 Cybersecurity Active Attack Response Active Attack Response Follow a well rehearsed IRP that addresses all facets of your organization. Work quickly to protect what makes you a valuable target PII and Grid Control Systems

51 Cybersecurity Active Attack Response Active Attack Response Immediately secure your backup solution Be prepared to work with law enforcement (FBI, DHS, etc.)

52 Cybersecurity Active Attack Response Active Attack Response Assume the worst until proven otherwise Be prepared to sever network connections (LAN & WAN) Preserve forensic evidence whenever possible

53 Cybersecurity Active Attack Response Active Attack Response Look for devices that were left behind network taps, wireless devices, etc. Review any and all available camera footage When in doubt, shutdown and remove power from potentially compromised equipment

54 Cybersecurity Active Attack Response Active Attack Response Potential IOCs Anomalies In Privileged User Account Activity Unusual Outbound Network Traffic any change from baseline Geographic Anomalies Unexplained account lockouts for legitimate accounts

55 Cybersecurity Active Attack Response Active Attack Response Potential IOCs Failed logon attempts for non existent accounts Increase in database read volume Increase in website reads Distributed Denial of Service Attack (DDOS smoke screen)

56 Cybersecurity Active Attack Response Active Attack Response Stopping the attack is the first definitive step The next step Repair and remediation, but that s an entirely different issue.

57 The key to 3 Dimensional Data Protection Cyber Security Collaboration Physical Security

58 This is NOT collaboration

59 Collaboration A team effort between IT, Safety, & Security

60 For more info or questions Contact: Jim Willis, Physical Security issues Doug King, Cyber Security issues