An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

Transcription

1 An Operational Cyber Security Perspective on Emerging Challenges Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

2 Johns Hopkins University Applied Physics Lab (JHU/APL) University Affiliated Research Center Sponsors include DOD, NASA 6,500+ staff

3 Cyber Attack Weeks disconnected from the Internet 40 GB of unclassified data lost 5 malware versions, 13 accounts, 48 systems

4 Pre-Cyber Attack Completed risk assessment - Cross-APL team evaluated assets, assailants, tactics 2. Began distributing Application White Listing software - 2,000 systems by 6/11/09 3. Engaged Mandiant, preparing for a full network scan - 5,500 systems by 6/11/09, enterprise-wide scanning planned for 6/15/09

5 APL Unclassified Network 1. Analyzed network traffic, found command and control activity Internet 2. Remediated systems and accounts 3. Consultant recommendation - Attackers are A team - Slow data removal typical - High probability of layered, sophisticated intrusion tools - Partial measures drive the attackers deeper, making full remediation more difficult - Map attack via scanning without closing Internet access APL Public APL Internal 4. Decision to stay connected and map the attack

6 APL Unclassified Network 1. Analyzed network traffic, found command and control activity Internet 2. Remediated systems and accounts 3. Consultant recommendation - Attackers are A team - Slow data removal typical - High probability of layered, sophisticated intrusion tools - Partial measures drive the attackers deeper, making full remediation more difficult - Map attack via scanning without closing Internet access APL Public APL Internal 4. Decision to stay connected and map the attack

7 Timeline to Restore Internet Access Requirement Find all malware variants Secure all computers Malware types Systems impacted Login accounts Systems scanned Application white listing installed Notes Thu 6/ Attack discovered Fri 6/ Sat 6/ Sun 6/ Mon 6/ Tue 6/ Wed 6/ Thu 6/ Fri 6/ Mon 6/ Tue 6/ Wed 6/ Thu 6/ Fri 6/26 * 5 *48 13 All All Internet access opened

8 Leveraging Synergy at APL Leveraging Synergy at JHU/APL Mission Systems Corporate Cyber Cyber Research

9 Unclassified Network Internet Public Internal

10 Unclassified Network Korea China Hong Kong Canada Internet Public VPN Internal

11 Unclassified Network Korea China Hong Kong Canada Internet Public VPN Internal Virtual Machines

12 Unclassified Network Korea China Hong Kong Canada Internet X Public VPN Internal Virtual Machines

13 Unclassified Network Korea China Hong Kong Canada Internet X Public X VPN Internal Virtual Machines

14 Unclassified Network Korea China Hong Kong Canada Internet Public VPN Social Networking Internal Virtual Machines

15 Unclassified Network Korea China Hong Kong Canada Internet Public VPN Internal Virtual Machines

16

17

18 Coordinating Regional Cyber Response Fusion Cell Cyber Communications Law Enforcement Legal Integrated Threat Analysis Cell Cyber Analysts Regional Defensive Teams Team 1 Team 2 Team 3 Team 4 Team 5 Team 6

19 Visualize the Battlespace: Galaxy Main View Filters for major event types, lets the analyst turn off noise Primary view is a node-link graph helping the analyst make sense of heterogeneous event data Interactive selection of the focal time window and playback Zoomable timeline shows all events, provides a sense of scale.

20 Visualize the Battlespace: Galaxy Replay Capability Replay capability helps illustrate sequences of events. Here, a malicious actor finds a vulnerability and spreads through a network.

21 Regional Cyber Response: Positive Exercise Outcomes 1. Increasing amount of threat information shared by defensive teams 2. Crowd-sourced intelligence leads to a broad view of adversary tactics 3. Adversaries shut down after first attack due to information sharing 4. Threat Analysts told to pause sharing Intelligence with Defensive Teams because they were too fast 5. Adversaries must bring increasing numbers of staff and infrastructure due to Intelligence-sharing capability

22 Information Technology (IT) Operations Technology (OT) ICS Plant / Manufacturing Systems

23 The scale, scope, and frequency of cyber attacks on digital and physical infrastructure systems is growing rapidly. Threats are escalating as more sophisticated and organized attackers are designing targeted attacks to damage or disrupt vital services and critical physical systems. - President s NIAC Report 8/2017 ICS Industrial Control Systems (ICS) are EVERYWHERE

24 IT vs ICS IT System Lifetime 3-5 years years Control Systems (ICS) Owner CIO Technicians, operators, managers Purpose General computing, runs variety of applications Control machines, runs few applications at high availability Focus Preventing data loss Preventing operational disruption or damage Patches Security software, incident response and forensics IT staff; regularly scheduled, enterprise-wide, automated Commercial products and consulting available External vendor; nontrivial scheduling due to production impact and may break ICS functionality; ICS owners required to define acceptable risk Few solutions; forensics immature; requires good IT/ICS relationships; difficult to retrofit with security

25 Internet The greatest vulnerability to ICS occurs at any point of connection

26 Example: Fuel Delivery System 1. Phishing attack via the Internet 2. Reconnaissance to identify pump controller 3. Shutdown commands stop fuel delivery

27 Example Dependency Model: Fuel Delivery System Perform Operations Store Fuel Receive Fuel Distribute Fuel Provide cooling Transportation Provide safe working environment Perform preventative maintenance Perform corrective maintenance Fuel manager DB Automatic tank guage HVAC Water Treatment Building Automation Fuel handling systems Fire fighting equipment Diesel Generator Level Sensor 1 Level Sensor 2 Fuel Pump 1 Fuel Pump 2 Wireless Access Point 1 Wireless Access Point 2 Fuel Manager Server Windows Workstations

28 Example Assessment Findings ICS modernization has largely been ignored - Lots of end of life products (older hardware, software, expired warranties) - Operators are not fully aware of system interfaces - Systems have low funding priority (since they are so old), yet these elements directly impact the facility mission (not commonly understood) Increasing connectivity between systems - Allows a large attack surface for isolated systems to be exploited - Many systems have unencrypted wireless access System owners are not aware of cyber risks Ownership structure adds complications to management of systems - System owners and operators report to two separate chains of command

29 What does component failure mean for the overall system response? What does it mean for a multiple interacting systems? Overall economic impact? Potential to hold society at risk Vulnerability invites attack What about soft science consequences?

30 CyberWire 10/

31 Example Steps to Securing Control Systems (ICS) 1. Determine level of risk the organization will accept 2. Decide on cyber security ownership - Bring IT and OT together - Who owns protecting the asset? 3. Identify the ICS functions - Criticality to operations? - Common component across systems? 4. Implement ICS operational security - Baseline devices, apps, comms - Secure network connections - Harden system boundaries - Invest in detection tools - Focus on whitelisting - Create and exercise recovery options - Provide security training ICS From SANS Securing ICS 2017

32 Joint Defense and Red Teaming Government collaboration Consortium cyber response External red team New product penetration testing Cyber Defense is a Team Sport

33 Cross-Organization Response: Tabletop Lessons 1. Where to direct requests for resourcing to solve emergency needs 2. Different levels of classified communications, and staff classification levels 3. Sharing personal contacts/relationships to gather and disseminate information 4. Discussion of how we re informing the public 5. Coordinate external communications Building a CONOPS to guide restoration operations is vital

34

35

36

37