EFFECTIVE DEFENCE In a connected world. Philippe COTELLE, Airbus Defence and Space 2016, Nov 4th

Transcription

1 EFFECTIVE DEFENCE In a connected world Philippe COTELLE, Airbus Defence and Space 206, Nov 4th

2 Telecommunications Satellites Cybersecurity Threats Telemetry & Command hijack or jamming Data communication jamming Theft of transponder bandwidth or capacity Data communication interception Responses Brute-force, spread spectrum, multiband / multifrequency, encryption, authentication Robust waveform, frequency hopping, spread spectrum, spectral subtraction, jammer nulling (frequency / spatial) Spectrum monitoring, geolocation Encryption (AES for civilian usage, else military solution) Techno Active Antennas, Processors, Steerable Reflectors Active Antennas, Processors, Steerable Reflectors Processors, Interferometers Processors Processors Active Antenna Geolocation Regeneration, spread spectrum Processors Steerable Reflectors 2

3 TMTC Hijacking or Jamming Scenario "3am call" to operator to satellite control manager Satellite not responding Sudden and total loss of TM/TC Emergency management and start of investigation Early investigation leads to external "cyber attack on communication link" Expenses to get satellite back under control Potential business interruption 3

4 How could it occur? Targeted attack via with lateral move and information exfiltration RECONNAISSANCE Information gathering in social network and through public website scanning 2 WEAPONIZATION Crafting of a dedicated malicious pdf with Windows XP exploit embedded and attacker s workload. 3 DELIVERY Sending of a spear phishing aiming at luring the targeting user so he would execute the malware himself. 4 EXPLOITATION Malicious pdf execution by the user, admin priviledge gain by windows XP exploit usage. 5 INSTALLATION Attacker s workload dropped and installed on the targeted workstation. 6 COMMAND AND CONTROL Connection to the C&C in order to allow direct access to the target by the attacker. 7 ACTIONS ON OBJECTIVES Actions could be for instance: lateral move in order to gain access to critical target, internal information gathering, information exfiltration, 4

5 Use Case Airbus Defense & Space CyberSecurity Service in action Potential APT detection 2 First triage by L 3A Context information gathering by L 3B Incident qualification by L2 4 Customer notification & ticket creation 5 Investigation and analysis of available logs 6A Complementary information requests to customer IT security team 6B (opt) Dispatch of keelback host 6C (opt) Incident response expertise dispatch 7 Automatic sandbox analysis 8A New or updated IOCs and correlation rules deployment 8B Vulnerability scan & assessment 9 Incident follow-up 0 Incident ticket closed and knowledge base update 5

6 Use Case Airbus Defense & Space CyberSecurity Service in action Potential APT detection 2 First triage by L 3A Context information gathering by L 3B Incident qualification by L2 4 Customer notification & ticket creation 5 Investigation and analysis of available logs 6A Complementary information requests to customer IT security team 6B (opt) Dispatch of keelback host 6C (opt) Incident response expertise dispatch 7 Automatic sandbox analysis 8A New or updated IOCs and correlation rules deployment 8B Vulnerability scan & assessment 9 Incident follow-up 0 Incident ticket closed and knowledge base update 6

7 Data Jamming Scenario 7

8 Theft of Bandwidth Scenario Frequency Plan Receive Unused channel Frequency plan change (Processor capability) Frequency Plan Transmit Signal Noise Ratio Bandwidth thief Bandwidth thief Other possible response: change uplink gateway

9 Data Interception Scenario interception Data encryption (ex: AES ) Other possible response: frequency hopping

10 Conclusion Solutions exist to manage cyber risk Risk analysis is mandatory to adopt sound mitigation strategy Technical mitigation combine cybersecurity service and technical solution on satellite Insurance Transfer shall be considered in coordination with risk mitigation 0