SCADA Environments. Jess Garcia. esecurity.com

Transcription

1 Log Monitoring & Forensics in SCADA Environments Jess Garcia esecurity.com

2 Security Strategy Protect Detect React

3 Objectives Monitoring & Response Monitoring: Detect Possible Security Problems, as many as possible Response: Respondto stop theattack beforeit really hurts or at least mitigate the impact Why It's good practices: Prevention is Ideal but Detection is a Must Detection is a Must, but useless without Response etection is a Must, but useless without Response And it is necessary: SCADA environments CAN BE and ARE PRESENTLY attacked

4 Tsun Tzu "Know Your Enemy... Be up to date on the latest threats to properly prepare your Protection/Detection/Response... and Know Yourself" What existing systems there are Who talks to whom What they talk What vulnerabilities they have How open you are to the world and where

5 How is SCADA Different from the Detection & Response PoV? The News: it is not so different Each day more and more similar to standard networks Disadvantages: You cannot touch many of the systems (or at least not too much) Advantages: VERY Stable > Low False Positive Rate The Dream of an Intrusion Detection Analyst!! You still need to tailor & maintain i the installation ti VERY Similar systems > you can define profiles Many products are now SCADA certified

6 Case Study <This slide has been intentionally left blank>

7 How to Succeed The right technology The right ihprocesses The right human resources The right training

8 Where do you start Yes, there are 1 million ways to get in BUT If your network is reasonably closed an attacker will need So... Malware The help of an Insider Define your Threat Matrix Design your Detection & Response System for the top threats (then you will grow)

9 The Key to Success: Processes Monitoring Processes Alert Investigation i Incident Response Processes So many more

10 Incident Response Process Process Preparation Identification Containment Eradication Recovery Follow up

11 What Can Monitoring Do For You? Helps you identify where to look Sometimes directly, many times indirectly The better you tailor it to your environment, the more it will help In SCADA environments monitoring strategies work very well Not too much data Not too many false positives

12 What is Forensics? A discipline which helps determine: What happened How it happened When it happened Why it happened Who did it

13 How Do You Do It? Incident Evidence Evidence Evidence Response Acquisition Preservation Analysis Reporting 1. Something BadHappens 2. We Verify That It Actually Happened If It Did happen 3. We Collect Relevant Data (and Keep It Safe) 4. We Analyze the Data 5. We Present the Results (To Managers, Board or Court)

14 And What Can Forensics Do For You? Types: Network Forensics Trends: Full packet capture How it can help: Platform Forensics Trends: How it can help: Malware Analysis Trends: "DNA" patterns analysis How it can help: What Can Forensics Do in SCADA Environments Towards "SCADA certified" Forensic products

15 Recipe for Becoming a Network Big Brother in 10 Steps 1 Identify Your Assets 2 Deploy Sensors 3 Setup a Monitoring Infrastructure 4 St Setup a Forensics Infrastructure t 5 Setup Additional Support Systems 6 Establish an Incident Response Policy & Procedure 7 Deploy Monitoring & Response Processes 8 Select & Train Your Monitoring Team 9 Ready, Set, Go! 10 Improve

16 Step 1 - Identify Your Assets You will need to know: What you have Where everything is Use Traffic Analysis for that t task Port Mirroring if new switches Network Taps if old infrastructure

17 Step 2 - Deploy Sensors You need information! Sensor Types Logs (FWs, Routers, DBs, OS,... ) HIDS/NIDS Configuration Management Systems Network Forensics Platforms Honeypots Network Forensics Intrusion Detection is not only about NI[DP]S / HI[DP]S Include slide(s) from NIDS Presentation

18 SIEM Step 3 - Setup a Monitoring Infrastructure Select a SIEM technology that matches your needs Centralize logs from all systems to your SIEM Network Devices Security Devices IDS, IPS, etc. Operating Systems Applications Databases Configure Alerts & Reports

19 Step 4 - Setup a Forensics Infrastructure Deploy a Forensic Environment Deploy a Remote Forensic Solution Deploy an Forensic Analysis Environment Deploy an Malware Analysis Environment

20 Step 5 - Setup Additional Support Storage Systems Backup Systems Systems Data Processing Systems Forensic Analysis Environment Malware Analysis Environment Ticketing System

21 Step 6 - Establish an Incident Response Policy & Procedure Alert Investigation Process Response Times Incident Management Policies & Procedures

22 Step 7 - Deploy Monitoring & Response Processes Everything must be a process Document thoroughly how to carry out each process Make it happen regularly (daily, weekly, monthly) Define what is an anomaly and what to do when it is found Define Define what triggers a more in depth investigation Take it easy, one step at a time!

23 Step 8 - Select & Train Your Level 1 Tasks Monitoring i Team Review Reports Daily Receive Alerts Generate Daily/Monthly Activity Reports Level l1 Alert Investigations Implement improvements New Detection Rules New Alerts New Reports Document changes and process improvements Implement (simple) Level 2 Tasks Investigate Escalated Alerts Define improvements Dfi Define response actions

24 Step 9 - Ready, Set, Go! Alert Analysis (NIDS, SIEM, HIDS,...) Log Analysis Logs Traffic Analysis Packet Captures Forensic Analysis Malware Analysis

25 Step 10 - Improve Clean Up Your Network SCADA Networks are good girls, you just need to help them a bit Fine tune your monitoring systems Misconfiguration o Alerts etsare NOT Security Alerts. ets Filter them! Increase your teams skills through experience & training IDS, Log Analysis, Network/System Forensics, Malware Analysis,... Fine tune your processes Decrease your response time Document Keep a historical database... of everything! Automate the ProcessesProcesses

26 How Far Can You Get EXTREMELY FAR! (At least we have! ;) ) The combination of technologies can (almost) completely automate your incident verification, making it thorough

27 Contact Information Jess Garcia esecurity.com One esecurity W: esecurity.com com E: esecurity.com T: