Honey, I Hacked the SCADA!: Industrial CONTROLLED Systems!

Honey, I Hacked the SCADA!: Industrial CONTROLLED Systems!
Jon L. Korecki, Executive Director, Cyber Security and Information Assurance
ViaSat Inc. - Carlsbad, CA
jon.korecki@viasat.com

Agenda
History of ICS/SCADA Vulnerabilities and Attacks
Attack Disclosures
Vectors of Attack and Rationale
History and Purpose of HoneyNet
Design and Architecture Criteria
Interaction Levels
Actual System as Deployed
Actual Attack Data
Advanced Deception Technology Concepts
Next Steps

August 14, 2003 - The saga begins...
FirstEnergy Corporation
Transmission Line Foliage
Race Condition in GE XA/21 EMS
Software Bug! Not an Attack
Blaster, August 11, 2003?
265 Generating Stations
28.7 GW Load Shed
50 Million Customers
8 States and Canada

Timeline Industrial Control Systems Attacks

Full Disclosure

SCADA/ICS System Vulnerabilities
What's connected?
Few testing environments
Compliance = FIREWALLS protection $$$$$
Legacy equipment
Hacker highways
Goodbye security by obscurity

Not to mention... physical Access!

(SCADA) InfoSec Triad
CISO - Security Team: Security! Multifactor Authentication, Encryption, Change Control, Regulations, ACLs, Firewalls and Red Tape
Technicians - Analysts: Features! Remote Access, Historian, Corporate Data Access, Tablet, iPhone, Android Access, EZ Authentication
Operations: Availability! Availability, Availability!

In a Perfect World?

What are we trying to prove?
SCADA Operational Intelligence Program
Validate System Attacks
Identify Nature of Attacks
Actual Damages
Quantify Impact

Requirements
Real system appearance
Interaction levels
Attacker profile information
Full Packet Capture (FPC)
Tor or Not to Tor?

SCADA Intelligence Gathering Cycle
Initialize Intelligence Sensors (HoneyNet)
SCADA Intelligence
Continuous Monitoring
Sensor Upgrades
Intelligence Correlation and Reporting
Cyber Security Systems Engagement
Attack Analytics

Myth or Reality?

SCADA Intelligence System Architecture
Deployment Options: DMZ with BackChannels, DMZ Landing Page, DNS Record

Low Interaction plcscan.py
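The low-interaction layer of such a honeynet has to look enough like a PLC to keep a scanner such as plcscan.py talking while recording who asked for what. As an added illustration (not code from the talk or from ViaSat), a minimal Modbus/TCP responder: it answers Read Holding Registers with constructed fake process values, refuses everything else with a protocol exception, and keeps every request as an event so it can later be rolled up into a per-source attacker profile. The register contents, addresses and function-code handling are assumptions for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")
READ_HOLDING_REGISTERS = 0x03
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02  # Modbus exception codes

@dataclass
class HoneypotEvent:
    src: str        # client address as seen by the sensor
    unit_id: int
    function: int
    payload: bytes  # raw PDU after the function code, kept for later analysis

@dataclass
class ModbusHoneypot:
    """Low-interaction sensor: looks like a PLC, answers reads with fake data, logs everything."""
    registers: List[int] = field(default_factory=lambda: [0] * 16)  # constructed fake process values
    events: List[HoneypotEvent] = field(default_factory=list)

    def handle(self, src: str, frame: bytes) -> Optional[bytes]:
        """Parse one Modbus/TCP request; return the response frame, or None if it is not Modbus."""
        if len(frame) < MBAP.size + 1:
            return None
        tid, pid, length, unit = MBAP.unpack_from(frame)
        pdu = frame[MBAP.size:MBAP.size + length - 1]  # length counts unit id + PDU
        if pid != 0 or not pdu:
            return None
        fc = pdu[0]
        self.events.append(HoneypotEvent(src, unit, fc, pdu[1:]))
        if fc == READ_HOLDING_REGISTERS and len(pdu) >= 5:
            addr, count = struct.unpack(">HH", pdu[1:5])
            if 1 <= count <= 125 and addr + count <= len(self.registers):
                data = b"".join(struct.pack(">H", r) for r in self.registers[addr:addr + count])
                body = bytes([fc, len(data)]) + data
            else:
                body = bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
        else:  # writes and anything else are refused like a locked-down PLC; the attempt is the intel
            body = bytes([fc | 0x80, ILLEGAL_FUNCTION])
        return MBAP.pack(tid, 0, len(body) + 1, unit) + body

    def profile(self) -> Dict[str, Dict[int, int]]:
        """Per-source count of function codes: raw material for attacker profiling."""
        out: Dict[str, Dict[int, int]] = {}
        for ev in self.events:
            per_src = out.setdefault(ev.src, {})
            per_src[ev.function] = per_src.get(ev.function, 0) + 1
        return out
```

Wrap `handle` in a TCP server on port 502 and mirror the socket to a full packet capture to get the FPC the requirements slide asks for; the event list is what feeds correlation.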

Medium and High Interaction

I-Frame High Interaction

And we have liftoff...

GeoLocation, HMI, Web, TOR Exit Nodes! Map

Attack Profile - Russian Federation SEV 2782

Anybody Home?

Not that we're keeping score
Graphs: Attacks - US, China, Thailand, Taiwan, France

Top Internet Service Providers Y1

Top Internet Service Providers Y2-3 Get off of my cloud!

Correlation

Rankings: 16748 Packet Exchanges; Recon; Coordinated Attack

Details, Evidence and Attacker Profiling

Findings - Attack Intelligence Correlation
Real and malicious attacks directed at Critical Infrastructure
Attack count and severity spiked on 9/11
Legacy systems are extremely vulnerable
Cloud provider sourcing rapidly increasing
Only sophisticated attacks utilize evasion techniques (e.g. TOR)
Diversity in attack tools (Simple scanners >> Professional tools)

Next Steps
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." Sun Tzu, The Art of War

"All warfare is based on deception." Sun Tzu, The Art of War
We're convinced that deception is a necessary part of any network defense
Not limited to ICS/SCADA; all industries, enterprise IT, and even consumers could benefit from deception-based anomaly detection
But the cost of deploying and maintaining deception needs to be low
http://i.imgur.com/pl0a3fp.jpg

Deception In Depth
Deception Funnel: Lure Attackers Deeper With Multiple Layers of Deception
Lures/Baits/Breadcrumbs
Many Low Interaction
Some Medium Interaction
Few High Interaction
Fewer Super High Interaction

Automation
Automated Deployment
Public/Private Cloud Deployment
Automated Response
Software Defined Networking

Automated Deployment

Public/Private Cloud Deployment

Automated Discovery and Deployment

Automated Deception Response
Automated Response with Software Defined Networking
NSA Active Cyber Defense (ACD) is a component of the Department of Defense's (DoD) overall approach to defensive cyber operations
Only 2 approved Trusted Cyber Sensor vendors
Keep adversaries engaged and collect intelligence
Learn Tactics, Techniques and Procedures (TTP) and apply to cyber-response playbooks

Cover All Your Bases
Known-Known: IDS/IPS and Trusted Cyber Sensor
Known-Unknown: Deception Technology
Unknown-Unknown: Behavioral Machine Learning

Takeaways

Consider deception as an early warning system
Key to success is automation
In Summary:
Use SDN to redirect attacks away from real to deception systems
Use a multi-layered deployment
Keep adversaries occupied and confused
Use analytics to consume output from deception nodes

Thank You!