CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS

Similar documents
TLP to IEP Evolution: What, Why & How

Water Information Sharing and Analysis Center

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

DHS Hackers and the Lawyers Who Advise Them

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

23 MAR Malicious cyber activity of Iran-based Mabna Institute TLP: WHITE

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

The Mechanics of Cyber Threat Information Sharing

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

DHS Automated Information Sharing (AIS) Program

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

RSA NetWitness Suite Respond in Minutes, Not Months

Cyber Threat Awareness CETAC 2018

Operationalizing the Three Principles of Advanced Threat Detection

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

DHS Cybersecurity: Services for State and Local Officials. February 2017

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Sandboxing and the SOC

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

CloudSOC and Security.cloud for Microsoft Office 365

You Can t Stop What You Can t See

Cybersecurity Overview

How Breaches Really Happen

Critical Infrastructure Partnership

Department of Defense. Installation Energy Resilience

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Building a Threat-Based Cyber Team

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Building Resilience in a Digital Enterprise

Cyber Threat Landscape April 2013

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Live Adversary Simulation: Red and Blue Team Tactics

Are we breached? Deloitte's Cyber Threat Hunting

10 FOCUS AREAS FOR BREACH PREVENTION

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Critical Infrastructure Sectors and DHS ICS CERT Overview

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Statement for the Record

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

The Role of the ISACs in Critical Infrastructure Resilience Presented by Steve Lines Executive Director Defense Industrial Base Information Sharing

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

the SWIFT Customer Security

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

Incident response to a breach: Right of boom you find ashes

The CERT Top 10 List for Winning the Battle Against Insider Threats

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Using Smart Cards to Protect Against Advanced Persistent Threat

How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

Cybersecurity: Incident Response Short

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Cyber Security Program

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

TLP: WHITE TLP: WHITE 1

ANATOMY OF AN ATTACK!

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

The Value of Bipartisanship

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Cybersecurity Test and Evaluation

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Election Infrastructure Security: The How and Why of It

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

A YEAR OF PURPLE. By Ryan Shepherd

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

Securing Industrial Control Systems

SIEM: Five Requirements that Solve the Bigger Business Issues

ENTERPRISE ENDPOINT COMPARATIVE REPORT

RiskSense Attack Surface Validation for IoT Systems

Deception: Deceiving the Attackers Step by Step

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa

Department of Homeland Security Updates

Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

The Insider Threat Center: Thwarting the Evil Insider

Behavioral Analytics A Closer Look

building an effective action plan for the Department of Homeland Security

Incident Preparedness Report: Taming the Data Beast

Security Awareness Training Courses

Transcription:

National Cybersecurity and Communications Integration Center (NCCIC) Hunt and Incident Response Team (HIRT) CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS Jonathan Homer Chief, Industrial Control Systems Group HIRT/NCCIC Jonathon Briney Senior Presenter s Analyst, Name ICSG HIRT/NCCIC Presenter s Title and Organization

Disclaimer This presentation is intended for informational and discussion purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information. The display of the DHS official seal or other DHS visual identities, including the National Cybersecurity & Communications Integration Center (NCCIC) name or logo shall not be interpreted to provide any person or organization the authorization to use the official seal, insignia or other visual identities of the Department of Homeland Security, including NCCIC. The DHS seal, insignia, or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by DHS, NCCIC, or the United States Government. Use of the DHS seal without proper authorization violates federal law (e.g., 18 U.S.C. 506, 701, 1017), and is against DHS policies governing usage of its seal. This presentation is Traffic Light Protocol (TLP): WHITE. Subject to standard copyright rules, information may be distributed without restriction. For more information on the TLP, see http://www.us-cert.gov/tlp. TLP: WHITE DHS does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by DHS.

Current Cybersecurity Profile Worldwide Threat Assessment - 2017 Director of National Intelligence Dan Coats to Senate Select Committee on Intelligence May 11, 2017

Campaign Summary Advanced Persistent Threat (APT) actors Hundreds of victims (targeted or affected) Energy (focus area) Nuclear Aviation Critical manufacturing Government entities Response effort coordinated between multiple government organizations as well as industry organizations Effect has been limited to access so far, with no physical impact identified

Campaign Timeline Vendor compromised in early 2016 Remained dormant for over one year

Campaign Timeline Additional vendor network compromised in early 2017

Campaign Timeline Phishing attack originating from compromised network against another vendor and government entity

Campaign Timeline Intrusion from compromised vendor to another vendor

Campaign Timeline Latest vendor victim leveraged to phish U.S. utilities

Campaign Timeline Used new victim network to pivot and browse external content of an alreadyphished organization, as well as a non-u.s. organization

Campaign Timeline Used compromised vendor to access several U.S. energy utilities and IT service providers

Campaign Timeline Leveraged early victim to gain entry to two previously accessed utilities and one new victim

Who is the Target? Staging Targets Smaller organizations with less sophisticated networks Pre-existing relationships with intended targets Deliberately selected, not targets of opportunity Examples: vendors, integrators, suppliers, and strategic R&D partners Used for staging tools and capabilities Intended Targets Small, medium, and large organizations U.S. targets focused within the Energy Sector, specifically power generation, transmission, and distribution Sophisticated networks with more defensive cyber tools

What We Will Present Today Not a comprehensive overview of the attack For full information, see DHS Alert TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Third-party analysis reports Focus on unique tactics and behaviors Two areas of discussion Penetration of corporate networks Targeting of control systems

Corporate Networks: Reconnaissance Accessing the corporate websites of staging targets Human-driven behaviors, not scripted Lists of targets align to open-source lists (organized by subject-matter areas) published by third-party industry organizations Downloading detailed photos of organization infrastructure published to public website by victim organization

Corporate Networks: Credential Harvesting Tactic: Remote Server Message Block (SMB) server Spearphishing using a Microsoft Word file referencing a remote normal.dotm file Watering hole: Javascript leverages hidden iframe to generate a file:// connection to a remote server resulting in an SMB transfer of the user s NT Local Area Network Manager (NTLM) hash Stage 1: Request for file outbound over ports 137/139/445 Stage 2: Server requests credentials Stage 3: Victim provides user hash Stage 4: Server provides file

Corporate Networks: Initial Network Access Primarily leveraging captured legitimate credentials All victims had externally-facing, single-factor authenticated systems Three known intrusion vectors Virtual private networks (VPN) Outlook Web Access Remote desktop (both externally exposed and through VPN)

Corporate Networks: Other Traditional TTPs Persistence: Legitimate credentials, new account creation, scheduled tasks Lateral movement: PsExec, batch scripts, remote desktop (RDP), virtual network computing (VNC), admin shares Command and control: web shells, remote desktop Tools leveraged are available on GitHub Mimikatz CrackMapExec Angry IP SecretsDump Hydra Inveigh (and Inveigh-Relay) httrack

Corporate Networks: Persistence Using LNK files Stage 1: LNK file stored in common access directory Stage 2: LNK file icon file setting Stage 3: LNK file icon viewed using Windows Explorer Stage 4: Image Request for file outbound over ports 137/139/445 Stage 5: Server requests credentials Stage 6: Victim provided user hash Stage 7: Server provides image file Result: Active user s credentials are obtained by the threat actor every time the directory is viewed.

Control System Networks: Recon and Initial Intrusions Threat actor conducted research using publicly available information specifically related to the control systems being operated by specific victims Many of the phishing emails were targeted against control systems operations and related to control system operations

Control System Networks: Tactics Stage 1: Access from threat actor to victim corporate network using RDP port forward already in place and/or compromised credentials through VPN Stage 2: ICS Data exfiltrated from corporate servers: Vendor Information Reference Documents ICS Architecture Layout Diagrams Stage 3: Remote access profiles downloaded from RDP/VNC jumpbox Stage 4: Configuration data and screenshots downloaded from HMI

Control System Networks: RDP Session of Threat Actor

Recommendations Initial Triage Search for known Indicators in historical logs (see DHS Alert) Remain focused on behaviors (TTPs) Don t whitelist network traffic with trusted partners Continual Monitoring Behavior-based analysis Staging Targets: anticipate spearphishing and watering holes Intended Targets: anticipate spearphishing, C2 using legitimate credentials, and persistent scripts on workstations and servers Directly Related Mitigations Block all external SMB network traffic Require multi-factor authentication for all external interfaces

NCCIC Current Focus Areas NCCIC provides support for victims at all stages of compromise Specifically interested in information from victims, vendors, and cyber community in the following areas: 1. Authentication by threat actor using multi-factor authentication 2. Any direct access or information reconnaissance pertaining to control system networks 3. Non-interactive activities by threat actor (actions other than those taken through RDP and VNC)

Contact NCCIC NCCICCustomerService@hq.dhs.gov 1-888-282-0870 24x7x365 Operations

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback