Log Monitoring & Forensics in SCADA Environments
Jess Garcia, jess.garcia@one-esecurity.com

Security Strategy
  Protect
  Detect
  React
Objectives: Monitoring & Response
  Monitoring: detect possible security problems, as many as possible
  Response: respond to stop the attack before it really hurts, or at least mitigate the impact
  Why? It is good practice:
    Prevention is ideal, but detection is a must
    Detection is a must, but useless without response
  And it is necessary: SCADA environments CAN BE and ARE PRESENTLY attacked

Sun Tzu: "Know your enemy... and know yourself"
  Know your enemy: be up to date on the latest threats to properly prepare your protection, detection and response
  Know yourself:
    What existing systems there are
    Who talks to whom
    What they talk about
    What vulnerabilities they have
    How open you are to the world, and where
How is SCADA Different from the Detection & Response Point of View?
  The news: it is not so different; each day it is more and more similar to standard networks
  Disadvantages: you cannot touch many of the systems (or at least not too much)
  Advantages:
    VERY stable, so a low false-positive rate: the dream of an intrusion detection analyst!
    You still need to tailor and maintain the installation
    VERY similar systems, so you can define profiles
    Many products are now SCADA certified

Case Study
  (This slide has been intentionally left blank)

How to Succeed
  The right technology
  The right processes
  The right human resources
  The right training

Where Do You Start?
  Yes, there are a million ways to get in, BUT if your network is reasonably closed an attacker will need:
    Malware, or
    The help of an insider
  So...
    Define your threat matrix
    Design your detection & response system for the top threats (then you will grow)
The Key to Success: Processes
  Monitoring processes
  Alert investigation processes
  Incident response processes
  So many more

Incident Response Process
  Preparation
  Identification
  Containment
  Eradication
  Recovery
  Follow-up

What Can Monitoring Do For You?
  Helps you identify where to look: sometimes directly, many times indirectly
  The better you tailor it to your environment, the more it will help
  In SCADA environments monitoring strategies work very well: not too much data, not too many false positives

What is Forensics?
  A discipline which helps determine:
    What happened
    How it happened
    When it happened
    Why it happened
    Who did it

How Do You Do It?
  Phases: Incident Response -> Evidence Acquisition -> Evidence Preservation -> Evidence Analysis -> Reporting
  1. Something bad happens
  2. We verify that it actually happened
  If it did happen:
  3. We collect relevant data (and keep it safe)
  4. We analyze the data
  5. We present the results (to managers, the board or a court)
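Step 3 ("collect relevant data and keep it safe") has to survive step 5: whoever receives the report will ask which exact artefacts were taken and whether they have changed since. The following is an added example, not code from the slides or from One eSecurity: it records a SHA-256 and size per artefact at acquisition time, plus a digest over the manifest itself, and later re-verifies both. The files in demo() are constructed in a temporary directory; the manifest field names, the collector name and the case identifier are assumptions.

```python
"""Evidence acquisition and preservation manifest (added example, not from the slides)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large packet captures and disk images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest_digest(manifest):
    """Digest over the canonical JSON of everything except the digest field itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def acquire(paths, collector, case_id):
    """Hash each artefact at collection time and return the preservation manifest."""
    items = []
    for p in sorted(paths):
        items.append({"path": os.path.abspath(p), "size": os.path.getsize(p),
                      "sha256": sha256_file(p)})
    manifest = {"case": case_id, "collector": collector,
                "acquired_at": datetime.now(timezone.utc).isoformat(), "items": items}
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify(manifest):
    """Re-hash every artefact and check that the manifest record itself was not edited."""
    intact = manifest_digest(manifest) == manifest.get("manifest_sha256")
    result = {"manifest": "ok" if intact else "tampered", "items": {}}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            status = "missing"
        elif os.path.getsize(p) != item["size"] or sha256_file(p) != item["sha256"]:
            status = "modified"
        else:
            status = "ok"
        result["items"][p] = status
    return result


def demo():
    """Acquire three constructed artefacts, then modify one, delete one and edit the manifest."""
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed sample artefacts
            "auth.log": b"Jan 10 08:00:01 hmi1 sshd[412]: Accepted password for op from 10.0.3.5\n",
            "capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
            "plc_config.txt": b"station=2 baud=9600\n",
        }
        paths = []
        for name, content in files.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = acquire(paths, "analyst@soc", "CASE-0001")   # assumed identifiers
        before = verify(manifest)

        with open(paths[0], "ab") as f:       # someone "tidies up" the log after acquisition
            f.write(b"Jan 10 08:05:00 hmi1 sshd[412]: session closed\n")
        os.remove(paths[1])                   # and the capture disappears
        after = verify(manifest)

        edited = json.loads(json.dumps(manifest))   # attempt to rewrite the record to match
        edited["items"][0]["sha256"] = sha256_file(paths[0])
        edited_status = verify(edited)["manifest"]
    return {"before": before, "after": after, "edited_manifest": edited_status}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest only makes edits detectable; it does not stop an attacker who can recompute it. Copy the digest into the incident ticket, or sign the manifest, the moment acquisition finishes, so the record lives somewhere the evidence host cannot reach.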
And What Can Forensics Do For You?
  Types:
    Network forensics. Trend: full packet capture
    Platform forensics
    Malware analysis. Trend: "DNA" pattern analysis
  What can forensics do in SCADA environments? Towards "SCADA certified" forensic products

Recipe for Becoming a Network Big Brother in 10 Steps
  1. Identify your assets
  2. Deploy sensors
  3. Set up a monitoring infrastructure
  4. Set up a forensics infrastructure
  5. Set up additional support systems
  6. Establish an incident response policy & procedure
  7. Deploy monitoring & response processes
  8. Select & train your monitoring team
  9. Ready, set, go!
  10. Improve

Step 1 - Identify Your Assets
  You will need to know what you have and where everything is
  Use traffic analysis for that task:
    Port mirroring if you have new switches
    Network taps if you have old infrastructure
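What "traffic analysis" produces at this step is an inventory: the hosts that exist, who talks to whom, and which hosts answer on which ports (the "know yourself" questions from the Sun Tzu slide). The following is an added example, not code from the slides or from One eSecurity: a standard-library-only parser for a classic libpcap file (Ethernet / IPv4 / TCP or UDP) that builds that inventory, so it can be run on a capture taken off a mirror port or tap. make_pcap() constructs a small capture inline so the example runs offline; the addresses and the port-name table are assumptions for illustration.

```python
"""Asset discovery from a packet capture (added example, not from the slides)."""
import struct
from collections import defaultdict

# Assumed service names for ports that matter in a typical plant network.
KNOWN_PORTS = {22: "ssh", 102: "s7comm", 502: "modbus", 3389: "rdp",
               20000: "dnp3", 44818: "enip"}


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for every IPv4 TCP/UDP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:          # little-endian capture
        endian = "<"
    elif magic == 0xD4C3B2A1:        # big-endian capture
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:                # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                 # not IPv4 (VLAN-tagged frames are not handled here)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        if proto not in (6, 17) or len(ip) < ihl + 4:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield src, dst, ("tcp" if proto == 6 else "udp"), sport, dport


def build_inventory(flows):
    """Turn packet tuples into a host list, a who-talks-to-whom matrix and per-host services."""
    hosts = set()
    talks = defaultdict(int)         # (src, dst, proto, dport) -> packet count
    services = defaultdict(set)      # server ip -> {"tcp/502 (modbus)", ...}
    for src, dst, proto, _sport, dport in flows:
        hosts.update((src, dst))
        talks[(src, dst, proto, dport)] += 1
        name = KNOWN_PORTS.get(dport)
        if name or dport < 1024:     # destination-port heuristic: the server side
            services[dst].add(f"{proto}/{dport}" + (f" ({name})" if name else ""))
    return {"hosts": sorted(hosts), "talks": dict(talks),
            "services": {h: sorted(s) for h, s in services.items()}}


def _frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame used only to construct test captures."""
    pnum = 6 if proto == "tcp" else 17
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if pnum == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, pnum, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip + l4


def make_pcap(packets):
    """Constructed little-endian libpcap file, one frame per (src, dst, proto, sport, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        f = _frame(*p)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


# Constructed traffic: an HMI polling two PLCs over Modbus, a historian over
# DNP3, and the HMI opening RDP to an engineering workstation.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", "10.0.2.20", "tcp", 50123, 502),
    ("10.0.1.10", "10.0.2.20", "tcp", 50124, 502),
    ("10.0.1.10", "10.0.2.21", "tcp", 50125, 502),
    ("10.0.1.11", "10.0.2.20", "udp", 40000, 20000),
    ("10.0.1.10", "10.0.3.5", "tcp", 50126, 3389),
]


def sample_inventory():
    return build_inventory(parse_pcap(make_pcap(SAMPLE_TRAFFIC)))


if __name__ == "__main__":
    inv = sample_inventory()
    print("hosts:", inv["hosts"])
    for (s, d, pr, dp), n in sorted(inv["talks"].items()):
        print(f"{s} -> {d} {pr}/{dp}: {n} packets")
    print("services:", inv["services"])
```

The "services" map is a heuristic (destination port is assumed to be the server side); on a real capture confirm it against the known-port table for your vendors, and keep the raw who-talks-to-whom counts, since they become the allowed-communication profile the later steps alert against.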
Step 2 - Deploy Sensors
  You need information!
  Sensor types:
    Logs (firewalls, routers, databases, operating systems, ...)
    HIDS/NIDS
    Configuration management systems
    Network forensics platforms
    Honeypots
  Intrusion detection is not only about NI[DP]S / HI[DP]S
  (Include slide(s) from the NIDS presentation)

Step 3 - Set Up a Monitoring Infrastructure (SIEM)
  Select a SIEM technology that matches your needs
  Centralize logs from all systems in your SIEM:
    Network devices
    Security devices (IDS, IPS, etc.)
    Operating systems
    Applications
    Databases
  Configure alerts & reports

Step 4 - Set Up a Forensics Infrastructure
  Deploy a forensic environment
  Deploy a remote forensic solution
  Deploy a forensic analysis environment
  Deploy a malware analysis environment

Step 5 - Set Up Additional Support Systems
  Storage systems
  Backup systems
  Data processing systems
  Forensic analysis environment
  Malware analysis environment
  Ticketing system

Step 6 - Establish an Incident Response Policy & Procedure
  Alert investigation process
  Response times
  Incident management policies & procedures

Step 7 - Deploy Monitoring & Response Processes
  Everything must be a process
  Document thoroughly how to carry out each process
  Make it happen regularly (daily, weekly, monthly)
  Define what is an anomaly and what to do when it is found
  Define what triggers a more in-depth investigation
  Take it easy, one step at a time!
Step 8 - Select & Train Your Monitoring Team
  Level 1 tasks:
    Review reports daily
    Receive alerts
    Generate daily/monthly activity reports
    Level 1 alert investigations
    Implement improvements: new detection rules, new alerts, new reports
    Document changes and process improvements
    Implement (simple) response actions
  Level 2 tasks:
    Investigate escalated alerts
    Define improvements
    Define response actions

Step 9 - Ready, Set, Go!
  Alert analysis (NIDS, SIEM, HIDS, ...)
  Log analysis (logs)
  Traffic analysis (packet captures)
  Forensic analysis
  Malware analysis

Step 10 - Improve
  Clean up your network: SCADA networks are good girls, you just need to help them a bit
  Fine tune your monitoring systems: misconfiguration alerts are NOT security alerts. Filter them!
  Increase your team's skills through experience & training: IDS, log analysis, network/system forensics, malware analysis, ...
  Fine tune your processes
  Decrease your response time
  Document: keep a historical database... of everything!
  Automate the processes
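Steps 7 and 10 together describe the detection rule that works best on a stable, homogeneous SCADA network: a profile of the conversations that are allowed, an alert on anything outside it, a documented trigger for escalation, and a filter that keeps known misconfiguration noise out of the security queue. The following is an added example, not code from the slides or from One eSecurity, that runs that logic over centralized firewall connection records. The log lines, the key=value format, the allowed-communication profile and the noise entry are all constructed for illustration; the escalation rule (a source address the profile has never seen is "high" and escalates to Level 2, a known host reaching a new destination is "medium") is an assumption a real team would replace with its own.

```python
"""Whitelist-profile detection over centralized logs (added example, not from the slides)."""
import re
from collections import Counter, defaultdict

# Allowed conversations, as (src, dst, proto/port): assumed profile of this plant network.
PROFILE = {
    ("10.0.1.10", "10.0.2.20", "tcp/502"),
    ("10.0.1.10", "10.0.2.21", "tcp/502"),
    ("10.0.1.11", "10.0.2.20", "udp/20000"),
}

# Known misconfiguration noise (Step 10): counted for the operations report, never alerted.
NOISE = {
    ("10.0.1.11", "10.0.2.99", "udp/20000"): "TICKET-1234: historian still polls retired PLC",
}

# Constructed firewall connection-record format; real devices differ.
LINE = re.compile(r"(?P<ts>\S+) (?P<device>\S+) conn action=(?P<action>\w+) "
                  r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$")

# Constructed sample: normal polling, the known noise, then an unknown host scanning PLCs.
SAMPLE_LOGS = """\
2024-01-10T08:00:01Z fw1 conn action=allow src=10.0.1.10 dst=10.0.2.20 proto=tcp dport=502
2024-01-10T08:00:02Z fw1 conn action=allow src=10.0.1.10 dst=10.0.2.21 proto=tcp dport=502
2024-01-10T08:00:03Z fw1 conn action=allow src=10.0.1.11 dst=10.0.2.20 proto=udp dport=20000
2024-01-10T08:00:04Z fw1 conn action=deny src=10.0.1.11 dst=10.0.2.99 proto=udp dport=20000
2024-01-10T08:00:05Z fw1 conn action=allow src=10.0.1.10 dst=10.0.2.20 proto=tcp dport=502
2024-01-10T08:01:00Z fw1 conn action=allow src=10.0.3.5 dst=10.0.2.20 proto=tcp dport=502
2024-01-10T08:01:01Z fw1 conn action=allow src=10.0.3.5 dst=10.0.2.20 proto=tcp dport=44818
2024-01-10T08:01:02Z fw1 conn action=deny src=10.0.3.5 dst=10.0.2.21 proto=tcp dport=502
2024-01-10T08:01:03Z fw1 malformed line that the parser must skip, not crash on
"""


def parse_line(line):
    """Return a normalized event dict, or None for lines that are not connection records."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["service"] = f"{ev['proto']}/{ev['dport']}"
    return ev


def analyze(text):
    """Classify every record as profile, noise or anomaly and build per-source alerts."""
    known_hosts = {h for s, d, _ in PROFILE for h in (s, d)}
    report = {"events": 0, "unparsed": 0, "noise": Counter(), "alerts": []}
    anomalies = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            report["unparsed"] += 1      # parser failures are a monitoring health metric
            continue
        report["events"] += 1
        key = (ev["src"], ev["dst"], ev["service"])
        if key in PROFILE:
            continue                     # expected traffic: no alert, no ticket
        if key in NOISE:
            report["noise"][NOISE[key]] += 1   # known misconfiguration: filtered
            continue
        anomalies[ev["src"]].append(ev)
    for src, evs in anomalies.items():
        severity = "high" if src not in known_hosts else "medium"   # assumed escalation rule
        report["alerts"].append({
            "src": src,
            "severity": severity,
            "escalate": severity == "high",
            "count": len(evs),
            "denied": sum(e["action"] == "deny" for e in evs),
            "targets": sorted({(e["dst"], e["service"]) for e in evs}),
            "first_seen": evs[0]["ts"],
        })
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOGS)
    print(f"{r['events']} events, {r['unparsed']} unparsed, noise: {dict(r['noise'])}")
    for a in r["alerts"]:
        print(f"[{a['severity']}] {a['src']} first seen {a['first_seen']}: "
              f"{a['count']} connections ({a['denied']} denied) to {a['targets']}")
```

Two points the slide makes show up directly in the output: the historian's polling of a retired PLC is counted under its ticket rather than raised to the analyst, and one alert summarizes all three connections from the unknown host instead of three separate alerts, which is what keeps a Level 1 queue readable. The unparsed-line counter is worth keeping as its own report: a sudden rise means a device changed its log format and the profile is silently no longer being checked.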
How Far Can You Get?
  EXTREMELY FAR! (At least we have! ;) )
  The combination of technologies can (almost) completely automate your incident verification, and make it thorough

Contact Information
  Jess Garcia, jess.garcia@one-esecurity.com
  One eSecurity
  W: www.one-esecurity.com
  E: info@one-esecurity.com
  T: +34 911 011 000