A presentation given in April 2019 in London at the ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain the threat, and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
1. LUCA BARBA
SR. MANAGER, PRODUCT MGMT. STRATEGY
OT BUSINESS UNIT
APRIL 2019
LESSONS LEARNED FIGHTING
MODERN CYBER THREATS IN
CRITICAL ICS NETWORKS
2. The Forescout OT Business Unit
A Global Security Leader
▪ Global Partner Network
▪ World Class Support (NPS 78)
▪ Award winning
Hundreds of large ICS deployments
Strong Expertise
▪ Utilities
▪ Oil & Gas
▪ Chemicals
▪ Life Sciences
▪ Industry 4.0
▪ Smart Cities
Forescout OT Center of Excellence
Eindhoven
The Netherlands
3. Cyber Risk and Operational Risk
› Threats targeting IoT & OT are growing
› Sophisticated actors are developing new attacks
› Limited ability to remediate threats in real time
› OT networks are no longer separate
› Threats move between cyber & physical dimensions
› Assets are highly critical & rarely can be patched
Corporate HQ: Information Technology
Operational Technology: industrial control systems and critical infrastructure, where success is measured as 99.999% uptime and days without an accident
Drivers: IT and OT convergence; threats targeting non-traditional devices; cyber risk resulting in operational and safety risk
› System failure & downtime of critical devices
› Connectivity and configuration issues with field devices
› Insecure protocols & data sent in noncompliant formats
4. How to Defend?
Prevention & policies: oriented to perimeter protection
Reactive: relying on detection tools to flag threats
6. Introducing Threat Hunting
• Prevention is ideal, but detection & response is crucial.
• The network is your perimeter.
• Actively search for threats to prevent or minimize damage.
• Test the organization’s capability to reliably detect and respond to threats.
• Analysts create “assumptions” or “behavioral patterns” that are then automated to quickly search the network for threat indicators.
https://sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop/
7. Threat Hunting vs Incident Response
Although computer security incident response teams (CSIRTs) are common nowadays, especially in large organizations, it is important not to confuse them with threat hunting.
• Incident response focuses on containment and recovery in the aftermath of a cyber incident, while threat hunting aims to catch threats before they hit.
• CSIRTs follow procedures and employ tools to detect and contain a threat. Threat hunting is centered around analysts, aided by tools, proactively looking for indicators of compromise.
• Incident response is all about the now and seeks to mitigate a detected threat. Threat hunting may require analyzing historical information to identify early indicators of potential threats.
9. SANS Survey on Threat Hunting 2018
• Threat intelligence leads threat hunting, and survey results demonstrate that organizations are investing more in cyberthreat intelligence (CTI) than before.
• Trained staff are key to running threat hunting engagements.
• Hunting is starting to show that organizations are using intelligence properly to identify threats instead of solely relying on traditional alerts and alarms.
• Threat hunting is helping organizations find threats more effectively.
“SANS 2018 Threat Hunting Survey Results” – SANS Institute 2018
11. Basic Analysis Workflow
▪ Asset inventory of all active hosts in the network, with automatic device fingerprinting and vulnerability indications
▪ Visibility into communication flows, protocol usage and process behavior
▪ Overview of networking and operational problems
Activities: preparation (e.g. determine monitoring points); network traffic capture (remote capture supervision and remote support for capture); analysis (approx. 1-3 days); analysis report; final presentation
12. Tooling: Forescout SilentDefense
Key benefits:
▪ Improved asset management
▪ Improved preventative maintenance processes
▪ Improved process performance
Deployment architecture (diagram): the SilentDefense Command Center sits in the corporate network, with native API integration into enterprise systems (SIEM, asset management, LDAP). Each site (Site 1 to Site N) runs a passive sensor, plus an optional active module, on the ICS/SCADA traffic; event logs reach the Command Center over a management/backhaul network or encrypted channel and feed the asset inventory.
13. Establish Visibility
▪ A clear picture of the underlying environment and its expected operation is of utmost importance
▪ Most asset owners have been in operations for decades; things change
▪ Internal security policies and best practices should be applied (e.g. segmentation)
▪ ICS protocol details allow a better understanding of normal
▪ Can you confidently answer these questions:
  ▪ Do my PLCs talk to each other? Or only to the HMI or DCS?
  ▪ Is everyone using my remote access proxy?
  ▪ How many different ICS protocols do we use?
  ▪ Do I have communications out to the Internet?
14. Define the Normal Behavior of the System
▪ Baselining ICS control traffic (automated and remote engineering access) is a necessity to look for threats that may use system functions correctly, but in an abnormal way
▪ Forescout can work with in-line tools (such as NGFWs) to create a baseline for application usage (DNP3, ICCP, SSH, etc.)
▪ Real-time network map leveraging the Purdue Enterprise Reference Architecture
▪ Automatically provision firewall rulesets for segmentation efforts
▪ SOC integration through a complete SIEM interface and a dedicated app
15. Use ICS-Centric Threat Hunting Tools
• Multi-Factor Threat Detection: effectively extract and analyze files using rule-based analysis, such as YARA and proprietary malicious hashes
• Threat Profile Database: a threat and vulnerability database that is updated and maintained is critical. We use the ‘ITL’, which has over 1,600 ICS-specific threat indicators, vulnerabilities and protocol checks
• Anomaly Detection: machine learning capabilities to detect new attacks and techniques, but also deviations from normal behaviors
• Scripting: allows easily extending built-in capabilities for the most advanced needs, like protocol support and custom network- and process-specific checks.
SilentDefense Industrial Threat Library (ITL): the Forescout Cyber Resilience Process draws on industrial experiences, customer intelligence and open sources
17. Case Study: Hunting Ransomware Abnormal Pattern of Activities
• Where: < --- > Factory
• When: Recently
• They had SMB communications on the network.
• SMB provides remote directory services that many Windows-based control systems rely on to operate properly
Network diagram: the SilentDefense Command Center sits in the corporate network behind a gateway/firewall; each plant network (Plant Network 1 to N) has its own gateway/firewall, a network switch monitored by a SilentDefense monitoring sensor, servers and HMIs, DCS & HMI workstations using IT protocols (e.g. DCOM/OPC, SMB), and PLC/RTUs with sensors and actuators using ICS protocols (e.g. MMS, Modbus, proprietary protocols).
19. Hypothesis: SMB malware infection
• We started baselining SMB traffic to map anomalies
• SilentDefense detects malformed SMB packets out of the box.
• There were many malformed-packet alerts for SMB: too short, wrong field.
• No specific WannaCry detections on endpoints.
• The hypothesis looked solid!
Dates and information anonymized on purpose
20. Hypothesis: SMB malware infection
• Second step: installing specific scripts for detecting EternalBlue, EternalRomance and DoublePulsar
• They might install other malware, like WannaCry, DiskCoder, Petya, crypto-miners ...
• No specific WannaCry detections on file transfers
• The hypothesis looked dangerously near to the truth.
• But no WannaCry?
21. The Analyst Steps In
• IoCs must be used to scope and hunt and to help final detection
• Investigation of the SMB payload structure to verify whether the SMB-minus-3-bytes alerts could be malware related (spoiler: no)
• Investigation & correlation to confirm that the alerts were not false positives (they were real)
• Estimation of the chance of false positives caused by, e.g., pentesting tools
SilentDefense Threat Analysis Script
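As an added example (not Forescout's or the conference's code), the kind of framing check that yields the "too short" and "wrong field" SMB alerts discussed in slides 19 and 21: it validates the NetBIOS Session Service length against the bytes actually carried and against the fixed SMB1/SMB2 header sizes. The sample frames are constructed, and treating the "SMB-minus-3-bytes" alert as a declared-versus-actual length gap of 3 bytes is an assumption.

```python
# NetBIOS Session Service (RFC 1002) framing used for SMB over TCP/445:
# 1-byte message type + 3-byte big-endian length of the SMB message that follows.
NBSS_HDR_LEN = 4
SMB1_MAGIC, SMB1_HDR_LEN = b"\xffSMB", 32   # SMB1 header is a fixed 32 bytes
SMB2_MAGIC, SMB2_HDR_LEN = b"\xfeSMB", 64   # SMB2/3 header is a fixed 64 bytes

def check_smb_frame(frame):
    """Return a list of alert strings for one TCP/445 frame; [] means well-formed."""
    alerts = []
    if len(frame) < NBSS_HDR_LEN:
        return ["truncated NBSS header"]
    if frame[0] != 0x00:                       # only a Session Message carries SMB
        alerts.append("unexpected NBSS message type 0x%02x" % frame[0])
    declared = int.from_bytes(frame[1:4], "big")
    body = frame[NBSS_HDR_LEN:]
    delta = len(body) - declared
    if delta != 0:                             # "too short" / "too long" alerts
        alerts.append("NBSS length mismatch: declared %d, got %d (%+d bytes)"
                      % (declared, len(body), delta))
    if body.startswith(SMB1_MAGIC):
        min_len = SMB1_HDR_LEN
    elif body.startswith(SMB2_MAGIC):
        min_len = SMB2_HDR_LEN
        # SMB2 header field StructureSize (offset 4, little-endian 16-bit) is always 64
        if len(body) >= 6 and int.from_bytes(body[4:6], "little") != 64:
            alerts.append("wrong field: SMB2 StructureSize != 64")
    else:
        return alerts + ["unknown SMB protocol id %r" % body[:4]]
    if len(body) < min_len:
        alerts.append("SMB header too short: %d < %d" % (len(body), min_len))
    return alerts

def build_frame(body, declared=None):
    """Wrap an SMB message in an NBSS header; 'declared' overrides the real length."""
    length = len(body) if declared is None else declared
    return b"\x00" + length.to_bytes(3, "big") + body

# Constructed samples, not real captures: a minimal valid SMB2 header, a frame that
# declares 3 bytes more than it carries, and a truncated SMB1 header.
GOOD_SMB2 = SMB2_MAGIC + (64).to_bytes(2, "little") + bytes(58)
SAMPLES = {
    "clean":      build_frame(GOOD_SMB2),
    "minus3":     build_frame(GOOD_SMB2, len(GOOD_SMB2) + 3),
    "short_smb1": build_frame(SMB1_MAGIC + bytes(10)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, check_smb_frame(frame) or "ok")
```

A length mismatch alone says nothing about intent; as the analyst step above shows, the payload still has to be inspected and correlated before calling it malware.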
22. Results & Possible Automations
• Two infected PCs in the customer network, luckily no ransomed system, meaning …
• Unknown malware (data exfiltration, crypto-mining?), probably running for a while
• With longer observation, outgoing SMB traffic to many places in the world was detected
• SilentDefense alerts led to a deeper investigation at the end-user site
Recommendations to improve the cybersecurity posture of the customer network:
• Network policies in place and monitored in real time
• SilentDefense Threat Analysis Scripts available
23. Bonus : GreyEnergy
• GreyEnergy utilized more modern techniques than BlackEnergy.
• The malware has been built as a modular framework that can adjust to different target infrastructures.
• Hypothesis: we are a target of GreyEnergy.
• SD network behavior analysis is crucial to identify precursor activities and anomalies
• We developed IoCs from intelligence (domains, IPs, hashes)
• We deployed advanced IoCs, exploiting our Forensic Time Machine to look back in time
24. Bonus : LockerGoga
• Requires a preliminary compromise
• Several endpoint protection systems have failed to recognize it
• Hypothesis: we are a target of LockerGoga.
• SD network behavior analysis is crucial to identify precursor activities
• SD user login analysis can help
• We craft and deploy a better YARA rule
25. Bonus : ShadowHammer Supply Chain Attack
• The goal of the attack was to surgically target an unknown pool of users, who were identified by their MAC addresses.
• More than 600 unique MAC addresses from more than 200 samples were used in the attack
• Capable of gathering information about the system, including usernames, computer specs and operating system versions.
• It could also be used to download a malicious payload from C&C servers
• Hypothesis: we are a target of ShadowHammer.
• We need to check all the MAC addresses on our industrial network…
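An added example, not part of the presentation, of the look-back hunt described in slides 22, 23 and 25: it replays stored flow metadata against IoCs (MAC addresses, IPs, domains), flags SMB leaving the plant address space, and reports first/last seen and a count per finding. The flow records, the indicator values and the 10.20.0.0/16 plant range are constructed placeholders, not real GreyEnergy or ShadowHammer indicators.

```python
import ipaddress

# Constructed historical flow records (what a look-back over stored metadata would
# replay), one per line: timestamp, src MAC, src IP, dst IP, dst port, dst name.
FLOWS = """\
2019-01-03T08:12:00Z,00-1B-1C-AA-BB-01,10.20.1.15,10.20.1.40,445,fileserver.plant.local
2019-01-03T08:13:10Z,00:1b:1c:aa:bb:02,10.20.1.16,10.20.1.40,445,fileserver.plant.local
2019-01-04T02:41:33Z,00:1b:1c:aa:bb:02,10.20.1.16,203.0.113.77,445,-
2019-01-09T02:44:05Z,00:1b:1c:aa:bb:02,10.20.1.16,203.0.113.77,445,-
2019-01-10T11:02:51Z,00:1b:1c:aa:bb:07,10.20.2.9,198.51.100.5,443,update.example-cdn.invalid
"""

# Placeholder indicators (not the real GreyEnergy/ShadowHammer IoCs): MACs are kept
# in canonical form so feed and inventory spellings compare equal.
IOC = {
    "mac":    {"001b1caabb07"},
    "ip":     {"203.0.113.77"},
    "domain": {"update.example-cdn.invalid"},
}
PLANT_RANGES = [ipaddress.ip_network("10.20.0.0/16")]   # assumed plant address space

def norm_mac(mac):
    """Canonical lowercase hex without separators (handles aa:bb and AA-BB forms)."""
    return mac.replace(":", "").replace("-", "").lower()

def hunt(flow_text, ioc=IOC, ranges=PLANT_RANGES):
    """Return {(kind, indicator, src_ip): (first_seen, last_seen, count)}."""
    hits = {}
    def record(key, ts):                       # ISO-8601 UTC strings sort as text
        first, last, n = hits.get(key, (ts, ts, 0))
        hits[key] = (min(first, ts), max(last, ts), n + 1)
    for line in flow_text.strip().splitlines():
        ts, mac, src, dst, port, name = line.split(",")
        if norm_mac(mac) in ioc["mac"]:
            record(("mac-ioc", norm_mac(mac), src), ts)
        if dst in ioc["ip"]:
            record(("ip-ioc", dst, src), ts)
        if name in ioc["domain"]:
            record(("domain-ioc", name, src), ts)
        # SMB leaving the plant ranges is abnormal regardless of any IoC match
        if port == "445" and not any(ipaddress.ip_address(dst) in r for r in ranges):
            record(("smb-egress", dst, src), ts)
    return hits

if __name__ == "__main__":
    for key, (first, last, n) in sorted(hunt(FLOWS).items()):
        print(key, "first", first, "last", last, "count", n)
```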
26. Key Takeaways
• Intelligence is very valuable.
• IoCs are fundamental to scope and hunt and to help final detection.
• Trust between the stakeholders is key.
• The future is data analysis: finding attackers' patterns of activities.
• Malicious patterns are always malicious, regardless of tools or techniques.
• Choose tools and partners able to help your processes and needs as a whole.
• The expert in the loop is invaluable: hire or pay for the best.