Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Slide 3 – S4x15 (Miami, FL), www.CriticalStack.com
“The capital purchasing cycle and limited interface to ICS and embedded devices represent a persistent and pervasive threat to enterprises of all sizes. Advanced techniques and technologies are needed to address this threat.”
Bro Platform
Executive Overview – What is our purpose
Slide 5
Internet of Things
Device Management
Networks are now dominated by non-PC devices.
Slide 6
[Chart: device population 2003-2020 (source: Cisco IBSG); connected devices per person .08x, 1.84x, 3.47x, 6.48x]
Trends Against Us
We are not only outnumbered; the devices are growing in:
complexity
computational power
variety
Lack of management tools: AV, HIDS, update, policy
Growing Device Management Gap
Growth of Embedded Devices – We are on the wrong side of the math
Slide 7
Capital Investments
ICS, embedded, medical and infrastructure devices are not easy to replace and may be designed to run for 30+ years.
Embedded, TVs, mobile devices, gaming devices, packages...
Hardware Details
Embedded Linux
Dynamic memory: 16-64 Mb
Flash memory: 16-128 Mb
32-bit PowerPC
Protocols
Sixnet, Modbus/TCP, DNP3
ARP, UDP, ICMP, DHCP, PPP...
10/100 Ethernet
1 port primary (2 MACs)
4-port switch
Communication
Telemetry, telephone (dialup, leased), radio...
RS232, RS485
Multiple configurations
Sample Device – ICS Controller
Slide 8
Sony SNC-RZ30N PTZ Camera
Sony cameras come in a large number of configurations.
Model appeared in 2003; similar to current models.
I/O Options
3 alarm inputs
2 alarm outputs
RS-232C
RS-485
Protocols
ARP, HTTP, FTP, SMTP, SNMP, DHCP, TCP/IP
10/100 Ethernet
Optional Wi-Fi
Expansion slots
25x optical zoom
Multiple codecs, frame rates, etc.
System
Embedded Linux
8 MB of storage
Expansion slots
Another Embedded Target – Similar Threat Surface
Slide 10
Security
Active network scanning (Nessus / Nmap)
Patch management programs
End users
Syslog
Anti-virus
HIDS: host-based IDS
Host-based firewalls
Signatures (bad stuff we know about)
Flow data
Segmentation: air gaps, VLANs
#fail
Nearly all of these assume an agent you can install, a patch you can apply, or a scan window you can tolerate; an embedded controller offers none of the three.
Traditional Techniques – Inadequate for Embedded / ICS
Slide 11
ICS Field Traffic
Watering Hole Attack
Carna Botnet
ICS Risks
Representative Attacks – Sample of compromises
Slide 12
ICS Field Traffic
Real World SCADA Anomalies
Fortune 20 Sample
Attack Scenario 1 – Unauthorized Access from Malicious Actor
Slide 13
Curious Anomalies
The frequency with which this host participates in the network does not make sense.
Anomaly? 1 time, 1 host, 1 command, in a 7-day period.
Examine Modbus: count all participants by exception.
Normal comms: regular polling of data.
Specialized Traffic Modbus – 7 Days of Traffic
Modified to anonymize location
Actual real-world incident from Aug 2013
Count    Orig          Resp          Exception
1        10.67.4.147   10.18.226.13  -
6        10.1.1.35     10.72.230.36  GATEWAY_TARGET_FAILED_TO_RESPOND
18       10.1.1.35     10.60.30.73   ILLEGAL_FUNCTION
5189     10.1.1.35     10.60.30.73   ILLEGAL_DATA_ADDRESS
123513   10.1.1.35     10.60.30.73   -
164312   10.1.1.35     10.60.230.36  -
Every row but the first is the known master 10.1.1.35 polling its slaves; the single request from 10.67.4.147 to 10.18.226.13, once in a week, is the one to explain.
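The "count all participants by exception" check above, as an added example (not Critical Stack's or Bro's own code): it parses Bro's tab-separated modbus.log layout, aggregates by (orig, resp, exception) exactly as the slide's table does, and then flags originators that barely appear in the window. The log lines are constructed to resemble the anonymised incident, not real captures; the `min_requests` floor is an assumption you would tune to your own polling rate.

```python
"""Count a window of Bro modbus.log traffic by (orig, resp, exception) and flag
originators that barely participate. Added example, not Critical Stack's or
Bro's code; the log lines below are constructed, not real captures."""
from collections import Counter


def _row(ts, orig, resp, func, exception):
    # Bro 2.x modbus.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p func exception
    return "\t".join([f"{ts:.6f}", "Cx", orig, "49152", resp, "502", func, exception])


def _build_sample_log():
    lines = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception"]
    ts = 1375315200.0  # Aug 2013 epoch, the slide's time frame (constructed)
    for i in range(40):  # the known master polling a known slave; a few bad addresses
        ts += 300.0
        exc = "ILLEGAL_DATA_ADDRESS" if i % 20 == 19 else "-"
        lines.append(_row(ts, "10.1.1.35", "10.60.30.73", "READ_HOLDING_REGISTERS", exc))
    lines.append(_row(ts + 1, "10.1.1.35", "10.60.30.73", "READ_COILS", "ILLEGAL_FUNCTION"))
    for _ in range(3):  # a gateway behind which a target stopped answering
        ts += 300.0
        lines.append(_row(ts, "10.1.1.35", "10.72.230.36", "READ_HOLDING_REGISTERS",
                          "GATEWAY_TARGET_FAILED_TO_RESPOND"))
    # one request, one host, one command, once in the whole window
    lines.append(_row(ts + 7.5, "10.67.4.147", "10.18.226.13", "WRITE_SINGLE_REGISTER", "-"))
    return "\n".join(lines)


SAMPLE_MODBUS_LOG = _build_sample_log()


def parse_bro_log(text):
    """Parse Bro's tab-separated ASCII log format into a list of dicts."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def summarize(records):
    """Counter keyed by (orig, resp, exception); '-' means no exception."""
    return Counter((r["id.orig_h"], r["id.resp_h"], r["exception"]) for r in records)


def rare_originators(records, min_requests):
    """Hosts that issued fewer than min_requests Modbus requests in the window."""
    per_orig = Counter(r["id.orig_h"] for r in records)
    return sorted(h for h, n in per_orig.items() if n < min_requests)


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_MODBUS_LOG)
    for key, n in sorted(summarize(recs).items(), key=lambda kv: kv[1]):
        print(f"{n:7d}  {key[0]:<14} {key[1]:<14} {key[2]}")
    print("rare originators:", rare_originators(recs, min_requests=10))
```

The per-originator floor is deliberately separate from the exception counts: the gateway errors come from the known master and are an operational problem, whereas a host that speaks once in a week of regular polling is the unauthorized-access question the slide is asking.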
Slide 14
Watering Hole Attack
Leveraging Vulnerable Infrastructure
Embedded devices may be turned against their operators.
Attack Scenario 2 – Demonstration from 10/13
Slide 16
ICS Risks
Leveraging Vulnerable Infrastructure
Embedded devices may be turned against their operators.
Attack Scenario 3 – Un-Recognized Risks
Slide 17
Vulnerability Overview
Lots of vulnerabilities; this one is particularly bad.
CVE-2013-2802
CVSS v2 metric groups:
Exploitability: Access Vector, Attack Complexity, Authentication
Impact: Confidentiality, Integrity, Availability
Environmental: Collateral Damage, % Vulnerable (Target Distribution), Impact (Security Requirements)
Temporal: Exploitability, Fix Available (Remediation Level), Vulnerability Verified (Report Confidence)
Actual score: 10.0
CVSS Scoring – CVE-2013-2802 Rank
Slide 18
Embedded Systems
Systematic vulnerabilities cannot be addressed in a vacuum; within a system each component must be secured and monitored at numerous levels.
Host/OS Attack: attacker modifies the firmware (OS) of the device, or uploads/downloads malware, or maliciously reconfigures the device.
ICS Protocol Attack: attacker injects or modifies ICS logic.
Connectivity: DDoS, man-in-the-middle; availability affected.
Network Comms: partners, controllers, or the SCADA system itself maliciously modified.
System Attacks: HMI, historian, management systems attacked.
3. ICS Threat Surface – Significantly Larger than discussed
Slide 19
ICS Honeypot
2013 Trend Micro ICS Honeypot
Representative of real-world conditions
Attack Scenario 3 – Who is attacking ICS systems?
Slide 20
Data Breakdown
Threat classification:
Reconnaissance - 100%
Unauthorized access - 77%
Unauthorized modification - 15%
Information disclosure - 69%
Device malware - 23%
ICS protocol - 15%
By the numbers:
18 hours until first attacks
39 documented attacks
12 unique targeted attacks
13 repeated attacks from multiple sources
Link
www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf
3. TrendMicro ICS Honeypot – Threat type x GEO IP
Slide 21
Carna Botnet
Largest publicly known embedded worm
aka “Alien Worm”
aka Internet Census 2012
Attack Scenario 4 – Global Embedded worm discovered by Bro Platform
Slide 22
Tracking Carna Botnet – The Team
Aashish Sharma, Lawrence Berkeley National Lab
Works with an incredible incident response team.
Incredible speaker.
Bro power user
Catch and Release with Bro
System acts as an Internet telescope
Sample of anomalies:
June 2011 - Morto Worm
June 2012 - “Alien Worm”
June 2012 - CVE-2012-2122, MySQL authentication bypass
Link
http://ee.lbl.gov
http://www.lbl.gov
Image 1 - Aashish Sharma
Slide 23
Carna Botnet – “Port scanning /0 using insecure embedded devices”
420,000 devices
[Diagram: Access - default credentials; Scope - /0 (the whole IPv4 space); Payload - scan; 25%]
“...we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.”
“...insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon.”
“The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture.”
http://internetcensus2012.bitbucket.org/paper.html
Slide 24
Carna Botnet – Let's look at the payload....
Directory Listing, Compromised Device
This is from one sample device; there would be minor differences between the 9 different architectures.
Custom Payload
4 ARM binaries
Revision Jun 28, 2012
Activity back to May 30, 2012
“Hilinux” BusyBox
uname -a output: Linux (none) 2.6.24-rt1-hi3520v100 #2010033002 Wed Mar 31 13:05:50 EST 2010 armv6l unknown
Default passwords
root / <blank>
root / 123456
Daemon on tcp/210 (https://isc.sans.edu/port.html?port=210)
4K payload
Scanning files
Logs
-rwxr-xr-x 0 root root  8610 Jun 28 19:19 t2.arm_v6k
-rwxr-xr-x 0 root root 13492 Jun 28 04:44 sp.arm_v6k
drwxr-xr-x 0 root root     0 Jul 23  2007 run/
-rw-r--r-- 0 root root    33 Jun 28 04:02 response
-rw-r--r-- 0 root root   371 Jun 28 04:02 readme
-rw-r--r-- 0 root root 49152 Jul  5 09:19 pz
-rw-r--r-- 0 root root     0 Jul  3 13:01 j
-rw-r--r-- 0 root root    33 Jun 28 04:02 idhash
-rwxr-xr-x 0 root root  5013 Jun 28 19:19 ht.arm_v6k
-rw-r--r-- 0 root root    33 Jun 28 04:02 challenge
-rwxr-xr-x 0 root root 10938 Jun 28 04:05 b.arm_v6k
-rw-r--r-- 0 root root    10 Jul  3 13:21 1.run
-rw-r--r-- 0 root root    10 Jul  3 13:21 0.run
Slide 25
Device – What do the devices look like?
Dozens of vulnerable models
Consider where in your network these resources would be deployed:
- sensitive areas
- behind your firewall
One “Chinese” OEM
Production traced back to a single OEM
Initially very concerning
Retailed by
Meier Grocery Store
Sams Club
Amazon.com
Costco
100's of retailers online
Link
https://www.q-see.com/
http://wansview.net/
Image 1 - Vulnerable Wansview PTZ Camera
Image 2 - Vulnerable Q-See DVR
Image 3 - Vulnerable Smarteye PTZ Camera
Slide 26
A Picture – is worth 420,000 devices....
Carna Botnet Details
Most cameras on Asian-based networks.
Scattered activity, single origin.
SYN packets only
Top ASN (4134) = 25% of infections: ASN 4134 (CN) - China Telecom
Top 5 ASNs = 50% of infections:
- ASN 3462 (TW) - Data Communications Business Group
- ASN 4837 (CN) - China Unicom
- ASN 9121 (TR) - Turk Telekom
- ASN 4788 (MY) - TM Net
Top 16 ASNs = 60% of infections
Long tail of infections
Global in scope
http://internetcensus2012.bitbucket.org/paper.html
Slide 27
Bro Platform Overview
Capabilities, use cases, and direction.
Slide 28
Bro – is short for Big Brother
Bro is three things...
The hardest part about Bro is that there are so many distinct use cases for the Bro Platform.
1. BPL, the Bro Programming Language: a Turing-complete, event-driven scripting language; handlers fire on events from traffic, files and protocols. It is often compared to Python for readability, but it is statically typed and uses C-style braces and semicolons.
2. Bro Platform: utilities to manage Bro; API, interfaces, etc.
3. Bro Apps: Bro-IDS; monitoring, vulnerability management, DLP, analysis, file analysis (really just Bro scripts).
Slide 29
Bro Platform – Dozens of use cases
Bro has use cases in...
Security, Monitoring, Reliability, Discovery, Compliance
Slide 36
Terms & Definitions – Signature Detection vs. Anomaly Detection
Classically speaking...
In the literature you will typically find IDSs broken into two distinct categories: signature-based or anomaly-based detection.
Bro is designed to face next-generation challenges.
Signature Detection
atomic indicators: domains, file hashes, IPv4/6
traditional signatures
algorithms
Anomaly Detection
traffic analysis
flow analysis
protocol analysis
Bro Platform
hybrid system: best of both worlds, plus a programming language
Bro Deployment
Today we concentrate on that
Slide 37
Bro Intelligence Framework – Actual Indicators
Feeds: ICSI SSL Notary, Team Cymru Malware Hash Registry, Abuse.ch, Malware Domain List, Spamhaus DROP, OSINT, internal feeds?
Alerts, action, protocol
Example notice:
CRITs::Multiple_Campaign_Hits
Recently 2 items on the zzAPT campaign were hit
CRITs UIDs: 504f88abe0742e059a424144, 509697c6e0742e4d547a907d
Slide 38
Protocol    Location                    Intel Type
IP          Connection                  Address
DNS         Request, reply              Address, Domain
File        Hashes generated            Hash
File        Name                        Name
HTTP        Header: Host                Domain
HTTP        Header: Referer             Domain
HTTP        Header: X-Forwarded-For     Address
HTTP        Header: User-Agent          Software
SMTP        Header: From                Email address
SSL/TLS     X.509 certificate CN        Domain
... exhaustive to list all the permutations!
Bro Intelligence Framework – More effective use of atomic indicators
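The matching the table describes, as an added example (not Bro's or Critical Stack's own code): each protocol location is bound to the indicator type it can carry, every observation is looked up only against that type, and hits are then grouped per campaign the way a CRITs::Multiple_Campaign_Hits notice on the previous slide would be. The indicator rows are constructed in the column order of Bro's intel input file; the where-seen names are written in the form of Bro 2.x's Intel::Where values and are used here only as labels; matching a parent domain of an observed host is this example's own choice, not a claim about Bro's semantics.

```python
"""Typed indicator matching across protocol locations plus per-campaign
aggregation. Added example, not Bro's or Critical Stack's code; all
indicators and observations are constructed."""
from collections import defaultdict

# Constructed indicators in the column order of Bro's intel input file
# (indicator, indicator_type, meta.source, meta.desc).
INTEL_ROWS = [
    ("bad.example.net", "Intel::DOMAIN", "crits", "zzAPT"),
    ("203.0.113.9", "Intel::ADDR", "crits", "zzAPT"),
    ("d41d8cd98f00b204e9800998ecf8427e", "Intel::FILE_HASH", "abuse.ch", "malware"),
]

# Which indicator type each protocol location can match (cf. the table above).
WHERE_TO_TYPE = {
    "Conn::IN_ORIG": "Intel::ADDR",
    "Conn::IN_RESP": "Intel::ADDR",
    "DNS::IN_REQUEST": "Intel::DOMAIN",
    "HTTP::IN_HOST_HEADER": "Intel::DOMAIN",
    "HTTP::IN_X_FORWARDED_FOR_HEADER": "Intel::ADDR",
    "SSL::IN_SERVER_CERT": "Intel::DOMAIN",
    "Files::IN_HASH": "Intel::FILE_HASH",
}


def load_intel(rows):
    """Return {indicator_type: {indicator: (source, desc)}}."""
    store = defaultdict(dict)
    for indicator, itype, source, desc in rows:
        store[itype][indicator] = (source, desc)
    return store


def _candidates(value, itype):
    # For domains also try parent domains so www.bad.example.net hits bad.example.net
    # (this example's choice, not necessarily Bro's behaviour).
    if itype != "Intel::DOMAIN":
        return [value]
    labels = value.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match(store, observations):
    """observations: (value, where, uid). Returns one hit dict per matching observation."""
    hits = []
    for value, where, uid in observations:
        itype = WHERE_TO_TYPE.get(where)
        if itype is None:
            continue
        for cand in _candidates(value, itype):
            if cand in store.get(itype, {}):
                source, desc = store[itype][cand]
                hits.append({"uid": uid, "seen": value, "where": where, "indicator": cand,
                             "type": itype, "source": source, "desc": desc})
                break
    return hits


def campaign_hits(hits, min_distinct=2):
    """Campaigns (source, desc) with at least min_distinct different indicators hit."""
    by_campaign = defaultdict(set)
    for h in hits:
        by_campaign[(h["source"], h["desc"])].add(h["indicator"])
    return {c: inds for c, inds in by_campaign.items() if len(inds) >= min_distinct}


# Constructed observations in the shape (value, where-seen, connection uid).
OBSERVATIONS = [
    ("bad.example.net", "DNS::IN_REQUEST", "CjA1"),
    ("www.bad.example.net", "HTTP::IN_HOST_HEADER", "CjA2"),
    ("203.0.113.9", "Conn::IN_RESP", "CjA2"),
    ("good.example.org", "DNS::IN_REQUEST", "CjA3"),
    ("d41d8cd98f00b204e9800998ecf8427e", "Files::IN_HASH", "CjA4"),
    ("203.0.113.9", "DNS::IN_REQUEST", "CjA5"),  # an address where only domains match: no hit
]

if __name__ == "__main__":
    store = load_intel(INTEL_ROWS)
    found = match(store, OBSERVATIONS)
    for h in found:
        print(f"{h['uid']} {h['where']:<22} {h['seen']} -> {h['indicator']} [{h['source']}/{h['desc']}]")
    print("campaign hits:", campaign_hits(found))
```

Binding each location to a type is what makes the same indicator cheap to check in many places: the zzAPT domain fires on the DNS lookup and again on the HTTP Host header of the follow-on connection, while the address form of it is never compared against domain fields, so the lookup cost stays flat as you add locations.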
Slide 39
Signature Evasion – Threat actors modify their TTPs to evade detection efforts
Each file, IP, domain, etc. can be modified.
Overly simplified example to communicate the concept:
Signature: UserAgent="DirBuster"
Evasion: UserAgent="DirBreaker"
Signature Effectiveness
Despite their evadability, signatures are still an effective weapon against particular types of threats and threat actors.
More advanced threat actors are actively monitoring defensive TTPs, measuring attack success rates, and actively working to evade detection efforts.
Slide 40
Socratic Ideal – Anomaly Detection
What should your network look like?
You cannot secure what you do not understand.
[Graph: connections coloured by service, green HTTP, pink FTP-DATA, red FTP; two captures, “Payload Upload” and “Normal”]
Slide 41
Viewing ICS & Embedded
Network Monitoring
Defending ICS & Embedded Systems
More Bro
Slide 42
Bro conn.log – services seen in each capture
Payload Upload:
$ bro-cut service < conn.log | sort | uniq -c | sort -n
     11 ftp
     15 http
    158 ftp-data
Normal:
$ bro-cut service < conn.log | sort | uniq -c | sort -n
     14 http
The camera's normal week is HTTP only; the FTP control and FTP-DATA sessions exist only in the payload-upload capture, so service counts alone already separate the two.
What should your network look like?
You cannot secure what you do not understand.
“Ground Truth” – A real record of communication
Slide 43
Whitelist or blacklist activity, behavior on your network?
Bro gives you access to the internals of each protocol in real time, as it happens.
http.log URIs (count, URI) across the Payload Upload and Normal captures; these are the camera's own /command/*.cgi interface:
1 /command/all-configuration.cgi
1 /command/ftpserver.cgi
1 /command/main.cgi
11 /command/inquiry.cgi
1 /command/inquiry.cgi?inqjs=camctrlright
1 /command/ptzf.cgi?AreaZoom=94,35,158,62
2 /command/inquiry.cgi?inqjs=tvstandard
2 /command/ptzfctrlright/inquiry.cgi
3 /command/inquiry.cgi?inqjs=sysinfo
64 /command/ptzf.cgi
Deeper Inspection – Protocol and Payload Details
Slide 44
Know thyself: Part II
You do need to have an understanding of what normal means to you.
host             device_type
58.107.168.125   Known::MODBUS_MASTER
58.107.168.121   Known::MODBUS_SLAVE
58.107.168.123   Known::MODBUS_MASTER
58.107.168.119   Known::MODBUS_SLAVE
58.107.168.121   Known::MODBUS_MASTER
known_modbus.log (the Known::MODBUS_MASTER / Known::MODBUS_SLAVE device types are written by Bro's known-masters-slaves policy)
Normal? 58.107.168.121 is logged as both a slave and a master; only the operator can say whether that is expected.
ICS Specific Protocols – Protocol and Payload Details
Slide 45
Know thyself: Part II
You do need to have an understanding of what normal means to you.
host             register  old_val  new_val  delta
58.107.168.121   6350      53774    48652    0.515266
58.107.168.121   6352      8002     13124    0.515266
58.107.168.121   6354      16244    26487    0.515266
58.107.168.121   6368      52973    28967    0.515266
58.107.168.121   6370      14484    22486    0.515266
58.107.168.121   5020      8884     0        0.021755
58.107.168.121   5021      548      0        0.021755
58.107.168.121   5022      8840     0        0.021755
modbus_register_change.log (delta is the time in seconds between the old and the new value being observed)
ICS Specific Protocols – Protocol record; what actually happened in the SCADA system.
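The two "what does normal mean to you" questions on these last slides, as an added example (not Bro's or Critical Stack's own code): the roles logged for each host are compared against an operator baseline to surface the dual-role host, and the register-change rows are screened for rewrites faster than the plant's cadence and for registers driven straight to zero. The rows are constructed from the values shown on the slides; the baseline allowlist, the `min_interval` cut-off and the zero check are this example's own assumptions about what an operator would consider normal.

```python
"""Baselining Modbus roles from known_modbus.log and screening
modbus_register_change.log rows. Added example, not Bro's or Critical Stack's
code; the rows are constructed from the slides, the baseline is assumed."""

# host, device_type as written by Bro's known-masters-slaves policy.
KNOWN_DEVICES = [
    ("58.107.168.125", "Known::MODBUS_MASTER"),
    ("58.107.168.121", "Known::MODBUS_SLAVE"),
    ("58.107.168.123", "Known::MODBUS_MASTER"),
    ("58.107.168.119", "Known::MODBUS_SLAVE"),
    ("58.107.168.121", "Known::MODBUS_MASTER"),
]

# The operator's documented roles (assumed): what this network is supposed to look like.
ROLE_BASELINE = {
    "58.107.168.125": {"Known::MODBUS_MASTER"},
    "58.107.168.123": {"Known::MODBUS_MASTER"},
    "58.107.168.121": {"Known::MODBUS_SLAVE"},
    "58.107.168.119": {"Known::MODBUS_SLAVE"},
}

# host, register, old_val, new_val, delta (seconds between the two observations).
REGISTER_CHANGES = [
    ("58.107.168.121", 6350, 53774, 48652, 0.515266),
    ("58.107.168.121", 6352, 8002, 13124, 0.515266),
    ("58.107.168.121", 6354, 16244, 26487, 0.515266),
    ("58.107.168.121", 6368, 52973, 28967, 0.515266),
    ("58.107.168.121", 6370, 14484, 22486, 0.515266),
    ("58.107.168.121", 5020, 8884, 0, 0.021755),
    ("58.107.168.121", 5021, 548, 0, 0.021755),
    ("58.107.168.121", 5022, 8840, 0, 0.021755),
]


def roles_by_host(known):
    """{host: set of roles} from (host, device_type) rows."""
    roles = {}
    for host, role in known:
        roles.setdefault(host, set()).add(role)
    return roles


def dual_role_hosts(known):
    """Hosts seen acting as both master and slave; rarely legitimate in a field network."""
    return sorted(h for h, r in roles_by_host(known).items() if len(r) > 1)


def unexpected_roles(known, baseline):
    """(host, role) pairs absent from the operator's baseline: new devices or role changes."""
    return sorted((h, r) for h, roles in roles_by_host(known).items()
                  for r in roles if r not in baseline.get(h, set()))


def fast_register_changes(changes, min_interval):
    """Registers rewritten faster than the plant's polling/actuation cadence allows."""
    return [(h, reg) for h, reg, _old, _new, delta in changes if delta < min_interval]


def zeroed_registers(changes):
    """Registers driven from a non-zero value to zero in one step; worth a human look."""
    return [(h, reg, old) for h, reg, old, new, _d in changes if old != 0 and new == 0]


if __name__ == "__main__":
    print("dual role :", dual_role_hosts(KNOWN_DEVICES))
    print("unexpected:", unexpected_roles(KNOWN_DEVICES, ROLE_BASELINE))
    print("fast      :", fast_register_changes(REGISTER_CHANGES, min_interval=0.1))
    print("zeroed    :", zeroed_registers(REGISTER_CHANGES))
```

Neither check decides anything on its own: the baseline turns "a slave became a master" from a curiosity into a ticket, and the register screens only tell the operator which rows to look at first. The numbers that matter (what interval is too fast, which registers must never read zero) come from the process, not from the monitor.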