Challenges in Cri-cal Infrastructure Security

Transcription

1 Challenges in Cri-cal Infrastructure Security Corrado Leita Symantec Research Labs 1

2 Symantec Research Labs CARD (Collabora*ve Advanced Research Department) group Sophia An*polis, FR Culver City, CA Herndon, VA European projects: WOMBAT ( ): Worldwide Observatory of Malicious Behaviors and AQack Threats VIS- SENSE ( ): Visual Analyi*cs of Large Datasets for Enhancing Network Security CRISALIS ( ): CRi*cal Infrastructure Security AnaLysIS BIGFOOT ( ): Big Data Analy*cs of Digital Footprints 2

3 Convergence between IT and ICS technologies Interconnec*on of standard computer systems with industrial control systems An opportunity? Lower costs and increased system efficiency Opportunity to leverage standard IT techniques (intrusion detec*on, file scanning, standard hardening techniques, ) Opportunity to enable ICS suppliers to manage and support ICS devices at scale A threat? Enable aqacks and incidents that are typical of standard IT environments Enable aqacks on cri*cal infrastructures and environments such as energy, gas, medical Privacy viola*ons from data being more widely available 3

4 What is this talk about? Q1 Why is research on Industrial Control Systems security important? How does it differ from standard IT security? Q2 What are the challenges associated to doing research on ICS security? 4

5 Q1 What are the challenges in the protec-on of ICS environments? 5

6 Off- the- shelf suitability to ICS Challenges IT VS OT culture Threat economy 6

7 Are off- the- shelf product suitable for ICS security? + =? 7

8 Smart Grid as a complex ecosystem Our focus SCADA AMI 8

9 A composi-on of complex environments flow datagram generated from the analysis of one hour of opera*on of a water pump control system diverse, o]en non- standard protocols Physical environment servers clients in main network gateways clients in separate network 9

10 Off- the- shelf suitability to ICS Challenges IT VS OT culture Threat economy 10

11 6th Interna*onal Conference on Autonomous Infrastructure, Management and Security (AIMS 2012) 11

12 The interes-ng lesson Is it possible to burn- out a water pump by solely interfacing with the SCADA layer? Fail- safe mechanisms exist to prevent physical damage! 12

13 Off- the- shelf suitability to ICS Challenges IT VS OT culture Threat economy 13

14 Threat economy Security mechanisms o]en aim at rendering an intrusion difficult enough Their effec*veness depends on the value of the target! Requiring a signed cer*ficate to inject a kernel driver Keeping valuable resources in a private network Storing a cer*ficate in a secure room cost revenue 14

15 Stuxnet, Duqu, Flamer Stuxnet: first publicly known malware to cause public damage Duqu: shares many similari*es, used for cyber espionage Flamer: even more advanced pladorm for data exfiltra*on è Cyber warfare is not a myth! 15

16 Is this the -p of an iceberg? 16

17 16 What is your experience with each of this type of abacks? (1580 industries contacted, 2010) Symantec 2010 Cri*cal Infrastructure Protec*on Study - hbp://bit.ly/bka8uf 17

18 Symantec 2010 Critical Infrastructure Protection Study - Global: Oc 2010 How many -mes have you suspected or been sure each of the following has occurred in the last 5 years? Symantec 2010 Cri*cal Infrastructure Protec*on Study - hbp://bit.ly/bka8uf 18

19 Cost es-ma-ons of all the abacks over the 5 years Symantec 2010 Cri*cal Infrastructure Protec*on Study - hbp://bit.ly/bka8uf 19

20 Q2 Research in ICS security 20

21 The problems Few or no informa*on is available on the threat landscape and on ongoing aqacks against ICS environments How do we ensure the relevance of our research? The few informa*on we have at our disposal shows very advanced threats carried out by groups or governments with almost unlimited resources How do we ensure the effec-veness of our research? 21

22 How do (should) we do research? Observe Form Hypothesis Perform experiments Analyze results Draw conclusions DATA 22

23 Marco Cova, Corrado Leita, Olivier Thonnard, Angelos Keromy*s, Marc Dacier, An analysis of Rogue AV campaigns, RAID 2010 An example: Rogue security sogware 1. What is the big picture? 2. Is there any major difference from other threats? All done in Javascript! 23

24 Methodology 1. Scope defini-on: defini*on of lists of domains likely to be related to the threat Norton Safeweb, Malware Domain Lists, Data enrichment using robtex.com 2. Data enrichment: collec*on of informa*on on the infrastructure hos*ng the content Registra*on informa*on, DNS informa*on, server informa*on, 3. Data mining: defini*on of a set of features for each domain and applica*on of MCDA Manual analysis of each generated cluster 24

25 PC An-spyware Domain name Web server Web server/dns server /24 network Registrant 25

26 Level of coordina-on This is unique to this threat and not shared by, for instance, drive- by- downloads Registra*on date 26

27 Are these findings specific to the threat landscape? Experiment: drive by downloads Analysis of 5304 domains known to be landing pages for Internet Explorer ADODB.Stream Object Installa*on Weakness (CVE ) Repeated feature collec*on and analysis using MCDA Only 21 clusters were found accoun*ng for a total of 201 domains (3.8%) The domains under analysis do not share a common infrastructure The infrastructure is not actually owned by the perpetuators of the aqacks Important difference with the Rogue AV scenario How to jus*fy this difference? 27

28 Rogue AV economics What are the costs/revenues associated to the rogue AV business? Costs (informal survey) Average monthly cost: 50$ Annual domain registra*on costs: 3-10$ Total annual costs: 879-2,230$ Revenues Average price for a rogue AV: 30-50$ Client volume??? Total annual revenues:?? 28

29 Rogue AV servers and Apache mod_status 6 servers (193 domains) were discovered to be offering u*liza*on sta*s*cs through the output of Apache mod_status Con*nuous sampling of the output over a period of 44 days Filtered out probing/scanning aqempts Tracked a total of 372,096 dis*nct IP addresses 29

30 Behavior evolu-on Successful scans: 25,447 Unsuccessful scans: 306,248 Hit rate: 7.7% A scan is considered successful if a download is performed by the same IP address within 24 hours Cumula*ve number of dis*nct IP addresses for each behavior type 30

31 Comple-ng the table What are the costs/revenues associated to the rogue AV business? Costs (informal survey) Average monthly cost: 50$ Annual domain registra*on costs: 3-10$ Total annual costs: 879-2,230$ Revenues (pessimis-c es-mate) Average price for a rogue AV: 30-50$ Expected mone*za*on rate for client hit: 0.26% (in previous studies on spam) Client volume over 44 days: 331,695 Total annual revenues: 214, ,702$ 31

32 Challenges Rigorous data collec*on is essen-al to security research Understanding the threat landscape Understanding the threat economics Evalua*ng/benchmarking real- world applica*on of specific solu*ons It s an expensive process Highly dynamic threat landscape Need to ensure representa*veness of the observa*ons, but also repeatability It s an itera*ve process The effort cannot be easily shared Field data experimenta*on is associated to lots of legal and ethical concerns when it comes to sharing data 32

33 The importance of observa-on What should we really do research on? 33

34 WINE: Benchmark for Computer Security Symantec s worldwide sensors Pladorm for experimental reproducibility 34

35 The Worldwide Intelligence Network Environment (WINE) Goal: repeatable cyber security experiments at scale Field data collected on millions of end- hosts Data sampled from Symantec s opera-onal data sets Access WINE on SRL site: Culver City, CA or Herndon, VA Fee required Store reference data sets used in prior experiments Maintain lab book 35

36 What WINE is not a defini*ve benchmark suite a data set that can be copied outside of SRL a system that can be accessed remotely a repository for all the data that Symantec collects an effort targeted exclusively at cyber security 36

37 Opera-onal Model 1 Malware Samples Proposal Hypothesis Data needed 3 2 WINE Catalog NDA 7 Isolated Red Lab 5 6 Contract 4 Researcher 7 Virtualized Server DB 5 6 Publica*on Ack: WINE 8 Contextual informa*on 37

38 WINE Data Set: Malware Packed and unpacked malware binaries Vulnerability Remedia*on Patch Malware Samples New AQacks Zero- Day AQacks Advisory Dissemina*on & Concealment 38

39 WINE Data Set: Binary Reputa0on Norton Insight (opt- in program) Submissions Queries MachineID Timestamp MD5 of binary Remedia*on SHA2 of binary Download URL Protocol version Patch Advisory Vulnerability Malware Samples Dissemina*on & Concealment New AQacks Zero- Day AQacks Binary Reputa-on 39

40 WINE Data Set: A/V & IPS Telemetry Threats detected by Norton products A/V, IPS Telemetry Remedia*on Patch Advisory Vulnerability Malware Samples Dissemina*on & Concealment Telemetry AQack signature Timestamp Zero- Day Target AQacks OS Target process New AQacking IP AQacks CPU make & model Binary Reputa*on 40

41 WINE Data Set: Spam Samples of spam and phishing s Sta*s*cs on blocked spam Vulnerability Remedia*on Patch Malware Samples New AQacks Zero- Day AQacks A/V, IPS Telemetry Advisory Dissemina*on & Concealment Binary Reputa*on Spam 41

42 WINE Data Set: URL Reputa0on Data collected by crawling the Web A/V, IPS Telemetry URL Reputa-on Site name Site ra*ng Remedia*on Threat URL Threat type Threat name Patch Timestamp Advisory Vulnerability Malware Samples Dissemina*on & Concealment New AQacks Zero- Day AQacks Binary Reputa*on URL Reputa-on Spam 42

43 Distributed Data Collec-on Malware: 7M samples A/V telemetry: 130M machines URL reputa-on: 10M domains Binary reputa-on: 35M machines Spam: 2.5M decoys 43

44 Can we extend the WINE idea to ICS research? CRISALIS: 3- year collabora*ve project (funded by FP7- SEC) Par*cipants: Symantec (Ireland) Siemens (Germany) Security MaQers (Netherlands) EURECOM (France) Chalmers (Sweden) University of Twente (Netherlands) ENEL (Italy) Alliander (Netherlands) Industry Academia End users 44

45 The problems Few or no informa*on is available on the threat landscape and on ongoing aqacks against ICS environments How do we ensure the relevance of our research? The few informa*on we have at our disposal shows very advanced threats carried out by groups or governments with almost unlimited resources How do we ensure the effec-veness of our research? 45

46 Threat economy (reminder) Security mechanisms o]en aim at rendering an intrusion difficult enough Their effec*veness depends on the value of the target! Requiring a signed cer*ficate to inject a kernel driver Keeping valuable resources in a private network Storing a cer*ficate in a secure room cost revenue 46

47 Stuxnet Windows worm discovered in July 2010 Uses 7 different self- propaga*on methods Uses 4 Microso] 0- day exploits + 1 known vulnerability Leverages 2 Siemens security issues Contains a Windows rootkit Used 2 stolen digital cer-ficates (second one introduced when first one was revoked) Modified code on Programmable Logic Controllers (PLCs) First known PLC rootkit 47

48 Stuxnet and the myth of the private network Internet P2P communica*on Remote propaga*on C&C servers 48

49 Stuxnet: an isolated incident? September 2011: a European company seeks help to inves*gate a security incident that happened in their IT system, and contacts CrySyS labs (Budapest University of Technology and Economics) October 2011: CrySyS labs iden*fies the infec*on and shares informa*on with major security companies Duqu: named a]er the filenames created by the infec*on, star*ng with the string ~DQ A few days later, Symantec releases the first report on Duqu malware sample with the help of the outcomes of the original CrySyS inves*gators 49

50 Signed Drivers Some signed (C- Media cer*ficate) Revoked immediately a]er discovery 50

51 Extremely stealthy and targeted infec-on 0- day vulnerability in TTF font parser Shellcode ensures infec*on only in an 8 days window in August No self- propaga*on, but spreading can be directed to other computers through C&C Secondary target do not communicate with C&C, communicate instead through P2P Infec*on leaves almost no trace on hard drive: only the driver file is stored in stable storage! 51

52 Command & Control Complexity Communica*on over TCP/80 and TCP/443 Embeds protocol under HTTP, but not HTTPS Includes small blank JPEG in all communica*ons Basic proxy support Complex protocol TCP- like with fragments, sequence and ack. numbers, etc. Encryp*on AES- CBC with fixed Key Compression LZO Extra custom compression layer CnC server hidden behind a long sequence of proxies 52

53 Targets 6 organiza*ons in 8 countries confirmed infected 53

54 Duqu strange clues TTF Exploit Font name Dexter Regular from Show*me Inc. Only two characters defined: : ) Inside the keylogger component is a par*al image interac*ng Galaxy System NGC

55 W32.Flamer Recently discovered, but ac*ve for more than 2 years Extremely high complexity LUA Interpreter Comprehensive toolkit for data exfiltra*on Ability to record from internal microphone Bluetooth toolkit 55

56 What have we learned so far? 1. Abacker mo-va-on: no security prac*ce is likely to make the intrusion difficult enough. New mo*va*ons for aqackers (crime, cyber warfare) mean more resources and incen*ves to conduct aqacks. 2. Myth of the private network: also because of 1., relying on network isola*on from the Internet as main security protec*on is ineffec*ve. Physical security cannot be enforced in prac*ce, and network isola*on renders cloud- based security technologies impossible to apply (e.g. reputa*on, data analysis, signatures, ). 3. From Intrusion Preven-on to Intrusion Tolerance: a layered approach is required with several safety nets and managerial procedures to handle fallback modes. 56

57 The CRISALIS approach O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions System discovery SCADA environments AMI environments End user support 57

58 System discovery: the founda-on of the CRISALIS project Understand the environment being monitored Devices Interconnec*ons among devices Seman*cs of the interac*ons Challenges Proprietary devices and protocols Lack of protocol parsers O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions End user support System discovery 58

59 O.1 Securing the systems Penetra*on tes*ng Globally accepted methodologies in ICT infrastructures O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions End user support System discovery Methodology needs to be carefully revisited to be applicable to ICS (dangerous!) Vulnerability discovery AQen*on to the automated discovery of vulnerabili*es in ICS devices Sta*c analysis of the binary code Dynamic analysis Drive the vulnerability discovery process through informa*on on the protocol specifica*on 59

60 O.2 Detec-ng the intrusions O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions System discovery End user support Vulnerability discovery is unlikely to exhaus*vely iden*fy all the possible threat vectors. How to iden*fy and block a successful intrusions? Targeted aqacks: we need to avoid a- priori assump*ons on the threat vector Tradi*onal assump*ons on the threat model are likely to not hold Signature- based technologies are not appropriate Revisit behavior- based detec*on in ICS environments Revisit host- based monitoring techniques 60

61 O.3 Analyzing successful intrusions O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions System discovery End user support Be ready to fail: provide instruments to detect suspicious modifica*ons to the devices and analyze their effects Forensic analysis of industrial devices: how can we understand if a PLC device has been compromised? How can we understand the impact of the modifica*ons? Challenges Perceived absence of real threats by the industry Deployment of proprietary components and protocols Lack of persistent storage capabili*es 61

62 Valida-on environment O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions System discovery End user support How can we validate the soundness of the obtained results? What is the performance of an intrusion detec*on methodology in real world environments? Valida*on environments: ENEL Security Lab (Livorno, Italy): replica of a real- world SCADA system used in power genera*on Alliander Tes*ng deployment (Netherlands): tes*ng AMI deployment 62

63 Thank you! Corrado Leita Copyright 2010 Symantec Corpora-on. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corpora*on or its affiliates in the U.S. and other countries. Other names may be trademarks of their respec*ve owners. This document is provided for informa*onal purposes only and is not intended as adver*sing. All warran*es rela*ng to the informa*on in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The informa*on in this document is subject to change without no*ce. 63

64 An example: CRISALIS and protocol learning Can we try to aqach seman*cs to the different edges with no a- priori knowledge on the protocol structure? Can we infer causality? 64

65 ScriptGen Protocol- agnos*c algorithm Observe conversa*on samples between a client and a real server Infer seman*cs using bioinforma*cs algorithms Proved good results in handling determinis*c exploit scripts 250 OK MAIL FROM: <alice@symantec.com> MAIL FROM: <*@symantec.com> MAIL FROM: <bob@symantec.com> MAIL FROM: <carl@symantec.com> 250 OK 250 OK MAIL FROM: <xxx@bad.ru> MAIL FROM: <*@*.*> 550 ERR 65

66 Region analysis 1 2 Multiple alignment Clustering 4 3 Region synthesis Micro clustering MAIL FROM: <alice@eurecom.fr> MAIL FROM:<*@eurecom.fr> MAIL FROM: MAIL FROM:<*@*.*> 66