ICS, SCADA, and Non-Traditional Incident Response. Kyle Wilhoit Threat Researcher, Trend Micro

Transcription

1 ICS, SCADA, and Non-Traditional Incident Response Kyle Wilhoit Threat Researcher, Trend Micro 1

2 $whoami Threat Researcher, FTR, Trend Micro Threat Researcher at Trend Micro- research and blogger on criminal underground, advanced persistent threats, and vulnerabilities/exploits. Research: Malware detection/reversing Persistent Threats (Malware based espionage) ICS/SCADA Security Vulnerabilities and the Underground Offensive Exploitation 2

3 Agenda 3

4 What are ICS devices? Used in production of virtually anything Used in water, gas, energy, automobile manufacturing, etc. Notoriously insecure in every way Software is sometimes embedded, sometimes not Typically proprietary 4

5 Glossary HMI: Human Machine Interface IED: Intelligent Electronic Device SCADA: Supervisory Control And Data Aquisition RTU: Remote Terminal Unit Historian: Data Historian Modbus: Most common ICS Protocol DNP3: Very common ICS Protocol 5

6 Typical ICS Environment 6

7 Security Concerns- ICS vs. Traditional IT Systems ICS Correct Commands Issued (Integrity) Up-time (Availability) Protection of data (Confidentiality) IT Protect the data (Confidentiality) Protect communication (Integrity) Limit interruptions (Availability) 7

8 ICS Vulnerabilities In 2012, 171 unique vulnerabilities affecting ICS products. 55 Vendors 8

9 Unique ICS Concerns- Incident Response Remote Lack of INFOSEC knowledge Lack of engineer knowledge of INFOSEC Unknown embedded/proprietary OS Lack of network layout knowledge Lack of logical access 9

10 Unique ICS Concerns- Forensics Remote Imaging?!?!? Embedded/Proprietary operating systems WAN/LAN Links 10

11 BUT WHAT CAN WE DO? 11

12 Story Time Small town in rural America Water pump controlling water pressure/ availability Population 18,000~ 12

13 Story Time Water pressure system Internet facing No firewalls/security measures in place Could cause catastrophic water pressure failures First accessed Dec

14 Story Time Attacked several times During Q3-Q4 Attackers successfully gained access Has not been made public This is not a story Real life event.. 14

15 This Happened. 15

16 Story Time In my basement 16

17 Enter Pro-Active Incident Response 17

18 Honeypot Overview Two low-interaction One high-interaction Ran for 28 days in total One Windows Server 08 Two Ubuntu Servers 18

19 What They See 19

20 What is an Attack? ONLY attacks that were targeted ONLY attempted modification of pump system (FTP, Telnet, etc.) ONLY attempted modification via Modbus/DNP3 DoS/DDoS will be considered attacks 20

21 Attacks CHILE, 1 CROATIA, 1 NORTH PALESTINE, 1 KOREA, 1 RUSSIA, 3 VIETNAM, 1 US, 9 POLAND, 1 BRAZIL, 2 JAPAN, 1 NETHERLAND S, 1 LAOS, 6 CHINA, 17 UK, 4 1 Spear Phishing Attempt 21

22 Attacks Vxworks exploitation attempt Attempt to shutdown pump system Modify temperature output Modify pump pressure Count Secured area access attempt Modbus traffic modification Modification of CPU fan speed

23 Need for ICS Incident Response No focused interest seen anywhere Needed to understand attacks. Are we even attacked??? Need to understand differences Security event Engineering event Hardware event Etc. Educated response leads to decreased risk CRITICIAL INFRASTRUCTURE!!! 23

24 Traditional Incident Response 24

25 ICS/SCADA Incident Response Must include forensics Must be dynamic enough to diversify Must have SME s Must follow documented process Must have a wide range of expertise Muse utilize threat intelligence 25

26 ICS INCIDENT RESPONSE APPROACHES 26

27 Proposed ICS IR Flow Asset Identification Recovery Pro-active Identification Forensic Capture and Analysis Incident Identification Containment Investigation/ Assessment Threat Actor Identification 27

28 Asset Identification Identify all assets deemed ICS Perform criticality assessment Logically map all equipment Map connectivity points to LAN/WAN segments Identify make, model, and manufacturer or ICS equipment 28

29 Pro-Active Identification Honeypots IDS (Not IPS in active mode!) Must be placed parallel to other ICS equipment IOC s Threat Intelligence (HUMINT, SIGINT) Offensive Incident Response Network Segmentation 29

30 Incident Identification/Investigation Identify Incident Engineering mistake? Security Incident? Hardware Incident? In the ICS world- take off network (Likely) Primary business priority- get back online 30

31 Threat-Actor Identification Why care? Especially during incident. Helps look for parallel attackers Can help planning of offensive IR (Offensive countermeasures) Use OSINT!!! 31

32 OSINT Case Study 32

33 Containment Typical Containment Methods: Firewalls IPS/IDS Take device off net ACL s Bastion hosts Whitelisting IOC development Increased logging Sniffer deployment The list goes on 33

34 ICS Forensics Done to understand incident on micro level Will allow classification of future events Asset retrieval (If applicable) Interpret and draw inferences Chain of custody established Analyze forensic data (String search, data carving, artifact analysis, etc) Forensic imaging (Physical, Logical, and Memory) Capture of forensic network data (Where Applicable) 34

35 Recommendations Implement forensics and incident response into ICS environments Have SME s for threat intelligence, malware, incident response, and forensics Have pro-active protections in place Utilize logging!!! Take devices off the Internet Utilize network segmentation 35

36 Thanks! @lowcalspam 36