Advance Malware protection in distribution and manufacturing environments. Rob Dolci, April 2016, copyright aizoon USA.

Transcription

1 Advance Malware protection in distribution and manufacturing environments Rob Dolci, April 2016, copyright aizoon USA.

2 aizoon at a glance Bologna New York, NY Cuneo USA Troy, MI Lewiston, ME Cambridge, MA EUROPE Genova Milano Roma Torino Sheffield AUSTRALIA Sydney aizoon is a 500+ employees strong technology consulting firm Focused on Smart Factory and Cybersecurity 2

3 Cyber scenarios: crime size and sophistication et/visualizations/worlds-biggestdata-breaches-hacks/ 3

4 Cyber scenarios: rapid detection and response The average targeted malware compromise was present for 205 days before detection, longest presence being 2982 days, and 69% were discovered by third parties (Mandiant, 2015) 160,000 new pieces of malware/day flood the internet Ensuing Goals: Managing behavioral expectations Behavioral analytics Incident response process and team Tools to monitor people, process, technology 4

5 Cyber crime in manufacturing and distribution Steel mill brought to standstill and damage to furnace in 2014 Automotive OEM with fewer welding spots on 10 cars for blackmailing purposes Emerging Trends: From stealing sensitive data (personal, financial) to IP infringement, to changing parameters for damage/blackmail Exploitation of old PLC and communication protocols Disrupting operations on shopfloor or DC is a matter of minutes for sizeable damage with our supplychains 5

6 23 Dec 2015, 3.35pm local time 7 x 110kV and 23 x 35kV substations disconnected for 3 hours 80,000 companies affected, multiple business operations down at last hour shipment time before Christmas Hackers used: Two separate SCADA hijack approaches Spear fishing and social engineering to gain access Remote access onto operators s HMI UPS systems to trick into scheduled service outage 6

7 Diagnosis of OT attacks 7

8 Cybersecurity gamut 8

9 Improving ARCHITECTURE Segment your network on principle of least privilege Enable logging for bot IT and OT assets Ensure your nodes (PCs, PLCs, Switches) can capture data Include MD5 and SH256 digital hash of the installers of your critical software Test, and keep testing your tools and technologies for Passive and Active defense Priotitize and patch vulnerabilities Use 2 form autenthication and need to use basis for remote connections Use system monitoring solutions 9

10 Improving PASSIVE Defense Whitelist, and periodically revisit, your applications Define, and periodically revisit, your Demilitarized Zone and your network segments Establish a central logging service to allow FORENSIC evidence to be collected Implement alarm priorities for abnormal events Enforce password policy, especially for VPN and Admin accounts Protect against denial of service and known malware Install, and periodically revisit, an intrusion detection system that can quickly find intruders 10

11 Improving ACTIVE Defense Have cybersecurity analysts hunt for odd communications ENTERING AND LEAVING your network Continuously monitor your network Have Incident Handlers connected also to your Legal and Finance depts. Use a Security Operations Center (SOC) Use backup and recovery tools to take images, especially from your supervisory environment such as HMIs, MES, WMS, MOM Train your analysists in YARA 11

12 aizoon s support to Cyber Security INCIDENT HANDLING Innovative Product Full service provider aizoon SECURITY SYSTEM & NETWORKS APPLICATION SECURITY DIGITAL FORENSIC IOT SECURITY MOBILE SECURITY EMBEDDED SECURITY 12

13 4 founding pillars for Aramis Aramis is an advanced malware identification product designed to: IDENTIFY THREATS inside a network by highlighting the deviations from its normal behavior FOSTER HUMAN ANALYSIS using proprietary pre-attentive dashboards and graphics COLLECT DATA PASSIVELY without altering the current network layout, therefore avoiding detection TAKE ADVANTAGE OF SPECIFICALLY DESIGNED BAYESIAN analysis engines and advanced deterministic rules 13

14 Aramis Workflow COLLECT ENRICH CORRELATE VISUALIZE 14

15 Engine: Bayesian network self-learning engine Evaluate consistency in the network using ad hoc Bayesian network analysis. The consistency shows the level (between 0 and 100) of normality of the information in the data flow. The Bayesian network analyzes different dimensions: HTTP requests and replies FTP activity SSL sessions SSL certificates used SMTP traffic on a network DNS activity on a network Connections Network activity on non-standard ports Files transmitted over the network Unexpected protocol-level activity Single Event Consistency Overall Consistency trend 15

16 User Experience: Pre-attentive The aramis Risk Visualizer collates the information in pre-attentive dashboards, because in certain cases a person can understand and react faster than a computer. aramis gives the analyst the right tools to be aware of what is going on, in real time 16

17 Goal of rapid response and detection, accomplished 17

18 Consistency of the model Between 0% (complete inconsistency) and 100%. The algorithm evaluates how closely the behavior represents the real data flow when compared to history. The portion of data that seems not consistent, will be segregated and presented to the operator for further inspection to determine if there is a threat or a simple anomaly. After the initial period of self-learning, Aramis can be configured with a view to define «used» variables as the real independent ones, and «evaluated» variables as the ones that are dependent. 18

19 Consistency with Aramis L Choice of dependent and independent variables is based on the feedback from the initial learning period on the network and its real behavior. Learning has the following time function. time 19

20 25 July 2015, 10:00-11:00: TCP scan with active SYN 200 clients, servers, printers, laptops, and smartphones were present on the network at that time. Notice how PC1 shows low consistency across Port & Machine 20

21 25 July 2015, 10:00-11:00: we dig in PC1 and Comparing Duration and Probability we immediately see incoherent behavior in connections <110 milliseconds. TCP is not highlighted confirming port scan, since TCP is ok. Duration Probability Inf Protocol Probability icmp tcp udp

22 Conclusion Risk from Malware is a function of: cost to develop, volume, speed Near impossible to analyze new Malware, develop protection AND avoid infection. 205 days dwell time = huge risk for business Self-learning automated system only way if it can catch symptoms and unexpected behaviors Aramis and Aizoon s SOC represent effective risk management and remediation 22