You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

Transcription

1 You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell Mandiant, a FireEye company [2014 SANS European ICS Summit]

2 About me Currently: Principal Consultant on Mandiant s Industrial Control Systems Security team Previously: Product Security Architect for major industrial software & hardware vendor

3 If ICS are so vulnerable, why haven t we seen more attacks?

4 1. Intention 2. Visibility

5 1. [Intention] 2. Visibility

6 Attacker motivation Why are targeted attacks different? It s a Who, not a What They are Professional, Organized & Well Funded If You Kick Them Out They Will Return

7 Cyber incident response statistics Proactive measures eventually fail Attackers exploit the weakest link

8 Assumption #1 ICS is becoming more, not less, connected

9 Assumption #2 Vulnerabilities will exist indefinitely

10 Assumption #3 Defensive measures eventually fail

11 Conclusion Security breaches are inevitable

12 1. Intention 2. [Visibility]

13 We are not looking! (Meme alert)

14 Prevention is ideal,

15 but Detection is a must.

16 Determined adversaries will breach your defenses, the goal is to keep them from achieving their objectives.

17 Why ICS is different DETECT RESPOND Enterprise IT Systems Widely-used technology Well-known attack patterns Standardized logging (i.e. syslog, Windows Event log) High frequency of events Involves IT teams Industrial Control Systems Obscure technology Limited historical data (i.e. Stuxnet) Non-existent or non-standard log formats Low frequency, high impact events Involves IT and OT teams CONTAIN Laptop example: Unplug device Perform forensics Re-image & redeploy ICS example: Assess criticality & risk to process Failover Perform forensics Re-commission Acceptance testing Failback

18 and why ICS isn t different Enterprise/Plant/DMZ communications run through Ethernet switches and routers Windows Event Logs & syslog frequently available Many asset owners have a SOC or CIRT within their organization Security tools frequently deployed in the environment Good governance, quality management, and engineering are technology-agnostic disciplines Network security monitoring for industrial control systems is achievable using the tools we have today

19 What is network security monitoring? the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise. Richard Bejtlich The Practice of Network Security Monitoring

20 A bit of history. Cliff Stoll Stalking the Wily Hacker 1988 Todd Herberlein et al. A Network Security Monitor 1990 US Air Force Defense Information Systems Agency Lawrence Livermore National Lab Early 1990s NetRanger RealSecure Snort and many others Late 1990s - early 2000s Formal definition of NSM 2002 NSM is not a new concept, and the tools are fairly mature

21 Ok, so what is NSM really? It s a model for action, based on networkderived data Requires people and process, not just technology Focuses on the adversary, not the vulnerability

22 In ICS, we have the benefit of time.

23 Enterprise defenders are racing to thwart attackers, but the threats we face at this moment have not yet caused wide-scale kinetic effects.

24 Let s use the time we have to find and disrupt intruders.

25 Difficulties for NSM Encrypted networks Widespread NAT Devices moving between network segments Extreme traffic volume Privacy concerns Issues that most ICS do not face!

26 Instrumenting ICS Enterprise/IT Each network segment of an ICS should be monitored Plant DMZ Web Historian or other DB Natural points are at network gear separating segments SCADA HMI Control PLCs, RTUs, PACs, sensors SCADA Historian Monitoring traffic at the DMZ ingress/egress point may help provide early warning of attackers coming from the Corporate network

27

28 Methods of monitoring Network tap physical device which relays a copy of packets to an NSM server SPAN or mirrored ports switch configuration which sends copies of packets to a separate port where NSM can connect Host-based host NIC configured to watch all network traffic flowing on its segment Serial port tap physical device which relays serial traffic to another port, usually requires additional software to interpret data

29 Cisco Fluke Networks Stratus Engineering

30 Types of data collected for NSM Full content data unfiltered collection of packets Extracted content data streams, files, Web pages, etc. Session data conversation between nodes Transaction data requests and replies between nodes Statistical data description of traffic, such as protocol and volume Metadata aspects of data, e.g. who owns this IP address Alert/log data triggers from IDS tools, tracking user logins, etc.

31 Technology Many different open source and commercial tools can be used to build NSM capability Let s examine the tools in Security Onion, a purpose-built Linux distribution for NSM

32 Security Onion Full packet capture Tcpdump/Wireshark Extracted content Xplico Session data Bro Transaction data Bro Peel Back the Layers of Your Network Statistical data Capinfos/Wireshark Metadata WHOIS* Alert data Snort, Suricata, Sguil, Snorby

33

34 IR Process DETECT RESPOND Goal: Minimize total time CONTAIN

35 NSM Process

36 People The most important part of NSM! Gigabytes of data and 1000s of IDS alerts are useless without interpretation Analyze data collected to understand what s normal and what s not Identify adversary TTPs and act to disrupt them Remember, adversaries are a Who, not a What

37 Setting the right goal Showing evidence of conformance/compliance Finding indications of compromise

38 Redefining the win DETECT RESPOND CONTAIN ICS network instrumented with security technology and monitored by security personnel Effective process for response to ICS cyber security incidents Business continuity and DR planning consider ICS asset compromise

39 Breaking one link in the kill chain stops attackers from achieving their objective Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objectives

40 References The Practice of Network Security Monitoring Richard Bejtlich, No Starch Press

41