Challenges in Critical Infrastructure Security

Challenges in Critical Infrastructure Security
Corrado Leita, Symantec Research Labs
DIMVA 2012 - Heraklion, Greece - 26-27 July 2012

Symantec Research Labs
Sites: Sophia Antipolis, FR; Dublin, IE; Culver City, CA; Herndon, VA
European projects:
WOMBAT (2008-2011): Worldwide Observatory of Malicious Behaviors and Attack Threats
VIS-SENSE (2011-2013): Visual Analytics of Large Datasets for Enhancing Network Security
BIGFOOT (2012-2014): Big Data Analytics of Digital Footprints
CRISALIS (2012-2014): CRitical Infrastructure Security AnaLysIS

Convergence between IT and ICS technologies
Interconnection of standard computer systems with industrial control systems.
An opportunity?
Lower costs and increased system efficiency
Opportunity to leverage standard IT techniques (intrusion detection, file scanning, standard hardening techniques, ...)
Opportunity to enable ICS suppliers to manage and support ICS devices at scale
A threat?
Enables attacks and incidents that are typical of standard IT environments
Enables attacks on critical infrastructures and environments such as energy, gas, medical
Privacy violations from data being more widely available

ICS Security outline: Culture, Environments, Threats

Different priorities
How can I prevent unauthorized individuals from accessing my data?
How can I avoid downtime?

Lessons
Those systems can, in most cases, be remotely accessed by employees and contractors via VPN!
Is it possible to burn out a water pump by solely interfacing with the SCADA layer? Fail-safe mechanisms exist to prevent physical damage!

ICS Security outline: Culture, Environments, Threats

Are off-the-shelf products suitable for ICS security?

Smart Grid as a complex ecosystem
Our focus: SCADA, AMI

A composition of complex environments
[Figure: flow datagram generated from the analysis of one hour of operation of a water pump control system; components shown: physical environment, servers, clients in main network, gateways, clients in separate network]
Diverse, often non-standard protocols

ICS Security outline: Culture, Environments, Threats

The Era of Discovery (1986-1991)
First IBM PC virus: Brain, a boot sector virus created in Pakistan
First DOS file infector: Virdem, presented at the Chaos Computer Club
First polymorphic virus: Chameleon, developed by Ralf Burger

The Era of Transition (1992-1998)
Michelangelo trigger date: causes widespread media panic that computers would be unbootable
First Word macro virus: Concept is the first macro virus; it infected Microsoft Word documents
CIH: a Windows file infector that would flash the BIOS

The Era of Fame and Glory (1999-2005)
Email systems down: the Melissa worm spreads rapidly to computers via email, causing networks to come to a crawl
LoveLetter worm: first VBS script virus to spread rapidly via Outlook email
Anna Kournikova: just another email worm, but successful in propagation, using racy pictures of Anna Kournikova as bait
Blended threats: CodeRed and Nimda spread without any user interaction using Microsoft system vulnerabilities
Worm wars: MyDoom, Netsky, Sobig all compete for machines to infect
Samy is my hero: XSS worm spreads on MySpace, automatically friending a million users

The Era of Mass Cybercrime (2006-2010)
Rogue AV: becomes ubiquitous, charging $50-$100 for fake protection
Storm Worm: P2P botnet for spamming and stealing user credentials
Mebroot: MBR rootkit that steals user credentials and enables spamming
Zeus Bot: hackers' botnet executable of choice; steals online banking credentials
Koobface: spreads via social networks and installs pay-per-install software
Conficker: spreads via MS08-067, builds a millions-sized botnet to install pay-per-install software

The Era of Politically-driven Cybercrime (2010-2012)
Hydraq: targets multiple US corporations in search of intellectual property
Stuxnet: targets industrial control systems in Iran
Duqu: cyber espionage toolkit
Flamer: even more advanced cyber espionage toolkit

Threat economy
Security mechanisms often aim at rendering an intrusion difficult enough. Their effectiveness depends on the value of the target!
Examples (chart: cost vs. revenue):
Requiring a signed certificate to inject a kernel driver
Keeping valuable resources in a private network
Storing a certificate in a secure room

Cyber warfare
Stuxnet: first publicly known malware to cause public damage
Duqu: shares many similarities, used for cyber espionage
Flamer: even more advanced platform for data exfiltration
Cyber warfare is not a myth!

Is this the tip of an iceberg?

What is your experience with each of these types of attacks? (1580 industries contacted, 2010)
Source: Symantec 2010 Critical Infrastructure Protection Study - http://bit.ly/bka8uf

How many times have you suspected or been sure each of the following has occurred in the last 5 years?
Source: Symantec 2010 Critical Infrastructure Protection Study - http://bit.ly/bka8uf

The risk of dahusian research
How can we protect from threats we do not know?
6th International Conference on Autonomous Infrastructure, Management and Security (AIMS 2012)

ICS Security outline: Culture, Environments, Threats, Incidents

Stuxnet
Windows worm discovered in July 2010
Uses 7 different self-propagation methods
Uses 4 Microsoft 0-day exploits + 1 known vulnerability
Leverages 2 Siemens security issues
Contains a Windows rootkit
Used 2 stolen digital certificates (second one introduced when first one was revoked)
Modified code on Programmable Logic Controllers (PLCs)
First known PLC rootkit

Stuxnet and the myth of the private network
[Diagram: Internet, C&C servers, remote propagation, P2P communication]

Dissemination of Stuxnet

Let's add some WINE (http://www.symantec.com/wine)
[Diagram linking WINE data sources (malware samples, A/V and IPS telemetry, binary reputation, URL reputation, spam) to research topics (vulnerability remediation and patching, new attacks, zero-day attacks, dissemination & concealment)]

Dissemination of Stuxnet
[Chart: number of newly infected machines per week]
Annotations: Stuxnet discovered; new variant; exploits CVE-2010-2568 (well documented MD5 hashes); CVE-2010-2568 reported on Jul 16

Stuxnet: an isolated incident?
September 2011: a European company seeks help to investigate a security incident that happened in their IT system, and contacts CrySyS Lab (Budapest University of Technology and Economics)
October 2011: CrySyS Lab identifies the infection and shares information with major security companies
Duqu: named after the filenames created by the infection, which start with the string ~DQ
A few days later, Symantec releases the first report on the Duqu malware sample, building on the findings of the original CrySyS investigators

Signed drivers
Some signed (C-Media certificate); revoked immediately after discovery

Extremely stealthy and targeted infection
0-day vulnerability in the TTF font parser
Shellcode ensures infection only in an 8-day window in August
No self-propagation, but spreading can be directed to other computers through C&C
Secondary targets do not communicate with C&C; they communicate instead through P2P
Infection leaves almost no trace on the hard drive: only the driver file is stored in stable storage!

Command & Control complexity
Communication over TCP/80 and TCP/443
Embeds its protocol under HTTP, but not HTTPS
Includes a small blank JPEG in all communications
Basic proxy support
Complex protocol: TCP-like, with fragments, sequence and ack. numbers, etc.
Encryption: AES-CBC with a fixed key
Compression: LZO, plus an extra custom compression layer
C&C server hidden behind a long sequence of proxies
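
The following Python is an added example, not Symantec's or CrySyS Lab's analysis code: a defender-side heuristic that parses HTTP messages and flags a JPEG body carrying a sizeable amount of data after its end-of-image marker. The slide only states that a small blank JPEG appears in every exchange; the assumption that a covert channel would append its payload after the image, and the 64-byte threshold, are mine, and the sample messages are constructed rather than captured.

```python
# Heuristic: an HTTP message whose body is a JPEG followed by a large opaque
# trailer. The trailer check is an assumption about how a C&C channel could
# ride on an image, not a published Duqu signature.
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def parse_http_message(raw: bytes):
    """Split a raw HTTP request or response into (start line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def jpeg_trailer_length(body: bytes) -> int:
    """Bytes after the first end-of-image marker; -1 if the body is not a JPEG.
    Caveat: a JPEG with an embedded thumbnail has an inner EOI, so treat the
    result as a score for triage, not as proof."""
    if not body.startswith(JPEG_SOI):
        return -1
    eoi = body.find(JPEG_EOI, len(JPEG_SOI))
    return -1 if eoi < 0 else len(body) - (eoi + len(JPEG_EOI))


def jpeg_carrier_alert(raw: bytes, min_trailer: int = 64):
    """Return (alert, reason). Alerts when a JPEG body carries more than
    min_trailer bytes after its EOI; plain images and non-image bodies pass."""
    start, headers, body = parse_http_message(raw)
    trailer = jpeg_trailer_length(body)
    if trailer < 0:
        return False, "body is not a JPEG"
    if trailer < min_trailer:
        return False, f"JPEG with {trailer} trailing bytes"
    image_len = len(body) - trailer
    ctype = headers.get("content-type", "?")
    return True, f"{start} ({ctype}): {image_len}-byte JPEG carries {trailer} extra bytes"


# Constructed samples (not captured traffic); a tiny placeholder "blank" image.
BLANK_JPEG = JPEG_SOI + b"\x00" * 30 + JPEG_EOI
NORMAL_IMAGE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + BLANK_JPEG
SUSPECT_POST = (b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Type: image/jpeg\r\n\r\n" + BLANK_JPEG + bytes(range(1, 201)))
TEXT_POST = b"POST /form HTTP/1.1\r\nHost: example.invalid\r\n\r\nname=value"

if __name__ == "__main__":
    for sample in (NORMAL_IMAGE, SUSPECT_POST, TEXT_POST):
        print(jpeg_carrier_alert(sample))
```

Because the slide notes the channel never uses HTTPS, this check can run on a plain web proxy or IDS without TLS interception; the proxy chain in front of the real server means the destination address itself is a weak indicator.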

Targets: 6 organizations in 8 countries confirmed infected

Duqu strange clues
TTF exploit: font name "Dexter Regular" from "Showtime Inc."; only two characters defined: ":" and ")"
Inside the keylogger component is a partial image of the interacting galaxy system NGC 6745

W32.Flamer
Recently discovered, but active for more than 2 years
Extremely high complexity: Lua interpreter
Comprehensive toolkit for data exfiltration: ability to record from the internal microphone; Bluetooth toolkit

What do we learn from all this?
1. Attacker motivation: no security practice is likely to make the intrusion difficult enough. New motivations for attackers (crime, cyber warfare) mean more resources and incentives to conduct attacks.
2. Myth of the private network: also because of 1., relying on network isolation from the Internet as the main security protection is ineffective. Physical security cannot be enforced in practice, and network isolation renders cloud-based security technologies impossible to apply (e.g. reputation, data analysis, signatures, ...).
3. From intrusion prevention to intrusion tolerance: a layered approach is required, with several safety nets and managerial procedures to handle fallback modes.

Thank you!
Corrado Leita, corrado_leita@symantec.com
CRISALIS: http://crisalis-project.eu
WINE: http://www.symantec.com/wine
Copyright 2010 Symantec Corporation. All rights reserved.

The CRISALIS approach
O.1 Securing the systems
O.2 Detecting the intrusions
O.3 Analyzing successful intrusions
Supporting activities: system discovery, SCADA environments, AMI environments, end user support