You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell Mandiant, a FireEye company [2014 SANS European ICS Summit]

About me Currently: Principal Consultant on Mandiant s Industrial Control Systems Security team Previously: Product Security Architect for major industrial software & hardware vendor

If ICS are so vulnerable, why haven t we seen more attacks?

1. Intention 2. Visibility

1. [Intention] 2. Visibility

Attacker motivation Why are targeted attacks different? It s a Who, not a What They are Professional, Organized & Well Funded If You Kick Them Out They Will Return

Cyber incident response statistics Proactive measures eventually fail Attackers exploit the weakest link

Assumption #1 ICS is becoming more, not less, connected

Assumption #2 Vulnerabilities will exist indefinitely

Assumption #3 Defensive measures eventually fail

Conclusion Security breaches are inevitable

1. Intention 2. [Visibility]

We are not looking! (Meme alert)

Prevention is ideal,

but Detection is a must.

Determined adversaries will breach your defenses, the goal is to keep them from achieving their objectives.

Why ICS is different DETECT RESPOND Enterprise IT Systems Widely-used technology Well-known attack patterns Standardized logging (i.e. syslog, Windows Event log) High frequency of events Involves IT teams Industrial Control Systems Obscure technology Limited historical data (i.e. Stuxnet) Non-existent or non-standard log formats Low frequency, high impact events Involves IT and OT teams CONTAIN Laptop example: Unplug device Perform forensics Re-image & redeploy ICS example: Assess criticality & risk to process Failover Perform forensics Re-commission Acceptance testing Failback

and why ICS isn t different Enterprise/Plant/DMZ communications run through Ethernet switches and routers Windows Event Logs & syslog frequently available Many asset owners have a SOC or CIRT within their organization Security tools frequently deployed in the environment Good governance, quality management, and engineering are technology-agnostic disciplines Network security monitoring for industrial control systems is achievable using the tools we have today

What is network security monitoring? the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise. Richard Bejtlich The Practice of Network Security Monitoring

A bit of history. Cliff Stoll Stalking the Wily Hacker 1988 Todd Herberlein et al. A Network Security Monitor 1990 US Air Force Defense Information Systems Agency Lawrence Livermore National Lab Early 1990s NetRanger RealSecure Snort and many others Late 1990s - early 2000s Formal definition of NSM 2002 NSM is not a new concept, and the tools are fairly mature

Ok, so what is NSM really? It s a model for action, based on networkderived data Requires people and process, not just technology Focuses on the adversary, not the vulnerability

In ICS, we have the benefit of time. https://flic.kr/p/9nnu3z

Enterprise defenders are racing to thwart attackers, but the threats we face at this moment have not yet caused wide-scale kinetic effects. https://flic.kr/p/5m8lta

Let s use the time we have to find and disrupt intruders. https://flic.kr/p/fcstr

Difficulties for NSM Encrypted networks Widespread NAT Devices moving between network segments Extreme traffic volume Privacy concerns Issues that most ICS do not face!

Instrumenting ICS Enterprise/IT Each network segment of an ICS should be monitored Plant DMZ Web Historian or other DB Natural points are at network gear separating segments SCADA HMI Control PLCs, RTUs, PACs, sensors SCADA Historian Monitoring traffic at the DMZ ingress/egress point may help provide early warning of attackers coming from the Corporate network

https://flic.kr/p/7sdjw

Methods of monitoring Network tap physical device which relays a copy of packets to an NSM server SPAN or mirrored ports switch configuration which sends copies of packets to a separate port where NSM can connect Host-based host NIC configured to watch all network traffic flowing on its segment Serial port tap physical device which relays serial traffic to another port, usually requires additional software to interpret data

Cisco Fluke Networks Stratus Engineering

Types of data collected for NSM Full content data unfiltered collection of packets Extracted content data streams, files, Web pages, etc. Session data conversation between nodes Transaction data requests and replies between nodes Statistical data description of traffic, such as protocol and volume Metadata aspects of data, e.g. who owns this IP address Alert/log data triggers from IDS tools, tracking user logins, etc.

Technology Many different open source and commercial tools can be used to build NSM capability Let s examine the tools in Security Onion, a purpose-built Linux distribution for NSM https://flic.kr/p/75yf6l

Security Onion Full packet capture Tcpdump/Wireshark Extracted content Xplico Session data Bro Transaction data Bro Peel Back the Layers of Your Network Statistical data Capinfos/Wireshark Metadata WHOIS* Alert data Snort, Suricata, Sguil, Snorby

IR Process DETECT RESPOND Goal: Minimize total time CONTAIN

NSM Process

People The most important part of NSM! Gigabytes of data and 1000s of IDS alerts are useless without interpretation Analyze data collected to understand what s normal and what s not Identify adversary TTPs and act to disrupt them Remember, adversaries are a Who, not a What

Setting the right goal Showing evidence of conformance/compliance Finding indications of compromise

Redefining the win DETECT RESPOND CONTAIN ICS network instrumented with security technology and monitored by security personnel Effective process for response to ICS cyber security incidents Business continuity and DR planning consider ICS asset compromise

Breaking one link in the kill chain stops attackers from achieving their objective Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objectives http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf

References The Practice of Network Security Monitoring Richard Bejtlich, No Starch Press http://nsmwiki.org http://securityonion.net https://flic.kr/p/5mgrqa

https://flic.kr/p/6hxhpx