© 2010 Lofty Perch, Inc.
APT and Impact to SCADA Systems
Mark Fabro CISSP, CISM, CSSE
President and Chief Security Scientist
Lofty Perch, Inc.
2010 SANS European Community SCADA and Process Control Summit
October 11-13, 2010 London, U.K.
Agenda
• Defining APT for the session
• APT requirements
• Observations
– Security Assessments
– APT Focus Reviews
– 'fly away' response
• Countermeasures
• Conclusions
What is APT?
The term was used to describe specific groups associated with nation-states that aggressively and successfully penetrated critical infrastructure networks and established well developed, multi-level footholds in those networks.
But now it increasingly means “generally bad thing from the Internet”.
The perfect storm is upon us as a new breed of sophisticated cyber attackers emerge. Honing in on their high value targets, they deliver a persistent torrent of multi-faceted, advanced attacks that can subvert even the most cutting edge protective systems to steal valuable data, or threaten critical infrastructures.
It has dawned upon today’s government and business leaders that they can no longer depend on mere perimeter protections to keep their assets safe.
Framing the Definition (for this discussion)
• The 'A' should be for Adequate
– No new hacks unless it is really required
• 'Advanced' is relative to the countermeasures deployed for maintaining presence or previously unseen capabilities
• The threat is the actor
– Not the exploits
– Not the tools
– Not weaponized precision malware
Exfiltration Problem (diagram)
CORE DATA at the centre, surrounded by the perimeter layers it must pass on the way out: FIREWALLS, IDS/IPS, CONTENT FILTERING, AV, ASSESSMENT TESTING, CONFIG MGMT.
APT Elements
(diagram labels: Target Folders; Organized/Structured; High Chance of Success)
• High chance of success
• Targeted (very rarely opportunistic)
• Organized and structured
– Mid-term and long-term plans
– No random elements
• Exploit human nature
– Software and wetware vulnerabilities
– Legitimate credentials are acquired
• E.g. 'Gh0stNet' and obvious C2 chain
• 'Newness' is really defined by elements of attack
The value of the target data greatly exceeds investment cost to get it
Tactics, Techniques, Procedures
• Advanced attributes are defined by 0-days, code nuances, and structured exploits built on KNOWN APPLICATIONS
• Creating a super-kit for SCADA just not feasible
• ROI is maximized when APT methods are reused
– Often same MD5 of C2 channel or dropper
• Each threat has a TTP or a 'fist' that is often recognizable and defendable
– Self preservation/expansion/replication
– Stuxnet not so easy
Observations From the Field
• Sources of data are several
– Security assessments
– APT 'focus reviews'
– 'fly away' incident response (with law enforcement)
Observations From the Field
• ICS instances appear to be collateral
– Connectivity enabled the compromise; lateral functions simply catch automation
• Of 37 instances investigated for anomalous activity and rogue compromise, 3 yielded artifacts suggesting actual direct APT impact on ICS
– And the activity on ICS was secondary, based on collected (compromised) intelligence
• Target folders exist but nothing beyond a level 1 adversary with standard OSINT
– Folders full of stuff we know or have seen before
• No artifacts on field equipment
– No need if the HMI or FEP is compromised
Artifacts on ICS
• Obvious C2 channel
• Windows and *nix
• No indication of intent to damage system,
only collection
– Typical of most APT
• Q: How do we know ICS was not targeted?
– We don't
– What if time to ICS compromise was really short?
Observations From the Field
(diagram: attack phases Recon → Penetration → Escalation and Lateral Activity → Command and Control, with the observations seen in each phase)
Recon
• Target folders
• Corporate analysis
• Peer business activities
• Integration/service provider investigation
Penetration
• Phishing
• SQL Injection
• Trust abuse
Escalation and Lateral Activity
• Rogue network sockets open by processes
• Evidence of driver layering
• Packet interception and keystroke capture
• SCADA/ICS done well after initial domain
Command and Control
• Not obvious channels
• Port 80 or ICMP
• Comms from ICS:
– Out to corp
– Direct to Internet
– Out via VPN
Target Folder
(diagram: items collected in the target folder, arranged around the target, ACME CORP.)
• Emails (exec/admin/legal/HR)
• Personnel profiles
• Family trees
• Blog pages
• Corporate ppt
• Corporate events
• M&A
• 501(c)
• Network diagrams (notional)
• Network diagrams (integrators)
• Case studies
• Nmap/nessus reports
• Service records
• ISP data
• Peer comms
• ipindex
• Recent data
• Progress
• C2 monitoring
Countermeasures
• Of the observed 'APT', damage was avoided by implementation of defense in depth
– Existing host and network tools work perfectly
• Live SCADA forensics proved very useful to aggregate anomalies
• Code analysis provided a framework for egress and DNS corrective actions
• Persistence is proportional to vulnerabilities
– Kernel locking works very well for 0-days
• It is very hard to get rid of some of these
Exfiltration Problem (diagram, hardened version)
CORE DATA inside the ICS/SCADA DOMAIN, surrounded by: FIREWALLS with ingress/egress filtering; IDS/IPS properly tuned; CONTENT FILTERING, behavior based; AV; ASSESSMENT TESTING with APT components; CONFIG MGMT.
Active APT Forensics on ICS
• Must be fast and non-intrusive to process
– Load similar to virus scan
• Actually easier when system is operating for a single purpose!
Main imaging
– Access pre-loaded servlets
– Map known process .exe/.dll
– Egress monitoring
Running processes
– Review open handles and map to virtual address space
– Review open network sockets
Core device/driver layering
– Walk linked list (loaded kernel modules)
– Identify hooks (System Call Table, Interrupt Descriptor Table, Driver Function Table)
– Identification of loaded drivers and verification of signatures
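The socket review and known-process mapping on this slide, together with the ICS egress paths listed under Command and Control earlier (out to corp, direct to Internet, out via VPN, port 80 or ICMP), as an added Python example that is not from the original talk: it takes a constructed socket snapshot for a single-purpose HMI, maps each socket's process to an assumed allowlist of known executables, and classifies any egress by destination zone. The process names, network ranges and snapshot lines are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed baseline for one single-purpose HMI host (all values are assumptions).
KNOWN_PROCESSES = {"hmi_runtime.exe", "opc_server.exe", "svchost.exe"}  # expected .exe map
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")   # PLCs, FEP, historian
CORP_NET = ipaddress.ip_network("172.16.0.0/12")     # corporate LAN
VPN_NET = ipaddress.ip_network("192.168.200.0/24")   # remote-access VPN pool
SUSPECT_PORTS = {80, 443, 53}  # "not obvious" C2 channels when they leave the ICS

Socket = namedtuple("Socket", "proc proto local remote rport")
# Constructed socket snapshot, one 'proc proto local remote rport' per line.
SNAPSHOT = """
hmi_runtime.exe tcp  10.10.5.20 10.10.1.7     502
opc_server.exe  tcp  10.10.5.20 10.10.1.9     4840
svchost.exe     udp  10.10.5.20 172.16.2.10   53
updsvc.exe      tcp  10.10.5.20 203.0.113.44  80
hmi_runtime.exe icmp 10.10.5.20 198.51.100.9  0
vpnclient.exe   tcp  10.10.5.20 192.168.200.5 443
"""

def parse_snapshot(text):
    """Parse the snapshot text into Socket tuples; blank and '#' lines are skipped."""
    sockets = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        proc, proto, local, remote, rport = line.split()
        sockets.append(Socket(proc, proto.lower(), local, remote, int(rport)))
    return sockets

def review_sockets(sockets):
    """Map sockets to the process allowlist and flag ICS egress by destination zone."""
    findings = []
    for s in sockets:
        if s.proc.lower() not in KNOWN_PROCESSES:
            findings.append(("unknown_process", s.proc, s.remote))
        remote = ipaddress.ip_address(s.remote)
        if remote in CONTROL_NET or remote.is_loopback:
            continue  # expected peer for a single-purpose HMI, nothing to report
        if remote in CORP_NET:
            findings.append(("egress_to_corp", s.proc, s.remote))
        elif remote in VPN_NET:
            findings.append(("egress_via_vpn", s.proc, s.remote))
        else:
            findings.append(("egress_to_internet", s.proc, s.remote))
        if s.proto == "icmp" or s.rport in SUSPECT_PORTS:
            findings.append(("covert_channel_candidate", s.proc, f"{s.proto}/{s.rport}"))
    return findings
```

On a real host the snapshot would come from the live socket table (netstat or equivalent) and the allowlist from the golden image of that HMI; the point is that a single-purpose system makes both lists short enough to review quickly.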
Facts
• Any real frequency of SCADA/ICS APT is several orders of magnitude below defense contractors, embassies, and FIs
• Only mild indicators that initial target was ICS
– But this is almost impossible to know
– Future modus operandi may provide intel
• Expect to see a lot more now that we know what to look for
Caution
“In the cyber security domain, APT is quickly becoming the new Smart Grid. Pretty soon it will be a catch-all for everything we are not clever enough to understand, and become so ethereal that only the people trying to sell it will have a definition – and different ones at that.”
Thank You
QUESTIONS?
Mark Fabro CISSP, CISM, CSSE
President and Chief Security Scientist
Lofty Perch, Inc. [email protected]
2010 SANS European Community SCADA and Process Control Summit
October 11-13, 2010 London, U.K.