TRANSCRIPT
Presenter: David De Lima, BE, BSc, CENG (IET), CCIE 7958, CISSP, CISA
Title: Consulting Systems Engineer – Security, Cisco Systems
Date: May 2017
Cyber Security for an IoT World
IoT Growth - 1.5 Million Devices Per hour!!
[Chart: IoT device growth, 2017 to 2020]
Mirai Botnet (IoT) Oct 2016
• Compromised IoT Devices
  • Baby monitors, webcams
  • Home routers
  • DVRs, printers
• Massive DDoS Botnet (600Gb-1Tb)
  • DynDNS attack (Liberia, Deutsche Telekom)
  • DDoS as a service, DDoS for ransom
  • Source code released!!
• Challenges (why does it exist??)
  • Default passwords, open ports, unmanaged
  • Vulnerabilities (slow to patch)
  • Low focus on security (time to market/cost)
  • Low resources (CPU/RAM/Storage/etc)
WannaCry (Worm – OT/IoT Impact)
• Began on May 12 - spreads as a worm – 230,000 infections across 150 countries
• OT Impact - Britain NHS (computers, MRI scanners, blood-storage refrigerators and theatre equipment), Telefonica, Deutsche Bahn, Nissan (UK), Renault, ATMs, Parking Meters
• Exploits Windows (MS17-010) using tools leaked by Shadow Brokers – 1 month head start!!
• Not very sophisticated!! – Payment via 4 BTC wallets + AntiVM kill-switch + Direct Infection
• Next one much worse (already new variants) - Mirai + WannaCry!! (DDOS kill-switch!!)
How Malware Works – Most Variants Require All 5 Steps
[Diagram: two infection paths converging on the same back end.
 EMAIL-BASED INFECTION: Email w/ Malicious Attachment → Malware Payload → Malware activates → Encryption Key C2 Infrastructure.
 WEB-BASED INFECTION: User Clicks a Link or Malvertising → Malicious Infrastructure → Malware Payload → Malware activates → Encryption Key C2 Infrastructure.
 Outcome: TARGET → BREACH → COMPROMISE.]
End-to-End “Kill Chain” Defense Infrastructure
[Diagram: kill-chain stages with the controls placed against each, as laid out on the slide.
 RECON: NGIPS, NGFW
 STAGE: Threat Intelligence
 LAUNCH: DNS-Layer Security, Web Security, Email Security, NGIPS
 EXPLOIT: NGIPS, NGFW, Network Anti-Malware
 INSTALL: Host Anti-Malware
 CALLBACK: DNS-Layer Security, Web Security, NGIPS
 PERSIST: Flow Analytics
 Tracked across the chain: File Trajectory; ATTACKER; INFRASTRUCTURE USED BY ATTACKER; FILES/PAYLOADS USED BY ATTACKER.]
OT Security Layers
[Diagram: plant network zones by Purdue level, with the security controls placed at each layer. Elements shown:
 L5 – Enterprise Zone / Enterprise Network: Patch Mgmt, Web Services Operations, AV Server, Application Server, Email, Intranet, etc.
 L4 – Site Business Planning and Logistics Network
 DMZ 3.5: Terminal Services, Historian (Mirror)
 Level 3 – Site Operations and Control: Production Control, Historian, Optimizing Control, Engineering Station
 Level 2 – Area Supervisory Control: HMI, HMI, Supervisory Control
 Level 1 – Basic Control (Control Zone): Batch Control, Discrete Control, Continuous Control, Hybrid Control
 Level 0 – Process: Sensors, Drives, Actuators, Robots
 Controls: Host Anti-Malware on endpoint HMI + key servers (AMP for Endpoints); Netflow anomaly detection + visibility (Stealthwatch); Anti-Malware on FW + IPS + VPN; identity-based segmentation (ISE); Host Anti-Malware (AMP for Endpoints); Web Proxy + OpenDNS + CTA; IDS; IDS + Pkgs; Industrial FW/IDS for critical PLCs.]
DNS = Domain Name System
www.google.com = 172.217.26.68 (IP Address)
www.evil.com = 66.96.146.129
CNC = C2 = Command and Control
DGA – Domain Generation Algorithm:
yfrscsddkkdl.com (Initial)
qgmcgoqeasgommee.org (2 hours later)
iyyxtyxdeypk.com (2 hours later)
diiqngijkpop.ru (2 hours later)
Fast Flux IP:
66.96.146.129 (IP Address)
= 66.96.146.129 (2 hours later)
Monetise Malware (RAT, Banking Trojan, Ransomware, etc)
OpenDNS: MALWARE / C2/BOTNETS / PHISHING
“OpenDNS FREE”
https://signup.opendns.com/homefree/
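The four DGA domains on this slide look nothing like names a person would register, and that is exactly what a resolver-side detector can use. The script below is an added example, not code from the presentation or from OpenDNS: it scores the second-level label of each domain on character entropy, vowel ratio, longest consonant run and length, and flags a name when at least two of the heuristics fire. The thresholds are assumptions chosen for this illustration, and the public-suffix handling is deliberately naive (single-label suffixes only); the sample list mixes the slide's DGA domains with benign names for contrast.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample: the DGA domains quoted on the slide plus benign names for contrast
SAMPLE_DOMAINS = [
    "yfrscsddkkdl.com", "qgmcgoqeasgommee.org", "iyyxtyxdeypk.com", "diiqngijkpop.ru",
    "www.google.com", "signup.opendns.com", "mail.example.org",
]

# Heuristic thresholds, chosen by assumption for this example (not from the slide)
THRESHOLDS = {"entropy": 2.8, "vowel_ratio": 0.3, "consonant_run": 5, "length": 12}


def registrable_label(domain):
    """Second-level label, e.g. 'opendns' for 'signup.opendns.com'.
    Assumption: single-label public suffixes only (no public-suffix-list lookup)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text):
    """Share of letters that are vowels; generated labels are often vowel-poor."""
    letters = [ch for ch in text if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def longest_consonant_run(text):
    """Longest unbroken run of consonants (y counts as a consonant here)."""
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_features(domain):
    label = registrable_label(domain)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio(label), 3),
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(domain):
    """Number of heuristics that fire, 0 to 4."""
    f = dga_features(domain)
    return sum([
        f["entropy"] >= THRESHOLDS["entropy"],
        f["vowel_ratio"] < THRESHOLDS["vowel_ratio"],
        f["consonant_run"] >= THRESHOLDS["consonant_run"],
        f["length"] >= THRESHOLDS["length"],
    ])


def is_suspicious(domain, min_score=2):
    return dga_score(domain) >= min_score


def triage(domains):
    """Label each domain so the result can be fed to a block list review or a SIEM."""
    return {d: ("suspicious" if is_suspicious(d) else "benign") for d in domains}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:24} {dga_features(d)} -> score {dga_score(d)}")
```

Lexical scoring alone produces false positives on short, consonant-heavy brand names, which is why the threshold is two heuristics rather than one; in practice it is combined with the second signal the slide hints at, a host resolving a fresh never-seen name every couple of hours.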
OpenDNS – OT/IoT Protection
Locky: Real World Example
[Diagram: OpenDNS graph of the Locky infrastructure. Nodes: Original Malware Domain (Command and Control); Malware Download URL; Hash of the malicious file downloaded from these domains; Infection Ingress Point; Malware distribution Point; Next Malware Distribution Points. Edges: these domains co-occur; these domains share the same infrastructure.]
Easter Egg: expose the attackers’ infrastructure (nameservers and IPs) to predict the next moves
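The two edge types in the Locky graph, "these domains co-occur" and "these domains share the same infrastructure", are both things a defender can compute from their own resolver logs plus passive-DNS data. The script below is an added example, not code from the presentation or from OpenDNS; all domains, IPs and nameservers are constructed placeholders (reserved .example names and documentation address ranges), and the one real value reused is the Google IP quoted earlier on the slide. Co-occurrence is measured per client within a short window around a query for the known-bad seed domain, with a lift ratio so that popular domains everyone queries anyway are not flagged; the infrastructure pivot matches on shared IP or shared nameserver.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hour, minute, second=0):
    return datetime(2017, 5, 1, hour, minute, second)


# Constructed placeholder names (.example is reserved; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges)
SEED = "c2-placeholder.example"                 # stands in for the Original Malware Domain (C2)
STAGE = "download-stage-placeholder.example"    # stands in for the Malware Download URL domain
NEXT = "next-stage-placeholder.example"         # a domain only one client has touched so far

# Constructed resolver log: (timestamp, client, domain queried)
SAMPLE_QUERIES = [
    (_t(9, 0, 0), "client-1", SEED), (_t(9, 0, 15), "client-1", STAGE),
    (_t(9, 0, 40), "client-1", "www.google.com"),
    (_t(9, 5, 0), "client-2", SEED), (_t(9, 5, 20), "client-2", STAGE),
    (_t(8, 30), "client-2", "www.google.com"),
    (_t(9, 10, 0), "client-3", SEED), (_t(9, 10, 5), "client-3", STAGE),
    (_t(9, 10, 10), "client-3", NEXT), (_t(8, 45), "client-3", "www.google.com"),
    (_t(9, 0, 30), "client-4", "www.google.com"), (_t(9, 2, 0), "client-4", "mail.example.org"),
    (_t(9, 1, 0), "client-5", "www.google.com"),
]

# Constructed passive-DNS style records: domain -> (resolved IP, authoritative nameserver)
SAMPLE_INFRA = {
    SEED: ("203.0.113.10", "ns1.badns-placeholder.example"),
    STAGE: ("203.0.113.11", "ns1.badns-placeholder.example"),       # same nameserver as the seed
    NEXT: ("203.0.113.10", "ns2.other-placeholder.example"),        # same IP as the seed
    "www.google.com": ("172.217.26.68", "ns.benign-placeholder.example"),  # IP as quoted on the slide
    "mail.example.org": ("192.0.2.5", "ns.benign-placeholder.example"),
}


def co_occurring_domains(queries, seed, window=timedelta(seconds=60), min_clients=2, min_lift=0.5):
    """Domains that clients query within `window` of querying `seed`.
    lift = (clients seen near the seed) / (all clients that ever queried the domain),
    so a domain everybody queries all day long does not get flagged."""
    by_client = defaultdict(list)
    for ts, client, domain in queries:
        by_client[client].append((ts, domain))
    near = defaultdict(set)       # domain -> clients that queried it close to a seed query
    everyone = defaultdict(set)   # domain -> all clients that queried it
    for client, entries in by_client.items():
        seed_times = [ts for ts, d in entries if d == seed]
        for ts, domain in entries:
            everyone[domain].add(client)
            if domain != seed and any(abs(ts - st) <= window for st in seed_times):
                near[domain].add(client)
    results = []
    for domain, clients in near.items():
        lift = len(clients) / len(everyone[domain])
        if len(clients) >= min_clients and lift >= min_lift:
            results.append(domain)
    return sorted(results)


def shared_infrastructure(infra, seed):
    """Domains that resolve to the seed's IP or are served by the seed's nameserver."""
    seed_ip, seed_ns = infra[seed]
    return sorted(d for d, (ip, ns) in infra.items()
                  if d != seed and (ip == seed_ip or ns == seed_ns))


def pivot(queries, infra, seed):
    """Everything a defender can pre-emptively block or watch from one known-bad domain."""
    return {
        "co_occur": co_occurring_domains(queries, seed),
        "shared_infra": shared_infrastructure(infra, seed),
    }


if __name__ == "__main__":
    print(pivot(SAMPLE_QUERIES, SAMPLE_INFRA, SEED))
```

The infrastructure pivot is what the slide calls the Easter egg: a domain that shares the C2's IP or nameserver but has not yet been queried by more than one client is a candidate next distribution point, and blocking it before it is used is cheaper than responding afterwards.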
OpenDNS - Machine Learning on Massive Dataset
Locky: Real World Example
Stealthwatch – OT/IoT Protection (Record all Conversations)
Who, What, When, How, Where
Applied situational awareness
Flow Sensor
Threat Intelligence
Geo-IP mapping
Endpoint Visibility
Stealthwatch - Behavioral and Anomaly Detection Model
COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE
Security events (94+): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood
Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target
Response: Alarm table, Host snapshot, Syslog / SIEM, Mitigation
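Two of the security events named on this slide, Addr_Scan/tcp and Beaconing Host, can be reproduced on plain NetFlow-style records with nothing more than grouping and a little statistics. The script below is an added example, not Stealthwatch's own logic or code from the presentation: it builds a constructed set of flow records (one host beaconing to an external address every ten minutes, one host touching thirty PLC addresses on tcp/502 within a minute, and some irregular benign traffic), detects address scans with a sliding window over distinct destinations per source, detects beaconing by the coefficient of variation of the inter-flow gaps per source/destination pair, and maps each detection onto the alarm categories the slide lists. Thresholds and the category mapping are assumptions for this illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed NetFlow-style records, not real traffic (10.0.0.0/8 internal,
    198.51.100.0/24 documentation range as the external peer)."""
    base = datetime(2017, 5, 1, 8, 0, 0)
    flows = []
    for i in range(8):  # beacon: same external host every 10 minutes
        flows.append({"ts": base + timedelta(minutes=10 * i), "src": "10.1.1.20",
                      "dst": "198.51.100.7", "dport": 443, "bytes": 600 + i})
    for i in range(1, 31):  # scan: 30 distinct PLC addresses on tcp/502 inside one minute
        flows.append({"ts": base + timedelta(seconds=2 * i), "src": "10.1.1.55",
                      "dst": f"10.1.2.{i}", "dport": 502, "bytes": 60})
    benign = [(1, "10.1.3.10"), (4, "10.1.3.11"), (11, "10.1.3.10"), (25, "10.1.3.12"), (31, "10.1.3.10")]
    for i, (m, dst) in enumerate(benign):  # irregular background traffic
        flows.append({"ts": base + timedelta(minutes=m), "src": "10.1.1.30",
                      "dst": dst, "dport": 80, "bytes": 1500 + i})
    return flows


SAMPLE_FLOWS = build_sample_flows()


def detect_addr_scan(flows, min_targets=20, window=timedelta(minutes=5)):
    """Sources that reach at least `min_targets` distinct destinations within `window`.
    Returns {src: max distinct destinations seen in any window}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        in_window = Counter()
        left = 0
        for right, f in enumerate(fl):
            in_window[f["dst"]] += 1
            while fl[right]["ts"] - fl[left]["ts"] > window:   # slide the window forward
                old = fl[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def detect_beaconing(flows, min_flows=6, max_cv=0.1):
    """Source/destination pairs whose inter-flow gaps are nearly constant.
    Coefficient of variation (stdev / mean) near zero means a fixed timer."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append((src, dst, round(avg)))
    return sorted(alerts)


def raise_alarms(flows):
    """Map detections onto the alarm categories named on the slide (mapping is an assumption)."""
    alarms = []
    for src, n in sorted(detect_addr_scan(flows).items()):
        alarms.append({"category": "Recon", "event": "Addr_Scan/tcp", "host": src, "targets": n})
    for src, dst, period in detect_beaconing(flows):
        alarms.append({"category": "C&C", "event": "Beaconing Host", "host": src,
                       "peer": dst, "period_s": period})
    return alarms


if __name__ == "__main__":
    for alarm in raise_alarms(SAMPLE_FLOWS):
        print(alarm)
```

In an OT network the scan detector is the more valuable of the two, because a workstation enumerating PLC addresses on tcp/502 is rarely legitimate and the flow records exist whether or not the PLCs themselves can run any agent; the beacon detector needs a reasonable history per pair before it says anything, which is why the minimum flow count is enforced before the statistics are computed.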
Anatomy of a Cyber Attack
https://www.youtube.com/watch?v=4gR562GW7TI
• Attackers are not necessarily nerds in hoodies sitting in the dark
• Commercial enterprises – well resourced – run as 9-5 companies
• Free wifi, public space
• (Spear) Phishing attack (email attack)
• Social engineering
• Qaullcart.com vs Qualicart.com
• Email signature
• Ransomware (smokescreen)
• Ransomware as a service (Ransom32)
• Pyramid affiliate schemes
• Very popular – crypto currencies + anonymous web
• Real target - gamed stock, customer information
What did you notice??
How can you help protect your organisation?
1. You are a target – be vigilant at all times (Social Engineering)
2. Don’t open up unknown attachments!! (Emails!! + Personal)
3. Understand what qualifies as sensitive data within your organisation (assets)
4. Backup data (work and personal)
5. Understand how to identify and avoid threats (skeptical mindset + phone)
6. Understand your organisation’s acceptable use policies
7. Understand your organisation’s security policies
8. If you’re ever in doubt – ask for help!