Western Interconnection Power Grid APT Attack and Defense In-Depth



Introduction

The Western Interconnection Power Grid is a prime target for malicious nation states for several reasons, which is most likely why an APT cyberattack is currently aimed at the power grid. Since an APT is a very calculated and stealthy attack that typically results in at-will remote access for the attackers, a successful APT attack on a major power grid interconnection organization would facilitate first-strike capabilities for a nation-state or terrorist organization that is planning an attack on the United States and/or the entire eastern seaboard of North America. Another reason an APT attack would be aimed at the Western Interconnection Power Grid is that control over the power grid would offer a terrorist group the ability to shut down power in specific locations, such as airports, with the potential for causing a disaster not unlike the events that took place on September 11, 2001. For this reason it is essential that the Western Interconnection Power Grid management and IT staff understand how APT works and how the organization can improve cybersecurity readiness through a defense-in-depth strategy to protect the grid from APT attacks.

Cyber Kill Chain ICS Vulnerabilities

The Cyber Kill Chain model was first introduced by Lockheed Martin as a template that conveys an understanding of exactly how attacks like APT are conducted, in order to properly defend against them. Knowing how an attack is conducted will enable the Western Interconnection Power Grid IT management and administration team to proactively configure networks within the grid to both detect and thwart APT attacks.


Reconnaissance

The first step in the Cyber Kill Chain sequence, which is also the first step in an APT attack, is to assess the target and find potential weaknesses that can be exploited as part of an overall plan. Typically reconnaissance efforts involve the use of several tools, including port scanners such as Nmap (Nmap, 2017) that can identify services running on all accessible systems within the target network, read service type and version information, read operating system type and version information, and even scan and map networks through firewalls if the firewall is not configured to block incomplete or fragmented TCP conversations. Other reconnaissance techniques include the use of Google to search for system information, IP addresses, and even company information that may reveal configurations that can be used in the next phase of the attack. The Shodan search engine (Shodan, 2017) is another tool that in some ways is even more effective, because it is designed specifically to catalog systems connected to the Internet and display each system's configuration in the search results. ICS systems in particular were, until recently, developed without cybersecurity in mind, so services such as SNMPv1, telnet, and HTTP, and protocols such as BACnet, all of which send information in clear text, unencrypted, are prime targets for APT attacks and will be a focus of the reconnaissance phase against the Western Interconnection Power Grid networks.

Weaponization

The Weaponization phase processes the information gleaned from the Reconnaissance phase by identifying the items in which vulnerabilities exist. For example, the service information and operating system information gathered through Nmap (Nmap, 2017) and vulnerability scanners such as Tenable Nessus (Tenable, 2017) can be searched in vulnerability databases such as the Mitre CVE database (Mitre, 2017) and the U.S. Federal Government NVD database (NVD, 2017) for any vulnerabilities that may exist for each service type and version. Once the vulnerabilities are identified they can be used in the next phase of the Cyber Kill Chain for exploitation.

Other information gained during the Reconnaissance phase that may be useful during Weaponization includes identification of vulnerabilities that vendors are not aware of and for which no security patches currently exist. This type of vulnerability is called a "zero day" vulnerability, and networks such as the Western Interconnection Power Grid can only defend against such unknown weaknesses with a well-structured information security program that includes a framework built around a layered, defense-in-depth strategy.
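The same service-version-to-advisory lookup, used from the defender's side to build the patch queue for the grid's systems. This is an added example, not code from the page; the inventory, the advisory feed and the CVE-style identifiers are constructed placeholders, and the version-range matching is a simplified stand-in for NVD's CPE matching.

```python
"""Cross-reference a service/version inventory against a local vulnerability
feed, defensively: the same lookup tells the grid's IT staff which hosts to
patch first. Hosts, versions and CVE-style identifiers are constructed
placeholders (added example, not data from the page or from NVD)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    product: str      # normalized product name as the scanner reports it
    version: str      # dotted version string


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder identifier, not a real CVE
    product: str
    affected_min: str  # inclusive lower bound of affected versions
    fixed_in: str      # exclusive upper bound: first version with the fix
    cvss: float


def version_key(v):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically;
    a plain string compare would rank '2.4.9' above '2.4.10'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(svc, adv):
    """True when the service's product and version fall inside the advisory's range."""
    if svc.product != adv.product:
        return False
    v = version_key(svc.version)
    return version_key(adv.affected_min) <= v < version_key(adv.fixed_in)


def match_inventory(inventory, feed):
    """Return (host, product, version, cve_id, cvss) for every vulnerable
    service, highest CVSS first so the result is already a patch queue."""
    hits = [(s.host, s.product, s.version, a.cve_id, a.cvss)
            for s in inventory for a in feed if is_affected(s, a)]
    return sorted(hits, key=lambda h: h[4], reverse=True)


# Constructed sample inventory, as a scanner such as Nmap would report it.
INVENTORY = [
    Service("hmi-01", "webserver", "2.4.10"),
    Service("hmi-02", "webserver", "2.4.41"),
    Service("rtu-gw", "telnetd", "1.0"),
    Service("jump-01", "openssh", "7.4"),
]

# Constructed sample advisory feed; identifiers are placeholders.
FEED = [
    Advisory("CVE-0000-0001", "webserver", "2.4.0", "2.4.39", 9.8),
    Advisory("CVE-0000-0002", "openssh", "7.0", "7.9", 5.3),
]

if __name__ == "__main__":
    for hit in match_inventory(INVENTORY, FEED):
        print("%-8s %-10s %-7s %s (CVSS %.1f)" % hit)
```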

Exploitation

Once the Weaponization phase is completed, the Exploitation phase starts by designing and developing tools intended to install and exploit the vulnerabilities identified during the Weaponization phase. For example, if an analysis of information gleaned during the Reconnaissance phase identifies a firewall vulnerability in which ICMP Type 13 (Timestamp) packets are allowed to traverse the firewall from the public network, the APT attack group may develop a remote access service program payload that is delivered to a group of Western Interconnection Power Grid administrators via a phishing attack and installs on a workstation once one of the recipients clicks a link within the phishing email. Once installed, a service such as this could use ICMP Type 13 packets as a covert channel for both communication and remote access through the company's firewall.
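A detection check for the covert channel described above, written from the defender's side: it reads firewall log lines and flags ICMP Timestamp traffic that leaves through the perimeter, exceeds the protocol's fixed 20-byte message size, or arrives in bursts. This is an added example, not the page's own material; the log format, hosts and thresholds are assumptions.

```python
"""Flag ICMP Timestamp (Type 13/14) traffic that could carry the covert
channel described in the Exploitation section. Added example: the log
format is a constructed key=value layout, not a real firewall's syntax,
and the thresholds are assumptions to tune against a site baseline."""
import re
from collections import defaultdict

# A legitimate Timestamp Request/Reply is a fixed-size ICMP message:
# 8-byte header + three 4-byte timestamps = 20 bytes. Anything larger
# carries data the protocol does not define.
ICMP_TIMESTAMP_LEN = 20
TIMESTAMP_TYPES = {13, 14}   # 13 = request, 14 = reply
BURST_THRESHOLD = 5          # assumption: >5 per source per window is abnormal
WINDOW_SECONDS = 60

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed log line; return None for non-ICMP records."""
    rec = dict(FIELD_RE.findall(line))
    if rec.get("proto") != "icmp":
        return None
    for key in ("ts", "type", "code", "len"):
        rec[key] = int(rec[key])
    return rec


def detect(lines):
    """Return sorted (reason, src) findings: 'policy' when timestamp ICMP
    left through the perimeter (dir=out), 'oversized' when a message exceeds
    the 20 bytes the protocol allows, 'burst' when one source sends more than
    BURST_THRESHOLD timestamp messages inside any WINDOW_SECONDS span."""
    findings = set()
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] not in TIMESTAMP_TYPES:
            continue
        src = rec["src"]
        if rec.get("dir") == "out":
            findings.add(("policy", src))
        if rec["len"] > ICMP_TIMESTAMP_LEN:
            findings.add(("oversized", src))
        per_src[src].append(rec["ts"])
    for src, stamps in per_src.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while stamps[hi] - stamps[lo] > WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 > BURST_THRESHOLD:
                findings.add(("burst", src))
                break
    return sorted(findings)


# Constructed sample log: one workstation beacons out every 5 s with ten extra
# bytes per message; an admin host sends one normal request on the inside.
SAMPLE_LOG = [
    "ts=%d src=10.1.5.23 dst=203.0.113.9 proto=icmp type=13 code=0 len=30 dir=out" % t
    for t in range(1000, 1035, 5)
] + [
    "ts=1010 src=10.1.7.4 dst=10.1.7.1 proto=icmp type=13 code=0 len=20 dir=int",
    "ts=1011 src=10.1.7.4 dst=10.1.7.1 proto=tcp sport=51000 dport=22 len=60 dir=int",
]

if __name__ == "__main__":
    for reason, src in detect(SAMPLE_LOG):
        print("%-9s %s" % (reason, src))
```

The perimeter check alone is enough once the firewall policy from the Technology section is in place; the size and burst checks catch the case where timestamp traffic is still permitted somewhere.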


Command & Control

The Command and Control phase of an APT attack is focused on using the tools developed or identified and installed in the target network during the Exploitation phase to expand control over the target network. Once the APT attack group has remote access to the Western Interconnection Power Grid, they will use remote access through covert channels to also access systems within the network that are their main focus. In this case the APT attack group may install keystroke loggers on the remote access system to capture the authentication credentials of administrators as they access ICS systems. Once the credentials are captured, the APT group can access and compromise targeted ICS systems.

The APT attackers may also use the remote access systems to scan the network for a more thorough understanding and map of the network, or install a network sniffer such as Wireshark (Wireshark, 2017) that can be used to capture more authentication credentials and vulnerability information, and identify additional vulnerabilities that could not be discovered from outside the target network. This is an example of a situation in which certain phases of the Cyber Kill Chain may be used again during the course of an attack as the attackers gain even greater control over the victim network.

The following is an example diagram of a possible APT attack path and remote access covert channel that may take place once each phase of the Cyber Kill Chain is exercised:


Actions

During the Actions phase of the Cyber Kill Chain process, the APT attack group will continue to expand control over the Western Interconnection Power Grid network while maintaining an undetected posture. They will continue to repeat the Cyber Kill Chain process in order to identify additional vulnerabilities in power grid systems from inside the power grid network, develop additional tools for exploitation of vulnerabilities found, expand remote access and control, and repeat the process. The APT will maintain their remote access and control for as long as necessary to achieve their goals, which most likely include gathering as much information about the grid as possible and the ability to shut down part or all of the grid for either terror attack or political power play purposes when required.

Countermeasures – Defense In-Depth

The defense-in-depth approach, which originated from NIST recommendations, is based upon the perspective that no single form of cybersecurity defense will thwart cyberattacks 100% of the time (OWASP, 2015). Hence, by planning and implementing multiple cybersecurity countermeasures in a layered approach, in combination these countermeasure layers will serve to slow down, stop, and/or facilitate detection of an attack before attackers can complete their objectives, be it to damage, steal, or otherwise alter information systems for malicious intent. Three areas that should be addressed in a defense-in-depth strategy are the people, technologies, and operations that serve as the foundation for the organization.

People

The people that work within an organization are often the organization's number one cybersecurity weakness, due to a focus on the information technology itself rather than on the people that use the technology. APT attackers are aware of this fact and often employ social engineering tactics such as phishing to bypass technological defenses by "tricking" someone internal to the company into installing malware that provides the APT attackers with remote access to systems within the organization. A combination of training and countermeasures can greatly decrease the possibility that cyberattacks focused on the organization's employees will be successful.

Cybersecurity training arms the organization's employees with the knowledge they need to be able to tell the difference between legitimate communications and activities on the company network and an actual cyberattack. A cybersecurity training program for the Western Interconnection Power Grid must require that each employee attend a cybersecurity training course on at least an annual basis, with mandatory attendance at cybersecurity training updates on an annual basis as well. In addition, new employees must be required to attend cybersecurity training as part of the on-boarding process. The cybersecurity training should include education in how to recognize cyberattacks, common signs of an attack, how every employee should respond to an attack, and the internal contact personnel and protocol for alerting the organization to a possible attack should one be discovered. Training on how to recognize social engineering attacks, phishing and spear phishing attacks, recognizing and responding to cross-site scripting attacks, and the ways malware infections occur and are prevented must all be included in the employee training, which will greatly reduce the viability of personnel as an APT attack vector.

Countermeasures the organization can employ to protect against insider collusion with APT attackers include job rotation and separation of duties, both of which must be implemented within the Western Interconnection Power Grid organization. Job rotation is an essential and effective countermeasure that prevents cybersecurity attacks by employees: the organization identifies roles that handle highly sensitive information and/or interact with critical systems or systems that process and store highly sensitive information, and then as a matter of policy requires personnel that serve in those roles to periodically switch duties and/or roles with other employees in the company that are qualified to perform the same tasks. Job rotation decreases the opportunity for insider attacks by requiring collusion by multiple employees in order to perform an attack against the organization without detection. Separation of duties is a technique applied to the same critical roles as those to which job rotation applies and involves dividing up and assigning tasks to multiple employees such that responsibilities cannot be completed without the cooperation of multiple individuals (similar to job rotation). By implementing both job rotation and separation of duties, the Western Interconnection Power Grid organization will ensure that insider compromise of information systems by critical roles within the company cannot occur unless multiple individuals are involved.

Technology

Layers of countermeasures for each attack vector used in APT attacks will help ensure that performing an attack is extremely difficult, while also increasing the chances that attacks will be detected by administrators and blocked before systems are compromised and an information security incident occurs.

Firewalls and the routers in front of them most often serve as the first defense against malicious traffic entering the organization through a public network ingress/egress interface. All Internet-facing routers should be equipped with firewall services that include access control lists (ACLs) that allow forwarding of only the traffic that is absolutely necessary for company operations. Firewalls should be equipped with deep packet inspection features that detect malicious payloads as well as suspect packet types and block them from entering the company's private network. Firewalls must also be configured to block all traffic except that which is necessary for business operations, such as blocking ICMP and other protocols that should never traverse the firewall, greatly decreasing the opportunity for a successful attack and/or the establishment of covert channels for unauthorized remote access.

IPS/IDS systems must be deployed at every ingress/egress interface to public, wireless, and critical network segments, with both anomaly-based and signature-based detection enabled, so that known attacks are immediately detected and new attacks are recognized as anomalies that are blocked through pre-programmed IPS actions, such as stopping the malicious traffic from traversing the internal network through ACLs, with system administrators alerted when an attack is detected.

Every workstation and server must be equipped with anti-malware software that is centrally managed and updated to ensure that the most current anti-malware definitions are installed on all systems at all times. Similarly, all system security updates and patches (including those for ICS and SCADA systems) must be centrally managed, with update installation verified automatically, so that all known vulnerabilities are immediately remediated and patch installation is verified for all systems connected to the power grid network.

All non-essential services on all systems must be disabled, including on ICS and SCADA systems, which will substantially decrease the attack surface inside the company to only the network services that are essential for operations. In addition, all systems must be scanned for vulnerabilities using a highly capable enterprise-level scanner such as the Tenable Nessus scanner (Tenable, 2017) to ensure that both known and potential vulnerabilities are detected and remediated before they can be exploited by attackers.

Operations

Along with the vulnerability scanning and update management mentioned above (which overlaps into operations as well), the company must pay close attention to how access control is implemented within the organization. Typical system and network authentication involves the use of a username/account and password prior to granting authorization. However, passwords and account names can be stolen through the enumeration process, network sniffing attacks, and even "dumpster diving" (a type of social engineering attack in which the attackers sift through company refuse in order to find valuable information such as authentication credentials and financial information, which is often inadvertently thrown away). To prevent attacks against username/password authentication, the company must implement and enforce authentication policies that include mandatory password complexity, mandatory password change every 60 to 90 days, and strong multi-factor authentication.

Password complexity ensures that passwords cannot be easily guessed or broken using brute-force password techniques. Password lists that include common dictionary words and passwords, used to increase the speed of brute-force password cracking software such as John the Ripper, can be easily downloaded from Internet hacking sites. Increasing the complexity of passwords by requiring them to meet complexity rules, such as being 14 characters in length and having at least one special character, upper-case letter, lower-case letter, and number, will greatly decrease the chances that a brute-force password cracking attack will be successful.
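A policy check implementing the complexity rules above, extended with the wordlist test that composition rules alone miss: a password such as P@ssw0rd2017!! satisfies every rule yet is a trivial hit for a wordlist-driven cracker. This is an added example, not the page's; the common-word list and the substitution map are constructed stand-ins.

```python
"""Enforce the password rules from the Operations section (14+ characters,
at least one upper-case letter, lower-case letter, digit and special
character) and also reject passwords built from common wordlist entries,
which composition rules alone let through. Added example; the wordlist
and substitution map are constructed stand-ins, far smaller than a real
cracking wordlist."""
import string

MIN_LENGTH = 14
# Constructed stand-in for a downloaded common-password list.
COMMON_WORDS = ("password", "welcome", "admin", "summer", "letmein")
# Substitutions that cracking rule sets undo anyway: P@ssw0rd -> password.
LEET = str.maketrans("@$0134!|", "asoleail")


def normalize(pw):
    """Lower-case and undo simple character substitutions before the wordlist test."""
    return pw.lower().translate(LEET)


def check_password(pw):
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length<%d" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        failures.append("no_upper")
    if not any(c.islower() for c in pw):
        failures.append("no_lower")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no_special")
    norm = normalize(pw)
    for word in COMMON_WORDS:
        if word in norm:
            failures.append("contains_common_word:" + word)
            break
    return failures


if __name__ == "__main__":
    # Passes every composition rule yet is a trivial wordlist hit.
    print(check_password("P@ssw0rd2017!!"))
    print(check_password("correct-horse-B4ttery-9"))
```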

Similarly, mandatory password change every 60 to 90 days decreases the chances that a brute-force password cracking attack will be successful, because in the time it takes to gather the information necessary to mount the attack, the password will change, rendering all work performed to mount the attack useless.

Strong multi-factor authentication requires that authentication include something a person knows (usually a username and password), something a person has (such as a smart card or magnetic strip card), and/or something a person is (a biometric token such as a fingerprint, palm print, or retina scan). Strong multi-factor authentication is effective because it requires an attacker to have two pieces of information in different forms before they can gain unauthorized access. Using strong multi-factor authentication ensures that stolen passwords or smart cards do not give an attacker immediate system access.

Conclusion

An APT attack such as the one mounted against the Western Interconnection Power Grid must be addressed before the attackers gain a solid remote access foothold inside the power grid network. Planning a cybersecurity program strategy around the Cyber Kill Chain model ensures that the organization addresses vulnerabilities at each stage of an APT attack and deploys the countermeasures necessary to ensure APT attacks are detected and blocked from penetrating power grid systems. Then, through best-practice defense-in-depth countermeasure planning and deployment, the organization can proactively as well as defensively protect against both current and future attacks, which are only increasing in this age of cyberwarfare.


References

Mitre. (2017). CVE Details Home. Retrieved from https://www.cvedetails.com/

NMAP.org. (2017). NMAP Security Scanner. Retrieved from http://nmap.org/

NVD. (2017). National Vulnerability Database. Retrieved from https://nvd.nist.gov/

OWASP. (2015). Defense in Depth. Retrieved from https://www.owasp.org/index.php/Defense_in_depth

Shodan.io. (2017). Search Engine for The Internet of Things. Retrieved from https://www.shodan.io/

Tenable. (2017). Nessus Vulnerability Scanner. Retrieved from https://www.tenable.com/products/nessus-vulnerability-scanner

Wireshark. (2017). Wireshark Home. Retrieved from https://www.wireshark.org/