Western Interconnection Power Grid APT Attack and Defense In-Depth 1
Western Interconnection Power Grid APT Attack and Defense In-Depth
Introduction
The Western Interconnection Power Grid is a prime target for malicious nation states for several reasons, which is most likely why an APT cyberattack is currently aimed at the power grid. Because an APT is a calculated and stealthy attack that typically results in at-will remote access for the attackers, a successful APT attack on a major power grid interconnection organization would provide first-strike capabilities to a nation-state or terrorist organization planning an attack on the United States and/or the entire eastern seaboard of North America. Another reason an APT attack would be aimed at the Western Interconnection Power Grid is that control over the grid would give a terrorist group the ability to shut down power in specific locations, such as airports, with the potential to cause a disaster not unlike the events of September 11, 2001. For this reason it is essential that Western Interconnection Power Grid management and IT staff understand how an APT works and how the organization can improve its cybersecurity readiness through a defense in-depth strategy that protects the grid from APT attacks.
Cyber Kill Chain ICS Vulnerabilities
The Cyber Kill Chain model was first introduced by Lockheed Martin as a template that conveys an understanding of exactly how attacks like APT are conducted, in order to properly defend against them. Knowing how an attack is conducted will enable the Western Interconnection Power Grid IT management and administration team to proactively configure networks within the grid to both detect and thwart APT attacks.
Reconnaissance
The first step in the Cyber Kill Chain sequence, which is also the first step in an APT attack, is to assess the target and find potential weaknesses that can be exploited as part of an overall plan. Reconnaissance typically involves several tools, including port scanners such as Nmap (Nmap, 2017) that can identify services running on all accessible systems within the target network, read service type and version information, read operating system type and version information, and even scan and map networks through firewalls if the firewall is not configured to block incomplete or fragmented TCP conversations. Other reconnaissance techniques include using Google to search for system information, IP addresses, and even company information that may reveal configurations usable in the next phase of the attack. The Shodan search engine (Shodan, 2017) is another tool that is in some ways even more effective, because it is designed specifically to catalog systems connected to the Internet and display each system's configuration in the search results. ICS systems in particular were, until recently, developed without cybersecurity in mind, so services such as SNMPv1, telnet and HTTP, and protocols such as BACnet, all of which send information in clear text, are prime targets for APT attacks and will be a focus of the reconnaissance phase against the Western Interconnection Power Grid networks.
Weaponization
The Weaponization phase processes the information gleaned from the Reconnaissance phase by identifying the items in which vulnerabilities exist. For example, the service and operating system information gathered through Nmap (Nmap, 2017) and vulnerability scanners such as Tenable Nessus (Tenable, 2017) can be searched in a vulnerability database such as the Mitre CVE database (Mitre, 2017) or the U.S. Federal Government NVD database (NVD, 2017) for any vulnerabilities that may exist for each service type and version. Once the vulnerabilities are identified they can be used in the next phase of the Cyber Kill Chain for exploitation.
Other information gained during the Reconnaissance phase that may be useful during Weaponization includes the identification of vulnerabilities that vendors are not aware of and for which no security patches currently exist. This type of vulnerability is called a "zero day" vulnerability, and networks such as the Western Interconnection Power Grid can only defend against such unknown weaknesses with a well-structured information security program that includes a framework built around a layered, defense in-depth strategy.
Exploitation
Once the Weaponization phase is completed, the Exploitation phase starts by designing and developing tools intended to install and exploit the vulnerabilities identified during the Weaponization phase. For example, if analysis of the information gleaned during the Reconnaissance phase identifies a firewall vulnerability in which ICMP Type 13 (Timestamp) packets are allowed to traverse the firewall from the public network, the APT attack group may develop a remote access service payload that is delivered to a group of Western Interconnection Power Grid administrators via a phishing attack and installs on a workstation once one of the recipients clicks a link within the phishing email. Once installed, such a service could use ICMP Type 13 packets as a covert channel for both communication and remote access through the company's firewall.
Command & Control
The Command and Control phase of an APT attack is focused on using the tools developed or identified and installed in the target network during the Exploitation phase to expand control over the target network. Once the APT attack group has remote access to the Western Interconnection Power Grid, they will use that remote access through covert channels to reach the systems within the network that are their main focus. In this case the APT attack group may install keystroke loggers on the remote access system to capture the authentication credentials of administrators as they access ICS systems. Once the credentials are captured, the APT group can access and compromise the targeted ICS systems.
The APT attackers may also use the remote access systems to scan the network for a
more thorough understanding and map of the network, or install a network sniffer such as
Wireshark (Wireshark, 2017) that can be used to capture more authentication credentials and
vulnerability information, and identify additional vulnerabilities that could not be discovered
from outside the target network. This is an example of a situation in which certain phases in the
Cyber Kill Chain may be used again during the course of an attack as the attackers gain even
greater control over the victim network.
The following is an example diagram of a possible APT attack path and remote access
covert channel that may take place once each phase of the Cyber Kill Chain is exercised:
Actions
During the Actions phase of the Cyber Kill Chain process, the APT attack group will continue to expand control over the Western Interconnection Power Grid network while maintaining an undetected posture. They will repeat the Cyber Kill Chain process in order to identify additional vulnerabilities in power grid systems from inside the power grid network, develop additional tools to exploit the vulnerabilities found, expand remote access and control, and repeat the process again. The APT will maintain remote access and control for as long as necessary to achieve their goals, which most likely include gathering as much information about the grid as possible and the ability to shut down part or all of the grid for either terror attack or political power play purposes when required.
Countermeasures – Defense In-depth
The defense in-depth approach, which originated from NIST recommendations, is based on the perspective that no single form of cybersecurity defense will thwart cyberattacks 100% of the time (OWASP, 2015). Hence, by planning and implementing multiple cybersecurity countermeasures in a layered approach, the countermeasure layers in combination will slow down, stop, and/or facilitate detection of an attack before attackers can complete their objectives, be it to damage, steal, or otherwise alter information systems for malicious intent. Three areas that a defense in-depth strategy should address are the people, technologies, and operations that serve as the foundation of the organization.
People
The people who work within an organization are often the organization's number one cybersecurity weakness, because security efforts focus on the information technology itself rather than on the people who use it. APT attackers are aware of this fact and often employ social engineering tactics such as phishing to bypass technological defenses by "tricking" someone inside the company into installing malware that gives the APT attackers remote access to systems within the organization. A combination of training and countermeasures can greatly decrease the chance that cyberattacks focused on the organization's employees will succeed.
Cybersecurity training arms the organization's employees with the knowledge they need to tell the difference between legitimate communications and activities on the company network and an actual cyberattack. A cybersecurity training program for the Western Interconnection Power Grid must require that each employee attend a cybersecurity training course at least annually, with mandatory attendance at an annual cybersecurity training update as well. In addition, new employees must be required to attend cybersecurity training as part of the on-boarding process. The training should cover how to recognize cyberattacks, common signs of an attack, how every employee should respond to an attack, and the internal contact personnel and protocol for alerting the organization to a possible attack should one be discovered. Training on how to recognize social engineering attacks, phishing and spear phishing attacks, how to recognize and respond to cross-site scripting attacks, and how malware infections occur and are prevented must all be included in the employee training, which will greatly reduce the viability of personnel as an APT attack vector.
Countermeasures the organization can employ to protect against insider collusion with APT attackers include job rotation and separation of duties, both of which must be implemented within the Western Interconnection Power Grid organization. Job rotation is an essential and effective countermeasure against attacks by employees: the organization identifies the roles that handle highly sensitive information and/or interact with critical systems or systems that process and store highly sensitive information, and then as a matter of policy requires personnel in those roles to periodically switch duties and/or roles with other employees in the company who are qualified to perform the same tasks. Job rotation decreases the opportunity for insider attacks by requiring collusion among multiple employees in order to attack the organization without detection. Separation of duties is a technique applied to the same critical roles as job rotation and involves dividing tasks among multiple employees such that a responsibility cannot be completed without the cooperation of multiple individuals (similar to job rotation). By implementing both job rotation and separation of duties, the Western Interconnection Power Grid organization will ensure that insider compromise of information systems by critical roles within the company cannot occur unless multiple individuals are involved.
Technology
Layers of countermeasures for each attack vector used for APT attacks will help ensure
that performing an attack is extremely difficult while also increasing the chances that attacks will
be detected by administrators and blocked before systems are compromised and an information
security incident occurs.
Firewalls and the routers in front of them most often serve as the first defense against
malicious traffic entering the organization through a public network ingress/egress interface. All
Internet facing routers should be equipped with firewall services that include access control lists
or ACLs that allow forwarding of only traffic that is absolutely necessary for company
operations. Firewalls should be equipped with deep packet inspection features that detect
malicious payloads as well as suspect packet types and block them from entering the company's
private network. Firewalls must also be configured to block all traffic except that which is
necessary for business operations, such as blocking ICMP and other protocols that should never
traverse the firewall, greatly decreasing the opportunity for a successful attack and/or
establishment of covert channels for unauthorized remote access.
IPS/IDS systems must be deployed at every ingress/egress interface to public networks, wireless networks, and critical network sections, with both anomaly-based and signature-based detection enabled, so that known attacks are immediately detected and new attacks are recognized as anomalies that are either blocked through pre-programmed IPS actions, such as stopping the malicious traffic from traversing the internal network through ACLs, or reported by alerting system administrators when an attack is detected.
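As an added example (not from the original paper), the following Python script shows a defender-side check for the covert channel described in the Exploitation section and for the firewall and IPS policy above: it reads constructed firewall log lines in a hypothetical format, flags any ICMP Timestamp (type 13/14) messages the perimeter accepted across the internal/external boundary, and additionally marks oversize messages and high message rates between one source and destination. The log format, the 10.20.0.0/16 internal range and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines in a hypothetical syslog-like format (not any real vendor's output).
SAMPLE_LOG = """\
2017-03-01T10:00:01 fw1 ACCEPT proto=icmp src=10.20.5.17 dst=203.0.113.9 type=13 code=0 len=40
2017-03-01T10:00:02 fw1 ACCEPT proto=icmp src=10.20.5.17 dst=203.0.113.9 type=13 code=0 len=612
2017-03-01T10:00:03 fw1 ACCEPT proto=icmp src=203.0.113.9 dst=10.20.5.17 type=14 code=0 len=540
2017-03-01T10:00:05 fw1 ACCEPT proto=icmp src=10.20.5.17 dst=203.0.113.9 type=13 code=0 len=40
2017-03-01T10:00:06 fw1 ACCEPT proto=tcp src=10.20.5.44 dst=198.51.100.20 sport=51222 dport=443 len=60
2017-03-01T10:00:07 fw1 ACCEPT proto=icmp src=10.20.7.3 dst=192.0.2.77 type=8 code=0 len=84
2017-03-01T10:00:09 fw1 DROP proto=icmp src=10.20.5.17 dst=203.0.113.9 type=13 code=0 len=40
"""

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed corporate address range
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) proto=icmp src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) type=(?P<type>\d+) code=\d+ len=(?P<len>\d+)$"
)
TIMESTAMP_TYPES = {13, 14}  # ICMP Timestamp request / reply
NORMAL_TS_LEN = 40          # 20-byte IP header + 8-byte ICMP header + three 4-byte timestamps
RATE_THRESHOLD = 3          # messages per src->dst pair within one window before flagging
WINDOW_SECONDS = 60

def crosses_perimeter(src, dst):
    """True when exactly one endpoint is inside the internal address range."""
    return (ipaddress.ip_address(src) in INTERNAL_NET) != (ipaddress.ip_address(dst) in INTERNAL_NET)

def analyze(log_text):
    """Flag ICMP Timestamp traffic that the perimeter should never have forwarded."""
    findings = {"accepted_crossing": [], "oversize": [], "high_rate": {}}
    windows = defaultdict(list)  # (src, dst) -> times of accepted messages in the current window
    for line in log_text.splitlines():
        m = ICMP_RE.match(line)
        if not m or int(m["type"]) not in TIMESTAMP_TYPES:
            continue  # non-ICMP lines and other ICMP types are out of scope here
        src, dst, length = m["src"], m["dst"], int(m["len"])
        if m["action"] != "ACCEPT" or not crosses_perimeter(src, dst):
            continue  # dropped at the firewall, or purely internal: policy held
        ts = datetime.fromisoformat(m["ts"])
        findings["accepted_crossing"].append((m["ts"], src, dst))
        if length > NORMAL_TS_LEN:
            findings["oversize"].append((m["ts"], src, dst, length))  # extra bytes: possible payload
        seen = windows[(src, dst)]
        seen.append(ts)
        # Keep only messages inside the sliding window, then test the rate for this pair.
        windows[(src, dst)] = seen = [t for t in seen if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(seen) >= RATE_THRESHOLD:
            findings["high_rate"][(src, dst)] = len(seen)
    return findings

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Every accepted crossing is already a policy violation under the firewall rules above; the oversize and rate findings are what separate a misconfiguration from probable covert-channel use.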
Every workstation and server must be equipped with anti-malware software that is
centrally managed and updated to ensure that the most current anti-malware definitions are
installed on all systems at all times. Similarly, all system security updates and patches (including
ICS and SCADA systems) must be centrally managed and update installation verified
automatically so that security patches for all known vulnerabilities are immediately remediated
and patch installation verified for all systems connected to the power grid network.
All non-essential services on all systems must be disabled, including on ICS and SCADA systems, which will substantially decrease the attack surface inside the company to only the network services that are essential for operations. In addition, all systems must be scanned for vulnerabilities using a highly capable enterprise-level scanner such as the Tenable Nessus scanner (Tenable, 2017) to ensure that both known and potential vulnerabilities are detected and remediated before they can be exploited by attackers.
Operations
Along with the vulnerability scanning and update management mentioned above (which
overlaps into operations as well) the company must pay close attention to how access control is
implemented within the organization. Typical system and network authentication involves the
use of username/account and password prior to granting authorization. However, passwords and
account names can be stolen through the enumeration process, network sniffing attacks and even
by “dumpster diving” (a type of social engineering attack in which the attackers sift through
company refuse in order to find valuable information such as authentication credentials and
financial information which is often inadvertently thrown away). To prevent attacks against
username/password authentication, the company must implement and enforce authentication
policies that include mandatory password complexity, mandatory password change every 60 to
90 days, and strong multi-factor authentication.
Password complexity ensures that passwords cannot be easily guessed or broken using
brute force password techniques. Password lists that include common dictionary words and
passwords used to increase the speed of brute force password cracking software such as John the
Ripper can be easily downloaded from Internet hacking sites. Increasing the complexity of
passwords by requiring passwords to meet complexity rules such as being 14 characters in
length, and having at least one special character, upper case letter, lower case letter, and a
number, will greatly decrease the chances that a brute force password cracking attack will be
successful.
Similarly, mandatory password change every 60 to 90 days decreases the chances that a
brute force password cracking attack will be successful because in the time it takes to gather the
information necessary to mount the attack, the password will change rendering all work
performed to mount the attack useless.
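As an added example (not part of the original paper), the Python below evaluates an account against the policy described in the two paragraphs above: the 14-character, four-class complexity rule, a constructed stand-in for a downloaded common-password list, the 90-day maximum age, and a worst-case exhaustive-search estimate that shows why a short password can be searched inside the rotation window while a 14-character mixed-class one cannot. The 33-symbol special-character alphabet and the 1e10 guesses-per-second rate are assumptions.

```python
import re
from datetime import date

MIN_LENGTH = 14            # complexity rule from the policy above
MAX_AGE_DAYS = 90          # upper bound of the 60-90 day rotation window
GUESSES_PER_SECOND = 1e10  # assumed attacker guess rate for the search estimate
# Constructed stand-in for a downloaded common-password list (a few entries only).
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "summer2017!"}
# Character classes the policy requires, with the alphabet size each contributes.
CLASS_RULES = {
    "upper": (re.compile(r"[A-Z]"), 26),
    "lower": (re.compile(r"[a-z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation (assumed count)
}

def complexity_violations(password):
    """Return the complexity rules the password fails (an empty list means it passes)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, (pattern, _) in CLASS_RULES.items():
        if not pattern.search(password):
            violations.append(f"missing {name} character")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in common-password list")
    return violations

def days_to_exhaust(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case days to try every string of this length over the classes the password uses."""
    alphabet = sum(size for pattern, size in CLASS_RULES.values() if pattern.search(password))
    return alphabet ** len(password) / guesses_per_second / 86400

def check_account(password, last_changed, today):
    """Combine complexity, age and search-window checks for one account (ISO date strings)."""
    violations = complexity_violations(password)
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        violations.append(f"password age {age} days exceeds {MAX_AGE_DAYS}")
    if days_to_exhaust(password) < MAX_AGE_DAYS:
        violations.append("exhaustive search fits inside the rotation window")
    return violations

if __name__ == "__main__":
    today = "2017-03-01"  # constructed reference date
    print(check_account("welcome1", "2016-10-01", today))
    print(check_account("Gr1d-0perator!Shift", "2017-01-15", today))
```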
Strong multi-factor authentication requires that authentication include something a person knows (usually a username and password), something a person has (such as a smart card or magnetic stripe card), and/or something a person is (a biometric token such as a fingerprint, palm print, or retina scan). Strong multi-factor authentication is effective because it requires an attacker to have two pieces of information in different forms before they can gain unauthorized access. Using strong multi-factor authentication ensures that a stolen password or smart card alone does not give an attacker immediate system access.
Conclusion
An APT attack such as the one mounted against the Western Interconnection Power Grid must be addressed before the attackers gain a solid remote access foothold inside the power grid network. Planning a cybersecurity program strategy around the Cyber Kill Chain model ensures that the organization addresses vulnerabilities at each stage of an APT attack and deploys the countermeasures necessary to ensure APT attacks are detected and blocked from penetrating power grid systems. Then, through best-practice defense in-depth countermeasure planning and deployment, the organization can protect proactively as well as defensively against both current and future attacks, which are only increasing in this age of cyberwarfare.
References
Mitre (2017). CVE Details Home. Web. Retrieved from https://www.cvedetails.com/
Nmap.org (2017). Nmap Security Scanner. Web. Retrieved from http://nmap.org/
NVD (2017). National Vulnerability Database. Web. Retrieved from https://nvd.nist.gov/
OWASP (2015). Defense in Depth. Web. Retrieved from https://www.owasp.org/index.php/Defense_in_depth
Shodan.io (2017). Search Engine for the Internet of Things. Web. Retrieved from https://www.shodan.io/
Tenable (2017). Nessus Vulnerability Scanner. Web. Retrieved from https://www.tenable.com/products/nessus-vulnerability-scanner
Wireshark (2017). Wireshark Home. Web. Retrieved from https://www.wireshark.org/