How to Increase ICS Cybersecurity Return on Investment (ROI)
•Télécharger en tant que PPTX, PDF•
3 j'aime•2,240 vues
In Austin's presentation, he will align his 2019 top 5 findings from the Dragos Industrial Penetration Testing team to tactical activities that can be performed to reduce cyberrisk within industrial environments. Return on Investment (ROI) is a broad and subjective term. Even in terms of industrial cyberrisk reduction, the interpretation of ROI can change drastically depending on who you ask. As a member of the Dragos Industrial Penetration Testing team, he sees the world around him in terms of exploitation effort. Exploitation effort is the investment required by an adversary to advance through a network. In his presentation, Austin will detail five ways that will significantly increase the time and energy needed for an adversary while minimizing operational and capital expenditure.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à How to Increase ICS Cybersecurity Return on Investment (ROI)
Similaire à How to Increase ICS Cybersecurity Return on Investment (ROI) (20)
Plus de Dragos, Inc.
Plus de Dragos, Inc. (16)
Dernier
Dernier (20)
How to Increase ICS Cybersecurity Return on Investment (ROI)
- 1. Austin Scott (GICSP, CISSP, OSCP) Dragos ICS Penetration Testing Principal ICSJWG June 2020 Virtual Meeting How to IncreaseICSCybersecurityReturn on Investment (ROI)
- 2. v C:>whoami 2 Austin Scott Principal Industrial Penetration Tester Dragos Professional Services @Austin_m_Scott https://www.linkedin.com/in/synergist/
- 3. 2019 DRAGOS YEAR IN REVIEW 3 71 have poor security perimeters 66 adversaries directly accessing the ICS76 organizations could not detect Dragos’ Red Team activities routable network connections into their operational environments 100 54 lacked separate IT and OT user management systems 81 Limited or no visibility into ICS/OT network 90 incidents involved shared credentials for lateral movement
- 4. v ICS CYBERSECURITY RAPID SELF-CHECK 4 Take ownership of understanding Cyber Risk in your environment.
- 6. WHAT WE SEE: CYBER RISK IMPACT Reduce interactive protocol traversal points. 6 OPERATIONAL RISK Medium – Verify firewall rule changes with ICS Vendors. TOOLS REQUIRED Solar Winds FREE Firewall Browser ICSFIREWALLRULES WHAT WE SEE WHAT TO DO • ICS Access from Corporate network • Temporary rules • Vendor solution dictated rules • Vendor access rules • Use Firewall Browser and Identify: SSH, Telnet, Remote Desktop, VNC, WMI, PowerShell RM, RPC, SMB ( PSEXEC )
- 8. WHAT WE SEE: CYBER RISK IMPACT Increase difficulties in gaining access to Domain Administrator accounts. 8 OPERATIONAL RISK Very Low TOOLS REQUIRED Bloodhound, Active Directory Enum Script ACCESSMANAGEMENT WHAT WE SEE WHAT TO DO • Domain Admins Galore • Overprivileged Service Accounts • Numerous Paths to Domain Admin • Download and Run BloodHound • Review Paths to Admins • Review Overprivileged Accounts
- 10. WHAT WE SEE: CYBER RISK IMPACT Increase the level of effort required to obtain credentials. 10 OPERATIONAL RISK Very low TOOLS REQUIRED Session Gopher, LSASS Dump and Mimikatz, Mimikittenz, Nirsoft.net Password Utils ACCESS MANAGEMENT #2 WHAT WE SEE WHAT TO DO • We almost always find Credentials • We often find default Credentials • We often find Credentials that are stored and not properly encrypted. • Understand where and how Credentials are stored. • Implement Access Management.
- 11. v MIMIKATZ CREDENTIAL HUNT DEMO 11
- 12. v MIMIKATZ CREDENTIAL HUNT DEMO 12
- 13. v SESSION GOPHER CREDENTIAL HUNT DEMO 13
- 14. WHAT WE SEE: CYBER RISK IMPACT Greatly increase the difficulty for adversaries to escalate privileges and move laterally. 14 OPERATIONAL RISK Medium – Verify system hardening changes with ICS vendor. TOOLS REQUIRED • Configuration Hardening Assessment PowerShell Script (CHAPS) • Microsoft Security Compliance Toolkit • CIS tools • STIG tools HARDENING WHAT WE SEE WHAT TO DO • Common system hardening issues allow for hash reflecting, passing and clear-text password recovery. • Windows - Run CHAPS • Linux - Run Linux Bash script
- 16. v CHAPS HARDENING DEMO 16 [*] Testing if WDigest is disabled. [-] WDigest UseLogonCredential key does not exist. [*] Testing if LLMNR is disabled. [-] DNSClient.EnableMulticast is enabled: [*] Testing if Computer Browser service is disabled. [-] Computer Browser service is: Running [*] Testing Lanman Authentication for NoLmHash. [-] NoLmHash registry key is configured: 0 [*] Testing if PowerShell Version 2 is permitted [-] PowerShell Version 2 is permitted. [+] = TEST PASS [-] = TEST FAIL
- 17. CYBER RISK IMPACT Improve Threat Detection Capability Improve Incident Response Capability 17 OPERATIONAL RISK Low – Centralized logging can increase network traffic within ICS environment TOOLS REQUIRED Configuration Hardening Assessment PowerShell Script (CHAPS) LOGGING WHAT WE SEE WHAT TO DO • Not Logging the Right Stuff • Lack of Centralized Logging • Run CHAPS • Implement Centralized Logging • Validate Event Logging
- 18. v CHAPS WINDOWS EVENTLOG CONFIG DEMO 18 [*] Testing if PowerShell Moduling is Enabled [-] EnableModuleLogging Is Not Set [*] Testing if PowerShell EnableScriptBlockLogging is Enabled [-] EnableScriptBlockLogging Is Not Set [*] Testing if PowerShell EnableScriptBlockInvocationLogging is Enabled [-] EnableScriptBlockInvocationLogging Is Not Set [*] Testing if PowerShell EnableTranscripting is Enabled [-] EnableTranscripting Is Not Set [*] Testing if PowerShell EnableInvocationHeader is Enabled [-] EnableInvocationHeader Is Not Set [*] Testing if PowerShell ProtectedEventLogging is Enabled [-] EnableProtectedEventLogging Is Not Set [*] Event logs settings defaults are too small. Test that max sizes have been increased. [x] Testing Microsoft-Windows-SMBServer/Audit log size failed. [x] Testing Security log size failed. [-] Microsoft-Windows-PowerShell/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-Pow [-] Microsoft-Windows-TaskScheduler/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows- [-] Microsoft-Windows-WinRM/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-WinRM/Op [-] Microsoft-Windows-Security-Netlogon/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Wind [-] Microsoft-Windows-WMI-Activity/Operational max log size is smaller than System.Collections.Hashtable[Microsoft-Windows-W [-] Windows PowerShell max log size is smaller than System.Collections.Hashtable[Windows PowerShell] GB: 0.015 GB [-] System max log size is smaller than System.Collections.Hashtable[System] GB: 0.02 GB [-] Application max log size is smaller than System.Collections.Hashtable[Application] GB: 0.02 GB [-] Microsoft-Windows-TerminalServices-LocalSessionManager/Operational max log size is smaller than System.Collections.Hasht
- 19. CYBER RISK IMPACT Improve Threat Detection Capability Improve Threat Hunting Capability Improve Incident Response Capability 1 9 OPERATIONAL RISK Low – Connecting to SPAN ports is nonroutable – BUT CPU usage of switches should be monitored. TOOLS REQUIRED Dragos Community Tools Network Miner - $$ NETWORK VISIBILITY WHAT WE SEE WHAT TO DO • Operate in ICS networks undetected • Maintain perpetual access • Do not know what is on networks • Identify SPAN ports for monitoring • Create procedure for collecting network packet captures • Use a free tool to view them
- 20. v Two Free (FOREVER) Community ICS Network Visibility Products from Dragos 20
- 22. THANK YOU
Notes de l'éditeur
- 3:30pm - 4:10pm - Simple Wins During Slow Downs, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc. Recent events have added some additional constraints to our ability as an industry to move ICS cyber security programs forward. How do we continue to identify and reduce cyber risk in our ICS environments when we cannot hire consultants or meet with vendors? As ICS operations team are actively working to minimize contact with the outside world, how do we add implement new technology or improve the security posture of our environments? In my presentation, I will detail several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk. Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues.
- Really this presentation is based on the recommendations we have for some of the most common findings we see in the field. Today thanks to the Covid-19 Pandemic, Dragos and other vendors are unable to do assessments. However, I am going to review some simple checks you can easily do internally to continue to drive your ICS cybersecurity program forward… even during Quarintine. We find these issues in the vast majority of assessments we do. So as a thought exercise, during this presentation you COULD pretend that I am providing an executive outbriefing after doing an assessment on your ICS network. I would love to hear that some of you in the audience have stood up a project or initiative internally to identify and address these findings after this presentation.
- Okay – So what I propose is creating a small project internally to give yourself a bit of a self checkup. I am going to share some of the techniques that we use during our assessments that are: 1. Low cost 2. Easy to use 3. And can quickly identify Cyber Risk in your environment Take ownership. I am going to show you some of the same tools or similar tools that we would run in your environment to identify cyberrisk, privilege escalation and lateral movement. These are ALSO the same tools or similar to the ones that activity groups are using against their targets today.
- Identify Interactive Service Rules that traverse security levels SSH, Telnet, Remote Desktop, VNC, TeamViewer, DameWare, WMI, PowerShell, RPC, SMB ( PSEXEC ) Firewall Browser Free Firewall Browser helps test and verify firewall rules Key Features Import and search unlimited Cisco, Check Point, and NetScreen configs Search rules and objects based on IP address, object name, service, or port Verify if a change request is already handled by the security rules https://www.solarwinds.com/free-tools/firewall-browser
- Many Domain admins in ICS networks Service accounts that are also Domain admins or have Admin like privs. Many service accounts are kerberoastable Many paths to domain admin Understand how an Adversary views your domain can be very helpful.
- Search for password files in network shares Look for applications that are capable to storing Credentials.
- Allow us to collect Hashes, Allows us to Reflect Hashes, Allows us to collect Clear-text passwords, allows us to pull sensitive data from memory. We have a tool we have developed internally to handle this which collects way more data and allows us to hunt for things, do vulnerability analysis, threat hunting and forensic analysis in one. But this open source tool that was recently released will go a long way to hardening your Windows Based ICS endpoints. Linux Systems you can use this github tool.
- https://github.com/cutaway-security/chaps Configuration Hardening Assessment PowerShell Script (CHAPS) Windows Event Forwarder
- As industrial penetration testers, we frequently are able to operate within ICS networks undetected and unhindered as these networks often lack the capabilities of detecting us. Quite often, Windows Host logs are being collected, but not in a centralized manner where they can be easily reviewed. In other cases, we encounter ICS networks that have a Centralized collection capability, but they are not logging data that is of value. Sometimes we encounter cases where IT-based solutions have been deployed into ICS environments for monitoring the network traffic. These IT technologies are effective at stopping IT attacks but are not capable of detecting ICS specific tradecraft.