NSM 101 for ICS
About me
Chris Sistrunk, PE
Electrical Engineer
Sr. ICS Security Consultant
– Control system security assessments
– ICS Village (DEF CON & RSA Conference)
Entergy (11+ years)
– SCADA Engineer (10 years)
– Project Robus (ICS Protocol Fuzzing)
• 30+ implementation vulnerabilities in DNP3 stacks
– Substation Security Team
BSidesJackson
What happens when you use nmap or a fuzzer on an ICS?
If ICS are so vulnerable, why haven’t we seen more attacks?
We aren’t looking!
Two Key Reasons
Intent
Visibility
Intent
Very little ICS targeted attack data
Maroochy Shire to Stuxnet to German Steel Plant
Why are targeted attacks different?
It’s a “Who” not a “What”
Professional, organized, well-funded
If you kick them out, they will return
Visibility
Visibility
Public ICS Vulnerabilities Per Year
If your ICS gets hacked… gadgets, water, electricity you can’t make anymore
Now what?
More Gov’t security regulations
ICS security still lagging
Breaches are inevitable
Attacks aren’t stopping
Every sector
Including ICS
What can we do to get ahead of this???
Network Security Monitoring
“The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise.”
- The Practice of Network Security Monitoring
Network Security Monitoring
Invented in 1990, still in use today
Cliff Stoll, “Stalking the Wily Hacker” (1988)
Todd Heberlein et al., “A Network Security Monitor” (1990)
US Air Force, Defense Information Systems Agency, Lawrence Livermore National Lab (early 1990s)
NetRanger, RealSecure, Snort and many others (late 1990s - early 2000s)
Formal definition of NSM (2002)
Before we start looking…
We need
At least one person (to watch and hunt)
The right tools to collect and analyze the data
The NSM Cycle
Collection
Detection
Analysis
Model for action, based on network-derived data
Requires people and process, not just technology
Focuses on the adversary, not the vulnerability
Methods of Monitoring
Network tap – physical device which relays a copy of packets to an NSM sensor
SPAN or mirrored ports – switch configuration which sends copies of packets to a separate port where the NSM sensor can connect
Host NIC – configured to watch all network traffic flowing on its segment (usually on the NSM sensor)
Serial port tap – physical device which relays serial traffic to another port; usually requires additional software to interpret the data
Fluke Networks
Stratus Engineering
Types of Data Collected
Full content data – unfiltered collection of packets
Extracted content – data streams, files, Web pages, etc.
Session data – conversation between nodes
Transaction data – requests and replies between nodes
Statistical data – description of traffic, such as protocol and volume
Metadata – aspects of data, e.g. who owns this IP address
Alert/log data – triggers from IDS tools, tracking user logins, etc.
Difficulties for NSM
Encrypted networks
Widespread NAT
Devices moving between network segments
Extreme traffic volume
Privacy concerns
Issues that most ICS do not face!
Example ICS
[Diagram of an example ICS: Enterprise/IT, DMZ, Plant, Control, Web, Historian or other DB, DCS, Historian, HMI, PLCs, Controllers, RTUs, PACs]
Anatomy of an Attack
Over all Mandiant attack investigations,
only a little more than half of victim computers have malware on them.
While attackers often use malware to gain an initial foothold,
they quickly move to other tactics to execute their attacks.
Unauthorized Use
of Valid Accounts
Known &
Unknown
Malware
Command &
Control Activity
Suspicious
Network Traffic
Files Accessed by
Attackers
Valid Programs Used
for Evil Purposes
Trace Evidence &
Partial Files
Attacker Objectives
Attacker’s goals:
Damage equipment
Affect or steal process info
Cause safety or compliance issue
Pivot from vulnerable ICS to enterprise
Attacker’s options:
Gain physical access to an ICS host
Gain remote access to an ICS host
Compromise a highly-privileged client machine with access to the ICS network
[Diagram: Enterprise/IT, Plant DMZ, Control, Web, Historian or other DB, SCADA, Historian, HMI, PLCs, Controllers, RTUs, PACs]
Let’s do some NSM!
Let’s do some NSM!
Inquisitive mind
NSM collection tools
NSM hunting tools
Protection
NSM Collection
Firewall Logs
Session Data
NIDS/HIDS Logs
Full packet capture
Windows Logs and syslog
SNMP (CPU % etc.)
Alerts from security agents (AV, whitelisting, etc.)
[Diagram of collector placement: Enterprise/IT, enterprise technology collectors (logs and/or agent), network sensors (logs only), Plant DMZ, Control, Web, Historian or other DB, SCADA, Historian, HMI, PLCs, Controllers, RTUs, PACs]
NSM Collection
What are we looking for?
Exceptions from baseline (e.g. A talks to B but never C)
“Top Talkers”
Unexpected connectivity (to Internet, Business network)
Known malicious IPs and domains
Logins using default accounts
Error messages that could correlate to vulnerabilities
Unusual system and firewall log entries
Host-based IDS or other security system alerts
Unexpected file and firmware updates
Antivirus alerts
And others….
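The first three items in the list above (baseline exceptions, top talkers, unexpected connectivity) are checks that run directly over session data. As an added example, not code from the talk or from SiLK/FlowBAT, here is a Python version of those three checks over a handful of constructed flow records; the flows, the baseline and the 10.10.1.0/24 control-network and 10.20.0.0/16 business-network ranges are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed session records in the shape SiLK/FlowBAT summarise:
# (source IP, destination IP, destination port, bytes). Not real data.
FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502, 48_000),     # HMI -> PLC, Modbus/TCP
    ("10.10.1.10", "10.10.1.21", 502, 47_500),     # HMI -> PLC
    ("10.10.1.10", "10.10.1.22", 20000, 31_000),   # HMI -> RTU, DNP3
    ("10.10.1.30", "10.10.1.10", 1433, 900_000),   # historian DB pull from HMI
    ("10.10.1.21", "10.10.1.22", 502, 1_200),      # PLC -> RTU: never seen before
    ("10.10.1.20", "203.0.113.7", 443, 2_400),     # PLC -> Internet: should not happen
    ("10.10.1.10", "10.10.1.20", 502, 52_000),
]

# Baseline of expected (src, dst, dport) conversations, as you would build it
# from a quiet period of session data. Constructed for this example.
BASELINE = {
    ("10.10.1.10", "10.10.1.20", 502),
    ("10.10.1.10", "10.10.1.21", 502),
    ("10.10.1.10", "10.10.1.22", 20000),
    ("10.10.1.30", "10.10.1.10", 1433),
}

# Assumed address plan: control network and business network ranges.
CONTROL_NET = ipaddress.ip_network("10.10.1.0/24")
BUSINESS_NET = ipaddress.ip_network("10.20.0.0/16")


def top_talkers(flows, n=3):
    """Bytes sent plus received per host, largest first (FlowBAT's top-N view)."""
    totals = Counter()
    for src, dst, _port, nbytes in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return totals.most_common(n)


def baseline_exceptions(flows, baseline):
    """Conversations never seen in the baseline: 'A talks to B but never C'."""
    seen = {(src, dst, port) for src, dst, port, _ in flows}
    return sorted(seen - baseline)


def unexpected_connectivity(flows, control_net=CONTROL_NET, business_net=BUSINESS_NET):
    """Flows in which a control-network host reaches outside the control network."""
    findings = []
    for src, dst, port, _ in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in control_net and d not in control_net:
            where = "business network" if d in business_net else "Internet/other"
            findings.append((src, dst, port, where))
    return findings


def hunt(flows, baseline):
    """Analyst-style summary lines for one batch of session data."""
    lines = [f"top talker: {host} {nbytes} bytes" for host, nbytes in top_talkers(flows)]
    lines += [f"new conversation: {s} -> {d}:{p}"
              for s, d, p in baseline_exceptions(flows, baseline)]
    lines += [f"leaves control net: {s} -> {d}:{p} ({w})"
              for s, d, p, w in unexpected_connectivity(flows)]
    return lines


if __name__ == "__main__":
    print("\n".join(hunt(FLOWS, BASELINE)))
```

The baseline here is a static set; in practice it is rebuilt from session data over a period the plant engineers confirm was normal, and every conversation outside it is a lead to hunt, not yet an incident.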
NSM Detection & “Hunting”
Analyst looks at detected anomalies or alerts, then escalates to IR
IDS alerts
Anomaly detection
Firmware updates, other commands
Login with default credentials
High CPU or network bandwidth
Door alarms when nobody is supposed to be working
Devices going off-line or behaving strangely
[Diagram: Plant DMZ, Control, Web, Historian or other DB, SCADA, Historian, HMI, PLCs, Controllers, RTUs, PACs]
NSM Detection
NSM Analysis
Incident responders analyze the detected anomalies to find evil
Application exploitation
Third-party connections (ex. ICCP or vendor access)
ICS-specific communication protocol attacks (ex. Modbus, DNP3, Profinet, EtherNet/IP)
Remote access exploitation
Direct network access due to poor physical security
USB-delivered malware
[Diagram: Plant DMZ, Control, Web, Historian or other DB, SCADA, Historian, HMI, PLCs, Controllers, RTUs, PACs]
NSM Analysis
ICS NSM Examples
Session Data “Top Talkers”
FlowBAT characterizes Session Data, showing which nodes have the most traffic
Web traffic
Web traffic
NetBios
NTP
SiLK and FlowBAT can be easily installed in Security Onion
Pcap Analysis for anomalies
NetworkMiner can find potential ARP spoofing (as well as many other indicators)
Pcaps - Abnormal DNS Traffic
NetworkMiner sees “strange” DNS requests originating from within the ICS
IDS alerts - Abnormal DNS Traffic
DNS requests shown in the Bro IDS log in ELSA
Pcaps - Malformed Modbus
Deep packet inspection of Modbus by Wireshark
IDS Logs
Bro IDS
– DNP3 & Modbus
– More ICS protocols being developed by UIUC
Snort IDS
– DNP3 & Modbus preprocessors
– ET SCADA & DigitalBond Quickdraw Snort rules
Suricata IDS
– New DNP3 parser & ET SCADA rules
IDS Logs
Modbus
DNP3
Bro IDS parses Modbus and DNP3 packets, ELSA consolidates Bro logs
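The malformed-Modbus Wireshark slide and the Bro Modbus/DNP3 log slide both rely on deep packet inspection of Modbus/TCP. As an added example, not code from the talk nor from Wireshark or Bro, here is a Python parser for the Modbus/TCP MBAP header and PDU that records what is malformed instead of dropping the frame, and flags write function codes from any host outside an assumed master list; the three frames and the addresses are constructed, and DNP3 is left out.

```python
import struct
from dataclasses import dataclass, field

# Modbus function codes that change controller state (writes). A write from a
# host that is not a known master is the "unexpected command" an analyst hunts for.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
MAX_LENGTH_FIELD = 254  # max ADU is 260 bytes; the length field excludes the first 6


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes
    problems: list = field(default_factory=list)


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU).

    Malformed frames are not rejected: each inconsistency is recorded in
    frame.problems so a sensor can log the frame the way an IDS log would."""
    if len(payload) < 8:
        return ModbusFrame(0, 0, 0, 0, 0, payload,
                           ["truncated: shorter than MBAP header plus function code"])
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    frame = ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])
    if pid != 0:
        frame.problems.append(f"protocol id {pid} is not 0")
    # The length field counts unit id + PDU, i.e. every byte after the first six.
    actual = len(payload) - 6
    if length != actual:
        frame.problems.append(f"length field {length} != actual {actual}")
    if length > MAX_LENGTH_FIELD:
        frame.problems.append(f"length field {length} exceeds Modbus maximum {MAX_LENGTH_FIELD}")
    if frame.function_code & 0x80:
        code = frame.data[0] if frame.data else None
        frame.problems.append(f"exception response, exception code {code}")
    return frame


def inspect(src_ip: str, payload: bytes, allowed_masters: set) -> tuple:
    """Return (frame, alerts): parser problems plus a policy check on who is writing."""
    frame = parse_modbus_tcp(payload)
    alerts = list(frame.problems)
    if frame.function_code in WRITE_FUNCTIONS and src_ip not in allowed_masters:
        alerts.append(f"write (function {frame.function_code}) to unit {frame.unit_id} "
                      f"from non-master {src_ip}")
    return frame, alerts


# Constructed test frames (not captured traffic).
# Read holding registers 0..9 from unit 1: a well-formed request.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
# Length field claims 32 bytes but only 11 follow; function 16 = write multiple registers.
MALFORMED_WRITE = bytes.fromhex("0002 0000 0020 01 10 0000 0002 04 deadbeef")
# Exception response: function 0x83 (0x03 | 0x80), exception code 2 = illegal data address.
EXCEPTION_RESP = bytes.fromhex("0003 0000 0003 01 83 02")

if __name__ == "__main__":
    masters = {"10.10.1.10"}  # assumed: the only host allowed to write
    for name, src, raw in [("read", "10.10.1.10", READ_HOLDING),
                           ("malformed", "10.10.1.99", MALFORMED_WRITE),
                           ("exception", "10.10.1.20", EXCEPTION_RESP)]:
        frame, alerts = inspect(src, raw, masters)
        print(name, f"fc={frame.function_code:#04x} unit={frame.unit_id}", alerts or "ok")
```

A run of exception responses from a PLC is itself worth a look: it usually means a master is addressing registers that do not exist, which is either a misconfiguration or someone enumerating the device.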
IDS GUIs
Alerts in Sguil of scanning activity
Syslog
Syslog can be configured to send to an NSM sensor, or detected in network traffic if it is sent elsewhere. This is the Bro IDS log for syslog from an RTU.
RTUs with Syslog
• SEL-3530 RTAC
• GE D20MX
• Novatech OrionLX
• Cooper SMP 16
If not, require syslog and other logs in the ICS procurement language
NSM Tools for the 7 Data Types
Security Onion Linux distribution
– Easy to install and lots of documentation
Full packet capture – Tcpdump/Wireshark/NetworkMiner
Extracted content – Xplico/NetworkMiner
Session data – Bro/FlowBAT
Transaction data – Bro
Statistical data – Capinfos/Wireshark
Metadata – ELSA (Whois)
Alert data – Snort, Suricata, Sguil, Snorby
Peel Back the Layers of Your Network
Security Onion Tools
NetFlow Tools
SiLK & FlowBAT
Install on Security Onion with 2 scripts
www.flowbat.com
Security Onion Implementation
Test in a lab first
Select suitable hardware platform
More RAM is better
Bigger hard drive is better (longer retention)
Mirrored/SPAN port on router/switch or a good network tap
Select proper placement of SO sensor
The Practice of Network Security Monitoring
Applied Network Security Monitoring
Work with the right stakeholders if placing in production
SO for ICS = Security Ogre
NSM References/Resources
The Cuckoo’s Egg by Cliff Stoll
https://www.youtube.com/watch?v=EcKxaq1FTac
1-hour NOVA Special (1990)
The Practice of Network Security Monitoring by Richard Bejtlich
http://www.nostarch.com/nsm
Applied Network Security Monitoring by Chris Sanders & Jason Smith
http://www.appliednsm.com/
The NSM Wiki http://nsmwiki.org
http://securityonion.net
Takeaways
You can implement NSM in ICS today – without impacting your operations
There are free tools available to help you start looking at your ICS and hunting for evil
People…
…the most important part of NSM!
Gigabytes of data and 1000s of IDS alerts are useless without interpretation
Analyze data collected to understand what’s normal – and what’s not
Identify adversary TTPs and act to disrupt them
Remember
Adversaries are a “Who”, not a “What”
Find Evil
chris.sistrunk@mandiant.com
@chrissistrunk