Michael Assante is currently the SANS lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security and Co-founder of NexDefense an Atlanta-based ICS security company. He served as Vice President and Chief Security Officer of the North American Electric Reliability (NERC) Corporation, where he oversaw industry-wide implementation of cyber security standards across the continent. Prior to joining NERC, Mr. Assante held a number of high-level positions at Idaho National Labs and served and as Vice President and Chief Security Officer for American Electric Power. Mr. Assante’s work in ICS security has been widely recognized and was selected by his peers as the winner of Information Security Magazine’s security leadership award for his efforts as a strategic thinker. The RSA 2005 Conference awarded him its outstanding achievement award in the practice of security within an organization.
He has testified before the US Senate and House and was an initial member of the member of the Commission on Cyber Security for the 44th Presidency. Before his career in security served in various naval intelligence and information warfare roles, he developed and gave presentations on the latest technology and security threats to the Chairman of the Joint Chiefs of Staff, Director of the National Security Agency, and other leading government officials. In 1997, he was honored as a Naval Intelligence Officer of the Year.
Phil is VP of Industrial Cybersecurity for CyberX, a Boston-based OT cybersecurity company founded in 2013 by military cyber experts with nation-state experience defending critical national infrastructure. CyberX is the only OT security firm selected for the SINET Innovator Award sponsored by the US DHS and DoD; the only one recognized by the International Society of Automation (ISA); and the only one selected by the Israeli national consortium providing critical infrastructure protection for the Tokyo 2020 Olympics. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Guardium, Veracode, and Symantec. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.
Good day everyone and welcome to today’s SANS webinar. It’s about active cyber defense, and our special guest is Mike Assante, the SANS lead for industrial control systems. He was recently recognized as one of the most influential people in security by Security Magazine. Mike’s going to be talking about recent targeted attacks and more sophisticated forms of malware that we’ve seen, how they work, and how active cyber defense can help. I’ll follow Mike with a brief overview of nation state attacks on infrastructures around the world. Some examples of how modern cybersecurity platforms can help. We’ve got a lot of information to cover today, so I’m going to hand it right over to Mike. Mike, it’s up to you. Go ahead.
Thanks so much Phil. You embarrassed me there, but Phil definitely came to me and said, “Hey, it’s time. We’ve had lots of big events in the last couple of months in the ICS security universe. The idea is pulling all these eye opening events together and exploring, ‘What do they mean? What do they tell us?’ That’s what we’re going to do here today.
Let me set the stage really quickly. You’ll hear things like nation states attacks, but you have to focus on the idea of business impact. Most of these infrastructures, industrial operations, exist for a purpose, that purpose being to create value, to create a product or deliver an essential service. In today’s world, we are worried now about attacks that lead to disruption of those processes and quite honestly damage. Damage coming in the form of losing access to data, to software. Damage in some cases of having hardware devices fail, something that you can’t recover in the field, and that’s what we’re going to talk about.
I’d like to explore three different examples that Carol talked about. We’re going to start in with ransomware. We had two major events. In the late spring, we had WannaCry as an outbreak, followed by NotPetya. That was in the June 27 timeframe in Ukraine. We’re going to explore how they both happened, what vulnerabilities were exploited, why they happened in the scale of which they did. We’ll take a good honest look at all those things in today’s webcast. I’ll cover aspects of what do you do about them as I go a little further in depth here in the presentation.
Let’s move on to, Carol, if you can advance me to the next slide, thanks. Here’s one of the problems, this idea of criminal extortion. Now some of these events might not have been criminal extortion. However, in that sphere of extortion we’re familiar now over the last two to three years with ransomware, the idea of selling encrypted files and saying ‘Pass money and we’ll give you the keys to encrypt those files’. We’ve seen this activity now that some of it’s under the guise of extortion, but there is no way to unencrypt your files—the files are actually destroyed. That is causing quite a bit of concern, and it should.
Why is this happening? If you look at WannaCry or WannaCrypt and if you think about it, the explorations I’ve been able to do if you look at some of the incidents and you dissect them what you’re finding is ICS hosts, OS and software that’s out of date with vulnerable operating systems. You’re finding out of date endpoint signatures on some of the devices within a controlled network. You’re finding in some cases, unfortunately, dual-homed historians where you don’t have proper segmentation put into place and proper ACLs and you’re having a path that defeats all that segmentation. We’re finding very little monitoring of practices or tools within the control system environment, in the plant floor or out in the field, very few capabilities. Of course, we’re all familiar with default passwords being out there and credentials that are stale. Those are the kind of recipe for allowing these types of things to happen.
If we go to the slide, we definitely need to be cognizant that we have some hygiene issues and we have some architecture problems that we need to clean up. The WannaCrypt and NotPetya ransomware outbreaks became significant in a control systems case because of the disruptions they lead to. They brought real factories into down time. They caused significant cleanup efforts and rebuilds. In some cases, some of those rebuilds were so difficult that weren’t able to recover the data and had to start from scratch. Right now, in just the material financial reporting alone, we’re seeing over one billion dollars of financial damages being tied particularly to NotPetya more than WannaCry.
If you just take a look at this list you’ll see some of those impacts, those material impacts where we have production loss, service disruptions and financial control problems. These are all being reported properly from those publicly traded companies. It’s been eye opening. That’s causing people to pause and say, “How do we stop this from happening again?”
We’ll go to the next slide. Let’s shift gears. We have the one problem that we just put a thumbnail case around. Let’s talk about targeted attacks and intrusion campaigns, Dragonfly 2.0. In the United States, in particular, there’s been an intrusion campaign focused on not only electrical entities, but that’s been one of the primary targets, but other entities. It appears to be gathering intelligence. That intelligence after a network is intruded upon it includes the filling of technical diagrams, of credentials, but also Symantec which did some excellent reporting, suggested that they’re stealing files that are HMI screen scrapes coming out of the environment.
Now not knowing the environment, we can’t assume that there’s been stage two access necessarily. Sometimes people do have simulators or versions of their HMI sitting on a corporate network or in the support network. However, it is disconcerting, obviously. Symantec said we’re not experts in control systems per se, but we’re seeing plant control network information being pulled out during these campaigns.
We’ll go to the next slide. Just a thumbnail on a targeted intrusion campaign like this, the big question in everyone’s mind is that it’s more than just intrusions, right? What makes these types of things different?
Nation state programs tend to be multifaceted. That means that they have capabilities from engineering, building engineered software or scripts that they intend to use in their environments. They have targeting groups, groups that go out there and conduct research and develop a profile so they can tailor and access campaign, for example, build a spear phishing or water holing campaign that is a high likelihood of being able to capture the types of companies that they’re after. Of course, you have the access campaign itself. Once they’re inside, the big question is: are they just exploiting and pulling information out, or do they actually have groups that are focusing on doing something more with that information?
We had several events around the world or incidents, Ukraine in 2015 and 2016 and a few others, where obviously information was pulled out, and then used to develop an attack. Now our national security leaders have reported more than 30 countries that are developing offensive cyber-attack capabilities, and those attack capabilities have exercised against critical infrastructure. That is of cause for concern that countries build these programs. These are the types of capabilities that we might be up against.
We’ll go to the next slide. Now it’s really important when you think about those types of targeted attacks to consider what does that mean from a defensive perspective? That’s what we’ll go into here in a moment.
Let’s talk about the last case study that I’m going to cover which is the identification of modular malware that has been tailored to work within a control system environment. That modular malware is a combination of payloads that tend to work in ways to either schedule or deliver. In this case, CrashOverride or Industroyer was such tailored malware, specific right now to the electric industries related in particularly in Europe, are taking advantage of commonly used industrial protocols and the vulnerabilities within being able to develop communication packages that can inject and be part of that communication stream.
We’ll go to the next slide. This does lead us to believe that perimeter security which has been a stalwart of protecting our control system environments just might not be enough. You can see some of the popular headlines here, this idea that this malware being found potentially in Ukraine is not surprising because of the evolution that we’ve seen in terms of attacking, in this case, power systems within Ukraine itself. There’s lots of speculation about who’s doing it and that as it’s happening, evolution in learning is occurring. It’s kind of a test bed, if you will, some people have suggested.
We’ll go to the next slide. Let’s start breaking down the technical aspects of these problems and how they work. In the case of the Industroyer or CrashOverride, here’s a good diagram provided by ESET of the major components of the malware tool set. There are back doors that allow access. There was an additional back door that was provided as a tool that could be used by the attackers, clearly delivered and moved in position to have access to operational network communication streams. There was a launcher module that could launch the different payloads to do things. There was a destructive payload called a data wiper that was customized particularly for the control system that was in place.
Then, there were these payloads that could interact and communicate with industrial protocols. There was the IC 101 protocol which is a serial version of their protocol commonly used for power systems. There was the 104 which is the IP version of that protocol, and a 61850 which is a common protocol used throughout the world for both fast messaging and for control, and then OPC as well.
If you look at a kill chain, classically SANS has provided this idea of an ICS kill chain that has a stage I component and a stage II component. It’s a good model that helps us think about it. There’s not a lot of information from Ukraine that even this modular malware toolset was even found at the December 2016 incident that resulted in a power outage. However, it’s quite possible that obviously the attack could’ve been more manual or scripted or used only one of these payloads, for example. We don’t know a lot about the stage I aspects of this. Most likely spear phishing to gain access using techniques to take control of the corporate IT environment, developed the credentials necessary to get into the ICS networks, and then positioning this tool there.
What this tool allows you to do is collapse the time necessary for an attacker to formulate an attack. That’s important for us defenders. We talk about stage II being a long-gated kill chain, meaning we have multiple opportunities to observe and disrupt the attacker. This is still true, but tools like this begin to reduce the time a defender has to be able to do that. It allows the attacker to more quickly have something to put into place and put into play once they get the necessary information.
Some of these tools can actually generate that necessary information, meaning the 61850 or the OPC can query for devices that can communicate that they can make changes to state, for example. These tools allow the attacker the ability to develop a concept to operate in that control system environment.
We’ll go to the next slide. Thank you. The big question is, how do attackers get in in these targeted attacks? Quite honestly, in the ICS world there are three major techniques that we’ve been seeing in these different campaigns from Dragonfly 2.0 to other campaigns around the world. Phishing, particularly phishing against engineers with files that are infected with droppers that engineers would be attracted to. For example, resumes about control system engineers looking for jobs, those types of things, data sheets related to automation equipment. There’s water holing attacks where a legitimate website is taken over that engineers would go to, and redirected to a malicious site, and from that would take over your box, that operating system, that desktop, and from there attackers would try to get foothold and pivot. Those are the two primary ways.
We’ve also seen some supply chain compromises. When we say that it comes mostly in the form of that water holing, this idea that their trojanizing actual files in place at a legitimate website. If you bring that file down that becomes one of the ways the attacker tends to get into the environment. We’re seeing a lot of that. Now other access techniques after they have a foothold include remote access, but in this slide I was trying to talk about the big two as it relates to getting initial footholds.
We’ll go to the next slide. Now let’s talk about what that means for us? We’ve known for a while that perimeter security is not enough. Adversaries are demonstrating the types of techniques and trade craft necessary to bypass or undermine, or what we like to describe as bridge, between the corporate IT environment and the firewalls and segmentation or ACL routing that we’ve put up between the enterprise and the control system of the plant. You have to, as an attacker, bridge the gap.
You have to go from that corporate enterprise, and it gives you access to a lot of information potentially to credentials and those things, how you and the company are doing business, a lot of the IT administrative tools are residing in that IT enterprise. Attackers are basically learning and building the tool sets to allow them to bridge. In the case of most of the attacks that we’ve seen in the Ukraine, for example, and other places we’re seeing attackers use valid VPN credentials, try to use infected files that might get moved into the control system. Also in the case of the ransomware, we’re going to talk about this, but using 0-day exploits that allow them to take advantage of some type of permissible communication link between stage I and stage II.
We’ll go to the next slide. Let’s talk about that in particular. A Microsoft 0-day, there’s quite a bit of back story on this one. ETERNALBLUE, there was a family of them as it related to Microsoft Windows operating system exploits, so it’s not just ETERNALBLUE.
Let’s take a look at the vulnerability and the exploit that’s used to take advantage of it. Basically, this exploit was released by the Shadow Brokers. The ideas was it was stolen from the NASA. We might see more of that, by the way, in the future. You always have to worry about these 30 programs that are developing, losing control of their own capabilities or tools is obviously a concern, particularly if they focus in on things like 0-day like this case.
Now the 0-day was built around the Microsoft 17-010 vulnerability. Microsoft immediately patched this vulnerability. There was a patch available for it. It basically allows for an over write of an SMBv1 buffer. The capabilities that we’ve seen operationalize also would go after use anonymous log in and user credentials to also take advantage of SMBv1 connections. Typically, the port in which that communication’s going occur over is 445. It is important, by the way, in a control system environment there are some controlled symptoms implementations that have used SMBv1 communication links, so you have to check with your vendor. It’s not necessary in most cases to use that as a communication capability. In my personal opinion, blocking that and disabling that which is Microsoft’s mitigation recommendation, and of course patching all the hosts in the environment.
There are SNORT signatures available for ETERNALBLUE and for a few others. Both WannaCry and NotPetya did use exploitations and vulnerabilities associated with MS17-010 for propagation. NotPetya had some additional propagation capabilities. Let’s talk about that here in a moment. We also did a series of communication about this at SANS. There’s a link there for you to take a look at that.
The big question is should SMB access from and IT to OT be disabled? Is that practical? Let’s go the next slide. My answer’s going to be of course it’s practical. You could do it you just have to do it right.
I’m going to focus less on WannaCry. WannaCry was interesting because it was propagated in a wormable package, meaning the exploit was a worm which allowed it to achieve some real level of scale after initial infection. That is significant, and so seeing the worm as a ransomware is not typical. Typically, ransomware is individually delivered by spear phishing, and then the individual target is exploited. The worm was capable of going from target to target. Let’s take a look at NotPetya, though, because they have some additional propagation capabilities on here.
Like other malware, the ransomware utilized a highly effective exploit, in this case the ETERNALBLUE exploit with one of the exploits that NotPetya was capable taking advantage of. Basically, the NotPetya would test for a vulnerable condition, so an infected server would send a message looking for a vulnerable condition at another server or a workstation. It would check the Windows version. It would trigger the MS17-010 vulnerability, and then it would deploy an SMB back door, and then it would actually replicate itself. It would infect the other machine. That’s the basic steps for what was occurring with NotPetya.
It could use the SMB exploit we just talked about with ETERNALBLUE, but it also could attempt to establish default administrative network shares using default well known user name and password credentials to create a connection as well. It had multiple ways of trying to communicate to a device that could be vulnerable.
It definitely could use that SMBv1 exploit, so patching is still an imperative. If you have unpatched machines you absolutely should be patching those machines. Microsoft provided the patch. Make sure you work with your manger and test that patch.
Here’s the big you need to take away, it potentially can only require one infected machine in an organization to take down all the other systems in the network. The reason is, the multiple infection techniques allowed it not only to rely on the SMBv1, but using some other types of ways to replicate itself to include a standard way to create files, write files, and API routines. If a workstation that’s trusted has been infected, then you’re at risk. It only takes one.
My feeling is with industrial protocols deploy nicely as environments that it’s critical to consideration all communication that cross security zones. Native additional protocols rarely ever need to leave the ICS environment. We sometimes do it to communicate to auxiliary systems, but rarely. Those architectures can be dangerous as we see here. There’s little practical reason or defensible justification for SMB communications to cross IT/OT boundaries in my opinion. While it’s important to check with the ICS system designer, prior blocking in these services if they exist, SMB transversing the boundaries has very few places or applications in what I would call secure ICS deployment. I think it’s really responsible to block such traffic and obviously use another type of service to communicate if necessary.
Disabling SMB services and blocking port for TCP port 445 is important. Microsoft describes that as their mitigation function. There are SNORT signatures available, by the way, for these what we know about NotPetya and WannaCry. I’d recommend that organizations are doing that type of thing it’s critical to do, but it goes back to the original question do we need to move from segmentation, hygiene and architecture to more? Do we need build to an active cyber defense? I think what we’re seeing around the world the answer in my opinion is yes.
Go to the next slide. Let’s pivot a little bit. We’re going to leave the ransomware problem behind and we’re going to focus a little bit on those advanced intrusions. Let’s talk about Dragonfly 2.0. Carol, if you can get me advanced to the next slide.
Thank you so much. The Dragonfly 2.0, now we’ve seen Dragonfly. It’s called 2.0 for a reason. There’s been a 1.0. In 1.0 it was an access campaign that focused on the use of spear phishing, water holing and trojanizing software or files that legitimate websites associated with control system engineering applications. Those were the three primary ways with what we called, some people called it Havex, Symantec calls Dragonfly 1.0, was used to initially infect systems.
Within 1.0, there was a modular package within Havex that could query and OPC server and pull information off that OPC server, so it had an additional ICS nexus. Not only was it tailored as it relates to delivery in terms of how best to deliver to control system environment or to the people that interact with control system environments, it also had a module which would identify a bridging function like OPC.
That’s important to note that 1.0, and that happened years ago. We’re talking the 2013 timeframe, 2014. Now we fast forward, next slide, to Dragonfly 2.0 which is an intrusion access campaign that we’ve seen recently. Again, this potentially goes all the way back to December 2015. It’s one of these rear-view mirror situations. What we’ve seen over the last couple of months included emails being sent to include everything from an invitation to a New Year’s party, to emails about general energy industry business and practices, resumes, those types of potential things. Dragonfly continues to compromise legitimate software to infect victims as well. Symantec has reported that trojanizing potential files is also a way for them to be delivering.
There’s been several potential intrusions out there being reported in different types of media outlets. You’ve seen this, targeted attacks against infrastructure. We just need to really keep in mind if these are the techniques, spear phishing, water holing to infecting web pages or redirecting to malicious web pages and trojanizing the files that engineers rely on, really spurs me to say it’s time to sit down with all your engineers and have this discussion of their practices, how they interact with files, how they conduct themselves on the Internet, and just be very aware that these things can happen. Awareness is only half the battle because it could break down and it does as we’ve seen. We need to move on to what happens after the attacker gets his initial foothold.
Let’s hit the next slide. We have heavy graphic files here, so it takes a little bit. Here’s my feeling. I’m going to give you a little minuet here. It used to be that at the plant level cyber security was considered very costly. It was confusing on how to implement it. To be fair, there weren’t a lot of tools back then. It was quite of denial. We saw quite bit of denial about we’re doing some things, we have antivirus deployed and we feel like we’re doing a good thing. That’s been the response over the last several years.
The next slide. I think times are changing. We’re getting to a place now where my feeling is it’s actually much less popular to take this position. It’s risky. It opens the organization up to dangers that are hard to anticipate, understand get your arms around. Quite honestly, at some point, you’d consider it negligent if you continue to keep your head that deeply in the sand.
Hit the next slide. The reason why I’m saying now it’s becoming negligent is we’re being taught by a series of incidents around the world that there’s a rising tide where control systems are not only being targeted by there are capabilities being designed to work in those environments and even broad capabilities that are being used and designed to even affect IT environments that are getting into OT environments and causing all sorts of problems. Here’s our rising tide, everything from espionage to WannaCry, Petya to CrashOverride and Industroyer. These are all things that when we need to think about with this rising tide.
Go to the next slide. To put a cap on it, when that rising tide is coming up and it is coming up, folks, you don’t want to be this person. You don’t want to be the terminal response to cyber which is you keep your head in the sand and you will be underwater with these attacks and not prepared. We need to learn from each one of these. NotPetya was a wakeup call. A lot of industries are learning from what happened. What does it take to recover from that? What do we do to avoid it? Those are the right questions to be asking. We don’t want to be reckless. I think this strategy of head in the sand is I’m declaring it outdated, and quite honestly, it’s self-destructive.
We’ll go to the next slide. I’m done with the infomercial, by the way. I feel very strongly that it is time to start building on our segmentation and our architectures and building what we call an active cyber defense capability. We have a paper in the SANS reading room called the Sliding Scale of Cyber Security. It talks about an active cyber defense and all the components that enable it.
It absolutely isn’t about just having an active cyber defense, it’s about building from a good architecture. You’ll find those places where you have dual-homed historians, or you have an SMBv1 connection from the IT or the OT, or you have some poor practice to move files from the engineer’s console out in the enterprise to their engineering workstations within the OT environment. It’s about building on a good architecture which actually enables an active cyber defense.
You cannot go conduct security operations in an ICS environment without doing these things first. They build. In fact, if you only had one dollar to spend I would tell you go spend in a good architecture and go spend it in patching and hardening your systems. If you have another dollar I’d say, “Sure, deploy passive defenses in and around your control system”. Those defenses reduce the noises that you have to deal with and allows you to focus.
Then, when you get your next dollar now it’s time to actually develop a capability, deploy tools and technologies and build practices to allow you to go into a control system environment, to look at what information is meeting it, to query it and actually deploy a security monitoring capability and be able to develop an effective incident response strategy. That’s really what an active cyber defense is. It anticipates what could be going wrong, it allows you analyze information to determine what might be happening, and then gives you the capabilities to develop a disruption strategy and see if an adversary has actually crossed that boundary. These proper investments all build.
I’m telling you the days where we said we have some antivirus in there and we have firewall, those days are over. We spent those dollars. We need to find the next dollar. We need to continue to go a little bit further.
If we go to the next slide, again, that paper talks about the importance of architecture, passive defense, active defense and being able to collect data within an environment and analyze that, to be your own intelligence capability for the purpose of shaping your defenses, not for writing intelligence reports and telling people what happened in the world. It’s good to share that information to protect others, but more importantly, to identify what’s occurring within your environment, what could you do differently and shape your defenses to make yourself less vulnerable.
With that, it brings us to the active cyber defense cycle. Cyber defenders must identify those surfaces that can be attacked in the pathways that attackers might use to reach target. Cyber defenders must assemble the proper tools that implement them sufficiently to cover both the most likely path and also prioritizes the most consequential paths to critical systems like safety systems. Don’t take the universal IT protection strategy.
Hello again. This is Phil Neray. I’m going to talk about nation state threats to critical infrastructure. I’m going to wrap up with some examples of how to implement some of the active cyber defense activities that Mike talked about. In this presentation, I’m definitely standing on the shoulders of security researchers and some very thoughtful journalists who’ve come before me, so a lot of what you’re going to see here is publicly available material, but I’ve tried to put it in one place to give you a picture of how we’re seeing the world today.
I started with this picture in our webinar a few months ago. Really, nothing has changed in terms of looking at the world and saying, “What’s going on? Do we really understand what’s going on and are we just going nuts, or is this is really happening?” This was from Def Con 22 which was a couple of years ago, but I feel that this quote here is very relevant to the world that we’re in today. A perfect example would be this article and the other stories around it that showed up just yesterday about North Korea targeting the US power grid based on a blog post that FireEye put out the day before in which they talked about how North Korean linked actors are bold. We’ve see what they’ve done before. We’re going to see some of that in this presentation. Really, the key goal is to demonstrate national strength and results.
I was quoted in this article as talking about not being fooled by some of the quotes that we’re seeing from the operator that say, “Don’t worry about this. No controlled networks are breached.” We’ve just heard from Mike that one of the attack vectors is to compromise control engineer’s machines, install malware on them and steal their credentials, and then use those credentials to either go through the IT/OT firewall which is what the folks who did the first Ukrainian grid attack did, exactly what they did. They used BlackEnergy to grab credentials, and then use SSH to go through that firewall, or to steal their VPN credentials which is even a much better way because those VPN credentials will give them direct access to the OT network bypassing any perimeter security that might be there and looking just like anybody else, like a maintenance vendor perhaps, who already has that access to your OT network.
That’s North Korea. One of the themes that will show up in this presentation and this idea of asymmetric warfare, North Korea definitely falls in the category of using cyber as an asymmetric weapon. They have far fewer resources than the other adversary we’re going to be talking about today, Russia, and certainly far fewer than the United States. For them, cyber is a great way for them to make their voices heard in the world and show that they are a power in the world.
This is a book that just came out from Richard Clarke. Richard Clarke, you probably know him, was in several administrations, both Republican and Democratic administrations as a national security advisor, a cyber advisor, and a counter terrorism advisor. I’m going to talk about a presentation that Richard made at the S417 conference earlier this year that was about this concept of Cassandra’s. Cassandra was a Greek mythological figure who sort of predicted that bad things were going to happen, and nobody listened to her. He gives several examples of when this has happened in the past.
I don’t want you to think that any of the things I’m talking about today are fud. I see them as taking a threat modeling approach, looking at historical events and connecting the dots together in a reasonable way that would say, “If we’ve seen these things happen in the past, if we know we have these vulnerabilities, what might an adversary do to get into our control system networks?” That’s really what was the point of this book by Richard.
If I look at Through the Looking Glass: 2016, what are the things we saw? In February 2016, we saw the SWIFT system being hacked. This had never happened before. Richard Clarke tells a story of when he was in the first Bush administration and they were looking at war against Iraq, and they considered hacking Saddam Hussein’s banks. The advisors and the administration said, “No, we can’t do that. That would destroy the trust in our global financial system.” We saw that happen last year.
Second thing, ransomware hitting hospitals. Hospitals are protected by the Geneva Convention. You’re not supposed to attack them. I know that in certain parts of the world that is ignored. We saw for the first time ransomware attacking cyber hospitals and shutting down services for patients.
Then, as Mike mentioned, in August 2016, NSA’s top-secret hacking tools were posted. This strange group called the Shadow Brokers that speaks in a strange language started talking about it and offering those tools, definitely a Through the Looking Glass kind of thing. In fall of last year, we saw an OT botnet bring down the Internet, and then we saw the second Ukraine grid attack in December 2016. These are all to me definite indications that the world is changing fast.
At CyberX we have our own threat intelligence research team and we’ve also seen some of these things. In December 2016, the first ransomware patch that was publicly talked about for a Michigan utility was written about in this Wall Street Journal. At the ICS Cyber Security Conference in Atlanta last year, we announced that we had found 0-day vulnerabilities in an industrial firewall. The idea that the firewall upon which you rely to separate your IT and OT network or to separate segments in your OT network would itself have vulnerabilities that would give RCE privileges to an attacker is pretty scary.
It turns out anyways that there’re so many unpatched publicly available vulnerabilities, CVEs, that attackers don’t necessarily need to use 0-days, but that was pretty scary. In February of this year, we announced that we had discovered a cyber espionage operation. We called it operation bug drop, and it was using Dropbox as an exfiltration mechanism. Very clever because most organizations don’t block access to Dropbox. It was also using PC microphones to bug conversations, and so that’s why we called it bug drop. It wasn’t directly going after control system networks, but it was going after firms that designed them which is often the first step in terms of cyber reconnaissance.
Then, going way back to May 2015, we see the SMB protocol being used. Once again, it’s going to show up a few times. In this case, we analyzed Black Energy. We reversed engineered it in our threat intelligence group and found that it had been evolved to support data exfiltration over SMB, over named pipes.
Then, in December of 2016, before we saw anything with NotPetya or WannaCry, which weren’t really ransomware – they were masquerading as ransomware. We reversed engineered KillDisk the malware that was used in the first Ukrainian grid attack and found that it had evolved to include ransomware. We conjectured that ransomware will one day hit control networks as well.
Then, Mike talked about the effects of WannaCry and NotPetya, so I just want to repeat them here. Material impact on financial results. Really, the first time that the boards and the management teams of our manufacturing companies. For years, I think they were able to say, “We’re not going to be attacked by a nation state. We know about the Ukrainian grid attack, but we’re not going to be attacked like that.” I think this was a wake-up call as well.
Then, in June of this year, we saw these articles about the Palmetto fusion attacks on the Wolf Creek facility and others attributed to Energetic Bear, the Russian group that we’ve seen in the past going after energy companies. In July, we saw this blog post from Cisco’s Talos group which was very interesting. They talked about attackers going after the energy sector and industrial automation vendors which be another example of going after the supply chain that Mike mentioned before with the goal of obtaining privileged credentials to get into OT networks and obviously bypassing any air gaps that might exist. You see it on the right, the document they were using. It’s a resume from an engineer talking about their experience in control systems.
Instead of relying on macros which the old way of doing things, these guys used something ingenious where the file attempted to connect with an external SMB server to retrieve a template. If outbound SMB traffic is enabled in your network this would’ve worked. They went out to this server, downloaded malware, and then that file was used to harvest their credentials.
Then, in September, last month, we saw Dragonfly which Mike just talked about in terms of how it worked. This quote from Symantec was kind of interesting which basically said, “Yeah, we’ve seen them intruding before. We’ve seen them be one step away, but now the only thing left in the way is whether they’re really willing to do it.”
Let’s talk about cyber war and what does it mean to say cyber war. Now I’m going to specifically look at destructive attacks and a history of them, and I’m going to rely on this timeline that I adapted from Shawn McBride of Mandieth. Very excellent blog post that he did earlier this year in which he tracked the history of only three types of attacks: DDoS attacks, wiper attacks and attacks that cause physical destruction. He started way back when with the DDoS attacks against Estonia believed to be associated with Russian groups. The next year, similar thing in Georgia. In 2009, we saw STUXNET, and we also saw Dozer which was an attack from now we’re talking about the Koreans.
Skipping ahead to 2011, Koredos. We’re going to see a bunch of attacks from North Koreans mainly on South Korea, but at least one of these was directed towards US targets like the White House. Way back when in 2009, Dozer was one of those. 2012, he saw Iran getting into the picture with attacks on the oil companies called Shamoon as well as attacks on US banks called Ababil. 2013, we saw the Koreans going after South Korean targets again. 2014, we saw North Koreans going after Sony. We also saw interesting attacks by Iran on a US entertainment hospitality industry target that they were upset with.
We also saw the first of the first Ukrainian attacks by a group called CyberBerkut which is a Russian affiliated group. It did some really interesting things may sound familiar to you. For example, they hacked into the election systems of the election that was going on at the time. People wanted to elect politicians were independent of Russia. They hacked into those systems and tried to change the results and actually got Russian television to broadcast results showing that ultra-nationalist right-wing guys had won and that would’ve justified an incursion into the Ukraine. Luckily, the local election commission figured it out quickly enough, about an hour before, and made sure those results didn’t appear on Ukrainian TV.
The other things these guys did was hack physical billboards to basically impugn local officials that were running for election. That’s it for the CyberBerkut guys.
Going on to 2015, we saw the Russians destroy equipment of TV5 which is one the television companies in France. First, it was attributed to Islamic terrorist group, but it turned out to be the Russians after all. Not sure exactly why they wanted to destroy the TV equipment, but in any case, that was one of them. Then, we saw the first Ukrainian grid attack at the end of 2015, and also a wiper attack on Ukrainian banks and other institutions performed by Russia.
2016, we had a trifecta of Russian attacks. DDoS attacks on Russian banks and financial institutions, wiper attacks, same thing, and then the second Ukrainian grid attack that we’ll talk about in a few minutes which was the Industroyer/CrashOverride malware that Mike talked about.
I’ve added a couple things in 2017 that weren’t in the original blog post by Shawn McBride because they happened after he posted it. Shamoon 2.0 was again against the energy companies from Iran, but WannaCry and NotPetya added to those. WannaCry being attributed to Korea and the Lazarus group, NotPetya being attributed to Russia. Then, one of them that we just heard about last week, so it’s the second time we’ve seen a public attack by the US in which an article in the Washington Post talked about US cyber command DDoSing North Korean servers. That connected to another story we then heard about which was North Korea getting a second ISP connection, their first being to China. They had to get another one to go to Russia, probably related to this DDoS account, so kind of interesting. Second time we’ve seen public examples of the US going after another nation state.
Let’s talk about Unit 586 and historically what we’ve seen them doing in North Korea. They’ve been around for a while. In the 50’s they were known for all kinds of bad stuff, bombings, assassination attempts, running a heroin trade, counterfeiting US dollars. 2009 as I talked about, they went after the White House, the Pentagon. 2011, they went after some South Korean sites, went after Sony in 2014, SWIFT hacked in 2016. They really wanted to get a lot more, luckily somebody noticed what was going on and stopped it at 81 million, still not a bad take, and then WannaCry in 2017.
There’s a history of these guys doing things. I’m only going to talk about North Korea and Russia in this presentation. I’m going to leave out Iran and China. What we’ve seen is this blurred line between nation states and cyber criminals. In the case of North Korea, it’s the same group doing both. We’ve seen in the IT security world how quickly sophisticated tools move from nation states to cyber criminals, so there’s no reason why we shouldn’t start seeing the same thing with respect to OT security. Some of the more advanced tools like Industroyer/CrashOverride, that we saw the Russians using in Ukraine, we’re going to start seeing some of those I predict show up in non-nation state attacks against critical infrastructure and the industrial organizations.
This is an example of a quote from this summer from the DHS saying, “WannaCry and NotPetya weren’t really targeted malware. They just spread.” We’re going to start seeing targeted malware, and specifically ransomware, if you think about millions of dollars an hour that you would lose if your manufacturing facility was shut down or your pharmaceutical facility was shut down. It’s easy to imagine cyber criminals starting to use some of these techniques to do ransomware against those organizations.
Let’s move to the second nation state we’re going to about here which is the Russians. This is a quote from somebody in President Putin’s cabinet, not he himself, but he was talking about how Russia has shown the world that they have a lot of power in this domain and they call themselves cyber elephants.
If you go back to 2013, this article written by General Gerasimov who as at the time Chief of General Staff, now he’s part of Putin’s cabinet, in which he again brought up this concept of asymmetrical warfare and of hybrid warfare. Hybrid warfare being blending both physical and information warfare and certainly Facebook ads and Google ads are part of information warfare. This is something that we’ve seen articulated by somebody in the Russia government from a long time ago.
We know from this advisory that the ICS-CERT published in 2014 in which they talked about sophisticated malware compromising industrial control systems from overseas and they were talking about BlackEnergy specifically. This is not surprising. It’s not like the first time we’re talking about these things. Way back in 2014, in fact, in the ICS-CERT advisory they said these attacks have been going on since 2011.
Let’s talk about the second grid attack in the Ukraine, the one at the end of 2016. This is from a presentation that Mike did for SANS with CyberX a few months ago in which he compared the two attacks. If you look, for example, in 2015 the reconnaissance was performed manually using BlackEnergy, shut down of the relays was performed manually by people basically doing RDP-type connection to SCADA workstations, taking them over, locking out the local administrator, and then you could see the video of them in shock as relays were being shut down by somebody over remote control. Then, the destroyed the SCADA drives using KillDisk. They disabled battery backup and just as a last measure destroyed all the serial-to-Ethernet devices. They bricked them. That was a human driven attack. They went after 50 substations and very significant as Mike pointed out in his original presentation because of it being the first public cyber-attack on civilian infrastructure.
If you look at December 2016, the reconnaissance was automated, and I’m sure there were lots of manual reconnaissance ahead of time. There’s no doubt about that. The malware was smart enough to go out and use OPC and other mechanisms to query the environment and map the environment and find out what was in the environment and how it was configured. The shutdown of the relays was performed automatically as well by a native ICS command, so there was embedded knowledge in that malware of how to manipulate ICS devices. For good measure, they DDoS’ed some Siemens relays, and then destroyed a bunch of configuration files for ABB equipment.
In comparison, this was modular, extensible, automated and autonomous malware. Very cleverly, they went after single transmissions stations, so it’s more at the source of the power grid in the Ukraine and were able to impact 20% of the population with this attack. Again, you might be thinking to yourself, “I’m not a nation state or I’m not a nation state target.” Again, I think it’s reasonable to expect this type of sophisticated malware to move from purely nation state control to other groups that might be after what you have in your environment.
Then, going back to the defense in depth for the layered defense approach that Mike talked about with respect to active cyber defense. Perimeter security is no longer sufficient, and we learned this a long time ago in IT security. Ten years ago, people were saying: “I have firewall, what else I need?” We realized that you need layered defenses, and one of those aspects of layered defense is continuous monitoring which now has evolved to anomaly detection using behavioral analytics.
If you had ICS monitoring in your environment, you would’ve seen a lot of anomalies in the Industroyer case. You would’ve seen the malware scanning the network to do cyber reconnaissance. You would’ve seen the malware reading and writing to a bunch of targets using different protocols in a way that normal workstations would not be. You would’ve seen an unusual number of error messages. One of the things the malware did was probe devices, and if it got error messages it moved on, so you would’ve seen an unusual number of error messages being issued by these devices. The weirdest thing of all, they were exfiltrating the information through a local proxy going through a TOR server, so that obviously would’ve shown up as something suspicious if you were monitoring for that.
A quote from a really awesome article that Andy Greenberg wrote which is about Russia in general and what they’re trying to do in the Ukraine and his quote is an example of what he was talking about. Several commentators have said we need to speak out against these types of activities because they are unacceptable on the global stage. If we don’t, we’re just giving them permission to keep doing it.
Great quote here from John Hulquist of The FireEye which is pinned to his Twitter account. Again, it has to do with threat modeling and looking at history. If you look at these sequences of events, it’s not hard to image Sandworm Team and others going after our own infrastructure.
I think the key question as defenders would be if your OT network were breached how would you know? Not would you know, but even how would you know. Some stats here from a survey that Ponemon Institute did showing that these things are happening. If you talk to the people that run OT security, they believe, three out of five believe that there’s more risk in OT than IT.
Obviously, IT security isn’t the same as it OT security. There’re different protocols including proprietary protocols. If you want to do detect and inspection on these protocols, you need to be able to look inside and understand what’s going on with them. Your traditional IT tools typically aren’t able to do that.
Behavioral analytics, as I said before, has become part of the tool chest for IT security, but you can’t use the same types of analytics in an OT environment. The behaviors are different. In one case it’s humans clicking on links. It’s applications starting up on Windows machines. In the other case, it’s machines talking to machines, so it’s a different analytical model.
In the IT security world, you can do all the vulnerability scanning you want whether it’s for compliance or for real security. In the OT world, you can’t, in general, without being very careful for that scanning creates down time. We saw with NotPetya that everyone’s saying, “The answer is just patch.” It’s not that easy if you’re an OT security person. You can’t just go in and patch. It creates down time, and a lot of these older Windows boxes many of which are Windows 2000 and Windows XP, have SCADA software written on them that would require rewrites or at least a lot of testing if you were to upgrade those Windows boxes to newer versions of Windows. It’s interesting that in the case of NotPetya, Microsoft thought it was so serious that they sent out a patch even for those older boxes.
Quickly talking about who we are. We were founded in 2013 by military cyber experts, headquartered in Boston. We provide threat monitoring, asset discovery, threat intelligence, risk analytics. It’s a passive monitoring approach so it works with all your protocols and devices. It doesn’t matter whose vendor it’s from. It integrates with tools you already have, and we have this attack vector simulation technology I’m going to show you in a second.
Obviously, we’ve been recognized by a number of experts. Here are some examples here. What does active cyber defense say? It says know your assets, segment your network, continuously monitor, leverage threat intelligence, plan your instrument’s response which includes forensics, one of the things that we provide in our platform which is the ability to go back in time and do threat hunting in the past as well as threat hunting for future possible attacks, and continually assess for vulnerabilities.
The example I’m going to give you here is attack vector prediction. This is technology we announced a few months ago. We’re the only ones that have it. We look at your environment and using network traffic analysis take a look at all the vulnerabilities we’ve found both at the network layer and the end point layer. You say to the system, “You know what? I can’t fix everything. I can’t patch everything. I don’t have the time. I don’t have the resources, but this PLC here is the one controlling my most important production line or steel blast furnace, whatever it is. Tell me all of the possible attack paths to this PLC.”
We then analyze all the vulnerabilities found both in Windows machines and in the PLCs and other devices and come up with a risk prioritized list of various paths. In this case, we found that an attack could start with an interconnection in a subnet connected to control center number one, exploit a known Windows vulnerability, not a 0-day here, to get to control center number three, another one to get to the infrastructure, server, and then it turns out there is known CVE in that PLC. They would exploit that to take control of that machine.
What this does is it shows you a picture of an attack chain. It allows you to explain to business people and OT people what that looks like in a way that they can understand, and then you can try what-if scenarios. You can say, what if I segment or block this connection or patch this device, will that kill this attack path? It’s a way to prioritize your resources and proactively address vulnerabilities before they’re exploited which is one of the key concepts of active cyber defense.
For information, check out our knowledge base where you can download two chapters from ICS Hacking Exposed, which are great intro chapters for your security management that might not know so much about OT security. Come visit us at bunch of conferences and especially I want to point out this talk we’re doing at Black Hat Europe called Not Your Father’s AM Radio: Exfiltrating Reconnaissance Data from Air-gapped ICS/SCADA network, a very interesting attack approach. We’ll also explain how to protect against it, and then come see us at S4x18 in January and ICS Cyber Security in Atlanta.
I want to thank you for your time today. We ran out of time for questions, but I will be looking at all of the questions and feel free to reach out to me directly if you have any other questions.