Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017

SANS Institute · Advanced · Management & AI-Era Leadership · 9y ago

Key Takeaways

The talk examines the unknown industrial control system (ICS) threat landscape: why hyped-up threat numbers get in the way of understanding ICS security, how ICS security differs from IT security, and why public reporting of ICS threat cases needs better research and validation. Working only from public data, chiefly VirusTotal submissions, the speakers (Rob and Ben) show that commodity PE infectors such as Sality and Virut dominate the infected ICS software they found, discuss the challenges of detecting and remediating ICS malware without damaging the ICS, and walk through the VirusTotal submission timelines of Havex and BlackEnergy/KillDisk as well as a handful of ICS-themed malware cases. ICS-CERT metrics and vendor reports (F-Secure, Symantec, Trend Micro) are referenced throughout.

Full Transcript

[Applause] We end up on one of two extremes: either the grid is never going down and we have, like, 200 incidents a year, or there are 500,000 attacks on a daily basis. Very, very extreme numbers. I wanted to help return some of the baseline discussion. I know a lot of students I have in ICS515, and a lot of conversations I have, look for data points to be able to say that security is important to what we do in the ICS industry, but I've always made the point that hyping up the threats only leads us to a place where we're focusing on hyped-up threats, not the actual security challenges that we have. So that was really the point of this.

I wouldn't get through a talk if I didn't have at least one Little Bobby comic on the slide. This one actually happened to Tim Conway and me. We were at a conference together recently, and a man I very much respect, a national-level leader, got on stage and was talking about how we really need to take security seriously in the industrial community, especially in the power grid: "If only we had some sort of, like, regulations for the power grid." Tim and I are starting to look at each other like, well, we've got the whole NERC CIP thing. And he's like, "Oh, all right, well, we really need, like, a national-level exercise to train for when, you know, things happen." Oh my god, GridEx, we've got that covered. He said, "Well, we need a review of what we actually have today." Only, we do this every year. So a very well-intentioned individual, but maybe not aware of what we have today. So that's where we came up with some of the hypotheses for this research as well.

I listed them there on the slide. One of the first hypotheses that we had is that there are a lot of infected sort of environments; there are a lot of cases where we have non-targeted, nothing to be concerned about in terms of taking down the power grid, nothing to hype up, but still things that matter, especially for just simple reliability of the network and the systems that we rely on, and there are a lot more of those than maybe we understand today. Number two, that the public reports that do go out, when we actually see vendors release threat intel reports or some discussion of what those threats are, that those are actually contributing in some manner; some people are actually looking at security because of those. Number three, we wanted to note that although we don't typically hear a lot about ICS-themed malware, it's much more popular than people realize. Not necessarily common, but not uncommon. It is, in my experience working from government to private sector now, that when I had classified, you know, clearances and all sorts of stuff in the government, it was easier to violate those than some of the NDAs that you put in place for incident response in an industrial environment. So it's, like, scarier with more repercussions, at least it seems so these days, and the point of that is most people don't talk about things that actually go on in our community. So we're going to have a little bit of discussion of this. And then lastly, there are some maybe untrained IT security teams that need to have a better appreciation of the files and data in our environments that are important, so we don't see a lot of our sensitive files going up to public databases.

So to do all of this research we relied solely on public data. We don't want to reach into customer networks or anything that we'd have to come up and talk about incidents with, particularly customers specifically. Just public datasets: what has been on the surface and just gone on unexplored, what have IT security teams missed for years because it wasn't interesting enough, or maybe they didn't understand ICS software, what's there in plain sight. So I sort of note that point. What I typically, excuse me, what I typically find is security teams that look to IT security metrics or IT threats and try to wholesale copy-paste that into the ICS, and while that'll get us somewhere in the discussion, we have different things that happen in our environment.

I constantly see things like the ICS-CERT metrics, which are really good, and a lot of good focus goes on there, but they tell a different story than I think most people realize. So I pulled these from the 2015 Year in Review; the 2014 Year in Review is the exact same. And the construct: the number one attack vector, or infection vector, is "unknown." What? That's not great. The number two is spearphishing, which would make a lot of sense if we had email servers in SCADA environments, but we don't. What the metrics typically actually say, and you can kind of see it in the second graph, is when we see infections or threats in our environment it's because they came through IT, but if they're already in the environment we don't necessarily know how they got there, and that's something that we're all as a community trying to work on. But that's because there are things not only like USBs but also those vendor connections. When I see incidents in the community, one of the first places I always check is VPN connections; I commonly see those being leveraged by adversaries. So there are different priorities in what we're doing.

We have databases, RISI and others, that have tried over the years to look at the ICS threat landscape, but there are a couple of problems. Again, either people don't actively keep these things up and keep contributing to them (there's a good effort that starts and then it sort of fades off a bit), or we don't really validate some of the cases that we have. I don't know for how many years now Mike, Tim and I have been ringing the bell that the BTC pipeline in Turkey did not explode because of a cyber attack by Russia, yet you'll see that in news articles and every conference agenda going around. It's like, "You should come to our conference because pipelines can explode," and, like, we know, but that didn't happen due to cyber. It's an important thought to actually have a baseline of knowledge. Do remember we might have a lot of different threats hiding behind that pixelated view; the only difference is we don't seriously think that the squirrels are the biggest threat to the grid.

All right, so the idea of what we tried to do is have this MIMICS project, and so Ben's going to walk you through a lot of this research. A significant portion of it was actually done by Ben; anybody that knows him will know that he's very much a go-getter and knocking down some really cool research. MIMICS stands for Malware in Modern ICS. Again, the only data source we had was VirusTotal and public databases. We specifically wanted to find what was in plain sight, what was available to the community over years but maybe hasn't been taken advantage of, to have this discussion, again, of almost like census data: what can we set as baseline metrics to have a conversation around what we're seeing in the community? And hopefully at the end of this talk you'll be able to have a more reasoned discussion around malware in the industry. Remember, the malware is not always the threat; the human is the threat. But you'll be able to have a better discussion around malware in the industry than relying on hyped-up numbers to make a point around security. That's really the point.

So with that, I couldn't get through a presentation without referencing the ICS Cyber Kill Chain at least once. What I want to note here is all the malware and all the things we're talking about are at Stage 1 components. We're not doing, we didn't find, we're not looking at anything that's causing, you know, systems to fail, disruption in terms of destruction levels of attack that can actually take down infrastructure. And I want to stress that because any time you come out and talk about malware or threats in the community, in the journalism community it can very quickly spin out of control. So we're going to make the point now, to everybody watching this on YouTube in the future and all sorts of good stuff: we're not talking about headlines that should read "OMG, cyber attacks, power grid goes down." It's just to have a reasoned discussion: non-targeted, first-stage, intrusion-type activity that's important to document and understand.

From a words-that-matter perspective, what we want to note as well is we typically just say "malware," so there are differences in our environments and why that matters. We won't spend too much time on this slide, but you'll see us use these words: the difference between a downloader and a dropper, the file that's actually gone onto the system versus that file that then reaches out to the internet or some other location and has a second stage that it pulls down and does further acts in the environment; or a virus that might spread, which in our environment may be completely non-targeted, but as we know from years of case studies of things like Conficker, it can still take down operations or still cause disruption on the networks unintentionally; versus a Trojan, which is more of your backdoor capability, the ability to load additional malware or potentially be able to have remote access. The virus, the self-propagating aspect, we saw a lot of this in our research, as you would expect, because it is more spreading. What I want to note as well, before Ben gets into the metrics, is why we might say, you know, 15,000 examples of a virus. That doesn't necessarily mean it's more impactful than the samples, the Trojans, that we found, because by their very nature you wouldn't expect them to spread as commonly, but those Trojans generally give some level of access to an adversary if they want it. I've worked incident response cases before where we'd look at ZeroAccess botnets and people were like, "Oh, that's just crimeware," and then very quickly found out, no, more sophisticated adversaries were taking advantage of this. You know, we look back at Havex and BlackEnergy; BlackEnergy 2 is based off crimeware. A lot of folks love to get in the habit of saying, "Oh, it's crimeware, oh, it's this-ware, it's that-ware." No, it's just a capability, and the right adversary can take advantage of it to their means.

So when we look at viruses in general, a lot of stuff that we want to talk about around viruses, this is a precursor. Generally you'll have completely legitimate software (this is just a recap for everybody), completely legitimate software, and at some sort of PE entry point, or some sort of point in the portable executable file, the PE, you will have the insertion of malicious code. Right? What's the problem there? You're not easily ripping it out. So if you just go deploy antivirus, as an example, across your ICS, and then a virus actually spreads all across your ICS, what's going to happen? Well, if it's something like Sality or Virut, you're going to delete all your ICS files, and we've seen that time and time again. So it's very important to understand the type of capability you're dealing with, even just from a classification perspective, in terms of how you're going to remediate or clean that up without damaging the ICS. In the same way, when you have the Trojan, a lot of people will make the mistake of saying, "I found the Trojan, I cleaned it up, I'm good to go," and completely forget the fact that there's usually a downloader and a second stage and other activity that follows. This happened in, I think I can't get through a talk without mentioning Ukraine now as well, this happened in Ukraine as well, where there were oblenergos that were impacted, or were sort of infected with BlackEnergy 2, and found BlackEnergy 2, and found the command and control address, and ran the indicators of compromise and cleaned it up, and completely missed that the adversaries were still active in their environment, because once they got access to the environment they then moved to more of, like Mike says, living off the land and leveraging VPNs and things in the environment. So just because you find the malware, especially as a Trojan, we might not actually have cleaned up the human threat that you're facing.

All right, so with that I'll get over to more of the sexy data components and let Ben do his song and dance about some of the interesting finds we've had and really some of the impact around it.

Well, not dance. Okay, well, no dancing then. We have a couple of broad categories of data. The first one is just the at-scale: what does the data look like, in particular for PE infectors? This is generally what we see. So we queried VirusTotal, which, to back up on what VirusTotal is for those who may not be familiar with it: it's a website, it's owned by Google, and it's open to anyone. You don't need a user account. It's open to the public to upload files, and then it scans that file that you upload and checks against, I think it's some 60 antivirus engines, and reports back what it found. So if you had one hit or sixty hits, they'll report that out. It's a repository as well, though, really handy for researchers or others to search and see what the infections are, when they were first seen, last seen, etc., etc. So we used VirusTotal and pulled down approximately 90 to 120 days' worth of data, looking at ICS-specific files, ICS vendors, paths, registry keys, that sort of thing. And what we see when you graph it out, I'll skip to the next slide, so if you include zero detections, this is the graph. So the vast majority is a clean file, a legitimate file that's not compromised, while the rest, all along the x-axis there, a low hit rate, meaning ten AV engines flagged it, and then the high hit rate, where 50 are flagging that particular file. When you take out zero detections you have a graph that looks more like this. Generally speaking, the high threshold there at the 50 count, those are, from our observations, generally PE infectors, so the viruses that Rob was talking about, where it is embedding itself in the executable and then spreading through the environment. Those tend to have the high detection rates.

Okay, if I can add, one of the reasons that tends to be, especially with antivirus, is a lot of your antivirus systems these days are looking more for heuristics, patterns that are obviously malicious regardless of signatures, so a virus is going to exhibit a lot more patterns for malicious behavior by the spreading than you would necessarily with Trojans. So they typically have, at least in the data that we saw with ICS-related software, a higher infection, or higher AV count, rate. But we also found, of course, and we'll get to it later, all the AV systems that looked at ICS software that was infected and didn't alert on it, because ICS software is kind of weird anyway, and so we had a lot of stuff sort of flying below the radar. So I don't think this is the total data, but as we're talking about sort of the baseline expectations of what you might find in a dataset, and again this was only 90 to 120 days based on when I was doing the collection, so it's a small sample size.

Yeah, it gives a good understanding of the volume of PE infectors that are out there that are directly tied to ICS files. So we're not talking about tens, we're not talking about hundreds; we're in the thousands over approximately a 100-day period, which I found interesting. We never really had a number to put to that. Maybe it was a really bad couple of months, so I think, yeah, go ahead. So if we then take that chart and spread it out by vendor, I don't have the vendor names listed here, but I was curious just to see what the differences are based on the actual ICS vendor, what it looked like as far as infection rates and if there would be any differences in there. As you can see, some notable differences as well as counts. The middle top chart is in the thousands, I think around 1,200, whereas the one right below it is at 3 as the high bar.

And one of the reasons we decided not to put the vendor names in there is we don't want that to become the story, like Siemens is worse than Emerson is worse than ABB, and that's not really true. It's what adversaries are targeting, the environments; the vendors will have control over that. So we abstracted the vendor name specifically because it doesn't really matter for the dataset. It's just a note that you can definitely tell a difference in what interests adversaries, and as you would expect, the vendor names that are not your top 10, they have a lot less interest from adversaries because it's not something they're going to quickly find on Google and go, "Oh, I want to target a Siemens environment." When you start talking about some lesser-known vendors, it's harder for adversaries typically to research those and start targeting those environments. It's also a bias towards the end users: the volume of users, and the volume of users that are actively using VirusTotal, directly correlates to a lot of these charts as well.

So when AV detects something, usually it has a weird acronym, W32/Trojan.Sality.whatever. So I chopped up all of those words and graphed them based on detection count, and what's notable, do I have a laser? Yeah. So it does matter what the big arrow is. The big arrow is pointing towards Stuxnet. So Stuxnet is in the dataset, which is interesting. This isn't from a couple of years ago; this is from the last hundred or so days. So that is regularly being scanned and uploaded by either end users or possibly researchers, but that is in the minority compared to the rest of the data. So when you do all the counts, Sality, Virut, Ramnit are all in the top list. Also, that's why we were talking about PE infectors before: the vast majority of everything we're seeing was exactly that, the low-hanging, USB-enabled PE infectors spreading through the environment.

Yep, and I would just add, it's always funny to me when folks are like, "Oh my gosh, we've got to defend against Stuxnet, we've got to defend against the NSA, [inaudible]." It's like, you haven't patched a system in five years. "Yeah, yeah, we'll get to that, we've got to focus on this, the threat." So, yeah, well, you've got other issues, guys.

Yeah, yeah. Virut isn't sexy, but it is a pain to clean up, and it is more than likely what you would see in the course of your work day. So if you were to graph the tables, these are the counts based on the labels that we did. The black check mark is an X and the little white one is a check. So as far as capabilities and timelines, what you're seeing here is the vast majority of all of the, I think this is the top 12, somewhere around that, the top list are all virus-like PE infectors and include storage hopping, and some of the more successful ones, like Virut, also have a Trojan-like capability. So Virut itself, I think I have a slide on that, there we go, it uses IRC for command and control and it can download additional payloads. That doesn't mean it needs IRC to spread. So if you're blocking IRC, like you should, egress-wise, it will still spread in your environment through the PE infector, and it can be, speaking from experience, quite difficult to clean up as well because it will infect processes as they run. So you're in a constant kind of battle, or fending off the virus as it hops around you, especially if you're executing from network shares; then everyone who's executing from that network share is basically compromised very rapidly.

And instead of over-focusing on things like "we have IOCs to look for a common piece of malware," you could much more appropriately use a behavior to say, "We don't have IRC in our environment, so if we start seeing IRC communication, maybe we're infected with these common pieces of malware that we're seeing inside the ICS," and then take the appropriate action based off that.

And Sality is also a very well-known one. Everyone talks about Stuxnet; like we said, Virut and Sality are in the top list of viruses, yet there, how many, can I see a show of hands, how many people have heard of either Virut or Sality? I can't see you. I assume no hands. All right, ha ha, unknown audience landscape. Yeah. But Sality uses a botnet very much like Zeus and some of the other botnets that you're familiar with, and it's all based on peer-to-peer. It actually has a cool reputation score as well, so if a peer has a lower reputation it just stops talking to it and reroutes traffic to other peers that it's aware of. So, neat stuff. So the takeaway there: Virut and Sality you're much more likely to see in the wild; PE infectors are the vast majority of what we saw over the course of the 100 days of log collection.

And so what I would add to that for a base number is we ended up finding around 30,000 pieces of software that were legitimate ICS software being infected. As we tried to hone down the data as much as possible, with user submission IDs and the rest, we got to a number of about 3,000. So it looked like it was about 3,000 potentially unique sites that were getting infected in the last 120 or 180 days, and what that says to me is these types of infections are much more common in our environments than people like to admit. But again, it's not "the world is ending"; it's just, let's take a better approach to cleaning up our environments. Yeah, cyber hygiene. So if you, yeah, so you come up with 500,000 in a news article, eventually, that's wrong. You hear 200, that's wrong. We're at the minimum around a couple thousand.

Yeah. So that was the first category, as far as looking at a high level at what the dataset says. Now we'll look at some things we already know and whether VirusTotal has a unique perspective on that.

So to that point, one of the things that, again, I'd like to note is when we see vendors put out intel reports, it helps both the adversaries and the defenders, and it's usually a race to take advantage of it. Your adversary, I promise you, has a VirusTotal Intelligence subscription and is pulling down samples as you submit. It's why we don't like people to submit actual samples from their environment, because then your adversary can see that you're compromised; if it's something targeted, they'll do other actions based on you tipping the hat that you found it. In the same way, we tried to have some discussion around the reporting: do ICS-CERT reports, do, you know, reports coming out from Symantec about Dragonfly, do these things actually encourage people to look into their environments? And so that's what Ben's going to talk about next.

So there are many eye charts, but this one's mine. We looked, I looked at the four hashes, the four binaries that were published over the course of approximately a month on Havex, specifically the OPC-enabled Havex, and each of those timelines is the timeline of each of those binaries. The very first upload was actually from the United States on April 17th, which is all prior to anything being released; I thought that was interesting. But the actual release itself was first done by F-Secure. They posted a blog entry June 23rd, and on that same day they uploaded their binary to VirusTotal. What's interesting from that aspect, the light blue big dots are other uploads, so you see approximately four days later you see additional uploads to VirusTotal; on the two middle binaries, both of those were uploaded in the June, early July time frame from Ukraine. And then you continue down and you see a pattern of Ukraine and Korea also uploading the samples in a very regimented fashion, so each day they would upload all three samples, and then it progresses. What's interesting is, if you then kind of jump into the future, December, one of the binaries was uploaded by Russia, and one of the binaries I found that wasn't covered in any blog post was uploaded from a site in Israel in January of, I think 2016 is what that is. So nothing that we don't really know; I found it interesting viewing the Havex campaign through the eyes of VirusTotal to see what story that tells.

And I would add a couple of the takeaways that it was for me. Number one, we generally see vendors pick up things from the ICS community after the submissions to VirusTotal, and so this is the same with, like, all the Ukraine stuff coming out and everybody's reporting on things that are going on: you can usually track back the samples that they're finding to submissions to VirusTotal months before the reporting. So asset owners and operators and security teams that do submit things at times are kicking off that discussion in the community anyway, which means it could have been going on for years before. But also, as the timelines progressed and we see more submissions, once the report comes out there's a misconception that that's it, we're done, we've got systems in place and, well, the Dragonfly campaign's over. But we continually see new and unique samples and modules that aren't being discussed, once the press and the headlines clear, that we can still see actively getting submitted to places like VirusTotal. In fact, yeah, I think from a Havex perspective, having a foothold in Ukraine and some of the activity there is, in hindsight, based on all the activity that's going on there, interesting. That wasn't a conclusion that was drawn out early on when Havex OPC-enabled was talked about a couple of years ago.

Also, moving on, BlackEnergy. I took the binaries, specifically the hashes that Kyle talked about in his Trend Micro report from, I think it's 2016, yeah, in February, and looked to see what was there. What I found really interesting, and why I include this slide, was the night of December 23rd, when Ukraine experienced a power outage, was the first time we saw an upload of the KillDisk hash from Ukraine, which is really... So I believe the power outage began in the afternoon of the 23rd; this, adjusting to local time, Kiev time, is approximately midnight of that same day, well, the day after technically, and what you're seeing there is the response activity, presumably from folks on site who found KillDisk, uploaded it to VirusTotal, and you see the artifact there of the actual response activities.

And this is also what I'm talking about, where the adversary can see this as well. As you can imagine, if you're whoever did the blackout (because nobody likes to say Russia), but if you're, you know, whoever did the outage and you're looking for your victim and you're looking at their submissions and you see that they're starting to throw KillDisk or BlackEnergy up on VirusTotal, that's exactly what it would look like, where you go, "Okay, they found my capability, maybe I need to roll a new capability or leverage a different tactic to persist."

Indeed. The file path in that last example there translates to "Dmitry," so apparently Dmitry had a sample and he uploaded it, which is interesting timeline-wise. So you see it was uploaded at midnight, and then they went to bed, and the next morning at 8 o'clock they started again, and they also, you see an API post, suggesting a tool or an automated script began doing stuff. So I'm guessing Dmitry was the senior guy who eventually started working on it after the initial guy who uploaded it the night before. That's my assessment. So, new thing, next category.

Yeah, so the hypothesis I wanted to highlight, excuse me, was a number of these themed pieces of malware and these themed intrusions. So one of the things I noted is we generally don't have a lot of discussion around ICS-themed or specifically targeted. The headlines always focus around Stuxnet, Havex, BlackEnergy 2, things like that, when in my assessment and my experience doing incident response cases it's far more the theming, because it works. If you target it towards industrial users, you can get in; it doesn't need to be some sophisticated capability to do that. I usually joke with folks that in my previous life I spent time on defense and intelligence, but I'd also done offense for a while for the US government, and never in my day did I think to myself, "Hmm, how do I make this really fancy so that when defenders find it they're impressed by it?" It never crossed my mind. It was, "How do I get on with my day? I've got things to do." So in the same way, if it just works, that's awesome; it doesn't need to be fancy. But what I wanted to highlight was there are only a couple of cases where we see themed things. So first of all, we've seen, like, IRONGATE, which the Mandiant team put out, which was researcher stuff. It was never in the wild, it couldn't have infected anybody, it was just proof-of-concept type stuff. But then we've seen some stuff recently like Operation Electric Powder from the ClearSky group, so ClearSky is a company in Israel that was looking at specific Israeli power stations that were being targeted, and specifically LinkedIn groups and Facebook groups targeting industrial operators to then theme and go after those environments. Things like ransomware, [inaudible], the Rockwell update, although that one I thought was very trivial: it was, like, a zip file that just said "Allen-Bradley" and everybody freaked out. My point here is there are not a lot of these cases, and so we wanted to return a couple of new cases to the community as well.

Yeah, so the first one I actually found on Google. So I was doing some research on a binary that I found, which led me to this report that was completely unrelated. I'm not familiar with anyone who knows of this particular analysis; I've asked around. But it was found on GFI's website. They had a random automated analysis report of a binary. The MD5 is there; however, I couldn't actually find the binary itself on VirusTotal or anywhere else. And what stood out to me is I used to get these newsletters, and it's from a Department of Energy Nuclear Materials Management and Safeguards System, which is what NMMSS stands for. "Safeguards" is a keyword that buzzed off in my head. So for those not in the nuclear sector, safeguards is generally all of the physical security around the nuclear fuel material that's used at nuclear power plants. So when you say "safeguards" in front of a nuclear person, he is thinking of a retired Marine with really big guns who is running from guard station to guard station in a very regimented and efficient process to secure all of the particular sites at the facility that they care about. So when I see something themed as safeguards and nuclear materials, that's what's going off in my head. And the dropper in this example used an NMMSS theme, so after I execute it, it then opens up the PDF in the screenshot here. And as far as I can tell, GFI found it. It's there; they don't have any sort of person talking about it, it's just an automated report that was generated. It's on their website, and presumably it's been there for six years, and nobody's perfect.

And that was one of the things we wanted to be able to find with the research in general: more of the cases that have been there, again, hiding in plain view, but have never been interesting enough for larger IT security companies to even talk about, where they might really be important to our community. If you're not getting a lot of submissions on VirusTotal about something, you're not going to get a Symantec or a Microsoft or someone else necessarily looking at that one, "Oh, wow, that's cool, let's take a look at it," if it's flying much more under the radar. Like this was, this happened in 2011, never been discussed before to our knowledge, specifically targeting folks in that sector, and that's why these things can be very important for us in the community.

Another example that I found on VirusTotal is a bit more interesting. So it is, as Rob explained from some of the opening slides, a downloader. So this is a very basic binary that goes out to the internet and tries to download malware, and then it executes it, and then typically the downloader either deletes itself or stays in the background running, but it's not itself having backdoor capability or spreading in the environment. Its sole job, generally speaking, is to download something, so it's called a downloader. And this particular downloader is themed under Siemens, so you have the file description of a Siemens automation project name, product name Siemens PLC. The first instance I found of this in the wild was from November of 2013, and I found a whole series of binaries, over ten, slightly different each time; however, both "Siemens" and "PLC" tend to end up in the metadata in some fashion, and it was last observed this month.

Yeah, so there's a story there that unfolds as well that Ben's going to go into, mostly around the submissions, where it's something that's been ongoing for the last four years. Again, I wouldn't jump to the conclusion of saying this is some new Dragonfly-like campaign. It's much more that there's an adversary theming specifically towards Siemens automation products that is infecting multiple sites around the world, and only the ones that are getting flagged by the AVs are then being seen in public datasets like VirusTotal. I would suspect, but it's an opinion, I would suspect it's much more rampant than what's being flagged by AV.

Yeah, we don't have, we see the submissions geographically fairly dispersed; it's not in one country or anything along those lines, but we do not know the source of it. So if I were to have a guess, it's probably a website that is themed, say, a PLC training forum or something along those lines, where this dropper is being used as a lure to then install additional payloads. Generally what we saw was, when it first downloads, it grabs a config file, in this case it's vip.html, that's encrypted. The binary decrypts that, and then that config file has the remaining URLs that it then downloads more payloads from. All of these samples that I tried were either 404, the site wasn't active, or I found one binary that actually wasn't themed as Siemens at all; it had no metadata attached to it, and I was able to get a packet capture of that, and it was commodity malware, Chinese Baidu-themed crimeware type stuff. One of the URLs in the binary was project1j.html. If you type that in Google there's only one result that has that in the URL, which is a Chinese-based ICS vendor that's been around for a number of years and I presume legitimate. I don't know what the correlation is between that URL and the one that we saw in the binary, if there is one, although it's certainly a coincidence that that very unique "1j" is in there.

And that's where you can start combining things together. If you did this sort of research on your own and you looked into your environments and you found something like, maybe one of your operators or folks or engineers told you, "Hey, I downloaded the Siemens software and executed it and it acted really strange," this is where you could then take this knowledge, go to places like your proxy logs or any sort of DNS resolutions and say, "Okay, am I starting to see two or three different things that line up to a pattern that then says there's something malicious in my environment?" instead of freaking out over a single occurrence.

Another example, Rob mentioned Allen-Bradley. An Allen-Bradley-themed, uh, malware, and I saw this in previous roles in that manual.exe was being used a lot, and most of the time it was not very interesting, like a bread oven or a GPS or an air brake system. However, occasionally it would have correlations with PLC-themed things. So I know there's been themes of radiological equipment that would be used during an outage at a nuke plant; there's Harmony, which is medical equipment; lights that were used; and I had another example for you, it was, um... But there seems to be, when you receive it by itself, "Allen-Bradley," you go, "Oh my goodness, it's themed Allen-Bradley." But if you are on a site that's mimicking thousands and hundreds of thousands of manuals, then you're going to get that collision occasionally, where if you look at the broad scheme of things it's just manuals, and there happens to be a subset of manuals that are themed around PLCs or industrial equipment. That doesn't mean it's targeting PLCs or industrial equipment; it means welcome to the internet, and it's going to be used in whatever means it can.

Another "welcome to the internet": mass mailers. So I found this, had an analysis, and was concerned initially: ABB, Emerson, and there's also [inaudible] under there. Oh my goodness, they're sending out our spearphishing. But really it's just alphabetical: A is near the top and then Emerson's down there. I cut some out, it was long, to show the correlation there. So could it be used at all for targeting? A mass mailer, which this was actually a fairly sophisticated mass mailer that had a lot of anti-forensics and a lot of encryption and generating legitimate traffic to kind of fall in the background of noise, so it was fairly sophisticated, it could be used for targeting, targeted campaigns, based on whoever's buying services for email addressing and whatnot. However, this particular example, and everything we looked at, was generally broad, themed phishing and spam that anyone would see in the course of doing business, including employees of ABB and employees of Emerson.

One of the reasons I want to highlight this one as well is, as your folks are doing security, or as you are doing security in the environment, it is definitely a more concerning thing when there's something that's ICS-themed or it seems to be targeted, but this is the kind of thing you need to be aware of, to also be able to slow that train down a little bit, to say, "Oh my gosh, I'm starting to see ABB stuff, I'm starting to see Emerson, maybe this is specific," and in fact you need to take a step back, analyze the bigger picture, and realize it's a potential risk. Yes, we see cyber
crime groups selling these types of accesses to more sophisticated groups but no we don't need to see the run to the media or college I Nansen response team in just because Emerson has showed up in a domain request when you're a seaman site in a lot of those are kind of form letters that are taking like the domain name so Capcom it will take cat and it will put it in the the email addresses and so saying you remember your account at cat is about to expire reading that it looks like it's targeting towards your company in reality it's just taking your domain name and cutting off the dot-com and putting it in there it's making it look like they know more than they do and I've seen lots of people kind of jump to conclusions based on that kind of data way also welcome to the internet people like to reverse things and crack things a lot of the binaries there I wouldn't say are entirely legitimate but I also found a key generators for for every semen product imaginable that's available in this tool that was uploaded by our sotell apparently wherever that person downloaded it wasn't sure if it was legitimate and uploaded by our store and so this is a real thing this is cost of doing business on the Internet and it just as Microsoft has problems with it so do industrial customers go I'll take the section alright so from a user behavior perspective of what we want you to do differently as well one of the things you want to be aware of is those poor OPSEC things one of our hypotheses was with the convergence of itno T with security teams trying to do better in these environments we thought that was probably going to be a lot of ICS software that was completely legitimate but getting flagged as malicious because heuristics compared to our software tends to have a clash in other words it was a heuristics based AV engine it's probably going to look at ICS software and get really freaked out as an example of like a delta V server you'll have like 43 child processes Spahn often 
executable in anywhere but ICS that's malicious in our way in our environments that's just custom development hi Emerson so it depends on your environments and understanding that our software looks a little different so let's take a look at it number one one of the things we found is over the last 90 days over 120 different project files we're getting uploaded there's a lot of them that were exercise or sort of play data if you will or test files and defaults but a lot of legitimate files as well so you're thinking of very sensitive data sets getting uploaded to the public databases because I got flagged as malicious when they're not a key takeaway there as well is if you're helping your adversary do exfiltration out of your environment and you're shortening their kill chain process from the data files we also saw some particular interesting things that were getting flagged that we're again completely legitimate discussions of incidence and nuclear environment substation mappings Newark sip findings in our C findings a lot of again very sensitive data that does not need to be in public datasets if you're an adversary and you wanted to understand how a system is laid out and understand how to attack it if you can just go download a system drawing and engineering drawing from a public database again that's going to help you out and based on the one NRC upload the the metadata that was attached that virustotal it appeared to be not the end user that uploaded it but there was a a vendor that was kind of in the middle that was hosting that file and it looked like they submitted the sample for being scanned to virustotal which I think should be against there there's not something we've tried to highlight before in classes and one might get I give presentations that your most sensitive ICS data isn't necessarily in the ICS other people are holding on to your information if you don't have some sort of chain of custody around your sensitive information you may not even know 
it's being uploaded at such databases we also found a ton of installers for legitimate software so we always talked about in the ICS kill chain construct that an adversary needs to be able to test out their attacks well if they can download your specific versions of HMIS data historians alarm servers etc and download them to their environment and the key generators that you also uploaded and all the information found it you can get a pretty good working environment I also have a lot of students that come and complain that they don't have a test environment of their own to do defense in turns out you can probably just go download your own from the internet and do some testing for your free own security practices but be rest assured your adversaries are downloading your software that you're submitting through this information so first of all scan your public datasets use your security team search public data sets like virustotal look for your company name look for your key information your types of software find it before it gets indexed and you can actually call virustotal as well and request that it be taken down granted we don't want you to submit in the first place but as a backup take all of your sensitive installers and files and get them off the internet as it were one of the things that I want to highlight as we wrap it up about why that data gets there is generally speaking there's two methods outside of you that are submitting that data set your a/v is not directly submitting it usually they'll do hash checks and they'll see if other vendors see it they don't submit the raw files what happens is after they're done with their analysis they'll do bulk data submissions so you're relying on your a/v to know and sanitize your data before they're submitting a bunch of it to virustotal and a lot of end users don't know that not all AV systems do that there are some very reputable vendors that will not but out of the 50 something on virustotal not all of them are 
reputable the other aspect that happens that we see the biggest defenders is your outsourced IT security teams so if they've never been inside an ICS they're not going to know the difference between a legitimate ICS software path and a malicious one what happens is they treat virustotal like a poor-man's sandbox they take all the different files or C and come into the IT security team and do bulk submissions the virustotal so all of your data again is getting Auto exfilled based off of outsourced IT security teams not all of them are bad but ask those questions have in your service level agreement some level of standardization and B of where what's going out there so in conclusion of our data set and again a lot of the research that have been put together from a virus propagation and ICS we should add a base be talking about the thousands from a ICS themed perspective we saw a dozen so we should at least be talking in the tents from the ICS tailored malware we still only have Stuxnet have X and black energy to to our knowledge I've always surmised there's other stuff out there but based on the trends of uploads and things that we're seeing it's unlikely to get indexed in virustotal in a meaningful way [Music]
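The speakers' advice is to go to proxy logs and DNS resolutions and look for two or three things that line up to a pattern before treating a single vendor-themed download as an incident. The following Python script is an added illustration of that correlation step; it is not code from the talk or from Dragos. The proxy log lines, hostnames, file names and the list of "ICS-themed" words are all constructed, and the indicator names and the ten-minute window are assumptions chosen for the example. It models the downloader chain the talk describes (a vendor-themed executable, a config fetch from the same host, then further payload fetches that 404) against a lone Allen-Bradley-themed file that, by itself, is just "welcome to the Internet".

```python
"""Correlating weak, ICS-themed indicators in proxy logs before calling something malicious.

Added illustration, not code from the talk. Log lines, hostnames and file names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (timestamp, client IP, method, URL, HTTP status, MIME type).
# Client 10.20.1.15 mimics the downloader chain described in the talk; 10.20.1.42 is a lone
# vendor-themed executable with nothing around it; 10.20.1.77 is ordinary traffic.
PROXY_LOG = """\
2013-11-04T09:12:01 10.20.1.15 GET http://plc-forum.example/files/Siemens_PLC_Project.exe 200 application/x-dosexec
2013-11-04T09:12:05 10.20.1.15 GET http://plc-forum.example/files/config.html 200 text/html
2013-11-04T09:12:09 10.20.1.15 GET http://cdn-a.example/stage2/update.exe 404 text/html
2013-11-04T09:12:10 10.20.1.15 GET http://cdn-b.example/stage2/helper.exe 404 text/html
2013-11-04T10:30:00 10.20.1.42 GET http://docs.example/manuals/AllenBradley_Manual.exe 200 application/x-dosexec
2013-11-04T11:00:00 10.20.1.77 GET http://intranet.example/index.html 200 text/html
"""

# Vendor and product words that make a filename "ICS-themed" (assumed list; extend for your vendors).
ICS_THEMES = ("siemens", "plc", "allen", "bradley", "abb", "emerson", "scada", "hmi", "deltav")
EXE_MIME = "application/x-dosexec"
WINDOW = timedelta(minutes=10)  # how long after the themed download we look for follow-on activity


def parse_line(line):
    """Split one constructed log line into a dict; a real parser would follow your proxy's format."""
    ts, client, _method, url, status, mime = line.split()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": parsed.netloc.lower(),
        "path": parsed.path.lower(),
        "status": int(status),
        "mime": mime,
    }


def indicators_for_client(events):
    """Return the distinct weak indicators seen for one client.

    Each indicator is unremarkable on its own (engineers download vendor tools, sites
    return 404); the point is how many different ones line up in a short window.
    """
    found = set()
    events = sorted(events, key=lambda e: e["ts"])
    themed = [e for e in events
              if e["mime"] == EXE_MIME and any(t in e["path"] for t in ICS_THEMES)]
    if not themed:
        return found
    found.add("ics_themed_executable")
    anchor = themed[0]
    deadline = anchor["ts"] + WINDOW
    for e in events:
        if e is anchor or not (anchor["ts"] <= e["ts"] <= deadline):
            continue
        # An HTML file fetched from the same host right after the .exe: a config pull, as in the talk.
        if e["host"] == anchor["host"] and e["path"].endswith(".html"):
            found.add("config_fetch_same_host")
        # Further executables from other hosts: second-stage payload retrieval.
        if e["path"].endswith(".exe") and e["host"] != anchor["host"]:
            found.add("further_executable_fetch")
            if e["status"] == 404:
                found.add("dead_payload_url")  # payload hosting already gone, as most samples were
    return found


def client_indicators(log_text):
    """Map every client IP in the log to its sorted list of indicators."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_client[ev["client"]].append(ev)
    return {c: sorted(indicators_for_client(evs)) for c, evs in by_client.items()}


def flagged_clients(log_text, threshold=2):
    """Clients worth an investigation: at least `threshold` distinct indicators, not one."""
    return {c: inds for c, inds in client_indicators(log_text).items() if len(inds) >= threshold}


if __name__ == "__main__":
    for client, inds in client_indicators(PROXY_LOG).items():
        verdict = "investigate" if len(inds) >= 2 else "single occurrence, note and move on"
        print(f"{client}: {inds or ['-']} -> {verdict}")
```

Run as-is, the script flags only 10.20.1.15, where four indicators stack up within a minute, and leaves 10.20.1.42 (one vendor-themed download, nothing else) as a note rather than an alert. The threshold is the dial the talk is asking you to turn: one themed filename is noise on the Internet, several independent signals in the same window from the same host is a pattern.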

Original Description

Register for the 2018 SANS ICS Security Summit & Training: http://www.sans.org/u/yzD Industrial Control System (in)security is hiding in plain sight. This presentation will be our first public discussion on unique research on industrial control system software, malware, and the consequences of poor operations security. Our premise for this project is the belief that there is a wealth of information surrounding Industrial Control Systems that is unrecognized by the traditional IT cyber security industry. We will walk through our methodology, show real-world findings and conclusions of what this means in our space. Robert M. Lee, CEO, Dragos Inc. & Ben Miller, Director of Threat Operations, Dragos Inc. Join the SANS ICS Forum: https://ics-community.sans.org/login

