Extreme PI System Hardening - OSIsoft

Transcription

HOW TO: Extreme PI System Hardening
Harry Paul, OSIsoft Cyber Security Advisory Team, Customer Success
#OSIsoftUC #PIWorld 2018 OSIsoft, LLC

Agenda – a three act production
- Prologue
- Act I: Power Tools
- Act II: Threat Modeling
- Act III: TTPs
- Epilogue
Note: all examples in this presentation are on 0fd9228bca9e0f1dde23f6

Three Laws of SCADA Security
1. Nothing is secure
2. All software can be hacked
3. Every piece of information can be an attack
Ginter, Andrew (2016) SCADA Security: What's broken and how to fix it. Calgary: Abterra

Threat Spectrum
Threat                | Resources                        | Attacks
Nation States         | Military Grade, Nearly Unlimited | Autonomous Targeted Malware
Intelligence Agencies | Professional                     | Remote Control, 0-Day Vulnerabilities
Hacktivists           | Skilled Amateur                  | Remote Control, Exploit Permissions
SCADA Insiders        | Amateur                          | Exploit Permissions
Organized Crime       | Professional                     | Malware, Known vulnerabilities
Corporate Insiders    | Amateur                          | Exploit Permissions
Ginter, Andrew (2016) SCADA Security: What's broken and how to fix it. Calgary: Abterra

HD Moore's Law

Act I: Power Tools
Or, how I learned to stop worrying and love PowerShell

You're recommending PowerShell? For security?
- "Many targeted attack groups already use PowerShell in their attack chain" (Symantec, Increased use of PowerShell in attacks)
- "52% of all attacks seen in 2017 were non-malware attacks." (Carbon Black 2017 Threat Report)
- "PowerShell malware grew by 267% in Q4, and by 432% year over year" (McAfee Labs Threats Report, March 2018)

Attackers are living off the land
- PS Attack by Jared Haight
- PowerShell Empire by @harmj0y, @sixdub, @enigma0x3, @rvrsh3ll, @killswitch_gui, & @xorrior
- PowerSploit by PowerShellMafia

Top 10 reasons attackers love PS (annotated: ubiquity, stealth, configuration dependent)
1. Installed by default
2. Remote access by default with encryption
3. Growing community
4. System admins use and trust
5. Execute payloads from memory
6. Few traces by default
7. Easy to obfuscate
8. Gateway sandboxes lagging on script-based malware detection
9. Defenders overlook it when hardening their systems
10. Bypass whitelisting tools depending on the configuration
Source: Symantec, Increased use of PowerShell in attacks

Sysadmins need to harness the power too!
- Security features dramatically improved in the latest platform
- Great overview in "PowerShell at Enterprise Customers" on MSDN
- Stealth: script block logging, module logging, & system-wide transcription
- Configuration: AuthN & AuthZ, default encryption, platform defenses
- PowerShell Team Blog: A Comparison of Shell and Scripting Language Security (4/10/2017 post)

Bottom Line
"The improvements in WMF 5.0 (or WMF 4.0 with KB3000850) make PowerShell the worst tool of choice for a hacker when you enable script block logging and system-wide transcription. Hackers will leave fingerprints everywhere, unlike popular CMD utilities." Ashley McGlone, Who's afraid of PowerShell security
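The three logging features the slides name (script block logging, module logging, system-wide transcription) are Group Policy settings that land in well-known registry keys. The script below is an added example, not from the presentation: it enables all three locally, reports their state in a form that can be diffed against a baseline, and reads back the newest logged script blocks to prove the pipeline is live. The transcript directory is an assumption; pick one that ordinary users cannot read or modify.

```powershell
# Added example (not from the presentation): enable and verify PowerShell
# script block logging, module logging and system-wide transcription.
#Requires -RunAsAdministrator

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption: restrict ACLs on this folder

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: de-obfuscated content of every executed script block
    # goes to Microsoft-Windows-PowerShell/Operational as event 4104.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module logging for all modules (event 4103 carries pipeline details).
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # System-wide transcription with a timestamped invocation header per command.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
}

function Test-PowerShellLogging {
    # One row per setting, so the output can be compared against a baseline.
    $checks = @(
        @{ Setting = 'ScriptBlockLogging'; SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Setting = 'ModuleLogging';      SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Setting = 'Transcription';      SubKey = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $key   = Join-Path $PolicyRoot $c.SubKey
        $value = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Setting = $c.Setting; Enabled = ($value -eq 1) }
    }
}

function Get-RecentScriptBlocks {
    # Newest logged script blocks; Properties[2] of event 4104 is the script text.
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Count |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Enable-PowerShellLogging
Test-PowerShellLogging | Format-Table -AutoSize
Get-RecentScriptBlocks | Format-List
```

The registry values are exactly what the corresponding Group Policy settings write, so a domain GPO will override them on the next refresh; in a domain, set the GPO and use only Test-PowerShellLogging here to confirm it applied.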

With PS, we get DSC... I mean, "Configuration as Code"
- Declarative: separate intent from execution
- Decreased complexity
- Increased agility
- Consistency across applications
- Functional documentation
- Broad scope (OS and applications): Baseline Configuration, Hardening, Site specific controls

So, how does it work?
- Configuration – declarative script which defines and configures Resources
- Resource – lightweight component (psm1 file) containing code to Get, Set or Test properties of an item from a Configuration
- Local Configuration Manager (LCM) – engine that facilitates interaction between Configurations and Resources

DSC Resource – a special kind of module
- Requires 3 functions: Get-TargetResource, Set-TargetResource, Test-TargetResource
- Supports helper functions
- DSC Resource Structure Example (figure)
- DSC Resource Schema Example (figure)
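The structure and schema figures did not survive extraction, so here is an added example of the same shape, not code from the presentation: a minimal MOF-based DSC resource with the three required functions and one helper. The resource name DemoServiceStartup is hypothetical and it manages a service's startup type, which the built-in Service resource already does; it exists only to show how Get, Test and Set fit together and how the schema declares the properties they receive.

```powershell
# Added example (not from the presentation): DemoServiceStartup.psm1, a
# hypothetical MOF-based DSC resource. Expected layout in the module folder:
#   DemoServiceStartup/DemoServiceStartup.psd1
#   DemoServiceStartup/DSCResources/DemoServiceStartup/DemoServiceStartup.psm1        (this file)
#   DemoServiceStartup/DSCResources/DemoServiceStartup/DemoServiceStartup.schema.mof
#
# Contents of the .schema.mof (the schema the LCM validates a configuration against):
#   [ClassVersion("1.0.0"), FriendlyName("DemoServiceStartup")]
#   class DemoServiceStartup : OMI_BaseResource
#   {
#       [Key] string Name;
#       [Required, ValueMap{"Automatic","Manual","Disabled"},
#        Values{"Automatic","Manual","Disabled"}] string StartupType;
#   };

# Helper function: map the WMI StartMode wording onto the schema's values.
function ConvertTo-StartupType {
    param([string]$StartMode)
    switch ($StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { $StartMode }
    }
}

# Get: report the current state as a hashtable keyed by the schema properties.
function Get-TargetResource {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ValidateSet('Automatic','Manual','Disabled')] [string]$StartupType
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $current = if ($svc) { ConvertTo-StartupType $svc.StartMode } else { $null }
    return @{ Name = $Name; StartupType = $current }
}

# Test: $true when the system already matches the desired state; the LCM
# only calls Set when this returns $false.
function Test-TargetResource {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ValidateSet('Automatic','Manual','Disabled')] [string]$StartupType
    )
    $state = Get-TargetResource @PSBoundParameters
    return ($state.StartupType -eq $StartupType)
}

# Set: make the change; it should be idempotent, since the LCM may re-run it.
function Set-TargetResource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ValidateSet('Automatic','Manual','Disabled')] [string]$StartupType
    )
    Write-Verbose "Setting startup type of service '$Name' to $StartupType"
    Set-Service -Name $Name -StartupType $StartupType
}

Export-ModuleMember -Function Get-TargetResource, Test-TargetResource, Set-TargetResource
```

Once the folder sits under a path in $env:PSModulePath, `Get-DscResource -Name DemoServiceStartup -Syntax` shows the schema as a configuration block, which is the ad hoc check the deck recommends for any resource.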

Example: Windows Feature Blacklist
Pathologically unfit, yet default-enabled features:
- SMBv1
  - Stop using SMB1 by Ned Pyle
  - Securing Windows Workstations by ADSecurity
- PSv2
  - Windows PowerShell 2.0 Deprecation
  - Medium severity finding with STIGViewer (V-70637)
  - Detecting and Preventing PS Downgrade Attacks by Lee Holmes
  - All those benefits I talked about in 5.0 aren't there!

DSC Configuration – a special kind of function (annotations on the configuration figure)
- Scope configuration items to a node
- Configurations can have parameters
- Built-in resource to manipulate features
- Import whatever resources your config needs
- Make sure it's not Present

Example: Windows Feature Whitelist (annotations on the configuration figure)
- Specify a whitelist
- Interrogate the system
- Implement logic/loops
- Filter out items
- Resource ID must be unique
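The blacklist and whitelist configurations from the two figures, reconstructed as one added example (not the deck's own code): a parameterized configuration that marks each blacklisted feature Absent, then interrogates the server, filters the installed features against a whitelist, and emits one uniquely named WindowsFeature resource per feature to remove. The whitelist contents are an assumption for a PI Data Archive host and must be adjusted to what your server actually needs.

```powershell
# Added example (not from the presentation): feature blacklist + whitelist as
# a single DSC configuration using the built-in WindowsFeature resource.
Configuration PIServerFeatures
{
    param(
        [string[]]$NodeName  = 'localhost',
        # Pathologically unfit, default-enabled features named on the slides.
        [string[]]$Blacklist = @('FS-SMB1', 'PowerShell-V2'),
        # Assumed whitelist: anything installed and not listed here is removed.
        [string[]]$Whitelist = @('File-Services', 'FS-FileServer', 'PowerShell', 'PowerShellRoot',
                                 'NET-Framework-45-Core', 'NET-Framework-45-Features', 'Windows-Defender')
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName
    {
        # Blacklist: make sure each feature is not Present.
        foreach ($feature in $Blacklist) {
            WindowsFeature "Blacklist_$feature" {      # resource ID must be unique
                Name   = $feature
                Ensure = 'Absent'
            }
        }

        # Whitelist: interrogate the system at compile time, then filter out
        # everything we keep plus anything the blacklist already covers.
        $installed = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
        $toRemove  = $installed | Where-Object { $_ -notin $Whitelist -and $_ -notin $Blacklist }
        foreach ($feature in $toRemove) {
            WindowsFeature "Whitelist_$feature" {
                Name   = $feature
                Ensure = 'Absent'
            }
        }
    }
}

# Compile the MOF for this machine, then hand it to the LCM (both need elevation).
PIServerFeatures -OutputPath "$env:TEMP\PIServerFeatures"
Start-DscConfiguration -Path "$env:TEMP\PIServerFeatures" -Wait -Verbose
```

Two caveats a practitioner will hit: Get-WindowsFeature runs on the machine compiling the MOF, so compile on the target (or feed it a list gathered from the target), and removing a parent feature removes its sub-features, so the whitelist has to name every dependency of the PI components or the first Start-DscConfiguration will take something you needed with it. Run it with `Test-DscConfiguration -Detailed` first to see the planned removals.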

Demo 1: Microsoft OS Baseline a la DSC
- Server 2016 Baseline from Microsoft Security Guidance Blog
- Applies 100 recommended settings
- Auditing for security events, e.g. Logon/Logoff, Removable storage, Policy change
- Lock down privileges, e.g. SeCreatePermanentPrivilege, SeTcbPrivilege, SeTrustedCredManAccessPrivilege

Leveraging PowerShell for the PI System
- System Administration: PowerShell Tools for the PI System, packaged with PI System Management Tools
- Security Configuration Auditing: PI Security Audit Tools, available on TS site, open source on GitHub [repo]
- Configuration as Code: PI Security DSC Resources, open source on GitHub [repo location]

PI Security Audit Tools
- Validated components: Machine (General), PI Data Archive, PI AF Server, MS SQL Server, PI Vision, PI Web API
- Requirements: PSv3; Run as Admin (AF & Vision); OSIsoft.PowerShell; WinRM enabled (if remote)

Demo 2: Produce an Audit Report

PI Security DSC Resources
- Getting Started Guide in Wiki
- Resource syntax: PI Security DSC Resource Reference, or ad hoc with Get-DscResource
- Configuration
  - AF DB: AFAttribute
  - PI AF Security: AFIdentity, AFMapping
  - PI Data Archive: PIDatabaseSecurity, PIFirewall, PIIdentity, PIMapping, PIPoint (PtSecurity & DataSecurity only), PITrust, PITuningParameter

Demo 3: PI Mappings (and more) via DSC
- Specify desired PI Mappings
- Loop through the PI Mappings
- Set the desired attributes

Hardened Baseline Configuration (diagram)
Step 1: Microsoft OS Baseline
- Latest Server OS
Step 2: OSIsoft Recommended OS Hardening
- Core Installation
- Domain Member Baseline
- Disabled Features
- Disabled Services
- Crypto Suites
- Firewall Rules
- Windows Defender
- Access Control
Step 3: OSIsoft PI Data Archive Baseline
- Field Service Technical Standard best practices: High Availability, Backups, Role based access, Performance tuning
Step 4: OSIsoft Recommended PI Data Archive Hardening
- Authentication methods
- Least Privilege
- Application specific defenses
- TODO!
Diagram markers: DEMO 1, DEMO 3a, DEMO 3b
Legend: Purple = Enabled by MS DSC resources; Green = Enabled by PI Security DSC resources

Benefits of Windows Integrated Security
- Less work for administrators: Identity and Access Management, SSO
- Improved security: Strong authentication; Transport security for native protection; Authentication management; Audit connections
- Flexibility: Role-based access; Leverage existing paradigm

Less work for administrators
- Leverage standard platform technologies
- AD provides SSO and Identity and Access Management
(Figure labels: AD Group, AD User, Authorized, Access Denied User)

Strong Authentication
- PI User and PI Trust (WEAK)
  - AL00206 – Security Alert: PI Authentication Weakness
  - AL00309 – Windows Integrated Security (WIS) replaces PI Trusts and Explicit Logins in PI API 2016
- PI Mappings (STRONG)
  - Authenticate through Windows SSPI
  - Leverage Kerberos
- Allow only the strongest method server-side.
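Demo 3 (mappings declared as data, a loop over them, attributes set per mapping) and the closing point of this slide (allow only the strongest method server-side) fit in one configuration, so here is an added example covering both; it is not the deck's demo code nor part of the PI Security DSC project. Assumptions: PISecurityDSC and OSIsoft.PowerShell are installed, the PIWorld\ group names are constructed, the PI Identities already exist (or are declared with PIIdentity in the same configuration), and the PIMapping/PITuningParameter parameter names follow the resource reference; confirm them with `Get-DscResource -Name PIMapping -Syntax` as the deck suggests. The Server_AuthenticationPolicy value 51 (Windows authentication only) is taken from the PI Data Archive tuning parameter documentation as I know it; check it against the documentation for your version before applying.

```powershell
# Added example (not from the presentation or the PISecurityDSC project):
# desired PI Mappings as data, one PIMapping resource per entry, then the
# tuning parameter that rejects PI Trusts and explicit logins.
Configuration PIDataArchiveAuth
{
    param(
        [string]$NodeName      = 'localhost',
        [string]$PIDataArchive = 'localhost'
    )
    Import-DscResource -ModuleName PISecurityDSC

    # Constructed list: AD group -> PI Identity (access levels from KB01072).
    # Being data, the list doubles as documentation of who is allowed what.
    $Mappings = @(
        @{ Name = 'PI Admins';     Principal = 'PIWorld\PI-Admins';     Identity = 'piadmins' },
        @{ Name = 'PI Interfaces'; Principal = 'PIWorld\PI-Interfaces'; Identity = 'PI Interfaces' },
        @{ Name = 'PI Buffers';    Principal = 'PIWorld\PI-Buffers';    Identity = 'PI Buffers' },
        @{ Name = 'PI Users';      Principal = 'PIWorld\PI-Users';      Identity = 'PI Users' }
    )

    Node $NodeName
    {
        foreach ($m in $Mappings) {
            # Resource ID derived from the identity so each instance is unique.
            PIMapping "Mapping_$($m.Identity -replace '\W', '_')" {
                Name          = $m.Name
                PrincipalName = $m.Principal
                Identity      = $m.Identity
                Ensure        = 'Present'
                PIDataArchive = $PIDataArchive
            }
        }

        # Allow only the strongest method server-side. Assumed value: 51 =
        # Windows authentication only (PI Trusts and explicit logins rejected).
        PITuningParameter AuthenticationPolicy {
            Name          = 'Server_AuthenticationPolicy'
            Value         = '51'
            Ensure        = 'Present'
            PIDataArchive = $PIDataArchive
        }
    }
}

PIDataArchiveAuth -OutputPath "$env:TEMP\PIDataArchiveAuth"
Start-DscConfiguration -Path "$env:TEMP\PIDataArchiveAuth" -Wait -Verbose
```

Order matters operationally even though DSC is declarative: verify that every interface, buffer and admin account authenticates through a mapping (Message ID 7082 in the PI message log shows the method used) before the tuning parameter is tightened, otherwise the first thing the policy rejects is your own connection.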

Transport Security
- Enabled automatically for WIS connections
- Messages signed for integrity and encrypted for privacy
- Supported with PI Data Archive 2015 with the connecting client: PI Buffer Subsystem 4.4 or later; PI AF SDK 2015 or later; PI SDK 2016 or later; PI API 2016 for WIS
- KB01092 – PI System and Data Encryption

Auditability
- Connection auditing through Security event logs
- PI Message Logs (Message ID: 7082)
- PI Data Archive connection history

WIS Best Practices
Codified in KB01072
- Practical Access Levels
  – Administrator
  – PI Interfaces
  – PI Buffers
  – PI Users
  – PI Point and Analysis creator
  – PI Web Apps
- No god user
  – piadmin for disaster recovery only
  – piadmins for admin tasks

Myth Busting!
MYTH #1: PI Mappings cannot be used in a workgroup
TRUTH: Applications can use PI Mappings between untrusted domains or workgroup nodes.
KB01457 – Using Windows Credential Manager with PI Applications
MYTH #2: PI Mappings require more open ports than PI Trusts
TRUTH: No additional ports required to migrate to mappings.
2820OSI8 – Which firewall ports should be opened for a PI Data Archive

Act II: Threat Modeling
Beyond F!R3W@LLZ

Core Security Value of the PI System (diagram)
- Limits direct access to critical systems while expanding the value and use of information
- Reduce the risks on critical systems
Diagram labels: Critical Systems (Transmission & Distribution SCADA, Plant DCS, Infrastructure PLCs, Other critical operations systems); Security Perimeter

Data Flow Architecture (diagram)
Components: AD DS & DNS; Administrator Workstation; File Server; PI Connector Relay; PI Data Archive Server (Primary); PI Data Archive Server (Secondary); PI System Connector; PI Vision Server; Windows Update Server

Network Zones
Note: Segment system components! Security: data protocol only across segments
Zones: Restricted Zone; Operational Zone; DMZ; Back End Zone; Front End Zone; User Zone

Built-in vs Bolt-on defenses: SANS 'Sliding Scale'
Active Directory; DMZ / PItoPI; PI Vision 2FA; OS defenses; Whitelisting; SSL/TLS; Server Core; Backups; Logging; Managed PI; SOC?; Bow Ties; Data Models; Reputation; 3P Feeds?

Modern PI System Kill Chain (figure)

Application Server Threats and Impacts (diagram labels)
Info Leakage; Snooping/Spoofing; Misleading Reports; Insider Threat/Stolen Creds; Lost Data/Backdoor; Pwn OS/Admin; Call Home/Move Deeper; Malware/0-Day; RATs/Ransomware; Expensive calls/Botnet; Critical Data Unavailable

PI Data Archive Bow Tie (figure)

PI Data Archive Bow Tie (figure): Windows Server Core; OS Application Whitelisting

PI Data Archive Bow Tie (figure): WIS Everywhere; PI [...]toring (label partly lost)

PI Server Security: Bringing it all together

Want more on Bow Tie?
- Presentations
  - UC 2016: Bow-Tying it All Together: Analyzing Your Attack Surface (Video)
  - UC 2017: How secure are your PI Systems? A primer for PI System security baselining (Video)
  - S4x17: Tying Bow Ties: Using Bow Tie Analysis to Secure ICS (Video)
- Articles & Papers
  - PI Square: Bow Tie for Cyber Security (parts 1-3) (Post)
  - SANS White Paper: Evaluating Cyber Risk in Engineering Environments: A Proposed Framework and Methodology, Rebekah Mohr (PDF)

PI Data Archive CSDS
- Structured Security Documentation
- Forward looking
- Modern Platform
- Recommended Architecture
- Supplemental Configuration Document/Tools
- Verification via Configuration as Code

Act III: Tactics
The blocking and tackling of cyber security

Benefits of Server 2016 Core
- Reduced Servicing
- Reduced Management
- Reduced Attack Surface: 40% fewer services running; 50% less disk for OS

Benefits of PI Data Archive Upgrades*
Defense / Version                      | 2010        | 2012         | 2015             | 2016             | 2017                    | 2017 R2
Compiler                               | VC 2008 SP1 | VC 2010 SP1  | VC 2012 Update 4 | VC 2015 Update 1 | VC 2015 Update 2        | VC 15.3.5
Heap Metadata Protection               | No          | Yes          | Yes              | Yes              | Yes                     | Yes
Migration of buffer-overrun prone      | 2% complete | 80% complete | 95% complete     | 95% complete     | 95% complete            | 95% complete
functions to safe versions             |             |              |                  |                  |                         |
SDL Check                              | No          | No           | Yes              | Yes              | Yes                     | Yes
Control Flow Guard                     | No          | No           | No               | No               | Yes, on core subsystems | Yes, on core subsystems
Least Required Privileges              | None        | PI AF Link   | PI AF Link       | PI AF Link       | PI AF Link, PI Net Mgr  | PI AF Link
*All versions listed: WIS; 64-bit; core support; stack buffer overrun protection; DEP/NX; ASLR; SEHOP; SafeSEH

AttackSurface Host Analyzer
- Developed by ESIC, Washington State University: Dave Anderson, Adam Hahn
- Repo: https://github.com/ESIC-DA/
- Analysis and Visualization
- Components: Scraper (PowerShell), GUI (Java)

AttackSurface Analysis
- Visualization: Graphs communicating executables; Scores executables on defenses; Hide/Show OS processes; Suggests FW Rules
- Analysis: Identifies all connections with cports; Aggregates executables for connections; Defensive attributes: Authenticode, ControlFlowGuard, HighEntropyVA
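The analysis half of that slide is small enough to reproduce by hand, which is useful on a server where you cannot install the tool. The script below is an added example, not the ESIC tool's code: it enumerates listening TCP endpoints with Get-NetTCPConnection instead of cports, aggregates them per owning executable, and scores each executable on the same three defensive attributes. Authenticode comes from Get-AuthenticodeSignature; Control Flow Guard and High Entropy VA are flag bits in the PE optional header's DllCharacteristics field, read directly from the file.

```powershell
# Added example (not the ESIC AttackSurface tool's code): listening
# executables scored on Authenticode, CFG and High Entropy VA.

# IMAGE_DLLCHARACTERISTICS flag bits from the PE/COFF specification
$IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
$IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040
$IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100
$IMAGE_DLLCHARACTERISTICS_GUARD_CF        = 0x4000

function Get-PEDllCharacteristics {
    # Returns the 16-bit DllCharacteristics field of a PE file, or $null if the file is not PE.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }   # "MZ"
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                                          # e_lfanew
    if ($peOffset -lt 0 -or $peOffset + 24 + 72 -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }            # "PE\0\0"
    $optionalHeader = $peOffset + 4 + 20                # PE signature + COFF file header
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    return [BitConverter]::ToUInt16($bytes, $optionalHeader + 70)
}

function Get-ListeningExecutableDefenses {
    # One row per executable that owns at least one listening TCP port.
    $listeners = Get-NetTCPConnection -State Listen | Group-Object OwningProcess
    foreach ($group in $listeners) {
        $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
        $path = $proc.Path
        if (-not $path) { continue }        # System (PID 4) and protected processes expose no path
        $flags = Get-PEDllCharacteristics -Path $path
        $sig   = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Process          = $proc.ProcessName
            Path             = $path
            Ports            = ($group.Group.LocalPort | Sort-Object -Unique) -join ','
            Signed           = ($sig.Status -eq 'Valid')
            Signer           = $sig.SignerCertificate.Subject
            ControlFlowGuard = [bool]($flags -band $IMAGE_DLLCHARACTERISTICS_GUARD_CF)
            HighEntropyVA    = [bool]($flags -band $IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
            DynamicBase      = [bool]($flags -band $IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
            NXCompat         = [bool]($flags -band $IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        }
    }
}

Get-ListeningExecutableDefenses | Sort-Object Path | Format-Table -AutoSize
```

Run it elevated so process paths are readable. Rows with Signed=False for Microsoft binaries on an older OS usually mean catalog signing that Get-AuthenticodeSignature there does not resolve, not an unsigned file; rows with ControlFlowGuard=False for your own listeners are the ones to raise with the vendor, which is the point the upgrade table on the previous slides makes for the PI Data Archive subsystems.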

Demo 4: Further Reducing Surface Area
- Features to Disable
  - FS-SMB1 (Handled automatically as of 2016 RS3)
  - Disable IPv6 Tunnels
  - LLMNR, NetCease, NetBIOS (AD Security 10/21 post)
- Services to Disable
  - SharedAccess, lltdsvc, Spooler, PrintNotify, ScDeviceEnum, Wisvc – Microsoft Docs
  - WinHttpAutoProxySvc – Project Zero December blog post
  - DiagTrack, SNMPTRAP, sacsvr – Not used for PI apps
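The Demo 4 list expressed in the deck's own idiom, configuration as code, as an added example that is not the presentation's demo: the services go through the built-in Service resource, and the LLMNR, NetBIOS and IPv6 tunnel settings through the Registry resource using the documented Windows values as I know them. FS-SMB1 is left to the feature configuration, and NetCease is omitted because it rewrites a security descriptor rather than a simple value.

```powershell
# Added example (not from the presentation): Demo 4's services and settings
# as a DSC configuration with the built-in Service and Registry resources.
Configuration PIServerSurfaceReduction
{
    param([string]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Services the slide lists; WinHttpAutoProxySvc is handled separately below.
    $ServicesToDisable = @('SharedAccess', 'lltdsvc', 'Spooler', 'PrintNotify',
                           'ScDeviceEnum', 'wisvc', 'DiagTrack', 'SNMPTRAP', 'sacsvr')

    Node $NodeName
    {
        foreach ($svc in $ServicesToDisable) {
            Service "Disable_$svc" {            # unique resource ID per service
                Name        = $svc
                StartupType = 'Disabled'
                State       = 'Stopped'
            }
        }

        # On some builds Set-Service is refused (access denied) for
        # WinHttpAutoProxySvc, so write its Start value directly
        # (4 = SERVICE_DISABLED); takes effect after a reboot.
        Registry DisableWinHttpAutoProxySvc {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
            ValueName = 'Start'
            ValueType = 'Dword'
            ValueData = '4'
            Ensure    = 'Present'
            Force     = $true
        }

        # LLMNR: EnableMulticast = 0 under the DNS client policy key.
        Registry DisableLLMNR {
            Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
            ValueName = 'EnableMulticast'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
            Force     = $true
        }

        # IPv6 tunnels: DisabledComponents bit 0x01 disables 6to4, ISATAP and
        # Teredo tunnel interfaces while leaving native IPv6 alone.
        Registry DisableIPv6Tunnels {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
            ValueName = 'DisabledComponents'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }

        # NetBIOS over TCP/IP: NetbiosOptions = 2 (disabled) on each interface
        # present when the MOF is compiled, so compile on the target node.
        $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
        foreach ($if in Get-ChildItem $ifRoot) {
            Registry "DisableNetBIOS_$($if.PSChildName)" {
                Key       = Join-Path $ifRoot $if.PSChildName
                ValueName = 'NetbiosOptions'
                ValueType = 'Dword'
                ValueData = '2'
                Ensure    = 'Present'
                Force     = $true
            }
        }
    }
}

PIServerSurfaceReduction -OutputPath "$env:TEMP\PIServerSurfaceReduction"
Start-DscConfiguration -Path "$env:TEMP\PIServerSurfaceReduction" -Wait -Verbose
```

Because the LCM re-tests this configuration on its schedule, a service that something re-enables (a printer driver install, a diagnostics agent) is put back to Disabled and the drift shows in the DSC event log, which is the benefit over a one-off Set-Service script.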

Communication Whitelisting
- Windows Firewall
- Connection Security Rules
- Windows Service Hardening
Why focus on services?
- Run without user interaction
- Always on, often on the network
- Often run with unnecessarily high privilege
- Ports are opened
- Not limited by AppLocker

Windows Filtering Platform
- Development platform
- Windows firewall implemented using WFP
- NetFwServiceRestriction and INetFwRule part of Windows firewall
- Verbose tracing built into netsh (wfp capture start / stop)
- Windows Service Hardening: Restricted network access for service; Rules stored in registry keys

WSH vs. Windows Firewall
Pros
- Cannot be disabled
- Enforced by kernel, not firewall service
- Evaluated before firewall rules
Cons
- Lack of GUI
- Native PS cmdlets not available in older platforms
- Cannot grant access; only restricts access
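Since there is no GUI and, on older platforms, no cmdlet, the practical way to reach Windows Service Hardening is the INetFwServiceRestriction COM interface the WFP slide names. The script below is an added example, not the Demo 5 code: it restricts a service to its own executable, adds the single inbound allow rule the service needs, checks the restriction took, and reads the resulting rules back from the registry keys the slide mentions. The service name, executable path and port are assumptions standing in for the PI Data Archive's network manager; take the real port list from the OSIsoft firewall-port KB article cited earlier.

```powershell
# Added example (not from the presentation): Windows Service Hardening via
# the INetFwServiceRestriction COM interface, plus a registry read-back.
#Requires -RunAsAdministrator

$ServiceName    = 'pinetmgr'                               # assumption
$ServicePath    = 'C:\Program Files\PI\bin\pinetmgr.exe'   # assumption: use your %PISERVER%\bin path
$AllowedTcpPort = '5450'                                    # assumption: the service's listening port

function Set-ServiceNetworkRestriction {
    # Confine $Name to $Path and allow only inbound TCP $Port. Everything else
    # aimed at the service is dropped by WSH before firewall rules are evaluated.
    param([string]$Name, [string]$Path, [string]$Port)
    $policy      = New-Object -ComObject HNetCfg.FwPolicy2
    $restriction = $policy.ServiceRestriction
    # RestrictService(serviceName, appName, restrictService, serviceSidRestricted)
    $restriction.RestrictService($Name, $Path, $true, $false)

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = "WSH: allow $Name inbound TCP $Port"
    $rule.ServiceName     = $Name
    $rule.ApplicationName = $Path
    $rule.Protocol        = 6        # NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts      = $Port
    $rule.Direction       = 1        # NET_FW_RULE_DIR_IN
    $rule.Action          = 1        # NET_FW_ACTION_ALLOW
    $rule.Enabled         = $true
    $restriction.Rules.Add($rule)
}

function Test-ServiceIsRestricted {
    param([string]$Name, [string]$Path)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    return [bool]$policy.ServiceRestriction.ServiceRestricted($Name, $Path)
}

function Get-ServiceRestrictionRules {
    # WSH rules live under RestrictedServices in the firewall policy key:
    # Static\System holds Microsoft's built-in rules; rules added through the
    # API appear under Configurable\System (verify the subkey on your build).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices'
    foreach ($sub in 'Static\System', 'Configurable\System') {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a rule
            [pscustomobject]@{ Source = $sub; RuleId = $p.Name; Rule = $p.Value }
        }
    }
}

Set-ServiceNetworkRestriction -Name $ServiceName -Path $ServicePath -Port $AllowedTcpPort
Test-ServiceIsRestricted -Name $ServiceName -Path $ServicePath
Get-ServiceRestrictionRules | Where-Object Rule -like "*$ServiceName*" | Format-List
```

Remember the con from the slide: WSH only restricts. The ordinary firewall rule for the port is still required, and a service that needs outbound connections (PI to PI, AF lookups, domain controllers) needs matching WSH allow rules in that direction too. Test on a non-production node with `netsh wfp capture start` running so a blocked flow shows up in the trace rather than as a silent interface timeout.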

Demo 5: Communication Whitelisting

Application Control with AppLocker
THE GOOD
- Granular control
- Available with OS by default
- Audit and Enforce options
- Associated logging
THE BAD
- Compliance focus, not security boundary
- Not supported on Core editions
THE UGLY
- Major limitations: Services, .WSF, Macros, MS Office embedded content
- Multiple bypasses available on metasploit: Regsvr32, InstallUtil

Device Guard & AppLocker
- Core: Device Guard & Antivirus (recommended)
  - Limit attack surface
  - Limit local server access
- Desktop Experience: Device Guard & AppLocker
  - Device Guard: strict enforcement of code integrity
  - AppLocker: granular control and role based options
  - Antivirus: detection & clean up for known threats
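The "Audit and Enforce options" and "Associated logging" bullets are what make AppLocker usable on a Desktop Experience PI server: you can build rules from what is installed and watch what they would have blocked before enforcing. The script below is an added example, not the Demo 6 code: it generates publisher and hash rules from the assumed installation directories (C:\Program Files\PI stands for the PI Data Archive folder), rewrites every rule collection to AuditOnly, dry-runs the policy against the running processes, applies it locally, and reads the audit events.

```powershell
# Added example (not from the presentation): AppLocker policy in audit mode,
# validated against running processes, with the audit events read back.
#Requires -RunAsAdministrator

$RuleSources = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Program Files\PI')   # assumptions
$PolicyFile  = "$env:TEMP\PIServer-AppLocker-Audit.xml"

function New-AuditAppLockerPolicy {
    param([string[]]$Directories, [string]$OutFile)
    # Publisher and hash information for every executable, script and installer found.
    $fileInfo = $Directories | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller }
    # Publisher rules survive updates; hash rules cover unsigned files. -Optimize
    # merges rules sharing a publisher; -Xml returns the policy document.
    [xml]$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # New-AppLockerPolicy sets no enforcement mode; switch every collection to AuditOnly.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $policy.Save($OutFile)
    return $OutFile
}

function Test-PolicyAgainstRunningProcesses {
    # Dry run: which currently running executables would the policy not allow?
    param([string]$PolicyPath)
    $paths = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $paths -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed'
}

function Get-AppLockerAuditEvents {
    # 8003 = AuditOnly "would have been blocked"; 8004 = blocked under Enforce.
    param([int]$Count = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$file = New-AuditAppLockerPolicy -Directories $RuleSources -OutFile $PolicyFile
Test-PolicyAgainstRunningProcesses -PolicyPath $file
# Apply locally in audit mode; the Application Identity service (AppIDSvc) must be running.
Set-AppLockerPolicy -XmlPolicy $file -Merge
Get-AppLockerAuditEvents | Format-Table -AutoSize
```

Leave it in AuditOnly through at least one full operational cycle (backups, interface restarts, patch night) and review the 8003 events before changing EnforcementMode to Enabled; the "THE UGLY" slide is the reminder that the result is a compliance control for the PI server, not the code-integrity boundary that Device Guard provides.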

Demo 6: Application Control

Hardened Baseline Configuration (diagram, revisited)
Step 1: Microsoft OS Recommendations
- Latest Server OS
Step 2: OSIsoft OS Recommendations for PI Data Archive
- Core Installation
- Domain Member Baseline
- Disabled Features
- Disabled Services
- Crypto Suites
- Firewall Rules
- Windows Defender
- Access Control
Step 3: OSIsoft PI Data Archive Baseline
- Field Service Technical Standard best practices: High Availability, Backups, Role based access, Performance tuning
Step 4: OSIsoft PI Data Archive Hardening
- Authentication methods
- Least Privilege
- Application specific defenses
Diagram markers: DEMO 1, DEMO 3a, DEMO 3b, DEMO 4, 5 & 6
Legend: Purple = Enabled with Built-in DSC resources; Green = Enabled with PI Security DSC resources

Contact Information
Harry Paul
hpaul@osisoft.com
Cyber Security Advisor
OSIsoft, LLC

Questions
- Please wait for the microphone before asking your questions
- State your name & company
- Please remember to complete the Online Survey for this session

Merci / Thank You / Grazie
