Steven Dyer - Amea


Steven Dyer
NSA IAM, NSA IEM, CISSP, CCSP, CCDP
Chief Technology Officer
Central Service Association

Cyber Incident Response and Analysis

Blue Team Security Audits
205 Utilities
41 Banks
13 Secure Buildings
3 Energy Generation Locations

Security Agenda
Latest Events
Who are the Real Players
How Hackers Do It
Training
Breaking In
Log IT

Group Exercise

Who is your assigned Cyber Security person?

"Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking . . . Social Engineering is the single greatest security risk in the decade ahead." (2014)

"91% of successful data breaches started with a spear-phishing email" - security software firm Trend Micro (2013)

HACKING 101 Demo: Spear-Phishing

Homeland Security Information

March 2015 Logs


Utilities struggle to manage the security challenge
Primary Challenges
1. Nature & Motivation of Attacks (fame, fortune, market adversary)
A new market adversary
Today, security is a board-level agenda item
Attack phases: Research, Infiltration, Discovery, Capture, Exfiltration

The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack. (CNN Money article, 2013)

[Chart: attack sophistication from Low to High over time, 1980, 1985, 1990, 1995, 2000, Present. Labels: Zombie Bots; Web Browser Pop-Ups; DoS, Buffer Overflow, Service Overwhelm; Packet Forging and Spoofing; VBA, ActiveX, Flash Tricks; OS Specific Attack Tools; Stealth Diagnostics; Sweepers and Sniffers; Back Doors; Exploiting / Guessing]

HACKING 201 Demo: Stuxnet

CURRENT CYBER ESPIONAGE CAMPAIGN TARGETS INDUSTRIAL CONTROL SYSTEMS (DRAGONFLY / ENERGETIC BEAR - HAVEX)
On June 23, 2014, Finnish security research firm F-Secure reported on a cyber campaign targeting SCADA and the suppliers of equipment to these sectors, including many in critical infrastructure.

HAVEX Info
According to a Symantec report on June 30, 2014, Havex is what is known as a "remote access Trojan," or RAT, malware that secretly enters a computer to give hackers control of the machine. Symantec and F-Secure say the malware ordinarily is used only for spying, but can be modified to sabotage a machine.

Top 10% of Hackers Never Caught
A professional hacker would not directly attack networks or SCADA/DCS systems in the U.S.
1. Hacker determines that a direct attack may be too risky. Creates a Trojan (rootkit) that will allow remote control.
2. Plants the Trojan in a zombie host in the South Pacific.
3. Trojan is programmed to "listen" to a chat room hosted in Europe for a specific string of characters (maybe even in another language).
4. Hacker posts the message on the chat room.
5. When the zombie finds a match on the set of characters, it automatically begins attacking pre-determined sites and systems (diagram labels: SCADA, UNIVERSITY, CHATROOM).

Attacks from Last Traceable Point of Origin
[Map: percentage labels 10-30%, 3-4%, 1%, 0.6%, 0.3%; 32.5% unknown origin]
USA: Hosted 50% of all phishing sites in 1Q 2014; hosted 45% of all phishing-based keyloggers or Trojan downloaders
Russia: Produces 77% of all spam; source of many successful botnets: Rustock, Grum, Cutwail, and more
China: 55,000 malware/intrusion incidents on DoD systems in 2010; large but unspecified number blamed on China*
*Trustwave Breach Report 2014
Highest level of malware infections

Group Exercise
Training on up-to-date ways to protect your SCADA system. Needs to be updated every two years.

Utility SCADA Training
The Attack: The Countermeasure
Research: Improved security awareness and counter intelligence
Infiltration: Systems to proactively monitor, improve, and protect
Discovery: Ability to track and remediate
Capture: Controls to protect target assets internally and externally
Exfiltration: Damage remediation and counter intelligence

Research
Google / Internet Mining
What Compliance Is Required
Social Engineering
Digging Through Trash
Talk To Your Vendors

Infiltration: Physical Infiltration
Vendor Test
Hot Vendor Test
Customer Test
Walk In Off The Street Test
Warehouse Walkabout
Substation Bolt-Cutters

Infiltration: Pen Test
External Pen Test
Internal Pen Test
Secure Room Pen Test
Email - Spear Phishing
Plant Thumb Drives

Group Exercise
Put 5,000 in your budget for a dedicated log server and cheap storage

Log Everything That Can Be Logged
Syslog Server: Firewall, SCADA Systems, Control Systems, Anything
Log Analyzer: Sawmill, Splunk

What are we missing?
– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives

Insufficient control of remote logging and access.
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks: devices not properly configured

Media protection and control.
– Weak control of incoming and outgoing media (use of USB drives)
– Lack of encryption implementation
Audit/logging events.
– Insufficient methods for monitoring and controlling network events
– Lack of understanding of disaster recovery techniques
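As an added example (not from Steven Dyer's slides), the script below reviews a few constructed syslog lines of the kind a dedicated syslog server would collect from a firewall and an engineering workstation, and flags two of the gaps listed above: repeated failed remote logins followed by a successful one, and a USB mass-storage device attaching to a workstation. Hostnames, addresses and the failure threshold are assumed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real data): a firewall (fw01), an
# engineering workstation (eng-ws02) and a historian (hist01) forwarding
# to one central syslog server.
SAMPLE_LOGS = """\
Mar 10 02:14:01 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 fw01 sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:09 fw01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 08:30:13 eng-ws02 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 10 09:01:44 hist01 sshd[1201]: Accepted publickey for opc from 10.20.30.4 port 40110 ssh2
"""

# Timestamp, host, user and source address are captured from standard sshd messages.
FAILED_RE = re.compile(r"(\S+\s+\d+\s+\S+) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"(\S+\s+\d+\s+\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
USB_RE = re.compile(r"(\S+\s+\d+\s+\S+) (\S+) kernel: usb-storage .*USB Mass Storage device detected")


def review(log_text, fail_threshold=3):
    """Return a list of finding tuples for the given syslog text."""
    failures = defaultdict(list)   # (host, source address) -> usernames tried
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _, host, user, src = m.groups()
            failures[(host, src)].append(user)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            _, host, user, src = m.groups()
            prior = failures.get((host, src), [])
            # A success right after a burst of failures on the same host/source
            # is the pattern weak remote-login enforcement lets through.
            if len(prior) >= fail_threshold:
                findings.append(("login_after_failures", host, src, user, len(prior)))
            continue
        m = USB_RE.search(line)
        if m:
            ts, host = m.groups()
            # Removable media attaching to a workstation is a media-control event.
            findings.append(("usb_mass_storage", host, ts))
    for (host, src), users in failures.items():
        if len(users) >= fail_threshold:
            findings.append(("repeated_failed_logins", host, src, len(users), sorted(set(users))))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(finding)
```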

Group Exercise
Who do you contact when something happens?

Steven Dyer
Chief Technology Officer
Central Service Association
Cell: 662-491-2661
sdyer@csa1.com
