2014 Honeywell Users Group Europe, Middle East and Africa
Eric D Knapp, Honeywell
Security Intelligence and Analytics in Industrial Systems
Honeywell Proprietary
2 2014
About the Presenter
Eric D. Knapp
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; over 10 years in Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, and advanced cyber security controls
• North American Technical Advisor to the Industrial Cyber Security Center
• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid
@ericdknapp
Agenda
• What is “Security Intelligence and Analytics”?
• Evolution of Cyber Threat
• What to Look For
• Where to Look
• Understanding the Data
• Drawing Conclusions
• What an Attack Might Look Like
• Perspective
• Same Attack, Different Lens
What the Heck Am I Talking About?
Security Analytics. (An-uh-lit-iks).
1) The process of analyzing large volumes of security data, originating from distributed sources throughout a network communication system, with the intention to identify unknown cyber security risks and threats.
2) A common process used in obtaining Situational Awareness, enabling cyber security threats to be identified, evaluated and mitigated.
3) Something that SIEM and Log Management vendors used to do before they came up with the term “Big Data.”
Evolution of the Cyber Threat
1971… Malware was simple. Malware was Loud.
Evolution of the Cyber Threat
Today malware is commercial-grade software: Targeted, Adaptable, Complex, Conditional, Learning, Persistent, Evasive.
What to Look For
“The world is full of obvious things which nobody by any chance ever observes”
~ Sherlock Holmes
What to Look For
What Creates The Data We Need?
(All of This)
Diagram courtesy of Elsevier Publishing, ©2014 Langill/Knapp
Example 1: Remote Access
Possible Vectors:
• Software vendor support portal (inbound malware or penetration)
• Social engineering (compromised accounts)
What to Look For (diagram callouts at each point in the path):
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Account anomalies / new user creation / privilege escalation
• File / configuration changes
• Services enabled/disabled
• Firewall alerts / blocked connection attempts
• Unexpected traffic/connections from or to the RA DMZ
• Performance and/or Risk Indicators
Example 2: Inbound From L4
Possible Vectors:
• Inbound targeted attack (inbound malware or penetration)
What to Look For (diagram callouts at each point in the path):
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Unexpected connections from or to the L3.5 DMZ
• Firewall alerts / blocked connection attempts
• Account anomalies / new user creation / privilege escalation
• File / configuration changes
• Services enabled/disabled
• Performance and/or Risk Indicators
Clues of Complex Threats
• Indicators in registry
• Presence of certain files
  – .pnf and .cfg
• C2 calls / updates
• Mutations:
  – Unexpected writes
  – File changes
• And on… and on… and on…
Understand the Data
“You gotta convince me that you know what this is all about, that you aren't just fiddling around hoping it'll all... come out right in the end”
~ Sam Spade
Understand the Data
Source: Knapp, “Industrial Network Security” © Elsevier, Inc. All Rights Reserved. Republished with permission.
Drawing Conclusions
“It is the brain, the little gray cells on which one must rely!”
~ Hercule Poirot
What an attack might look like
① An inbound attack from the Internet compromises a business PC (L4) using a common exploit.
② The attacker penetrates the L3.5 firewall to gain access to the DMZ.
③ That PC then attempts to identify and pivot to L3 systems using known SCADA exploits.
④ A compromised L3 server then tunnels a command shell back through the business PC … all the way back to a malicious offshore server.
⑤ The L3 server is then used to alter the control environment, flip bits, write new code, etc.
What an attack might look like
Same Attack. Same Data. Different Lens.
① A business PC was unpatched or somehow exploited … we can assume that L4 is “contested ground”.
② Weak firewall policies allow the attacker to penetrate the L3.5 firewall and gain access to the DMZ.
③ The compromise of L3.5 increases the risk to any connected systems at L3 and below. An L3 system that is also vulnerable allows the attacker to detect that vulnerability and exploit the system. This adds additional risk.
④ Exfiltration of data from L3 further increases the risk to everything from L1 to L3.
⑤ Anomalous behavior, at this point, should be taken very seriously due to the increased risk exposure of the total system.
What it really looks like
An IPS Event Log indicating Metasploit PexCall:
0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,16009005201,6,0,0,2,"05/11/2011 12:24:35.000","05/11/2011 12:24:35.000",543636,"09/06/2011 17:00:58.000",841296,5,0,25,0,0,1423146292302823429,1423146279415840768,"-","-","-","-","-","-","-"
We Need Tools to Translate
“Any fool can know. The point is to understand.”
~ Albert Einstein
Perspective: Looking Through Lenses
Is there a Risk to Operations?
Is there a Risk to the Business?
Is there a Larger Threat or Campaign?
Is there more to be found?
Intelligence = Data + Context + Perspective
Single Data Point
Industrial Analytics
Enterprise Analytics
Compliance Analytics
Business Analytics
Problems with Commercial InfoSec Tools
• Requires knowledge of the latest threats (what is a pexcall?)
• Requires understanding of the network (who is 12.30.40.2?)
• Requires time to investigate, follow leads, examine events… (who has time?)
• Lacks the context of what this might mean to operations (what is the impact?)
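The two slides above pose the translation problem: the raw IPS line says “Metasploit PexCall”, but nothing about who the addresses are or which “what to look for” item it matches. As an added example (not code from the deck or from Honeywell), the following parser attaches Purdue-zone context to the event line shown on the slide. The column positions and the address-to-zone inventory are assumptions constructed for illustration, since the deck does not give the log schema.

```python
# Added example (not from the Honeywell deck): turning one raw IPS event line into a
# zone-aware statement of what happened. The column positions and the asset inventory
# are assumptions constructed for illustration; the deck does not give the log schema.
import csv
import io
import ipaddress

# Constructed inventory: which address ranges sit at which Purdue level.
ZONE_NETS = {
    "L4": ipaddress.ip_network("64.12.174.0/24"),    # business network
    "L3.5": ipaddress.ip_network("10.35.0.0/16"),    # DMZ
    "L3": ipaddress.ip_network("10.3.0.0/16"),       # site operations
}


def zone_of(ip: str) -> str:
    """Answer 'who is this address?': its zone, or 'Internet' if not inventoried."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONE_NETS.items() if addr in net), "Internet")


def parse_ips_event(line: str) -> dict:
    """Assumed layout: columns 5-8 are src IP, dst IP, src port, dst port; column 15
    is the event time. skipinitialspace tolerates the ', "...' spacing in the sample."""
    f = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    return {"src_ip": f[4], "dst_ip": f[5], "src_port": int(f[6]),
            "dst_port": int(f[7]), "time": f[14]}


def interpret(line: str, signature: str) -> dict:
    """Add zone context and the matching 'what to look for' item from the slides."""
    ev = parse_ips_event(line)
    src, dst = zone_of(ev["src_ip"]), zone_of(ev["dst_ip"])
    if src == "Internet" and dst == "L4":
        category = "inbound attack against L4"
    elif dst == "L3.5" and src != "L3.5":
        category = "unexpected traffic to the L3.5 DMZ"
    elif src == "L3" and dst in ("L4", "Internet"):
        category = "unexpected outbound connection from L3 (possible C2)"
    else:
        category = "other traffic, review against firewall policy"
    ev.update(src_zone=src, dst_zone=dst, signature=signature, category=category)
    ev["summary"] = (f"{ev['time']}: {signature} from {ev['src_ip']} ({src}) to "
                     f"{ev['dst_ip']} ({dst}) port {ev['dst_port']} -> {category}")
    return ev


# The event line shown on the slide, used here as sample input.
SAMPLE = ('0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,16009005201,'
          '6,0,0,2,"05/11/2011 12:24:35.000","05/11/2011 12:24:35.000",543636,'
          '"09/06/2011 17:00:58.000",841296,5,0,25,0,0,1423146292302823429,'
          '1423146279415840768,"-","-","-","-","-","-","-"')

if __name__ == "__main__":
    print(interpret(SAMPLE, "Metasploit PexCall")["summary"])
```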
Intelligence = Data + Context + Perspective
Enterprise Analytics = Many complex steps
Intelligence = Data + Context + Perspective
Industrial Analytics… Something easier please?
Enterprise Analytics = Many complex steps
Let’s look at security in the context of Risk
① Let's look at the same data…
② Think of it in terms of Risk (a function of Vulnerability, Threat and Consequence)…
③ And make it easy to see without being a detective.
Drawing Conclusions
“Just one more thing…”
~ Columbo
Risk Manager preview is available in the Integrated Safety and Security area of the Knowledge Center.
Please consider taking a short survey to help us make Risk Manager better.
Thank You
Eric D Knapp
e: [email protected]
t: @ericdknapp