Emulating Adversary Tactics Safely in Industrial Networks
Robert M. Lee, Twitter: @RobertMLee
Email: [email protected], Web: www.dragos.com
How Not to be an Asshole in ICS
Agenda
• Intel and Red Teaming (Indicators Aren't Intel)
• Dymalloy, Electrum, Covellite:
  • Industrial Threat Background (What You'll Emulate)
  • Doing it Wrong (Asshole Moves)
  • Achieving Success (How Not to be an Asshole)
@_LittleBobby_ (www.LittleBobbyComic.com)
Intelligence and Red Teaming
The Making of an Activity Group
Intrusion analysis at each victim organization yields intrusions; related intrusions are grouped into intrusion sets, intrusion sets into campaigns (Campaign 1, Campaign 2, Campaign 3, each built from the intrusion analysis of multiple victim organizations), and related campaigns into an activity group.
The Diamond Model
The four vertices of the diamond: Adversary, Capability/TTPs, Infrastructure, Victim.
Ref: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
DYMALLOY
Victims:
• North American electric operators
• Turkish energy providers
• Western Europe electric operators
Multi-State Adversary Interests
Capabilities:
• Malicious docs w/ credential harvesting via external SMB connections
• RATs from publicly available toolkits
• Custom-developed information theft toolkits built on public tools
• One non-public toolkit
Infrastructure:
• Compromised ISP IPs
• Compromised business connections for initial infection and subsequent implants
Links: Dragonfly 2.0 (not Dragonfly 1.0)
Industrial Threat Background
Doing it Wrong
• Electric Utility Story:
  • Scanning non-common ports
  • SMB lateral movement
  • Aggressive scanning
Achieving Success
• Leverage known RATs
• Hardcoded IPs pulling down PNGs
• Exfiltration of HMI info via DNS
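The "exfiltration of HMI info via DNS" item above is the kind of emulated behaviour the blue team should be able to find with threat behavioral analytics rather than indicators. The following is an added example, not code from this talk or from Dragos: it scores Zeek-style dns.log lines per queried domain by the number of distinct subdomain labels, their length and their Shannon entropy, which is what chunked, encoded screenshot data looks like on the wire. The log layout, the "registered domain = last two labels" shortcut, the thresholds and the log lines themselves are assumptions constructed for the demo.

```python
"""Flag DNS queries that look like encoded data leaving the network.

Added example (not from the talk or Dragos). Assumptions: Zeek-style dns.log
columns ts, id.orig_h, id.resp_h, query; registered domain is the last two
labels; thresholds below. Sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed sample: 10.20.30.7 sends six distinct 32-hex-character labels to
# one domain; the other hosts make ordinary lookups.
SAMPLE_DNS_LOG = """\
1510000000.100\t10.20.30.5\t10.20.30.1\twww.example-utility.com
1510000001.200\t10.20.30.5\t10.20.30.1\tupdate.microsoft.com
1510000002.300\t10.20.30.7\t10.20.30.1\t0123456789abcdeffedcba9876543210.c2-host.example
1510000003.400\t10.20.30.7\t10.20.30.1\ta1b2c3d4e5f60789f9e8d7c6b5a43210.c2-host.example
1510000004.500\t10.20.30.9\t10.20.30.1\tmail.example-utility.com
1510000005.600\t10.20.30.7\t10.20.30.1\tf0e1d2c3b4a5968778695a4b3c2d1e0f.c2-host.example
1510000006.700\t10.20.30.7\t10.20.30.1\t13579bdf02468aceeca86420fdb97531.c2-host.example
1510000007.800\t10.20.30.5\t10.20.30.1\ttime.windows.com
1510000008.900\t10.20.30.7\t10.20.30.1\t0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-host.example
1510000009.000\t10.20.30.7\t10.20.30.1\tfedcba98765432100123456789abcdef.c2-host.example
1510000010.100\t10.20.30.5\t10.20.30.1\twww.example-utility.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score near 4+."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Return (ts, orig_h, resp_h, query) tuples; skips comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, query = line.split("\t")
        records.append((float(ts), orig, resp, query.lower().rstrip(".")))
    return records


def registered_domain(fqdn):
    # Assumption: last two labels. Use a public-suffix list in production.
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def find_dns_exfil(records, min_unique=5, min_entropy=3.0, min_label_len=20):
    """Domains receiving many long, high-entropy, never-repeated subdomains."""
    per_domain = defaultdict(lambda: {"subs": set(), "hosts": set()})
    for _ts, orig, _resp, query in records:
        dom = registered_domain(query)
        sub = query[: -len(dom) - 1] if query != dom else ""
        if sub:
            per_domain[dom]["subs"].add(sub)
            per_domain[dom]["hosts"].add(orig)
    findings = []
    for dom, info in per_domain.items():
        subs = info["subs"]
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({
                "domain": dom,
                "unique_subdomains": len(subs),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "sources": sorted(info["hosts"]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_dns_exfil(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

Run against the constructed sample it reports only c2-host.example, sourced from 10.20.30.7. The thresholds are deliberately conservative: CDN and anti-virus update domains also use long labels, so in a real deployment baseline them first (the "Environment" side of the detection grid) before alerting on the "Threat" side.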
Success: Leveraging the Right Detection
The four detection types, split by what they key on:
• Environment: Modeling; Configuration Analysis
• Threat: Threat Behavioral Analytics; Indicators
COVELLITE
Victims:
• Electric utility companies in the United States
North Korean State Interests
Capabilities:
• Sophisticated implant with secure communication channels
• Similar features to malware used against South Korean targets
• Specific session key used for payload and second encrypted layer
• 41 minute and 30 second sleep
Infrastructure:
• Legitimate infrastructure
• University IPs for C2
Links: Unknown
Industrial Threat Background
Doing it Wrong
• Gas Pipeline Story:
  • Not getting authorization for each new system
  • Gaining access and not emulating the threat
  • Thinking you understand the engineering
Achieving Success
• Properly themed phishing email• Encoded Payload in .Doc
• Access IT systems and pivot to OT• Leverage self-registered C2 servers themed to
universities• Leverage implant with anti-forensic features and
41 minute sleep• In OT environment (with approval and
Operations oversight) exfiltrate HMI screenshots
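A fixed sleep such as Covellite's 41 minutes is a behaviour, not an indicator: the blue team should catch it as periodic beaconing regardless of which university-themed C2 host the emulation uses. The following is an added example, not code from this talk or from Dragos: it groups flow records by (source, destination, port), takes the median inter-connection gap as the candidate period and flags pairs whose gaps stay within a small jitter of it. The flow tuple layout, the jitter threshold and the records themselves are assumptions constructed for the demo.

```python
"""Find fixed-interval callbacks (beaconing) in flow records.

Added example (not from the talk or Dragos). Assumptions: flows are
(epoch seconds, src, dst, dst port, bytes) tuples; a pair is a beacon when
at least min_events connections have gaps within max_jitter of the median
gap. Records are constructed.
"""
import statistics
from collections import defaultdict
from datetime import timedelta

# Constructed flows: 10.20.30.7 calls 203.0.113.10 roughly every 2490 s
# (41m30s) with a few seconds of jitter; 10.20.30.5 browses a web host at
# irregular, user-driven intervals.
_BASE = 1_510_000_000
SAMPLE_FLOWS = [
    (_BASE + 0,     "10.20.30.7", "203.0.113.10", 443, 1200),
    (_BASE + 2495,  "10.20.30.7", "203.0.113.10", 443, 1180),
    (_BASE + 4978,  "10.20.30.7", "203.0.113.10", 443, 1210),
    (_BASE + 7472,  "10.20.30.7", "203.0.113.10", 443, 1195),
    (_BASE + 9965,  "10.20.30.7", "203.0.113.10", 443, 1205),
    (_BASE + 12450, "10.20.30.7", "203.0.113.10", 443, 1190),
    (_BASE + 0,     "10.20.30.5", "93.184.216.34", 443, 5400),
    (_BASE + 37,    "10.20.30.5", "93.184.216.34", 443, 8800),
    (_BASE + 410,   "10.20.30.5", "93.184.216.34", 443, 760),
    (_BASE + 1199,  "10.20.30.5", "93.184.216.34", 443, 22000),
    (_BASE + 1201,  "10.20.30.5", "93.184.216.34", 443, 3100),
    (_BASE + 5000,  "10.20.30.5", "93.184.216.34", 443, 640),
    (_BASE + 5003,  "10.20.30.5", "93.184.216.34", 443, 9000),
]


def find_beacons(flows, min_events=5, max_jitter=0.10):
    """Return (src, dst, port) pairs whose connection gaps are near-constant."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _size in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        # Largest relative deviation from the median gap; a sleep timer with
        # no randomisation gives a value close to zero.
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            beacons.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "events": len(times),
                "period_s": period,
                "period_hms": str(timedelta(seconds=period)),
                "jitter": round(jitter, 3),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

On the constructed flows the only hit is 10.20.30.7 to 203.0.113.10 with a period of 0:41:33 and 0.4% jitter; the browsing traffic has a median gap of 205 s and a jitter well above 1, so it drops out. When the red team adds randomised sleep to the implant, raise max_jitter accordingly and expect the blue team to need more events before the analytic fires.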
Success: Test Their Collection Management Framework

Endpoint Protection System
• Data Type: System Alert
• Kill Chain Coverage: Exploitation & Installation
• Follow-on Collection: Malware sample
• Typical Storage: 30 days

Windows Systems
• Data Type: Host Based Logs
• Kill Chain Coverage: Exploitation, Installation, and Actions on Objectives
• Follow-on Collection: Files and timelines
• Typical Storage: 60 days

Network
• Data Type: Netflow
• Kill Chain Coverage: Internal Reconnaissance, Delivery, and C2
• Follow-on Collection: Packet Capture
• Typical Storage: 23 days

Firewall
• Data Type: System Alert
• Kill Chain Coverage: Internal Reconnaissance, Delivery, and C2
• Follow-on Collection: Netflow
• Typical Storage: 60 days
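Testing the collection management framework means asking, for each thing the red team did, which data source covered that kill-chain phase and whether it still holds data by the time the incident responders look. The following is an added example, not code from this talk or from Dragos: it encodes the four data sources, their coverage and their retention from the table above and runs a constructed emulation timeline through them. The timeline, the investigation day and the inclusion of external Reconnaissance (a kill-chain phase the table does not cover) are assumptions made for the demo.

```python
"""Work out what an emulated intrusion leaves behind in the target's CMF.

Added example (not from the talk or Dragos). The sources, coverage and
retention values are the table's; EMULATION, the investigation day and the
"Reconnaissance" phase used in the gap check are constructed assumptions.
"""

CMF = {
    "Endpoint Protection System": {
        "data_type": "System Alert",
        "covers": {"Exploitation", "Installation"},
        "follow_on": "Malware sample",
        "retention_days": 30,
    },
    "Windows Systems": {
        "data_type": "Host Based Logs",
        "covers": {"Exploitation", "Installation", "Actions on Objectives"},
        "follow_on": "Files and timelines",
        "retention_days": 60,
    },
    "Network": {
        "data_type": "Netflow",
        "covers": {"Internal Reconnaissance", "Delivery", "C2"},
        "follow_on": "Packet Capture",
        "retention_days": 23,
    },
    "Firewall": {
        "data_type": "System Alert",
        "covers": {"Internal Reconnaissance", "Delivery", "C2"},
        "follow_on": "Netflow",
        "retention_days": 60,
    },
}

# Constructed timeline (days since engagement start) modelled on the
# Covellite emulation: phish in, implant installed and beaconing, internal
# reconnaissance, then HMI screenshots from the OT environment.
EMULATION = [
    (0, "Delivery"),
    (0, "Exploitation"),
    (1, "Installation"),
    (1, "C2"),
    (20, "Internal Reconnaissance"),
    (35, "Actions on Objectives"),
]


def sources_for_phase(phase, cmf=CMF):
    """Data sources whose coverage includes this kill-chain phase."""
    return sorted(name for name, src in cmf.items() if phase in src["covers"])


def uncovered_phases(phases, cmf=CMF):
    """Phases no data source in the framework covers at all."""
    return [p for p in phases if not sources_for_phase(p, cmf)]


def evidence_remaining(activities, investigation_day, cmf=CMF):
    """For each (day, phase) activity, the sources that cover the phase and
    still hold data on the day the investigation starts."""
    report = []
    for day, phase in activities:
        age = investigation_day - day
        kept = [name for name in sources_for_phase(phase, cmf)
                if cmf[name]["retention_days"] >= age]
        report.append({"day": day, "phase": phase, "age_days": age, "sources": kept})
    return report


def aged_out(activities, investigation_day, cmf=CMF):
    """Follow-on collection that covered an activity but has already rolled
    off: (phase, source, follow-on data) tuples."""
    lost = []
    for day, phase in activities:
        age = investigation_day - day
        for name in sources_for_phase(phase, cmf):
            if cmf[name]["retention_days"] < age:
                lost.append((phase, name, cmf[name]["follow_on"]))
    return lost


if __name__ == "__main__":
    for row in evidence_remaining(EMULATION, 45):
        print(row)
    for item in aged_out(EMULATION, 45):
        print("rolled off:", item)
```

With the investigation starting on day 45, every network-side activity survives only in firewall alerts: the 23-day netflow window, and with it any packet capture, is gone for delivery, C2 and the day-20 internal reconnaissance, and the endpoint protection alerts (30 days) for exploitation and installation have rolled off as well. That list of aged-out follow-on data is the recommendation the red team should hand over, not a list of the IPs it used.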
ELECTRUM
Victims:
• Ukrainian utility companies (electric, water)
Russian State Interests
Capabilities:
• Long term access to ICS
• CRASHOVERRIDE
• ICS specific modules
• Operations knowledge
Infrastructure:
• Dual-use infrastructure such as TOR to host C2
• Internal proxies set up
Links: Development team for Sandworm
Industrial Threat Background
CRASHOVERRIDE
What Not To Do
• Energy Company:
  • Conducted the test 100% right
  • Recommendations 100% off
  • Over-hyped the importance of items such as CRASHOVERRIDE IOCs
Achieving Success
• Understand the detection type
• Understand the business unit goals
• Recommendations to a threat model
• Do not touch final control elements
Success: Tailoring Their Threat Model