Why does the Ukrainian power outage news still get so much attention?

Walter Sikora

22 February, 2016

LOCKHEED MARTIN, LOCKHEED, CYBER KILL CHAIN, INTELLIGENCE DRIVEN DEFENSE and star logo trademarks used throughout are registered trademarks in the U.S. Patent and Trademark Office owned by Lockheed Martin Corporation.


In this presentation we will cover

• Why does the Ukrainian power outage news still get so much attention?
  – Top 10 reasons why I think it still does

• The importance of sharing factual information
  – News you can use
  – Cyber Kill Chain
  – Defense in Depth

• The solutions and suggestions to be considered now
  – End point protection – the 80/20 rule
  – Intelligence Driven Defense
  – Being able to create your own threat indicators

SANS ICS – CYBER SECURITY SUMMIT 2016 ORLANDO FL

UKRAINE POWER OUTAGE

Top 10 reasons why stories like Ukraine power outage still get so much attention…

10. It drives traffic to blog sites and news sites so they can increase their advertising revenue.

9. Security solution vendors need opportunities to sell/tell you why their product would/could have stopped/prevented/detected it.

8. ICS security industry needs more validation: “See, I told you this could happen”.

7. ICS “wanna be experts” all want to weigh in to tell us how and why it happened and then speculate on who made it happen.

6. SOC analysts did not have enough to do, so they love getting “higher ups” asking them if this incident could be affecting them.

5. So Joe Weiss doesn’t have to use Maroochy, Stuxnet or human errors as a cyber example any more.

4. DHS, NCCIC, ICS-CERT, ICS-ISAC, ES-ISAC, NERC… all need reasons and justification for why they should be funded.

3. ICS cyber security information and disclosure is still not openly shared and discussed between public, private, owners, operators and vendors.

2. There is a deep thirst for information and knowledge on threat indicators for compromise.

1. So FireEye can justify to their shareholders why they spent $200 M to acquire iSight.

• Hackers shut down Ukraine power grid
• The power grid’s greatest enemy has four legs and bushy tail
• Ukraine Sees Russian Hand in Cyber Attacks on Power Grid inside
• “KillDisk” & BlackEnergy were not the culprits
• US helping Ukraine investigate power grid hack
• It finally happened. The power grid went down, affecting 100,000
• Ukraine Power Outage Maybe the First One Caused by Hackers
• U.S. official blames Russia for power grid attack in Ukraine

fredzone.wordpress.com

Reality is this news will always make the news

• So forget about the news and stop relying on the news

• As security practitioners – we need to learn to focus on understanding how to mature our security programs and people

• We all know how vulnerable and how easy it is to compromise an ICS – so focus on mitigations

• Use the news to help your cause
  – These events are educational opportunities – use them

Ken Catalino/Creators Syndicate

So why does the Ukrainian electric power attack matter?

✓ It may be the first real cyber attack contributing to a production power outage.

✓ It clearly demonstrates the community need for OT event data and intelligence.

✓ It reinforces why IT and OT security are not mutually exclusive.

Learning Opportunity

• REFINE YOUR PROCESS
• TUNE YOUR TOOLS
• GET YOUR PEOPLE SKILLED
• AND DO NOT FORGET TO ASK FOR MORE RESOURCES

© 2015 Lockheed Martin Corporation. All rights reserved.

Cyber Kill Chain® Analysis Example for BE3 / Ukraine

1. RECONNAISSANCE: Identify the targets

2. WEAPONIZATION: MS Office document weaponized with malicious VBA

3. DELIVERY: E-mail with malicious Office attachment

4. EXPLOITATION: Socially engineer users to enable macros

5. INSTALLATION: Executes BE dropper; creates LNK file in startup

6. COMMAND & CONTROL: Connects to C2 IP (5.149.254.114)

7. ACTIONS ON OBJECTIVES: Achieve the goal

Cyber Kill Chain® solutions Cyber Threat Model © 2011 Lockheed Martin Corporation. All rights reserved.

Mitigations – Who, What, When, Where, Why & How

Holistic Defense is Made Possible Through Accurate and Timely Mitigations

Matrix columns: Cyber Kill Chain® | Detect | Deny | Disrupt | Degrade | Deceive

Matrix rows: Reconnaissance | Weaponize | Delivery | Exploit | Installation | Command & Control | Actions on Objectives

Matrix cells:

• OPSEC
• Malware Scanner, IDS
• User Awareness
• AV
• Host IDS, AV
• Web Blocking
• SIEM, Aggregated Logs
• Firewall ACL’s
• IPS Systems
• Email, AV, Proxy Services
• AV, HIDS & GPO Rules, Patching
• Limited User Privileges
• DNS Blocking, IP, Proxy
• Application Whitelisting
• Firewall
• Restricted User Access
• Host IPS
• Network IDS, FPC
• Active Email Detections
• DNS Sinkhole
• Web App Scanning
• Custom AV Rules

It is 2016 and we still have no “silver bullet”…

Defense-In-Depth

https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf

a. Incidents mitigated by more than one strategy are listed under the strategy ICS-CERT judged as more effective.

End point protection is ok for “broad based” known threats

https://blog.knowbe4.com/bid/355390/The-Antivirus-Industry-s-Dirty-Little-Secret

Not so good for detecting and preventing APT

Threat Information - Pyramid of Pain

David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Cyber security Maturity


Defense in Depth – use the tools investment


Don’t be a follower - be a leader!

• You need to augment commercial IOC with your own dynamic analysis and correlation of the data collected from all your “sensors” within the organization

• Think of your “sensors” as a maze. Adversaries will likely make a mistake somewhere and that’s your best opportunity to stop them

• Work on instrumenting sensors and aggregating all data

• Leverage “big data” pattern / correlation tools, automation

• Invest in your security analysts and processes – adversaries are humans too
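One way to act on the sensor-correlation advice above, using the indicators from the BE3 kill chain slide (an added example, not code from the presentation or from Lockheed Martin). The events, host names and field names are constructed, and the parent-process check used for the exploitation stage is an assumption about what an endpoint sensor would report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered subset of the kill chain that the sensors below can observe.
STAGES = ["DELIVERY", "EXPLOITATION", "INSTALLATION", "COMMAND & CONTROL"]
C2_IPS = {"5.149.254.114"}            # C2 address named on the kill chain slide
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm")
OFFICE_PROCS = {"winword.exe", "excel.exe"}

# Constructed, already-normalised events (field names are assumptions).
EVENTS = [
    {"time": "2016-02-01T09:02:00", "host": "WS-ENG-01", "sensor": "mail",
     "attachment": "schedule.xls", "has_macro": True},
    {"time": "2016-02-01T09:05:00", "host": "WS-ENG-01", "sensor": "endpoint",
     "action": "process_start", "parent": "EXCEL.EXE"},
    {"time": "2016-02-01T09:05:30", "host": "WS-ENG-01", "sensor": "endpoint",
     "action": "file_create",
     "path": r"C:\Users\eng1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"},
    {"time": "2016-02-01T09:06:00", "host": "WS-ENG-01", "sensor": "proxy",
     "dst_ip": "5.149.254.114"},
    {"time": "2016-02-01T09:03:00", "host": "WS-HR-07", "sensor": "mail",
     "attachment": "schedule.xls", "has_macro": True},
    {"time": "2016-02-01T10:00:00", "host": "WS-OPS-03", "sensor": "endpoint",
     "action": "file_create", "path": r"C:\Users\ops3\Desktop\notes.lnk"},
    {"time": "2016-02-01T10:01:00", "host": "WS-OPS-03", "sensor": "proxy",
     "dst_ip": "192.0.2.10"},
    {"time": "2016-02-01T11:00:00", "host": "HMI-02", "sensor": "proxy",
     "dst_ip": "5.149.254.114"},
]


def classify(ev):
    """Return the kill chain stage an event is evidence for, or None."""
    sensor = ev["sensor"]
    if sensor == "mail":
        if ev["attachment"].lower().endswith(OFFICE_EXT) and ev["has_macro"]:
            return "DELIVERY"
    elif sensor == "endpoint":
        # Assumption: a process started by an Office application marks macro execution.
        if ev["action"] == "process_start" and ev["parent"].lower() in OFFICE_PROCS:
            return "EXPLOITATION"
        if ev["action"] == "file_create":
            path = ev["path"].lower()
            if path.endswith(".lnk") and "\\startup\\" in path:
                return "INSTALLATION"
    elif sensor == "proxy" and ev["dst_ip"] in C2_IPS:
        return "COMMAND & CONTROL"
    return None


def correlate(events, window=timedelta(hours=24)):
    """Map each host to the stages it advanced through, in time order, within the window."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    report = {}
    for host, seq in hits.items():
        seq.sort()
        chain = []
        for ts, stage in seq:
            if ts - seq[0][0] > window:
                break
            # Keep only forward progress through the chain.
            if not chain or STAGES.index(stage) > STAGES.index(chain[-1]):
                chain.append(stage)
        report[host] = chain
    return report


def triage(report):
    """Order hosts by furthest stage reached, then by how many stages were seen."""
    return sorted(report, key=lambda h: (-STAGES.index(report[h][-1]), -len(report[h]), h))


if __name__ == "__main__":
    result = correlate(EVENTS)
    for host in triage(result):
        print(host, "->", " > ".join(result[host]))
```

In the constructed data, HMI-02 shows command and control traffic with no earlier stage recorded, which is the kind of gap that instrumenting more sensors is meant to close.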


Intelligence Driven Defense® Defined

At the core of cybersecurity maturity is intelligence – not just consuming intelligence – but understanding, collaborating, and generating your own intel.

5 COMPONENTS

SITUATIONAL AWARENESS
• System and network visibility
• Effective monitoring
• Threat profiling
• Enterprise defense methodology

CAPABILITY
• Integrated defense model
• Thought leadership
• Cyber Kill Chain® alignment
• Collaborative leadership

INTELLIGENCE
• Consumption and production
• Synthesis and fusion
• Correlation
• Collaboration

ACCOUNTABILITY
• Actionable metrics
• Measuring success
• Proactive remediation
• Ownership and transparency

EMPOWERMENT
• Executive support
• Code of ethics
• Security culture
• Authority to defend and protect

INTELLIGENCE DRIVEN DEFENSE READY

Intelligence Driven Defense® Lifecycle

• Derive new intelligence
• Implement mitigations based on intelligence
• Determine best course of action
• Isolate advanced threat activity from normal traffic
• Monitor cyber activity

A threat-focused security program requires ongoing commitment to Intelligence Driven Defense® principles.

It’s more than a lifecycle for defense, it’s a culture shift!

Develop a Knowledgebase of Vulnerabilities and Mitigations


Track all activity across your enterprise – tools you can use


Track Campaigns and Mitigation Success Rate


Deploy a purpose built platform to collect security and configuration data from OT  

• Collect security and configuration data from OT assets with a single view, vendor agnostic platform.
• Tackle increasing security, compliance, and change management challenges despite resource constraints.
• Simple rapid deployment across ICS assets including PLC, RTU, IED, HMI, and many more devices.

Enable Visibility for OT

Diagram labels: OT Infrastructure; Applications; Automation Systems Manager (ASM)

Unified Defence across the Entire Enterprise

Your “higher up’s” IT/OT Convergence vision


Takeaway : Intelligence Driven Defense® matters for OT

✓ ICS is vulnerable and is being targeted

✓ IOC will be limited and hard to come by due to lack of information sharing

✓ Invest in transforming your people from “whack a moles” to data analysts

✓ Obtain Visibility

✓ Apply Intelligence

✓ Effect Change

Invest in technologies and proven processes to enable your people to accomplish their mission

Q & A

http://cyber.lockheedmartin.com

Twitter: @i_defender

Blog/ongoing discussion: http://cyber.lockheedmartin.com/blog

Thank you for attending

Walter Sikora

[email protected] +1.508.718.6700 Twitter: @nerccip

For more information visit:

www.lockheedmartin.com

@LockheedMartin


VBA Downloaders

https://nakedsecurity.sophos.com/2014/09/17/vba-injectors/

The innocuous spreadsheet


Cyber Intelligence Integration

Advanced Threat Monitoring

Suite of Capabilities
• Detection and alerts on covert malicious command & control channels
• Detection of advanced file exploits
• On-going, focused network visibility
• Custom exploit signatures
• Notification of adversarial tactics, techniques, and procedures observed at internet points of presence

APT Sensors integrate into existing corporate security environment to deliver wide visibility of IT assets and critical network infrastructure providing security at the Delivery, Exploitation, Installation, and Command and Control steps of the Cyber Kill Chain®.

Provides on-going, focused, APT detections by skilled Cyber Intelligence Analysts

Enhanced Cyber Services

Protected Entity CSP DHS GFI Provider

Sensitive & Classified Threat Indicators DHS Developed Indicators

Optional Statistical Information Sharing

• CSPs receive Government furnished threat indicators from DHS
  – DHS aggregates threat indicator data from across intel community

• CSPs are responsible for handling, using and maintaining all sensitive and classified information in accordance with defined security requirements

• CSP delivers services to validated critical infrastructure entities through commercial relationships

System located within SCIF and air gapped from classified networks

ATM & ECS Integration

Enhanced Security Services “Bolts On” to Existing ATM Service Capabilities

LM Advanced Threat Monitoring

Enhanced Cyber Services

Service Capability =

Intelligence Visibility Operations Tradecraft

Diagram labels:

• E-Mail Links
• E-Mail Body Scan
• E-Mail Attachments
• DNS Transactions
• HTTP Traffic Inspection
• SSL Traffic Inspection
• RDP Traffic Inspection
• FTP Traffic Inspection
• Covert C2 Channels
• LM Intelligence
• DHS Intelligence
• APT Attacker TTP’s
• Commercial SIC
• Analysis Infrastructure
• ECS Business Plan
• ECS Technology Plan
• Cyber Kill Chain®
• Intelligence Driven Defense®
• Mitigation Guidance

ATM has established infrastructure, supporting environments and multiple customer qualifications

Business/Technology Plans established with defined processes on data handling and customer alerting

DHS Intelligence bolsters established and industry recognized LM commercial Cyber Intelligence

LM ATM provides full visibility network security unlike any other ECS Commercial Service Provider

Analysis on Demand (AOD)

Analysis on Demand (AOD) is a unique service that enables clients to securely transmit threat related data to Lockheed Martin for analysis. Our world class Security Intelligence Center analysts provide a detailed report outlining their findings and recommendations for mitigation.

Providing Advanced Analytics for Advanced Threats

Analysis on Demand
• Analysis developed utilizing the Cyber Kill Chain® Framework
• Access to Lockheed Martin Analysts Subject Matter Expertise
• Additional Threat Insight and Enterprise Mitigation Guidance
• Extensive Portfolio of Analysis on Demand Services & Support

Diagram labels: Malicious E-mails; System Logs & Data; Malware Analysis; Attack Attribution; Detailed Analysis Report; Secure 2-Factor Portal; Client Data; Lockheed Martin Security Intelligence Center

DNS Blocking

Suite of Capabilities
• Identifies and stops DNS requests for APT ‘badness’
• Utilizes LM security intelligence to enhance visibility into APT activity
• Seamlessly integrates with existing infrastructure
• Operates without noticeable impact to end user

DNS Command and Control Blocking Managed Service provides security against theft of intellectual property by directing Domain Name System requests to secure Lockheed Martin DNS Servers providing security at the Command and Control step of the Cyber Kill Chain®.

Provides active blocking of command and control channels to prevent “hands on the keyboard” by adversaries

Palisade™

Suite of Capabilities
• Advanced Threat Detection
• Knowledge Management
• Data Centralization and Retention
• Advanced Network Visibility
• Cross Domain Correlation
• Workflow Enhancement

Palisade™ integrates into present security infrastructure to deliver enterprise wide visibility, awareness and alerting capability. Security operations analysts receive actionable security intelligence while your operation gains vital protection and remains resilient.

“We’ve worked with Lockheed Martin’s cyber security team to ensure the security of our Smart Grid roll out,” said Pablo Vegas, CIO, American Electric Power. “By sharing their knowledge in this area, they have helped us take our security to the next level.”

Palisade™ Options
• Palisade™ Standard
• Palisade™ Integrated
• Palisade™ Correlated

(C) Lockheed Martin Corporation 2013

Threat & Information Sharing

Technical Highlights
• Securely partitioned group structure
• Intuitive intelligence management
• Case and Campaign alignment to APT
• Indicator and Mitigation identification
• Threaded discussions and attachments
• Customizable secure notification system

Threat & Information Sharing provides a secure environment to share cyber intelligence. This technology is coupled with facilitated engagements where security experts host webinars and live training sessions. The focus of the Threat & Information Sharing service is centered on operational tactics and lessons learned.

Improves cyber security posture and increases tactical collaboration with trusted peer organizations.

The I Campaign™

Suite of Tools and Techniques
• Campaign Strategy
• Baseline/Campaign Effectiveness Testing
• Periodic Testing with Just-in-Time Training
• Interactive Games
• Cyber Spotlight Videos
• Webinars & Podcasts
• Development of The I Campaign™ portal
• Print and Digital Media
• Visibly-Identifiable External Email consulting
• Advocate Program

A security awareness campaign that baselines risky behavior, educates employees on individual responsibility, and measures improvements throughout.

Drove 35-50% reduction in risky behavior and a ten-fold increase in reporting. Directly responsible for averting an attack on 1200 employees.

LM Wisdom® Open Source (OS)

Capabilities
• Integrated web, news, and social media analytics platform
• Provides collection, processing, persistence, and analysis of high volume/velocity/variety of primarily textual data
• Leads to improved situational awareness and predictive analytics

Improves Analyst time by 10x over standard web search techniques

LM Wisdom® Insider Threat Identification (ITI)

• Lead generation showing individuals of most concern
• Evaluation of employee attributes, behaviors and actions based on:
  – Data fusion from large disparate enterprise systems
  – Counterintelligence analyst-defined models
• Drill-down for further investigation
• Discover new info through automated link analysis

Diagram labels: Advanced Algorithms; Analyst Defined Models; Big Data S/W Stack

• Network traffic logs
• Data access logs
• File download logs
• Ingress/Egress
• Etc.

• HR Records
• Travel Records
• Phone Records
• Compliance
• Etc.

Cyber Security Services

Cyber security experts that deliver unmatched expertise in implementing full lifecycle cyber security solutions for the most critical enterprise systems.

Technical Capabilities
• Over 3500 cyber professionals
• Recognized industry certifications
• LM Cyber University
• Cyber career path framework

Incident Response

Service Highlights
• Expert analysts
• LM Cyber Intelligence
• Cross Domain Correlation
• Malware analysis
• Mitigations for future prevention
• System Implementations

LM’s incident response support will assist in stabilizing the situation, analyze the provided data to characterize and reconstruct the incident, and provide recommendations for mitigation, remediation, and prevention.

Leverages LM’s Cyber Kill Chain® to recreate all steps of the attack in order to identify necessary countermeasures to be implemented to prevent future attacks

EXCITE® Training

Experiential Cyber Immersion Training and Exercises (EXCITE®) accelerates the competency level of cyber intelligence analysts by offering courses that provide personnel with an understanding of security intelligence concepts, mindset, tools, and technologies.

Technical Capabilities
• Exercises based on real-world threats to build familiarity with attacks and mitigations
• Technology and company process agnostic concepts such as Cyber Kill Chain®, defensible architectures, incident response, and forensics analysis
• Collaborative teamwork within a challenging and fast-paced environment

Accelerates the development of cyber intelligence analysts with industry-leading concepts and practices