Why does the Ukrainian power outage news still get so much attention?
Walter Sikora 22 February, 2016
LOCKHEED MARTIN, LOCKHEED, CYBER KILL CHAIN, INTELLIGENCE DRIVEN DEFENSE and star logo trademarks used throughout are registered trademarks in the U.S. Patent and Trademark Office owned by Lockheed Martin Corporation.
In this presentation we will cover
• Why does the Ukrainian power outage news still get so much attention?
  – Top 10 reasons why I think it still does
• The importance of sharing factual information
  – News you can use
  – Cyber Kill Chain
  – Defense in Depth
• The solutions and suggestions to be considered now
  – End point protection – the 80/20 rule
  – Intelligence Driven Defense
  – Being able to create your own threat indicators
SAN ICS– CYBER SECURITY SUMMIT 2016 ORLANDO FL
UKRAINE POWER OUTAGE
Top 10 reasons why stories like the Ukraine power outage still get so much attention…
10. It drives traffic to blog sites and news sites so they can increase their advertising revenue.
9. Security solution vendors need opportunities to sell, to tell you why their product would/could have stopped/prevented/detected it.
8. The ICS security industry needs more validation: “see, I told you this could happen”.
7. ICS “wanna be experts” all want to weigh in to tell us how and why it happened and then speculate on who made it happen.
6. SOC analysts did not have enough to do, so they love getting “higher ups” asking them whether this incident could be affecting them.
Top 10 reasons why stories like Ukraine power outage still get so much attention…
5. So Joe Weiss doesn’t have to use Maroochy, Stuxnet or human errors as a cyber example any more.
4. DHS, NCCIC, ICS-CERT, ICS-ISAC, ES-ISAC, NERC… all need reasons and justification for why they should be funded.
3. ICS cyber security information and disclosure is still not openly shared and discussed between public, private, owners, operators and vendors.
2. There is a deep thirst for information and knowledge on threat indicators of compromise.
1. So FireEye can justify to their shareholders why they spent $200 M to acquire iSight.
Headlines (collage of news coverage):
• Hackers shut down Ukraine power grid
• The power grid’s greatest enemy has four legs and bushy tail
• Ukraine Sees Russian Hand in Cyber Attacks on Power Grid
• “KillDisk” & BlackEnergy were not the culprits
• US helping Ukraine investigate power grid hack
• It finally happened. The power grid went down, affecting 100,000
• Ukraine Power Outage Maybe the First One Caused by Hackers
• U.S. official blames Russia for power grid attack in Ukraine
fredzone.wordpress.com
Reality is this news will always make the news
• So forget about the news and stop relying on the news
• As security practitioners, we need to learn to focus on understanding how to mature our security programs and people
• We all know how vulnerable and how easy it is to compromise an ICS, so focus on mitigations
• Use the news to help your cause
These events are educational opportunities – use them
Ken Catalino/Creators Syndicate
So why does the Ukrainian electric power attack matter?
• REFINE YOUR PROCESS
• TUNE YOUR TOOLS
• GET YOUR PEOPLE SKILLED
© 2015 Lockheed Martin Corporation. All rights reserved.
✓ It may be the first real cyber attack contributing to a production power outage.
✓ It clearly demonstrates the community need for OT event data and intelligence.
✓ It reinforces why IT and OT security are not mutually exclusive.
Learning Opportunity
AND DO NOT FORGET TO ASK FOR MORE RESOURCES
Cyber Kill Chain® Analysis Example for BE3 / Ukraine
1. RECONNAISSANCE – Identify the targets
2. WEAPONIZATION – MS Office document weaponized with malicious VBA
3. DELIVERY – E-mail with malicious Office attachment
4. EXPLOITATION – Socially engineer users to enable macros
5. INSTALLATION – Executes BE dropper; creates LNK file in startup
6. COMMAND & CONTROL – Connects to C2 IP (5.149.254.114)
7. ACTIONS ON OBJECTIVES – Achieve the goal
Cyber Kill Chain® Cyber Threat Model © 2011 Lockheed Martin Corporation. All rights reserved.
Holistic Defense is Made Possible Through Accurate and Timely Mitigations
Cyber Kill Chain® course-of-action matrix (axes: Priority, Effectiveness)
Phases: Reconnaissance | Weaponize | Delivery | Exploit | Installation | Command & Control | Actions on Objectives
Courses of action: Detect | Deny | Disrupt | Degrade | Deceive
Controls placed in the matrix cells: OPSEC; Malware Scanner, IDS; User Awareness; AV; Host IDS, AV; Web Blocking; SIEM, Aggregated Logs; Firewall ACL’s; IPS Systems; Email, AV, Proxy Services; AV, HIDS & GPO Rules, Patching; Limited User Privileges; DNS Blocking, IP, Proxy; Application Whitelisting; Firewall; Restricted User Access; Host IPS; Network IDS, FPC; Active Email Detections; DNS Sinkhole; Web App Scanning; Custom AV Rules
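As an added example (not from the slides), the BE3 kill chain and the course-of-action matrix above turned into detection logic: it tags constructed sample log lines with the Kill Chain phase they evidence, using the indicators the slide lists (Office attachment, macros enabled, LNK in Startup, the C2 IP), and names the matrix controls that apply at each phase observed. The key=value log format, host names and the phase-to-control mapping are my assumptions.

```python
import re
from collections import defaultdict
# Lockheed Martin's seven Kill Chain phases, in order, as on the slide.
PHASE_ORDER = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
               "Installation", "Command & Control", "Actions on Objectives"]
# One rule per phase, from the indicators the slide lists for the BE3/Ukraine
# chain. The key=value log format is constructed for this example.
PHASE_RULES = [
    ("Delivery", re.compile(r"\bMAIL\b.* attachment=\S+\.(xls|doc)[xm]?\b"),
     "inbound e-mail with Office attachment"),
    ("Exploitation", re.compile(r"\bOFFICE\b.* macro=enabled\b"), "user enabled macros"),
    ("Installation", re.compile(r"\bFILE\b.* created=.*\\Startup\\[^\\]+\.lnk\b", re.I),
     "LNK file created in Startup folder"),
    ("Command & Control", re.compile(r"\bNET\b.* dst=5\.149\.254\.114\b"),
     "outbound connection to the C2 IP named on the slide"),
]
# Controls from the slide's matrix that apply at each phase (my reading, an assumption).
CONTROLS = {
    "Delivery": "Email, AV, Proxy Services; User Awareness",
    "Exploitation": "AV, HIDS & GPO Rules, Patching",
    "Installation": "Application Whitelisting; Limited User Privileges; Host IPS",
    "Command & Control": "Firewall ACL's; DNS Blocking, IP, Proxy; DNS Sinkhole",
}

def analyze(lines):
    """Group matched (phase, description) pairs by the host= field of each line."""
    hits = defaultdict(list)
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        for phase, rx, what in PHASE_RULES:
            if host and rx.search(line):
                hits[host.group(1)].append((phase, what))
    return dict(hits)

def furthest_phase(events):
    """Index in PHASE_ORDER of the latest phase evidenced; -1 if nothing matched."""
    return max((PHASE_ORDER.index(p) for p, _ in events), default=-1)

def hosts_at_or_past(hits, phase):
    """Hosts whose chain has reached at least `phase`; use this to prioritise response."""
    idx = PHASE_ORDER.index(phase)
    return sorted(h for h, ev in hits.items() if furthest_phase(ev) >= idx)

def controls_for(events):
    """Matrix controls for every phase seen on a host, i.e. where the chain could be broken."""
    return [CONTROLS[p] for p, _ in events]

# Constructed sample logs: one host runs the full chain, one stops at Delivery.
SAMPLE_LOGS = [
    "2016-02-22T09:01:10 MAIL host=ws-hr-07 from=sender@example.net attachment=invoice.xls",
    "2016-02-22T09:03:42 OFFICE host=ws-hr-07 doc=invoice.xls macro=enabled",
    r"2016-02-22T09:03:45 FILE host=ws-hr-07 created=C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "2016-02-22T09:04:01 NET host=ws-hr-07 proto=tcp dst=5.149.254.114 dport=443",
    "2016-02-22T09:10:00 MAIL host=ws-eng-12 from=sender@example.net attachment=invoice.xls",
    "2016-02-22T09:12:30 OFFICE host=ws-eng-12 doc=invoice.xls macro=blocked",
]
```

Running `analyze(SAMPLE_LOGS)` shows ws-hr-07 progressing through Delivery, Exploitation, Installation and Command & Control while ws-eng-12 stops at Delivery, which is the kind of per-host chain view that lets you pick the earliest phase to mitigate.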
Mitigations – Who, What, When, Where, Why & How
It is 2016 and we still have no “silver bullet”…
https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf
a. Incidents mitigated by more than one strategy are listed under the strategy ICS-CERT judged as more effective.
Defense-In-Depth
End point protection is ok for “broad based” known threats
https://blog.knowbe4.com/bid/355390/The-Antivirus-Industry-s-Dirty-Little-Secret
Not so good for detecting and preventing APT
Threat Information - Pyramid of Pain
David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Cyber Security Maturity
Defense in Depth – use the tools investment
Don’t be a follower - be a leader!
• You need to augment commercial IOCs with your own dynamic analysis and correlation of the data collected from all your “sensors” within the organization
• Think of your “sensors” as a maze. Adversaries will likely make a mistake somewhere, and that’s your best opportunity to stop them
• Work on instrumenting sensors and aggregating all data
• Leverage “big data” pattern / correlation tools and automation
• Invest in your security analysts and processes; adversaries are humans too
Intelligence Driven Defense® Defined
At the core of cybersecurity maturity is intelligence – not just consuming intelligence – but understanding, collaborating, and generating your own intel.
5 COMPONENTS
• SITUATIONAL AWARENESS – System and network visibility; Effective monitoring; Threat profiling; Enterprise defense methodology
• CAPABILITY – Integrated defense model; Thought leadership; Cyber Kill Chain® alignment; Collaborative leadership
• INTELLIGENCE – Consumption and production; Synthesis and fusion; Correlation; Collaboration
• ACCOUNTABILITY – Actionable metrics; Measuring success; Proactive remediation; Ownership and transparency
• EMPOWERMENT – Executive support; Code of ethics; Security culture; Authority to defend and protect
INTELLIGENCE DRIVEN DEFENSE READY
Intelligence Driven Defense® Lifecycle: Monitor cyber activity → Isolate advanced threat activity from normal traffic → Determine best course of action → Implement mitigations based on intelligence → Derive new intelligence (which feeds back into monitoring)
A threat-focused security program requires ongoing commitment to Intelligence Driven Defense® principles.
It’s more than a lifecycle for defense, it’s a culture shift!
Develop a Knowledgebase of Vulnerabilities and Mitigations
Track all activity across your enterprise – tools you can use
Track Campaigns and Mitigation Success Rate
Deploy a purpose built platform to collect security and configuration data from OT
Collect security and configuration data from OT assets with a single view, vendor agnostic platform.
• OT Infrastructure – Tackle increasing security, compliance, and change management challenges despite resource constraints.
• Applications – Simple rapid deployment across ICS assets including PLC, RTU, IED, HMI, and many more devices.
• Enable Visibility for OT
Automation Systems Manager (ASM)
Unified Defence across the Entire Enterprise
Your “higher ups’” IT/OT convergence vision
Takeaway: Intelligence Driven Defense® matters for OT
✓ ICS is vulnerable and is being targeted
✓ IOCs will be limited and hard to come by due to lack of information sharing
✓ Invest in transforming your people from “whack-a-moles” to data analysts
✓ Obtain Visibility ✓ Apply Intelligence ✓ Effect Change
Invest in technologies and proven processes to enable your people to accomplish their mission
Q & A
http://cyber.lockheedmartin.com Twitter: @i_defender
Blog/ongoing discussion: http://cyber.lockheedmartin.com/blog
Thank you for attending. Walter Sikora
[email protected] +1.508.718.6700 Twitter: @nerccip
For more information visit:
www.lockheedmartin.com
@LockheedMartin
VBA Downloaders
https://nakedsecurity.sophos.com/2014/09/17/vba-injectors/
The innocuous spreadsheet
Cyber Intelligence Integration
Advanced Threat Monitoring
Suite of Capabilities
• Detection and alerts on covert malicious command & control channels
• Detection of advanced file exploits
• On-going, focused network visibility
• Custom exploit signatures
• Notification of adversarial tactics, techniques, and procedures observed at internet points of presence
APT Sensors integrate into the existing corporate security environment to deliver wide visibility of IT assets and critical network infrastructure, providing security at the Delivery, Exploitation, Installation, and Command and Control steps of the Cyber Kill Chain®.
Provides on-going, focused APT detections by skilled Cyber Intelligence Analysts
Enhanced Cyber Services
Diagram labels: Protected Entity; CSP; DHS GFI Provider; Sensitive & Classified Threat Indicators; DHS Developed Indicators; Optional Statistical Information Sharing
• CSPs receive Government furnished threat indicators from DHS – DHS aggregates threat indicator data from across the intel community
• CSPs are responsible for handling, using and maintaining all sensitive and classified information in accordance with defined security requirements
• CSP delivers services to validated critical infrastructure entities through commercial relationships
System located within a SCIF and air gapped from classified networks
ATM & ECS Integration (Noon to 2pm)
Enhanced Security Services “Bolts On” to Existing ATM Service Capabilities
LM Advanced Threat Monitoring; Intelligence; Enhanced Cyber Services
Visibility, Operations, Tradecraft
Integration diagram (labels only): Visibility – E-Mail Links, E-Mail Body Scan, E-Mail Attachments, DNS Transactions, HTTP Traffic Inspection, SSL Traffic Inspection, RDP Traffic Inspection, FTP Traffic Inspection, Covert C2 Channels; Intelligence – LM Intelligence, DHS Intelligence, APT Attacker TTP’s; Operations – Commercial SIC Analysis Infrastructure, ECS Business Plan, ECS Technology Plan; Tradecraft – Cyber Kill Chain®, Intelligence Driven Defense®, Mitigation Guidance
• ATM has established infrastructure, supporting environments and multiple customer qualifications
• Business/Technology Plans established with defined processes on data handling and customer alerting
• DHS Intelligence bolsters established and industry recognized LM commercial Cyber Intelligence
• LM ATM provides full visibility network security unlike any other ECS Commercial Service Provider
Service Capability =
Analysis on Demand (AOD)
Analysis on Demand (AOD) is a unique service that enables clients to securely transmit threat related data to Lockheed Martin for analysis. Our world class Security Intelligence Center analysts provide a detailed report outlining their findings and recommendations for mitigation.
Providing Advanced Analytics for Advanced Threats
Analysis on Demand
• Analysis developed utilizing the Cyber Kill Chain® Framework
• Access to Lockheed Martin Analysts’ Subject Matter Expertise
• Additional Threat Insight and Enterprise Mitigation Guidance
• Extensive Portfolio of Analysis on Demand Services & Support
Diagram labels: Client Data (Malicious E-mails; System Logs & Data) → Secure 2-Factor Portal → Lockheed Martin Security Intelligence Center (Malware Analysis; Attack Attribution) → Detailed Analysis Report
DNS Blocking
Suite of Capabilities
• Identifies and stops DNS requests for APT ‘badness’
• Utilizes LM security intelligence to enhance visibility into APT activity
• Seamlessly integrates with existing infrastructure
• Operates without noticeable impact to end users
The DNS Command and Control Blocking Managed Service provides security against theft of intellectual property by directing Domain Name System requests to secure Lockheed Martin DNS servers, providing security at the Command and Control step of the Cyber Kill Chain®.
Provides active blocking of command and control channels to prevent “hands on the keyboard” by adversaries
Palisade™
Suite of Capabilities • Advanced Threat Detection • Knowledge Management • Data Centralization and Retention • Advanced Network Visibility • Cross Domain Correlation • Workflow Enhancement
Palisade™ integrates into present security infrastructure to deliver enterprise wide visibility, awareness and alerting capability. Security operations analysts receive actionable security intelligence while your operation gains vital protection and remains resilient.
“We’ve worked with Lockheed Martin’s cyber security team to ensure the security of our Smart Grid roll out,” said Pablo Vegas, CIO, American Electric Power. “By sharing their knowledge in this area, they have helped us take our security to the next level.”
Palisade™ Options • Palisade™ Standard • Palisade™ Integrated • Palisade™ Correlated
(C) Lockheed Martin Corporation 2013
Threat & Information Sharing
Technical Highlights • Securely partitioned group structure • Intuitive intelligence management • Case and Campaign alignment to APT • Indicator and Mitigation identification • Threaded discussions and attachments • Customizable secure notification system
Threat & Information Sharing provides a secure environment to share cyber intelligence. This technology is coupled with facilitated engagements where security experts host webinars and live training sessions. The focus of the Threat & Information Sharing service is centered on operational tactics and lessons learned.
Improves cyber security posture and increases tactical collaboration with trusted peer organizations.
The I Campaign™
Suite of Tools and Techniques • Campaign Strategy • Baseline/Campaign Effectiveness Testing • Periodic Testing with Just-in-Time Training • Interactive Games • Cyber Spotlight Videos • Webinars & Podcasts • Development of The I Campaign™ portal • Print and Digital Media • Visibly-Identifiable External Email consulting • Advocate Program
A security awareness campaign that baselines risky behavior, educates employees on individual responsibility, and measures improvements throughout.
Drove 35-50% reduction in risky behavior and a ten-fold increase in reporting. Directly responsible for averting an attack on 1200 employees.
LM Wisdom® Open Source (OS)
Capabilities • Integrated web, news, and social media analytics platform • Provides collection, processing, persistence, and analysis of high volume/velocity/variety of primarily textual data • Leads to improved situational awareness and predictive analytics
Improves Analyst time by 10x over standard web search techniques
LM Wisdom® Insider Threat Identification (ITI)
• Lead generation showing individuals of most concern
• Evaluation of employee attributes, behaviors and actions based on:
  – Data fusion from large disparate enterprise systems
  – Counterintelligence analyst-defined models
• Drill-down for further investigation
• Discover new info through automated link analysis
Diagram labels: Advanced Algorithms; Analyst Defined Models; Big Data S/W Stack
Inputs: • Network traffic logs • Data access logs • File download logs • Ingress/Egress • Etc.
Inputs: • HR Records • Travel Records • Phone Records • Compliance • Etc.
Cyber Security Services
Cyber security experts that deliver unmatched expertise in implementing full lifecycle cyber security solutions for the most critical enterprise systems.
Technical Capabilities • Over 3500 cyber professionals • Recognized industry certifications • LM Cyber University • Cyber career path framework
Incident Response
Service Highlights • Expert analysts • LM Cyber Intelligence • Cross Domain Correlation • Malware analysis • Mitigations for future prevention • System Implementations
LM’s incident response support will assist in stabilizing the situation, analyze the provided data to characterize and reconstruct the incident, and provide recommendations for mitigation, remediation, and prevention.
Leverages LM’s Cyber Kill Chain® to recreate all steps of the attack in order to identify necessary countermeasures to be implemented to prevent future attacks
EXCITE® Training
Experiential Cyber Immersion Training and Exercises (EXCITE®) accelerates the competency level of cyber intelligence analysts by offering courses that provide personnel with an understanding of security intelligence concepts, mindset, tools, and technologies.
Technical Capabilities
• Exercises based on real-world threats to build familiarity with attacks and mitigations
• Technology and company process agnostic concepts such as Cyber Kill Chain®, defensible architectures, incident response, and forensics analysis
• Collaborative teamwork within a challenging and fast-paced environment
Accelerates the development of cyber intelligence analysts with industry-leading concepts and practices