EDITOR’S NOTE: This is the first in a series of condensed white papers from security provider Dragos that discusses issues focused on industrial control system (ICS) security. Click here to view the complete white paper.
By Ben Miller
This past year has shown industrial attacks are being commoditized through new malware with real-world impacts to reliability and safety.
The industrial control system (ICS) community needs to mature from a reactive to a proactive position with mature detection capabilities and established hunting programs.
The ICS threat landscape is largely unknown due to limitations in the collection and analysis of ICS-specific adversary activity. However, research throughout 2017 drastically increased the community’s understanding that industrial networks are being widely targeted.
Prior to 2017, only a few adversary campaigns had been known to specifically target ICS, and there were only three publicly known malware families with functionality tailored toward ICS: STUXNET, HAVEX, and BLACKENERGY 2. Of those malware families, only one had caused disruption in industrial networks. By the close of 2017, six adversary campaigns were well documented to target industrial networks, and two new families of malware had been identified, both causing disruption in ICS networks: CRASHOVERRIDE and TRISIS.
Hunting for new threats, while preparing to respond to them once discovered, is vital to industrial network security, especially given the lack of historical knowledge of ICS threats.
Top infection vectors discovered include:
• Interconnectivity with IT systems can provide adversaries access to the ICS environment. Many of these connections are not owned or managed by IT. Instead, third-party partners and vendors deploy and manage their own solutions for connecting to their devices.
• Trojanized software, including legitimate installers, travels via removable storage and legitimate network file transfers (SMB, FTP, HTTP, etc.), as well as downloads from websites.
• Facilities can be directly linked to each other allowing for self-propagating malware to quickly spread or an adversary to gain uncontested access across a fleet of facilities.
• Phishing continues to be one of the most common infection vectors into an enterprise network. From there, attackers have demonstrated the ability to move into the industrial environment, as highlighted by the 2015 Ukraine electric distribution attacks.
Visibility is Vital
Visibility is required to properly scope, prioritize, and validate security controls. Without proper visibility, it is more difficult to identify what needs protecting and what controls would return the best investment. The timeline to triage, scope, and respond to any incident is directly correlated to the visibility available during the time of analysis. Retention of this data may be driven by federal requirements depending on the type of networks monitored. Each organization should also identify its own requirements for network monitoring, data types gathered, and retention.
Gaining visibility in an industrial environment can be challenging. Teams often don’t know where to start and default to generating an asset inventory. It’s absolutely important to know what assets are in your environment (and how they behave), but that’s just the first step. What has proven successful is the generation of a Collection Management Framework (CMF).
The Collection Management Framework is essentially an analysis of what questions need answering and what data sources are available to answer them. These data sources range from internal sources (authentication logs) to vendor sources (advisories and notifications).
The minimum questions the CMF will answer are:
1. What blind spots exist in my environment that limit my situational awareness?
2. Do I have strong coverage to detect and respond to each phase of the ICS Cyber Kill Chain?
3. How far back into the past can I investigate?
The community mindset for securing ICS has historically focused on protection. Protection is not enough; attackers have demonstrated the ability to navigate past any particular set of static defenses into an industrial environment. Once that access is obtained, the attacker has uncontested freedom to launch an ICS attack of their choice. Defenders must assume that security controls can fail and that alerts may be overlooked. This dedication to active defense shifts the odds from the attacker to the defender. A strong defense requires an active understanding of both the environment and the threat.
That is why we created a methodology for implementing a hunting program. The effort can be staffed by dedicated full-time employees or run as a routine, project-based activity. Whatever local resources an organization has available, the following methodology should be followed to ensure hunting efforts are targeted and within scope.
Hunt is On
Hunting is proactively seeking threats in an environment while recognizing that defenses are fallible — simply waiting for an alert, alarm, or notification is not enough. It is inherently reliant on a human, adding a cognitive layer on top of the existing security controls and security automation.
The value of the hunt is in the journey and in communicating what are often seen as the intangibles of the hunt. While a hunt may have zero threat findings, it will nearly always discover misconfigurations, unexpected configurations, and gaps in knowledge. Each of these should be fed back into the overall security program to improve the security posture.
Secondly, the skillset used and developed in hunting is the same one used in intrusion analysis and forensics, which strengthens the staff’s ability to respond to and understand an attack when it matters. Finally, a goal of every hunt is to automate some or all of its aspects. Over time this automation grows to strengthen defenses and free staff to focus on other areas.
Generating a hypothesis is the cornerstone of threat hunting. Fundamentally, a hypothesis is a statement that can be tested. It applies structure and serves as ‘true north’ for the analyst, keeping the hunt focused on the key deliverable. It is also a straightforward way to communicate what the hunt is focused on, as a good hypothesis is immediately obvious. Hypotheses should generally follow the SMART principles: Specific, Measurable, Actionable, Realistic and Time-bounded.
A vague hypothesis such as “An APT is using zero days against my network” is theoretically provable but realistically not. A hypothesis such as “An adversary has remote access into the energy management system (EMS) network” is specific enough to be tested. Without proper structure and planning, the hunt may fail simply because the data needed to hunt adequately doesn’t exist. This is also demoralizing and can deter the willingness of the hunter or management to continue.
Hunting is often described as simply generating an objective hypothesis — “An adversary has access to an HMI and is exfiltrating screenshots.” Little else exists to guide an individual or team to a successful hunt. This lack of information and tools means only sophisticated teams of defenders can approach hunting.
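As an added example (not code from the white paper or from Dragos), the following Python sketch ties the two ideas above together: it models a Collection Management Framework as a table of data sources tagged with the ICS Cyber Kill Chain phases they illuminate, answers the three minimum CMF questions from that table, and then checks a SMART hypothesis against it before a hunt begins, which is the planning step whose absence leaves hunters without data. The data sources, segment names, retention periods and the abbreviated phase labels are all assumptions constructed for illustration.

```python
"""Collection Management Framework (CMF) and hunt-hypothesis planning.

Added example, not code from the white paper or from Dragos. The data
sources, segments, retention periods and the short kill-chain phase labels
are constructed for illustration (assumptions).
"""
from dataclasses import dataclass, field

# Coverage axis: a compressed labelling of the two stages of the ICS Cyber
# Kill Chain (stage 1 = enterprise intrusion, stage 2 = ICS attack). The
# abbreviated phase names are assumptions made for this example.
PHASES = [
    "s1_recon", "s1_delivery", "s1_exploit", "s1_install", "s1_c2", "s1_act",
    "s2_develop", "s2_validate", "s2_deliver", "s2_install_modify", "s2_execute",
]


@dataclass
class DataSource:
    name: str
    location: str        # segment or system the data comes from
    data_type: str       # e.g. "auth_log", "netflow", "vendor_advisory"
    retention_days: int  # how far back this source can be searched
    phases: set          # kill-chain phases this source gives visibility into


@dataclass
class CMF:
    sources: list = field(default_factory=list)

    def add(self, src: DataSource) -> None:
        self.sources.append(src)

    def coverage(self) -> dict:
        """Question 2: which sources cover each kill-chain phase."""
        return {p: [s.name for s in self.sources if p in s.phases] for p in PHASES}

    def blind_spots(self) -> list:
        """Question 1: phases no data source gives visibility into."""
        return [p for p, srcs in self.coverage().items() if not srcs]

    def lookback_days(self, phase: str) -> int:
        """Question 3: how far back a phase can be investigated (0 = not at all)."""
        return max((s.retention_days for s in self.sources if phase in s.phases), default=0)


@dataclass
class Hypothesis:
    statement: str
    required_data: set   # data types needed to test the statement
    segments: set        # segments those data types must come from
    lookback_days: int   # the hunt's time bound

    def check(self, cmf: CMF) -> list:
        """Return unmet data requirements; an empty list means the hunt is testable as planned."""
        gaps = []
        for dtype in sorted(self.required_data):
            for seg in sorted(self.segments):
                matches = [s for s in cmf.sources if s.data_type == dtype and s.location == seg]
                if not matches:
                    gaps.append(f"no {dtype} collected from {seg}")
                    continue
                have = max(s.retention_days for s in matches)
                if have < self.lookback_days:
                    gaps.append(f"{dtype} from {seg} retained {have}d, hunt needs {self.lookback_days}d")
        return gaps


def build_example_cmf() -> CMF:
    """Constructed CMF for a fictional utility; every entry is an assumption."""
    cmf = CMF()
    cmf.add(DataSource("AD authentication logs", "enterprise", "auth_log", 365,
                       {"s1_exploit", "s1_install", "s1_c2"}))
    cmf.add(DataSource("Email gateway logs", "enterprise", "email_log", 90, {"s1_delivery"}))
    cmf.add(DataSource("Perimeter firewall flows", "dmz", "netflow", 30, {"s1_c2", "s1_act"}))
    cmf.add(DataSource("EMS VPN concentrator logs", "ems", "vpn_log", 14, {"s1_act", "s2_deliver"}))
    cmf.add(DataSource("Vendor advisories", "external", "vendor_advisory", 3650, {"s2_develop"}))
    cmf.add(DataSource("EMS passive network sensor", "ems", "netflow", 7,
                       {"s2_deliver", "s2_install_modify", "s2_execute"}))
    return cmf


def ems_access_hypothesis(lookback_days: int) -> Hypothesis:
    """The paper's example hypothesis, bound to concrete data types and a time window."""
    return Hypothesis("An adversary has remote access into the EMS network",
                      required_data={"vpn_log", "netflow"}, segments={"ems"},
                      lookback_days=lookback_days)


if __name__ == "__main__":
    cmf = build_example_cmf()
    print("Blind spots:", cmf.blind_spots())
    for phase in PHASES:
        print(f"  {phase:18s} lookback {cmf.lookback_days(phase):4d}d  {cmf.coverage()[phase]}")
    for days in (30, 7):
        h = ems_access_hypothesis(days)
        print(f"\n{h.statement!r} over {days} days -> gaps: {h.check(cmf) or 'none'}")
```

Run as a script, the constructed CMF reports two blind spots (no source covers stage-1 reconnaissance or stage-2 validation), and the EMS remote-access hypothesis fails its pre-hunt check at a 30-day window because the EMS VPN and sensor data are retained for only 14 and 7 days; the same hypothesis bounded to 7 days passes. Surfacing that before the hunt starts is the point: the time bound of a SMART hypothesis is only realistic if the CMF says the data reaches back that far.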
Defending New Age Threats
As our engagements have increased and our intelligence team has built coverage of industrial environments, it has become shockingly clear that adversaries see opportunity in targeting, accessing, and potentially attacking industrial environments. The challenge going forward is not finding misconfigurations, anomalies, and Trojanized software but rapidly creating a strong defense against human threats.
In many respects, these industrial environments are, or can be, architected to have strong defenses, but that alone isn’t enough to stop an attack. Humans who actively defend ICS networks through proactive and dynamic measures, such as hunting and developing behavioral analytics, are needed. Fortunately, the community is motivated and pursuing positive change.
This is the year the community will be challenged in how it responds to intrusions in industrial environments, given the lack of visibility needed to understand those environments in enough detail to detect and stop an attack. Each organization should focus on basic parsing of ingress/egress traffic as a means of identifying threats, and on establishing an initial asset identification. As the community gains this maturity, proactive methods of seeking out the adversary and iteratively improving defenses will follow.
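As an added example (not code from the white paper or from Dragos), the following Python script shows what the basic parsing of ingress/egress traffic and initial asset identification recommended above can look like on a handful of constructed flow records: it builds an inventory of ICS hosts with the ports they serve and the peers they talk to, and separately lists every flow that crosses the ICS boundary, labelled by which segment it came from or went to. The segment ranges (10.20.0.0/16 as ICS, 10.1.0.0/16 as enterprise, 172.16.50.0/24 as a vendor VPN pool) and the flow records are assumptions; the flows include an enterprise-to-ICS RDP session, a vendor-to-ICS SSH session and an ICS host talking to an address outside any known segment, which are the kinds of interconnections the infection-vector list earlier in the piece calls out.

```python
"""First-pass ingress/egress parsing and asset identification for an ICS segment.

Added example, not code from the white paper or from Dragos. The segment
ranges and the flow records are constructed for illustration (assumptions).
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed segment map (assumptions). Anything outside these ranges is
# reported as "unknown", which is exactly what a first pass should surface.
SEGMENTS = {
    "ics": [ipaddress.ip_network("10.20.0.0/16")],
    "enterprise": [ipaddress.ip_network("10.1.0.0/16")],
    "vendor": [ipaddress.ip_network("172.16.50.0/24")],  # third-party support VPN pool
}

# Constructed flow records in a simplified CSV export format. Ports 502 and
# 20000 are the well-known Modbus/TCP and DNP3 ports.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2018-01-10T02:01:00Z,10.20.1.10,49152,10.20.1.20,502,tcp
2018-01-10T02:01:05Z,10.20.1.10,49153,10.20.1.21,20000,tcp
2018-01-10T02:02:00Z,10.1.5.40,51000,10.20.1.10,3389,tcp
2018-01-10T02:03:00Z,172.16.50.7,44000,10.20.1.21,22,tcp
2018-01-10T02:04:00Z,10.20.1.20,40000,10.20.1.10,445,tcp
2018-01-10T02:05:00Z,10.20.1.10,50000,203.0.113.9,443,tcp
"""


def segment_of(ip) -> str:
    """Name the segment an address belongs to, or 'unknown'."""
    for name, nets in SEGMENTS.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts with ipaddress objects and integer ports."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": row["ts"],
            "src": ipaddress.ip_address(row["src_ip"]),
            "dst": ipaddress.ip_address(row["dst_ip"]),
            "sport": int(row["src_port"]),
            "dport": int(row["dst_port"]),
            "proto": row["proto"],
        })
    return flows


def classify(flow: dict) -> str:
    """Place a flow relative to the ICS boundary."""
    s, d = segment_of(flow["src"]), segment_of(flow["dst"])
    if s == "ics" and d == "ics":
        return "ics_internal"
    if d == "ics":
        return f"ingress_{s}"
    if s == "ics":
        return f"egress_{d}"
    return "outside_scope"


def build_inventory(flows: list) -> dict:
    """Initial asset identification: ICS hosts, the ports they serve, and their peers."""
    inventory = defaultdict(lambda: {"serves": set(), "peers": set(), "first_seen": None})
    for f in flows:
        for role, ip, other in (("src", f["src"], f["dst"]), ("dst", f["dst"], f["src"])):
            if segment_of(ip) != "ics":
                continue
            entry = inventory[str(ip)]
            entry["first_seen"] = entry["first_seen"] or f["ts"]
            entry["peers"].add(str(other))
            if role == "dst":  # a host that receives connections on a port serves that port
                entry["serves"].add(f["dport"])
    return dict(inventory)


def boundary_findings(flows: list) -> list:
    """Every flow that crosses the ICS boundary, in the order seen."""
    return [{"class": classify(f), "src": str(f["src"]), "dst": str(f["dst"]),
             "dport": f["dport"], "ts": f["ts"]}
            for f in flows if classify(f) not in ("ics_internal", "outside_scope")]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, e in sorted(build_inventory(flows).items()):
        print(f"{ip:12s} serves {sorted(e['serves'])} peers {sorted(e['peers'])}")
    for f in boundary_findings(flows):
        print(f"{f['ts']} {f['class']:20s} {f['src']} -> {f['dst']}:{f['dport']}")
```

On the constructed records the inventory shows three ICS hosts (one serving RDP and SMB, one serving Modbus/TCP, one serving DNP3 and SSH), and the boundary list contains exactly three flows: enterprise ingress to RDP, vendor ingress to SSH, and egress to an unknown address. None of these is a finding on its own; the value is that each one is now a question the asset owner has to answer, and each unknown segment or unexpected served port is a candidate for the misconfiguration and knowledge-gap feedback loop described in the hunting section.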
Ben Miller is director of the threat operations center at Dragos.