By Gregory Hale
Manufacturers today can go about securing their enterprise by either learning from the multiple incidents that have occurred in the industry over the past four years or continuing to run around jumping from one incident to another and just keeping pace.
One approach means the manufacturer is building up a sense of a security program and becoming more resilient, and the other is, well, fighting a losing battle. Your choice.
“We are seeing more aggressive attacks, with greater adversary risk,” said Joe Slowik, adversary hunter at Dragos, during his talk last week at the SANS Summit 2019 in Orlando, FL. “We are seeing a split between how these attacks are happening over time. Pre-2016, custom malware was used for movement and access, and manual operations for ICS impact. However, today we are seeing commodity techniques used until the ICS attack.”
Up until four years ago, ICS cyber attacks were more myth than reality: industry pundits would study the same few incidents year after year, to the point where end users were lulled to sleep, thinking no attacker would ever hit them.
Since 2016, however, the pace of ICS-focused events has increased. Major attacks range from the 2015 BlackEnergy3 grid attack in Ukraine and the 2016 CRASHOVERRIDE grid attack on Ukraine, to the U.S./UK/German grid intrusions and the Triton/Trisis event, Slowik said.
There are two primary trends, he said. One is a shift away from custom malware in initial intrusion and entrenchment scenarios toward increased dependence on system commands, scripts and commodity tools. The other is increasing software and capability development that moves technical proficiency away from on-keyboard operators and embeds ICS expertise in the malware itself.
The result has been an increase in efficiency in ICS-targeting operations as initial attack phases begin to resemble traditional offensive operations, Slowik said.
As part of the ICS cyber kill chain, Slowik said, stage-one attackers conduct reconnaissance, then weaponization/targeting, delivery, exploitation, install/modify, command and control, and finally act.
In Slowik’s mind an attack means deny, degrade and destroy.
“We have lots of things called ICS attacks, but they are not ICS attacks. There are incidents, but they are not attacks. Many attempts are out there, but few examples of deny, degrade and destroy.”
From a defender’s standpoint, Slowik said, it is difficult because there were not very many examples to learn from until December 2015.
The 2015 Ukraine BlackEnergy3 attack affected the grid and left citizens without power for hours.
“There were some really cool things that happened and some that are not very complex,” he said.
First the attackers went phishing to gain access to the IT network; BlackEnergy3 was deployed to gather information and maintain access; the attackers then pivoted to the ICS environment via stolen credentials; manual interaction with the HMIs produced the ICS impact; and KillDisk was deployed to prolong the effect.
“There was a unique piece of malware involved, but it was not ICS specific,” Slowik said. “BlackEnergy3 was built to harvest credentials to enable follow-on actions and then pivot to the ICS environment.
“Overall this was a fairly immature attack because it did not scale, but it was easy to build defenses around,” he said.
The next year saw a similar event, in which the Ukrainian grid again served as a learning ground for attackers. This time the malware was CRASHOVERRIDE, and it was the first time custom malware was deployed in the final stages of an attack.
“CRASHOVERRIDE did not crop up out of nowhere,” Slowik said. “Some of the enabling factors were harvesting credentials over a long period and being able to do reconnaissance and survey the environment.”
What security experts learned is that the attackers knew there were weak authentication mechanisms, re-used credentials and older operating systems on critical devices.
Then one year later there was the Triton/Trisis attack, in which the attackers gained access to and took control of the ICS and safety system of a gas refinery in Saudi Arabia.
“The attackers gained access to the ICS network, and once a foothold was achieved started to harvest credentials, utilize remote access, continue pivoting through the network, and deliver the Triton/Trisis malware,” Slowik said.
On top of those attacks, there has been the continuing effort to break into and disrupt utilities in the U.S., UK and Germany, Slowik said.
“UK/U.S. utility intrusions are ongoing all the way up to the present,” Slowik said. “They select utility targets, identify contractors, vendors and other third parties, compromise those third parties, and utilize the trusted relationship to enable access to the utility targets.”
Avoiding Custom Tools
In short, Slowik said, one of the trends is that attackers continue to avoid custom tools and tradecraft until they reach the ICS environment. Triton/Trisis, he said, was a perfect example of that. Right now attackers are using off-the-shelf tooling, but they get more specific and custom when they are gearing up for ICS-specific attacks, he said.
“An effective defense requires knowing the subtleties of operational networks (and their purpose),” Slowik said.
“In the next big attack I expect to see little or no custom malware in the initial intrusion,” Slowik said. “There will be a transition from an access team to an effects team when the ICS is breached. There will be custom software deployed codifying ICS knowledge in software, and there will be an increased reliance on IT concepts and equipment that magnifies ICS impact.”