You don’t have to look very far to see that the level of sophistication of targeted cyber attacks against industrial control systems across multiple critical infrastructure sectors continues to increase.
The question remains: are manufacturing automation professionals ready for the intense onslaught getting ready to sneak in through the back door?
Along those lines, ICS-CERT developed basic recommendations for operators of critical infrastructure to mitigate the impact of cyber attacks and enhance their network security posture.
These recommendations apply to organizations whose networks have been compromised by a cyber attack as well as to those that want to improve their network security preparedness to respond to a cyber incident. They are relevant to enterprise and control system networks, where interconnectivity could allow adversaries to move laterally within and between networks.
The issue with cyber security is that no single, prescriptive remedy applies to every organization. However, basic principles and recommendations exist that are essential to maintaining a sound network security posture and that provide the capabilities needed to respond to an incident.
One of the first things an organization that suspects a compromise should consider is how to preserve forensic data and stop the intruder from moving through the network.
While the tendency might be to first find and eliminate the intruder, unless there are adequate steps taken to preserve data and prevent lateral movement, the recovery processes will not likely be successful. While disconnecting compromised workstations from the network is important, unless the data essential to identifying the intruder are preserved, future detection will be more challenging. That is why preserving forensic data is crucial.
Intrusion detection is equally important. The ability to detect and identify the source of a compromise and analyze its extent is crucial to rapid incident response, minimizing loss, mitigating exploited weaknesses, and restoring services. Early detection of an incident can limit or even prevent damage to control systems and reduces the level of effort required to contain, eradicate, and restore affected systems. Auditing and logging, with host-level Domain Name Service (DNS) resolution capabilities, are essential for improving detection and determining the depth and breadth of any compromise.
Preserving forensic data is an essential aspect of any incident response plan.
The forensic data acquired during the overall incident response process are critical to containing the current intrusion and improving security to defend against the next attack.
Defenders should take note of the following recommendations for retention of essential forensic data:
- Keep detailed notes of all observations, including dates/times, mitigation steps taken/not taken, device logging enabled/disabled, and machine names for suspected compromised equipment. More information is generally better than less information.
- When possible, capture live system data (i.e., current network connections and open processes) prior to disconnecting a compromised machine from the network.
- Capture a forensic image of the system memory prior to powering down the system. When powering down a system, physically pull the plug from the wall rather than gracefully shutting down. Forensic data can be destroyed if the operating system (OS) executes a normal shut down process.
- After shutting down, capture forensic images of the host hard drives.
- Avoid running any antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines.
- Avoid making any changes to the OS or hardware, including updates and patches, as they might overwrite important information relevant to the analysis. Organizations should consult with trained forensic investigators for advice and assistance prior to implementing any recovery or forensic efforts.
As far as credential management goes, protecting logons for network hosts is an important consideration when defending a network against lateral movement by an intruder. Common tactics employed by attackers to compromise these credentials are brute force cracking of the password hash and a technique referred to as “pass-the-hash.”
Brute force cracking requires the attacker to “guess” the original password by systematically hashing candidate passwords and comparing the results against the stolen hash. When a match is found, the attacker has identified a usable password. This process is expedited through the use of “rainbow tables,” large tables of precomputed hashes. The pass-the-hash technique involves using cached password hashes extracted from a victim machine’s memory or local disk to gain access to additional machines in the domain. The following list describes mitigation techniques that reduce the vectors attackers can use to compromise these credentials and/or limit how far a stolen credential can spread through the network. Administrators should evaluate each of these techniques and the possible side effects of implementing them before making any changes to systems.
Proper Permission Management
- Careful consideration should be given to the decision of granting users administrative rights to their own machines. When executing processes, such as Web browsing or reading email as an administrator, the machine is at greater risk of compromise and losing control of its cached credentials.
- Domain Administrators’ accounts should not log in to any system other than domain controllers.
- Restrict the use of the SeDebugPrivilege privilege to those users that actually need it. This privilege can be used to perform DLL injection, a technique used by the majority of the pass-the-hash tools and other malware.
Network/System Design and Policies
- Take the principle of Internet, DMZ, and intranet zones and apply it throughout the network to isolate different trust sectors. There is usually little reason for one workstation to talk to another workstation, or for it to talk to all the servers. Using infrastructure devices and software to create security zones that group users needing to communicate with each other helps to slow or prevent lateral movement.
- Change the number of cached credentials stored by Windows to “0” for everything but mobile devices (e.g., laptops). This reduces the number of credentials at risk of being stolen and cracked, but may prevent domain logins in the event that a domain controller is not available.
- If using a common baseline image to load company workstations, caution should be exercised if active local user accounts are present on the machine. Because all images will share the same password, this is especially damaging if the local administrator accounts have not been disabled.
- Require all machines be rebooted immediately after being used by a privileged user. This clears the user’s credentials from memory, a common place that pass-the-hash tools target.
- ICS-CERT also recommends organizations move away from using LAN Manager (LM) hashes where possible. LM hashes are inherently weak and can be broken relatively quickly, allowing an adversary to use the actual password instead of relying on a pass-the-hash attack.
- Organizations should consider moving to a multi-factor authentication system (e.g., SmartCards) or at least ensure users choose complex passwords that change regularly.
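As an added example (not ICS-CERT's code), the following Python script audits a Windows registry export against the cached-credential and LM-hash points above. The .reg text is constructed; CachedLogonsCount and NoLMHash are the real value names behind those two settings, and LmCompatibilityLevel is a related setting, not named on the page, that governs whether LM or NTLMv1 responses are still sent on the wire.

```python
"""Audit a Windows registry export against the credential-hardening guidance above.
Added example, not ICS-CERT's code. The .reg text below is constructed."""
# Constructed export of the two relevant keys, in the format `reg export` emits.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
"LmCompatibilityLevel"=dword:00000001
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

def parse_reg(text):
    """Return {key_path: {value_name: value}} for dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]
    return keys

def audit(keys, is_mobile=False):
    """Return a list of findings; an empty list means the export meets the guidance."""
    findings = []
    winlogon, lsa = keys.get(WINLOGON, {}), keys.get(LSA, {})
    cached = int(winlogon.get("CachedLogonsCount", "10"))  # Windows default is 10
    if cached > 0 and not is_mobile:
        findings.append(f"CachedLogonsCount is {cached}; set it to 0 on non-mobile hosts")
    if lsa.get("NoLMHash") != 1:
        findings.append("NoLMHash is not 1; LM hashes will still be stored at the next password change")
    level = lsa.get("LmCompatibilityLevel")
    if level is None or level < 3:  # 3+: client sends only NTLMv2 responses, never LM or NTLMv1
        findings.append(f"LmCompatibilityLevel is {level}; raise it to 3 or higher")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```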
Increase logging capabilities. System and network device logs provide valuable records of activities that have occurred. Logs may contain indicators of compromise, command and control (C2) communications, exfiltrated data, remote access logins, and more. You should consider the following types of logging:
- Packet captures
- Flow data from routers and switches
- Host and application logs
When implementing increased auditing and logging capabilities, organizations should consider enabling host level DNS resolution. Because most malware uses domain name-based C2 servers (versus hard coded IP based C2), it is essential for network defenders to have full awareness of DNS requests throughout the enterprise. ICS-CERT recommends organizations deploy host level granularity in DNS logging to give network administrators the ability to identify which internal host (by hostname or IP address) originated a specific DNS request and to identify hosts connected to malicious domains. This is one of the best indicators of compromise.
To ensure all DNS resolutions are captured and logged, network administrators should ensure all DNS requests go through company DNS servers. In addition, the company servers should only service DNS requests from authorized company hosts.
Logging these data also provides a historical view of when and how the malware has moved through the network after the initial infection. This information helps to determine the full breadth and depth of the compromise.
Retention of logs is essential since sophisticated threat actors tend to maintain a presence for long periods of time and will often lie dormant for many months. If possible, log retention of a year or two would be ideal and would provide the ability to go back and possibly find the time of initial infection and indicators of compromise.
In most configurations, host-level DNS logging is disabled by default and must be specifically enabled on authorized DNS resolvers. ICS-CERT recommends organizations evaluate their DNS solution and enable this logging feature.
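The host-level DNS logging described above, as an added example that is not part of ICS-CERT's guidance: a Python script that parses resolver query-log lines, maps the querying IP to a hostname, flags lookups of blocklisted domains (including their subdomains), and separates out queries that arrived from a forwarding resolver, where the originating host has already been lost. The log lines, asset map and blocklist are constructed; the line format loosely mirrors a BIND query log.

```python
"""Attribute DNS queries to internal hosts and flag lookups of known-bad domains.
Added example, not ICS-CERT's code. Log lines, the asset map and the blocklist
are constructed; the line format loosely mirrors a BIND query log."""
import re

# Constructed resolver log: one line per query, client IP#port then the name.
LOG_LINES = """\
2024-03-01T08:00:01 client 10.1.20.15#53211: query: update.example.com IN A
2024-03-01T08:00:09 client 10.1.20.15#53212: query: c2.badness.example IN A
2024-03-01T08:03:44 client 10.1.30.7#40119: query: c2.badness.example IN A
2024-03-01T08:05:02 client 10.1.0.2#6011: query: beacon.evil.example IN TXT
2024-03-01T09:15:30 client 10.1.20.15#53290: query: c2.badness.example IN A
""".splitlines()

ASSET_MAP = {"10.1.20.15": "ENG-WS-04", "10.1.30.7": "HMI-02"}  # constructed
INTERNAL_RESOLVERS = {"10.1.0.2"}  # forwarding resolver: no host attribution
BLOCKLIST = {"c2.badness.example", "beacon.evil.example"}  # constructed IoCs

LINE_RE = re.compile(r"^(\S+) client (\S+)#\d+: query: (\S+) IN (\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, qname, qtype = m.groups()
    return {"ts": ts, "ip": ip, "qname": qname.lower().rstrip("."), "qtype": qtype}

def matches_blocklist(qname):
    """True if qname or any parent domain is listed (catches subdomains)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def find_suspect_hosts(lines):
    """Return ({(host, domain): {first, last, count}}, [unattributed records])."""
    hits, unattributed = {}, []
    for line in lines:
        rec = parse_line(line)
        if not rec or not matches_blocklist(rec["qname"]):
            continue
        if rec["ip"] in INTERNAL_RESOLVERS:
            # Query came via a forwarder: this log no longer shows the originating host.
            unattributed.append(rec)
            continue
        host = ASSET_MAP.get(rec["ip"], rec["ip"])  # fall back to the bare IP
        entry = hits.setdefault((host, rec["qname"]), {"first": rec["ts"], "last": rec["ts"], "count": 0})
        entry["last"] = rec["ts"]
        entry["count"] += 1
    return hits, unattributed
```

Anything that lands in the unattributed list is exactly the gap the recommendation warns about: the resolver saw the query, but only the forwarder's address was logged.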
MD5 hashes are digital fingerprints used to identify files. Changing just one byte in a file will result in a different hash. If an MD5 hash is known to belong to a malicious file, any file with a matching hash should be considered malicious, regardless of the filename.
The ability to perform an enterprise wide host level search for MD5 hashes is a powerful organizational tool for incident response. MD5 hashes are among the key indicators used to identify the presence of an intruder.
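As an added example (not ICS-CERT's code), the host-level hash sweep described above in Python: hash every file under a root and report any whose MD5 is on a known-bad list, regardless of filename. The file tree and the "known-bad" hash are constructed inside the script so it runs offline.

```python
"""Host sweep: hash every file under a root and report matches against a set of
known-malicious MD5 values. Added example, not ICS-CERT's code. The "known-bad"
hash here is computed from constructed sample content, not a real IoC."""
import hashlib
import os
import tempfile

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, bad_hashes):
    """Return sorted [(path, md5)] for every file whose MD5 is in bad_hashes.
    Filenames are ignored on purpose: a renamed copy still matches."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in bad_hashes:
                matches.append((path, digest))
    return sorted(matches)

def build_demo_tree():
    """Constructed file tree: the same 'malicious' bytes appear under two names."""
    root = tempfile.mkdtemp(prefix="md5sweep_")
    payload = b"constructed sample: pretend this is a malicious binary\n"
    benign = b"constructed sample: ordinary document\n"
    os.makedirs(os.path.join(root, "Program Files", "Vendor"))
    with open(os.path.join(root, "Program Files", "Vendor", "updater.exe"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(payload)  # same bytes, innocuous name
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(benign)
    bad = {hashlib.md5(payload).hexdigest()}  # the IoC an analyst would distribute
    return root, bad

if __name__ == "__main__":
    root, bad = build_demo_tree()
    for path, digest in sweep(root, bad):
        print(f"MATCH {digest}  {path}")
```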
Network segmentation involves separating one large network into smaller functional networks using firewalls, switches, and other similar devices. Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network.
Organizations should decide which departments, applications, services, and assets should reside on each network segment. Implementation of network segmentation can be a long-term project and should include careful planning, implementation, and regular maintenance.
Firewalls and data diodes are good options for segmenting networks. A data diode allows only one-way communication between network segments and can ensure network data only flows out of the control systems network. Firewalls allow two-way communication between networks, which carries a risk of exposure if the firewall is not well configured.
The network should also include one or more demilitarized zone (DMZ) segments grouped by function such that the attack surface at each segment is minimized. DMZs should include the organization’s external services exposed to the Internet or any critical systems accessed from multiple internal network segments. Firewalls should control communication between DMZs and internal/external hosts.
Role-based user access control grants or denies access to resources based on job function. Active Directory (AD) implements role-based user access control through group policies. Groups provide logical network segmentation and prevent users from accessing machines that are not necessary for job performance.
Organizations should define the roles and permissions needed for each group to perform its duties. Implementing strict role-based access control allows better auditing and reduces risk by minimizing the privileges associated with each group. In addition, this logical network segmentation makes it harder for an adversary to move laterally through the network after the initial intrusion.
Application whitelisting permits the execution of allowed software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware.
One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden is significantly reduced in control systems environments, because the set of applications that run in those systems is essentially static. ICS-CERT recommends deploying application whitelisting on the control systems and business networks wherever applicable. In particular, application whitelisting could be appropriate for business servers such as mail servers and domain controllers.