CCD coursesetalle/CCD/CCD20_Etalle05_CCD... · 2020. 12. 3. · 2016: bombs are exploding After...

CCD course Sandro’s #5: IoT and Detection

Page 1:

CCD course

Sandro’s #5: IoT and Detection

Page 2:

Background material: slides

/ name of department PAGE 1 03-12-2020

Page 3:

2014: bombs are ticking


Page 4:

2016: bombs are exploding

After revealing the identity of two guys behind a DDoS service, the site Krebs on Security was subject to the most massive DDoS attack ever witnessed up to that moment. Clocked at a staggering 620 gigabit per second, it was carried out by botnets consisting mainly of IoT devices, mostly security cameras and DVRs used in home or office settings.

Page 5:

About a Month Later (October 2016)

An even more massive DDoS attack, this time against the DNS provider Dyn, caused hours of unreachability for many popular websites including Twitter, Amazon, Reddit and Netflix.

The reason: IoT devices

Page 6:


Mirai brute-forces these devices' telnet service with a short built-in list of factory-default (and easy to guess) usernames and passwords; those default credentials are the key to accessing them.

Page 7:

But it is not only about DoS…


"Besides using the unencrypted channel, SimpliSafe also installs a one-time programmable chip in its wireless home alarm, leaving no option for an over-the-air update. Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol," …. But, "this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped

Page 8:

Liabilities


Page 9:

Somewhere you do not want to be….


Page 10:

One reason why things will get worse

• The unstoppable (and, let's be frank, right) move to IP-based IoT

Page 11:

How can we stop/detect Cyber-Threats?

• Type one: advanced attack (phase by phase)
  - Phishing? Watering hole? Difficult to block/detect.
  - Communication with the C&C? Detectable only if the workstation in question does not usually connect to the internet.
  - Anomalies in internal network behavior? Should be detectable:
    - Ukraine: upload of malicious firmware to the serial-to-ethernet devices
    - Havex: detection of the OPC scan
    - Stuxnet: propagation in the back office and reprogramming of the PLC

• Type two: careless and disgruntled employees; vendors and outsourcers.
  - For these threats there is no common pattern, and it is impossible to block all "unwanted" activities without putting business continuity at risk.

• Is it possible to block these activities without putting business continuity at risk? NO. Prevention is not viable; detection/monitoring is.

Page 12:

The dream

• Have "something" that blocks attacks or at least detects when we are being attacked
  - virus scanner
  - intrusion detection systems
  - firewalls
  - …

• They exist, but they are imperfect:
  - False Negatives (the complement of the "detection rate")
  - False Positive rate

Page 13:

How can you detect an attack?

• REJECTION-BASED (negative model, sometimes called "blacklisting")
  - You are able to recognize an attack when you see one
  - e.g. anti-viruses, blacklisting, signature-based systems, etc.

• ACCEPTANCE-BASED (positive model)
  - You are able to recognize what the normal behavior of the system is
  - What is not normal is an attack, or in any case it is worth looking at
  - e.g. firewalls, whitelisting systems

• There is no third way, though combinations are possible

Page 14:

3 shades of acceptance-based systems

[Figure: three nested circles drawn over the space of behaviors labelled "malicious", "good" and "well-known"; from widest to narrowest: anomaly detection, generic whitelisting (e.g. WA (web application) firewalls), very specific whitelisting (deep protocol).]

Note:
- the size of the circles is arbitrary
- these are just examples

Page 15:

3 shades of Rejection-Based systems

[Figure: three nested circles drawn over the space of behaviors labelled "malicious", "good" and "well-known"; from widest to narrowest: generic/experimental stuff, less specific rules and emulation, very specific signatures.]

Note:
- the size of the circles is arbitrary
- these are just examples

Page 16:

REJECTION-BASED SYSTEMS


Page 17:

Different facets of Blacklisting

• Blacklisting means you recognize an attack.

• You can do it in two ways:
  - the hard way: signatures: when you know part of the payload of a known attack. Used for instance in virus scanners.
  - the softer way: systems based on heuristics
    - e.g. when you see a NOP sled in the code
    - when you detect the string "UNION" in a web application form

• Notice that signatures give almost no False Positives, while heuristics may have some FPs
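To make the difference concrete, here is an added example (not part of the slides) of the two flavours of blacklisting run over constructed inputs: an exact-byte signature for a hypothetical known payload, a NOP-sled heuristic and the "UNION" heuristic from the bullet above. The signature bytes, the sled threshold and the sample inputs are all made up for this example. What it shows is the last bullet: the signature fires only on the payload it was written for, while the heuristics also catch a variant the signature misses and produce a false positive on a perfectly benign form value.

```python
"""Added example: a minimal rejection-based (blacklisting) detector.

Two flavours, run over constructed sample inputs:
  * signature: exact byte pattern of a known payload (near-zero false positives)
  * heuristics: a NOP sled (run of 0x90) and the SQL keyword UNION in a form
    field (catches unknown variants, but also fires on "Credit Union")
The signature bytes and all sample inputs are made up for this example.
"""
import re

# Hypothetical signature database: name -> byte pattern of a known malicious payload.
SIGNATURES = {
    "example-shell-stager": b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3",  # constructed
}

NOP_SLED_MIN = 32   # heuristic threshold (assumed): this many consecutive NOPs is suspicious
UNION_RE = re.compile(r"\bunion\b", re.IGNORECASE)


def match_signatures(payload: bytes) -> list[str]:
    """Return the names of all signatures found in payload (exact substring match)."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def nop_sled(payload: bytes, min_len: int = NOP_SLED_MIN) -> bool:
    """Heuristic: a long run of 0x90 bytes looks like a NOP sled."""
    return b"\x90" * min_len in payload


def sqli_heuristic(field: str) -> bool:
    """Heuristic: the token UNION appears in a web form field."""
    return UNION_RE.search(field) is not None


def classify_binary(payload: bytes) -> dict:
    """Signature verdict (what it is) next to the heuristic verdict (something looks off)."""
    return {"signature": match_signatures(payload), "nop_sled": nop_sled(payload)}


# Constructed samples
BENIGN_BINARY = bytes(range(256)) * 2                       # every byte value, no long 0x90 run
SLED_ONLY = b"\x90" * 200 + b"\xcc"                          # variant with no known signature
KNOWN = b"junk" + SIGNATURES["example-shell-stager"] + b"junk"
SAMPLE_FORMS = {
    "attack": "1' UNION SELECT username, password FROM users--",
    "benign_fp": "Navy Federal Credit Union",                # legitimate value, heuristic fires
    "benign": "alice",
}


def report() -> dict:
    """Run every constructed sample through both flavours."""
    out = {}
    for name, blob in (("known", KNOWN), ("sled_only", SLED_ONLY), ("benign", BENIGN_BINARY)):
        out[name] = classify_binary(blob)
    for name, field in SAMPLE_FORMS.items():
        out["form:" + name] = sqli_heuristic(field)
    return out


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:16} {v}")
```

The signature result also names the threat, which is the other PRO of the next slide; the heuristic only says "a NOP sled" or "a UNION", and on the credit-union field it is simply wrong.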


Page 18:

Blacklisting & Signatures: Pro & Cons

• CONS: we have a false negatives problem.
  - You have to know the attack!
  - No signatures possible for 0-day vulnerabilities
  - For non-mainstream systems (e.g. SCADA) it is impossible to have a good set of signatures (that is, a set of signatures that gives you a good coverage)
  - It takes a long time to devise and deploy a signature (weeks or months)
  - Signatures are relatively easy to evade (think of polymorphic viruses)
  - Heuristics are relatively easy to evade too.

• PRO
  - very low false positives, so you can use them as blocking systems (Intrusion Prevention). VERY IMPORTANT
  - when they detect something, they tell you what it is!
  - you don't have to reconfigure them when you reconfigure the system


Page 19:

About the effectiveness of blacklisting

• Thehackernews.com


Page 20:

Management of blacklisting

• Requires a whole process:
  - Detection, e.g. via honeypot
  - Examination of the malware
  - Creation of the signature
  - Check for false positives/negatives
  - Distribution


Page 21:

The Alternatives to Blacklisting

• There are two main ways of recognizing "good behavior"
  - Whitelisting
    - Firewalls
    - …
  - Anomaly Detection
    - can be based on "flows" (quantitative analysis)
    - or on analysis of the "payload" (qualitative analysis, e.g. with neural networks)

• The main differences
  - configuration:
    - whitelisting: manual (usually)
    - anomaly detection: automatic
  - detection:
    - whitelisting: yes/no (boolean)
    - anomaly detection: usually based on setting a threshold


Page 22:

Different Facets of Whitelisting

• Whitelisting can take very different shapes
• In particular, whitelisting can happen at different accuracy levels
  - Firewalls (look at IP/MAC/ports)
  - Web-application Firewalls (look at …)
  - In ICS systems you have gateways that whitelist down to the specific elements of L7 (application); for instance you can whitelist specific function codes (and block everything else). See e.g.
    - http://www.secmatters.com (our spin-off, now www.forescout.com)
    - http://www.tofinosecurity.com/

• More accuracy means that
  - you'll be able to detect/block more attacks
  - you'll spend more time configuring the system
  - or re-configuring it when needed.


Page 23:

Examples of different level of accuracy

From network to application level:

  Aspect        Question
  Protocol I    Specs compliant?
  Protocol II   Many malicious tokens?
  Parameter     Parameter seen before?
  Value         Value type correct?
  Range         Value within range?
  Data          Known patterns?
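As an added example (not from the slides, and not the code of any of the products named on the previous slide), the following Python checker applies the table's questions in order to Modbus/TCP frames, the way an ICS whitelisting gateway can whitelist function codes and then go further down to registers and values. The frame layout (MBAP header: transaction id, protocol id 0, length, unit id; then function code and data) follows the Modbus/TCP specification; the addresses, allowed function codes, known registers and value ranges are a constructed policy for a hypothetical plant, and the frames are built inline. Each rejected frame reports the level at which it failed, which is also the only kind of information such a system can give about an attack.

```python
"""Added example: whitelisting at increasing accuracy on Modbus/TCP.

Checks are applied in the order of the slide's table: protocol compliance,
function-code whitelist per (source, destination), parameter (register
address) seen before, value range. Policy and frames are constructed for a
hypothetical plant; nothing here is vendor code.
"""
import struct

# Hypothetical policy (assumed, not from the slides)
ALLOWED_FC = {                                 # (src, dst) -> allowed function codes
    ("10.0.0.10", "10.0.1.5"): {3, 6},         # HMI: read holding regs + write single reg
    ("10.0.0.20", "10.0.1.5"): {3, 6, 16},     # engineering workstation: also multi-write
}
KNOWN_REGISTERS = {("10.0.1.5", 100), ("10.0.1.5", 101), ("10.0.1.5", 200)}
VALUE_RANGE = {("10.0.1.5", 100): (0, 1000)}   # e.g. a setpoint in tenths of a degree
MAX_READ_QTY = 125                             # Modbus spec limit for FC3


def parse_frame(frame: bytes) -> dict:
    """Parse MBAP header + PDU; raise ValueError on a spec violation (level: protocol)."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:               # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    fc, data = frame[7], frame[8:]
    pdu = {"tid": tid, "unit": unit, "fc": fc, "addr": None}
    if fc == 3:                                # Read Holding Registers
        if len(data) != 4:
            raise ValueError("FC3 needs 4 data bytes")
        pdu["addr"], pdu["qty"] = struct.unpack(">HH", data)
        if not 1 <= pdu["qty"] <= MAX_READ_QTY:
            raise ValueError("FC3 quantity out of spec")
    elif fc == 6:                              # Write Single Register
        if len(data) != 4:
            raise ValueError("FC6 needs 4 data bytes")
        pdu["addr"], pdu["value"] = struct.unpack(">HH", data)
    elif fc == 16:                             # Write Multiple Registers
        if len(data) < 5:
            raise ValueError("FC16 too short")
        pdu["addr"], pdu["qty"], bc = struct.unpack(">HHB", data[:5])
        if bc != 2 * pdu["qty"] or len(data) != 5 + bc:
            raise ValueError("FC16 byte count mismatch")
        pdu["values"] = list(struct.unpack(">%dH" % pdu["qty"], data[5:]))
    return pdu


def check(src: str, dst: str, frame: bytes) -> tuple[str, str]:
    """Return ("allow", "") or ("block", "<level>: reason")."""
    try:
        pdu = parse_frame(frame)
    except ValueError as e:
        return "block", f"protocol: {e}"
    if pdu["fc"] not in ALLOWED_FC.get((src, dst), set()):
        return "block", f"function code: FC{pdu['fc']} not allowed {src}->{dst}"
    if pdu["addr"] is not None and (dst, pdu["addr"]) not in KNOWN_REGISTERS:
        return "block", f"parameter: register {pdu['addr']} never seen on {dst}"
    values = [pdu["value"]] if "value" in pdu else pdu.get("values", [])
    for i, v in enumerate(values):
        lo, hi = VALUE_RANGE.get((dst, pdu["addr"] + i), (0, 0xFFFF))
        if not lo <= v <= hi:
            return "block", f"range: register {pdu['addr'] + i} = {v} outside [{lo}, {hi}]"
    return "allow", ""


def build(fc: int, *fields: int, tid: int = 1, unit: int = 1) -> bytes:
    """Build a Modbus/TCP frame (constructed test input): FC16 takes addr, values...;
    FC3/FC6 take two 16-bit fields."""
    if fc == 16:
        addr, *values = fields
        data = struct.pack(">HHB", addr, len(values), 2 * len(values))
        data += struct.pack(">%dH" % len(values), *values)
    else:
        data = struct.pack(">%dH" % len(fields), *fields)
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


SAMPLES = [  # (src, dst, frame, description), all constructed
    ("10.0.0.10", "10.0.1.5", build(3, 100, 10), "HMI reads 10 registers from 100"),
    ("10.0.0.10", "10.0.1.5", build(3, 100, 200), "read quantity above the spec limit"),
    ("10.0.0.10", "10.0.1.5", build(16, 100, 5, 6), "HMI attempts a multi-register write"),
    ("10.0.0.20", "10.0.1.5", build(16, 100, 5, 6), "engineering workstation does the same"),
    ("10.0.0.10", "10.0.1.5", build(6, 300, 1), "write to a register never seen before"),
    ("10.0.0.10", "10.0.1.5", build(6, 100, 5000), "setpoint outside the plant range"),
    ("10.0.0.99", "10.0.1.5", build(3, 100, 1), "unknown host reads"),
]


def evaluate_samples() -> list[str]:
    return [check(src, dst, frame)[0] for src, dst, frame, _ in SAMPLES]


if __name__ == "__main__":
    for src, dst, frame, what in SAMPLES:
        print(f"{what:42} -> {check(src, dst, frame)}")
```

Note what each block message says: "FC16 not allowed", "register 300 never seen", "value outside range". That is the whole story the whitelist can tell, and every new register or setpoint range the engineers introduce has to be added to the policy by hand.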

Page 24:

Maintaining Whitelisting Systems

• Systems change …
• Whitelisting systems have to change with them
• People tend to forget what the configuration was
• So it is easier to add new whitelists to the old ones
• It is a true pain in the neck


Page 25:

Whitelisting: pro & con’s

• PRO
  - you don't have to know the attack to block it
  - low false positives if correctly configured, so they can be used for blocking purposes

• CONs
  - relatively easy to circumvent unless they are very accurate (but in this case they may cause more false positives…)
  - expensive to set up and maintain: the higher the accuracy, the higher the cost
  - when you reconfigure the system (or add a service), you need to reconfigure the whitelisting system (expensive)
  - they give you very little information about the attack, if they detect one
    - the only thing they can say is
    - "something is trying to connect to this port"
    - "application XYZ is trying to connect to the internet"
    - …


Page 26:

Anomaly Detection

• Typically, it is a bit like whitelisting, but with a lot of false positives

• They tell you something is going wrong, which is better than nothing.

• There are two flavors of it:
  - quantitative (flow-based) anomaly detection: it tells you when, e.g., there are too many communications
  - qualitative (payload-based) anomaly detection: it tells you when a single information unit (e.g. a packet) is anomalous


Page 27:

Quantitative Anomaly Detection

• Idea: when there are too many "things happening", there is something fishy going on, e.g. malware

• Does not tell you what is going on, but it is a start

• Important for situational awareness
• Expect false positives.
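The following is an added example (not from the slides) of the quantitative flavour on flow records, including the threshold the "Alternatives to Blacklisting" slide mentions and the false positive this slide tells you to expect. The flow records are constructed: two ordinary workstations, a backup host that legitimately fans out to many machines once a night, and an IoT camera that, in the last minute, starts scanning hundreds of addresses on tcp/23, the Mirai behaviour from the beginning of the lecture. The detector learns, per source host, how many distinct destinations it talks to per minute and alerts when a minute exceeds mean + K times the standard deviation; the hosts, counts and K are all assumptions.

```python
"""Added example: quantitative (flow-based) anomaly detection with a threshold.

Per source host and per minute, count distinct destinations; learn a baseline
(mean, std) from a training window; alert above mean + k*std. All flow
records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
import random

random.seed(7)

# Constructed flow records: (minute, src, dst, dport)
FLOWS = []
for minute in range(12):
    for host in ("10.0.0.11", "10.0.0.12"):                  # ordinary workstations
        for d in random.sample(range(1, 50), random.randint(2, 5)):
            FLOWS.append((minute, host, f"10.0.1.{d}", 443))
    FLOWS.append((minute, "10.0.0.50", "198.51.100.7", 443))  # camera -> its cloud service
    FLOWS.append((minute, "10.0.0.50", "10.0.0.2", 554))      # camera -> the NVR
    FLOWS.append((minute, "10.0.0.9", "10.0.0.3", 22))        # backup host, normally quiet
    if minute == 10:                                          # legitimate nightly backup burst
        FLOWS += [(minute, "10.0.0.9", f"10.0.1.{d}", 22) for d in range(1, 40)]
# compromised camera scans 300 addresses on tcp/23 in minute 11
FLOWS += [(11, "10.0.0.50", f"203.0.113.{d}", 23) for d in range(1, 255)]
FLOWS += [(11, "10.0.0.50", f"192.0.2.{d}", 23) for d in range(1, 47)]


def distinct_dst_per_minute(flows):
    """{src: {minute: number of distinct destinations}}"""
    seen = defaultdict(lambda: defaultdict(set))
    for minute, src, dst, _ in flows:
        seen[src][minute].add(dst)
    return {src: {m: len(d) for m, d in mins.items()} for src, mins in seen.items()}


def baseline(counts, train_minutes):
    """Per-source (mean, std) over the first train_minutes minutes."""
    out = {}
    for src, per_min in counts.items():
        xs = [per_min.get(m, 0) for m in range(train_minutes)]
        out[src] = (mean(xs), pstdev(xs))
    return out


def detect(flows, train_minutes=8, k=3.0, min_delta=5):
    """Return [(minute, src, count, limit)] for minutes above mean + k*std.
    min_delta keeps a near-constant baseline (std ~ 0) from alerting on +1."""
    counts = distinct_dst_per_minute(flows)
    base = baseline(counts, train_minutes)
    alerts = []
    for src, per_min in counts.items():
        mu, sd = base[src]
        limit = max(mu + k * sd, mu + min_delta)
        for m in sorted(per_min):
            if m >= train_minutes and per_min[m] > limit:
                alerts.append((m, src, per_min[m], round(limit, 1)))
    return alerts


def alert_sources(flows, **kw):
    return sorted({src for _, src, _, _ in detect(flows, **kw)})


if __name__ == "__main__":
    for minute, src, count, limit in detect(FLOWS):
        print(f"minute {minute:2}: {src} contacted {count} hosts (limit {limit})")
```

Two alerts come out: the camera in minute 11 (the real infection) and the backup host in minute 10 (a false positive, because the baseline never saw a backup night). Both alerts say only "too many destinations"; which one deserves an analyst's time is exactly the situational-awareness question the slide points at.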


Page 28:

Qualitative anomaly detection

• Purpose: detect when a single information unit (e.g. a packet) is anomalous

• Typical techniques: self-organizing maps, n-gram analysis, neural networks (we'll talk about a different technique afterwards)

• General-purpose techniques don't work for security: too many false positives. See also http://eprints.eemcs.utwente.nl/22269/

• They don't tell you why something is anomalous.
  - image from: http://www.bu.edu/iss/research-projects/anomaly-detection/
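Here is an added example (not from the slides) of the n-gram technique mentioned above, applied to HTTP request lines. It learns the set of byte 2-grams present in a small constructed set of benign requests, scores a new request by the share of its 2-grams that were never seen, and alerts above a threshold; the training requests, the test requests and the threshold are all assumptions. An injection attempt scores high, but so does a legitimate request from a client the model has not seen before (different User-Agent, an extra header), and the score says nothing about why: both weaknesses from the bullets above in one run.

```python
"""Added example: qualitative (payload-based) anomaly detection with byte n-grams.

Model = set of byte 2-grams seen in constructed benign HTTP requests.
Score  = share of a new request's 2-grams that the model never saw.
Alert  = score above an assumed threshold.
"""
from collections import Counter

N = 2
THRESHOLD = 0.15   # assumed: share of unseen n-grams that triggers an alert

TRAIN = [  # constructed benign traffic
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
    b"GET /products?id=17 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
    b"GET /products?id=2048 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
    b"POST /cart HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n",
    b"GET /static/css/site.css HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
]


def ngrams(payload: bytes, n: int = N) -> list[bytes]:
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


def train(payloads, n: int = N) -> Counter:
    """Count every n-gram in the benign corpus (the 'model')."""
    model = Counter()
    for p in payloads:
        model.update(ngrams(p, n))
    return model


def score(model: Counter, payload: bytes, n: int = N) -> float:
    """Share of the payload's n-grams absent from the model (0.0 = fully normal)."""
    grams = ngrams(payload, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in model)
    return unseen / len(grams)


def is_anomalous(model: Counter, payload: bytes, threshold: float = THRESHOLD) -> bool:
    return score(model, payload) > threshold


MODEL = train(TRAIN)

SAMPLES = {  # constructed
    "normal": b"GET /products?id=99 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
    "sqli": b"GET /products?id=1'%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1\r\nHost: shop.example\r\n",
    # legitimate request from a client the model never saw: a false positive
    "new_client": b"GET /products?id=5 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\n",
}


def scores() -> dict:
    return {name: round(score(MODEL, p), 3) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in scores().items():
        print(f"{name:11} score={s:.3f} anomalous={s > THRESHOLD}")
```

Lowering the threshold to catch subtler attacks raises the number of legitimate-but-unusual requests that alert; raising it lets more attacks through. Either way the alert carries no explanation beyond "unfamiliar bytes", so an analyst still has to read the request.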


Page 29:

Anomaly Detection: pro & con’s

• PRO
  - little/no setup costs
  - may allow you to see a 0-day attack
  - quantitative: gives some situational awareness, interesting information
  - qualitative: when it works it is ideal. Too bad it doesn't (usually).

• CONs
  - its applicability depends heavily on the particular instance of the target system
  - buckets of false positives
  - they give you even less information than whitelisting does about the attack, if they detect one


Page 30:

One thing about acceptance-based

• Environment matters!
• If a system normally has an "unpredictable" behavior,
  - anomaly detection won't work
  - whitelisting will be a pain in the neck

• What is effective on system A may not be effective on system B, even if they are "similar" (e.g. they are two banks)

• But there is good hope for SCADA systems, for instance.

Page 31:

Where can you detect things?

• On the host:
  - sequences of system calls, pieces of code (blacklisted), processes (whitelisted), use of resources by processes (whitelisted)

• Looking at the network
  - Incoming traffic to the boundary (e.g. to the web application)
    - important, but it can be bypassed
  - Outgoing traffic
    - to catch the connection with C&C systems (if you know where they are: blacklisting)
    - blacklisting does not work well (communication is encrypted)
    - whitelisting doesn't work either (the outgoing traffic of our systems is "too messy" by default)
  - Traffic in between.


Page 32:

IT/OT protocols in ICS networks

Information Technology (IT): common IT services/protocols
  Web: HTTP/HTTPS
  Authentication and identity: LDAP
  DBs: TCP/IP on specific ports
  File sharing: SMB, SFTP, SSH
  Secure connection: SSL/TLS
  Name service: DNS, LLMNR, NetBIOS name service
  Time synchronization: NTP
  Configuration/patch service: SSH, TELNET
  Network monitoring: SNMP
  …

Operational Technology (OT): common OT protocols
  DNP3, IEC 101/104, ICCP
  IEC 61850 (MMS, GOOSE, SV)
  MODBUS, MODBUS/TCP
  OPC DA/AE
  EtherNet/IP
  Proprietary protocols
  …

www.tue.nl 31

Page 33:

IT vs. ICS networks

  IT network                                        ICS network
  Thousands of hosts, hundreds of applications      Limited number of hosts
  Devices' behavior might be difficult to predict   Same operations repeated over and over
  Behavior patterns change frequently               Changes are less frequent

Page 34:

ICS network priorities

§ Different systems, different protocols, different threats
§ -> Different priorities: CIA vs. AIC

[Figure: the IT "CIA triangle" ranks Confidentiality first, then Integrity, then Availability; the ICS "AIC triangle" ranks Availability first, then Integrity, then Confidentiality.]

Page 35:

The Cyberattacker's view: ICS are different

§ Assuming you have an appropriate network segmentation
  • (If your critical PLC is on SHODAN, you have a bigger problem.)
§ [GOOD] Expensive (but not difficult) for the attacker to get inside
§ [GOOD] Difficult for the attacker to replicate the attack as-is (where is the ransomware?)
§ [VERY BAD] The defender usually has no idea what happens inside

See also: Michael J. Assante and Robert M. Lee, The Industrial Control System Cyber Kill Chain, Report, SANS Institute, 2015

Page 36:

A tiny taxonomy of cyberattackers

§ Interesting types
  1. Criminals (cost < benefit)
  2. Hacktivists (cost < fixed limit)
  3. Nation states (no constraints)
  4. Occasional (typically: insiders)

§ Not everything hackable will be hacked, see e.g. "Where Do All The Attacks Go?" by Florencio and Herley

§ Interesting for ICS are #2, 3, 4 (for the moment)
§ When criminals have found a way to a good ROI in attacking ICS, things will change completely.
  • IMHO: this is not going to happen very soon.
  • "Ransomware for ICS" is possible but not as lucrative (yet?)

Page 37:

QUESTIONS?
