From Air Gap to Air Control
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
From Air Gap to Air Control
Marc Blackmer and John Ode
EnergySec: August 2014
// Decompiler output as shown on the slide: the routine copies fields from the
// structure at a2 into the structure at a1 and returns a pointer to a1 + 80.
//----- (10002271) --------------------------------------------------------
int __cdecl sub_10002271(int a1, int a2, int a3)
{
  int result; // eax@1

  *(_DWORD *)(a1 + 80) = *(_DWORD *)(a2 + 40) + *(_DWORD *)(a2 + 52);
  *(_DWORD *)(a1 + 84) = 0;
  *(_DWORD *)(a1 + 88) = *(_DWORD *)(a2 + 96);
  *(_DWORD *)(a1 + 92) = *(_DWORD *)(a2 + 100);
  *(_DWORD *)(a1 + 96) = *(_WORD *)(a2 + 92);
  *(_WORD *)(a1 + 100) = *(_WORD *)(a2 + 74);
  *(_WORD *)(a1 + 102) = *(_WORD *)(a2 + 72);
  *(_DWORD *)(a1 + 104) = 0;
  *(_WORD *)(a1 + 108) = *(_WORD *)(a2 + 22);
  *(_WORD *)(a1 + 110) = *(_WORD *)(a2 + 94);
  *(_WORD *)(a1 + 112) = *(_WORD *)(a2 + 4);
  *(_BYTE *)(a1 + 114) = 1;
  *(_BYTE *)(a1 + 115) = 4;
  *(_DWORD *)(a1 + 116) = *(_DWORD *)(a2 + 112);
  *(_DWORD *)(a1 + 120) = a3;
  result = a1 + 80;
  *(_DWORD *)(a1 + 124) = 0;
  return result;
}
Thoughts to brighten your day… and what to do about them
• Everyone gets breached
• You have to be right 100% of the time; they only need to be successful once
• Isolating IT, OT, and physical security into separate pillars introduces gaps that can be exploited
• Identify and prioritize the crown jewels
• Hedge your bets -> defense in depth
• I didn’t actually say “convergence”
The Near-Miss
Case Study: On a Recent Flight
The Negatives
• Planes/tower not following procedures?
• Potential for runway collision
• Aborted landing
The Positives
• No collision
• No fatalities or injuries
• On-time arrival
Success or Failure?
The Psychology of the Near-Miss [1]
Georgetown University McDonough School of Business research
• Outcome = definition of success
• Near-miss considered a success if outcome is positive
• Near-miss = near-failure
[1] Ben Paynter, "The Fire Next Time," Wired, August 2012
Case Study: Eliminating Near-Misses
US Federal Aviation Administration
• Reporting and analysis of all near-misses
  Tower reports
  Crew reports
  Flight and terrain data
• Modification of:
  Flight patterns
  Airport approaches
Case Study Result
Massive reduction in airline-related deaths: 83%
Risk
Risk in context
The Positives
• Exploration
• Medical breakthroughs
• Technology advances
• Entrepreneurism
The Negatives
• False sense of security
• Complacency
• Point-in-time view of security
Case Study: Risk
Lightning Storm vs. Data Center
• No servers or critical systems were connected to uninterruptible power supplies (UPS)
• Company hadn't experienced an outage in over 13 years
• Severe electrical storm
Case Study Result
All systems down: 100%
Datakinesis: "An action taken in cyber space that produces a result in the physical world"
Case Studies: Datakinesis
• Los Angeles, USA
  Traffic operations center breached
  Light delays at 4 key intersections
  Snarled traffic for days
  No physical injuries
• Natanz, Iran
  Undetected malware on control network
  Malware falsified centrifuge data readings
  Nuclear enrichment centrifuges suffered mass breakdowns
  No physical injuries
Case Studies: Datakinesis
• Lodz, Poland
  Teenager with modified TV remote
  Changed tram track switches at will
  4 commuter trams derailed
  12 commuters injured
Case Studies: Datakinesis
• Utah
  New government intelligence agency data center
  10 unexplained, major electrical malfunctions in 13 months
  Construction set back by at least 1 year
  Cause undetermined
Most Pervasive Threats
• Human error
• Reduced budgets
• Operational inefficiencies
• Talent acquisition and retention
Bunk/De-bunk
“I spent $[x]M on security last year, and you’re telling me I’m not secure?!”
“We’re all set; we just bought a [y] security widget.”
“We just passed [z] audit. We’re secure.”
“We’ve never been breached, so…”
“If we’re so insecure, why hasn’t anything happened yet?”
In Spite of Layers of Defense
• Malware is getting through control-based defenses
• Malware prevention is NOT 100% (breach)
• Existing tools are labor intensive and require expertise
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Point in Time -> Continuous
Point-in-Time vs Continuous

Point-in-Time
Temporal
• Blind beyond point-in-time
• Focused on detection and finding static artifacts
• Misses malware ecosystem
Lacks Visibility
• Event enumeration without context
• Misses scope and root causes
• Blind to attack chain behavior
Limited Control
• Requires intelligence update
• Not targeted
• Limited integration

Continuous
Continuous Analysis
• Extended and continuous analysis and correlation of telemetry data
Retrospective Security
• Real-time attack chain detection, analysis and visualization
Real-time Containment
• Quickly target, contain, and remediate the specific malware and root causes
Continuous changes the conversation
• Continuous feed of event AND telemetry data
• Data is always up to date when you need it
• Analysis happens in cloud to reduce impacts
• Analysis can happen indefinitely – Retrospection
• More than event enumeration/correlation: telemetry data is continuously woven together over time
• Collective Intelligence shared immediately
• Can be deployed pervasively
Collective Security Intelligence
[Slide graphic: continuous analysis across the attack continuum]
Telemetry stream (continuous feed) from Web (WWW), Endpoints, Network, Email, Devices and IPS
Breadth and control points: file fingerprint and metadata, file and network I/O, process information
Continuous analysis: analysis happens along the attack continuum
Advanced levels of detection, tracking and response: Retrospection, Trajectory, Behavioral Indications of Compromise, Threat Hunting
Retrospective Detection
Enables unique innovation
[Slide graphic: telemetry stream from Web (WWW), Endpoints, Network and Email; control points are file fingerprint, file and network I/O and process information; Retrospection, Trajectory, Behavioral Indications of Compromise and Threat Hunting run along the attack continuum]
Continuous (Retrospective Detection):
• File Retrospection
• Process Retrospection
• Connection Retrospection
• Attack Chain Weaving
Point-in-Time: Blind
That continues to analyze what happens along the attack continuum
[Slide graphic: telemetry stream from Web (WWW), Endpoints, Network and Email; control points are file fingerprint, file and network I/O and process information; Retrospection, Trajectory, Behavioral Indications of Compromise and Threat Hunting run along the attack continuum]
Continuous (Retrospective Detection):
• Prevalence
• Static IoCs
• Behavioral IoCs
Point-in-Time:
• Static IoCs
That continues to analyze what happens along the attack continuum
[Slide graphic: telemetry stream from Web (WWW), Endpoints, Network and Email; control points are file fingerprint, file and network I/O and process information; Retrospection, Trajectory, Behavioral Indications of Compromise and Threat Hunting run along the attack continuum]
Continuous (Retrospective Detection):
• File Trajectory – Scope
• Device Trajectory – Root Cause
• File Analysis – Detail Analysis
• Elastic Search
Point-in-Time:
• Event Enumeration
• Static IoCs
Know where to start
Who: Focus on these users first
What: These applications are affected
Where: The breach impacted these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat
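The point-in-time vs continuous comparison and the Who/What/Where/When/How slide above are easier to see on data. The following Python is an added example written for this transcript; it is not Cisco code and does not model any Cisco product. It replays a constructed file-telemetry stream, judges each file once at arrival (point-in-time) and again against intelligence that arrives later (retrospective), and then derives the scope (file trajectory), root cause (device trajectory) and prevalence views the slides name. Every host name, path, hash, timestamp and intelligence verdict is constructed for the demonstration.

```python
"""Point-in-time vs continuous (retrospective) detection over file telemetry.

Added example for this transcript; not Cisco code and not a model of any Cisco
product. Event fields, host names, paths, hashes and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds on a constructed timeline
    host: str      # endpoint that reported the event
    sha256: str    # file fingerprint (shortened, constructed)
    path: str      # where the file landed on the endpoint
    parent: str    # process that wrote or launched the file


# Constructed telemetry: a dropper arrives on hr-01 via the mail client, writes
# a DLL, and the same DLL later shows up on two more hosts.
TELEMETRY = [
    FileEvent(100, "hr-01",  "aaa111", r"C:\Users\jdoe\Downloads\invoice.exe", "outlook.exe"),
    FileEvent(130, "hr-01",  "bbb222", r"C:\Windows\Temp\svc.dll",             "invoice.exe"),
    FileEvent(400, "eng-07", "bbb222", r"C:\Windows\Temp\svc.dll",             "invoice.exe"),
    FileEvent(410, "eng-07", "ccc333", r"C:\Users\Public\readme.txt",          "explorer.exe"),
    FileEvent(900, "ops-03", "bbb222", r"C:\Windows\Temp\svc.dll",             "psexec.exe"),
]

# Constructed intelligence feed: (time the verdict became available, hash, disposition).
# Nothing is known about bbb222 until t=600, long after it first landed at t=130.
INTEL_UPDATES = [(600, "bbb222", "malicious")]


def disposition_at(sha256, ts):
    """Disposition of a hash using only the intelligence available at time ts."""
    verdict = "unknown"
    for when, digest, disp in INTEL_UPDATES:
        if digest == sha256 and when <= ts:
            verdict = disp
    return verdict


def point_in_time_scan(events):
    """Each file is judged once, when it arrives, with the intel of that moment."""
    return [(e.host, e.sha256) for e in events
            if disposition_at(e.sha256, e.ts) == "malicious"]


def retrospective_detection(events, now):
    """Retained telemetry is re-evaluated against the intel known at `now`, so a
    verdict that arrives later still reaches every host that saw the file."""
    return [(e.host, e.sha256) for e in events
            if disposition_at(e.sha256, now) == "malicious"]


def infections_missed_by_point_in_time(events, now):
    """Hosts that were infected but never alerted at arrival time."""
    return sorted(set(retrospective_detection(events, now)) - set(point_in_time_scan(events)))


def prevalence(events):
    """Distinct hosts per hash: a file seen on one host only is a hunting lead
    even before any verdict exists."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.sha256].add(e.host)
    return {digest: len(seen) for digest, seen in hosts.items()}


def file_trajectory(events, sha256):
    """Scope: where and when one file has been seen, in time order."""
    return sorted((e.ts, e.host, e.path) for e in events if e.sha256 == sha256)


def device_trajectory(events, host, sha256):
    """Root cause on one host: walk parent processes back from the flagged file.
    The chain stops when the parent was not itself written as a file on that host."""
    host_events = [e for e in events if e.host == host]
    current = next((e for e in host_events if e.sha256 == sha256), None)
    chain, visited = [], set()
    while current is not None and current.path not in visited:
        visited.add(current.path)
        chain.append((current.ts, current.path, current.parent))
        parent_name = current.parent.lower()
        current = next((e for e in host_events
                        if e.path.rsplit("\\", 1)[-1].lower() == parent_name), None)
    return chain


if __name__ == "__main__":
    now = 1000
    print("point-in-time detections :", point_in_time_scan(TELEMETRY))
    print("retrospective detections :", retrospective_detection(TELEMETRY, now))
    print("infections never alerted :", infections_missed_by_point_in_time(TELEMETRY, now))
    print("prevalence               :", prevalence(TELEMETRY))
    print("file trajectory bbb222   :", file_trajectory(TELEMETRY, "bbb222"))
    print("device trajectory hr-01  :", device_trajectory(TELEMETRY, "hr-01", "bbb222"))
```

On this constructed stream the point-in-time scan alerts only on ops-03, the one host that received the DLL after the verdict existed; the retrospective pass finds all three, and the file trajectory shows the first infection 770 seconds before the first alert. The device trajectory on hr-01 walks back to the mail-client download, while on ops-03 it stops at psexec.exe, which is the kind of lateral-movement lead the "origin and progression" slide refers to. Real deployments would key on full hashes and process identifiers rather than file names; the name-based parent lookup here is a simplification.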
Key Takeaways
• The problem is likely worse than you think it is
• Many threats are getting through, creating beachheads
• Think "infections", not "detections"
• Think continuous vs point-in-time