From Air Gap to Air Control

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Marc Blackmer and John Ode

EnergySec: August 2014


//----- (10002271) --------------------------------------------------------
// Hex-Rays decompiler output as shown on the slide (32-bit target): the
// function copies selected fields of the structure at a2 into the structure
// at a1, starting at offset 80, stores a3 at offset 120, and returns a pointer
// to the filled region (a1 + 80). The typedefs below are the ones Hex-Rays
// assumes; they are added here so the listing compiles as 32-bit C.
typedef unsigned int   _DWORD;
typedef unsigned short _WORD;
typedef unsigned char  _BYTE;
#ifndef _MSC_VER
#define __cdecl
#endif

int __cdecl sub_10002271(int a1, int a2, int a3)
{
  int result; // eax@1

  *(_DWORD *)(a1 + 80) = *(_DWORD *)(a2 + 40) + *(_DWORD *)(a2 + 52);
  *(_DWORD *)(a1 + 84) = 0;
  *(_DWORD *)(a1 + 88) = *(_DWORD *)(a2 + 96);
  *(_DWORD *)(a1 + 92) = *(_DWORD *)(a2 + 100);
  *(_DWORD *)(a1 + 96) = *(_WORD *)(a2 + 92);   // 16-bit field widened to 32 bits
  *(_WORD *)(a1 + 100) = *(_WORD *)(a2 + 74);
  *(_WORD *)(a1 + 102) = *(_WORD *)(a2 + 72);
  *(_DWORD *)(a1 + 104) = 0;
  *(_WORD *)(a1 + 108) = *(_WORD *)(a2 + 22);
  *(_WORD *)(a1 + 110) = *(_WORD *)(a2 + 94);
  *(_WORD *)(a1 + 112) = *(_WORD *)(a2 + 4);
  *(_BYTE *)(a1 + 114) = 1;
  *(_BYTE *)(a1 + 115) = 4;
  *(_DWORD *)(a1 + 116) = *(_DWORD *)(a2 + 112);
  *(_DWORD *)(a1 + 120) = a3;
  result = a1 + 80;
  *(_DWORD *)(a1 + 124) = 0;
  return result;
}


Thoughts to Brighten Your Day ... and What to Do About Them

• Everyone gets breached

• You have to be right 100% of the time; they only need to be successful once

• Isolating IT, OT, and physical security into separate pillars introduces gaps that can be exploited

• Identify and prioritize the crown jewels

• Hedge your bets -> defense in depth

• I didn’t actually say “convergence”


The Near-Miss


Case Study: On a Recent Flight

The Negatives

• Planes/tower not following procedures?

• Potential for runway collision

• Aborted landing

The Positives

• No collision

• No fatalities or injuries

• On-time arrival

Success or Failure?


The Psychology of the Near-Miss [1]

Georgetown University McDonough School of Business research

• Outcome = definition of success

• Near-miss considered a success if outcome is positive

• Near-miss = near-failure

[1] Ben Paynter, “The Fire Next Time,” Wired, August 2012


Case Study: Eliminating Near-Misses
US Federal Aviation Administration

• Reporting and analysis of all near-misses: tower reports, crew reports, flight and terrain data

• Modification of: flight patterns, airport approaches


Case Study Result
Massive reduction in airline-related deaths: 83%


Risk


Risk in context

The Positives

• Exploration

• Medical breakthroughs

• Technology advances

• Entrepreneurism

The Negatives

• False sense of security

• Complacency

• Point-in-time view of security


Case Study: Risk
Lightning Storm vs. Data Center

• No servers or critical systems were connected to uninterruptible power supplies (UPS)

• Company hadn’t experienced an outage in over 13 years

• Severe electrical storm


Case Study Result
All systems down: 100%


Datakinesis: “An action taken in cyber space that produces a result in the physical world”


Case Studies: Datakinesis

• Los Angeles, USA: traffic operations center breached
  Light delays at 4 key intersections
  Snarled traffic for days
  No physical injuries

• Natanz, Iran: undetected malware on control network
  Malware falsified centrifuge data readings
  Nuclear enrichment centrifuges suffered mass breakdowns
  No physical injuries


Case Studies: Datakinesis

• Lodz, Poland: teenager with modified TV remote
  Changed tram track switches at will
  4 commuter trams derailed
  12 commuters injured


Case Studies: Datakinesis

• Utah, USA: new government intelligence agency data center
  10 unexplained, major electrical malfunctions in 13 months
  Construction set back by at least 1 year
  Cause undetermined


Most Pervasive Threats

• Human error

• Reduced budgets

• Operational inefficiencies

• Talent acquisition and retention


Bunk/De-bunk


“I spent $[x]M on security last year, and you’re telling me I’m not secure?!”


“We’re all set; we just bought a [y] security widget.”


“We just passed [z] audit. We’re secure.”


“We’ve never been breached, so…”


“If we’re so insecure, why hasn’t anything happened yet?”


In Spite of Layers of Defense

• Malware is getting through control-based defenses

• Malware prevention is NOT 100% -> breach

• Existing tools are labor intensive and require expertise

Attack Continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Point in Time -> Continuous


Point-in-Time vs Continuous

Point-in-Time

Temporal
• Blind beyond point-in-time
• Focused on detection and finding static artifacts
• Misses malware ecosystem

Lacks Visibility
• Event enumeration without context
• Misses scope and root causes
• Blind to attack chain behavior

Limited Control
• Requires intelligence update
• Not targeted
• Limited integration

Continuous

Continuous Analysis
• Extended and continuous analysis and correlation of telemetry data

Retrospective Security
• Real-time attack chain detection, analysis and visualization

Real-time Containment
• Quickly target, contain, and remediate the specific malware and root causes


Continuous changes the conversation

Collective Security Intelligence

• Continuous feed of event AND telemetry data

• Data is always up to date when you need it

• Analysis happens in cloud to reduce impacts

• Analysis can happen indefinitely: retrospection

• More than event enumeration/correlation: telemetry data is continuously woven together over time

• Collective intelligence shared immediately

• Can be deployed pervasively


Continuous analysis

Telemetry stream (continuous feed) from the control points: Web (WWW), Endpoints, Network, Email, Devices, IPS

Breadth and control points: File Fingerprint and Metadata; File and Network I/O; Process Information

Analysis happens along the attack continuum: Retrospection, Trajectory, Behavioral Indications of Compromise, Threat Hunting, Retrospective Detection

Advanced levels of detection, tracking and response


Enables unique innovation

Same telemetry stream (Web, Endpoints, Network, Email) and control points (File Fingerprint; File and Network I/O; Process Information) as the previous slide, analyzed along the attack continuum: Retrospection, Trajectory, Behavioral Indications of Compromise, Threat hunting

Continuous: File Retrospection, Process Retrospection, Connection Retrospection, Attack Chain Weaving

Point-in-Time: Blind

Retrospective Detection

Tom Stitt: Let's change Attack Chain Weaving to Retrospective Detection. Attack Chain Weaving is too esoteric for the BDM. For the symbol maybe a modified version of retrospection. Keep the backward arrow but instead of the clock arms, use the malware bug symbol with a slash through it.


That continues to analyze what happens along the attack continuum

Same telemetry stream (Web, Endpoints, Network, Email) and control points (File Fingerprint; File and Network I/O; Process Information), analyzed along the attack continuum: Retrospection, Trajectory, Behavioral Indications of Compromise, Threat hunting, Retrospective Detection

Continuous: Prevalence, Static IoCs, Behavioral IoCs

Point-in-Time: Static IoCs


That continues to analyze what happens along the attack continuum

Same telemetry stream (Web, Endpoints, Network, Email) and control points (File Fingerprint; File and Network I/O; Process Information), analyzed along the attack continuum: Retrospection, Trajectory, Behavioral Indications of Compromise, Threat hunting, Retrospective Detection

Continuous: File Trajectory (Scope), Device Trajectory (Root Cause), File Analysis (Detail Analysis), Elastic Search

Point-in-Time: Event Enumeration, Static IoCs
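The slides above name retrospective detection, file trajectory (scope) and device trajectory (root cause) without showing what the mechanics are. The following is an added example, not code from the talk, from Cisco or from Sourcefire: a small model of an endpoint telemetry store and the retrospective pass that runs when intel changes. Everything in it is constructed, including the hosts, pids, timestamps, the placeholder hashes (h_dropper and friends stand in for SHA-256 values) and the conviction time in INTEL. The point it makes is the one on the slides: a hash convicted after the fact can only be matched against telemetry that was already recorded; a point-in-time scanner that looked up the hash when the file ran has nothing to go back to.

```python
"""Retrospective detection over an endpoint telemetry stream.

Added example; not code from the talk, Cisco or Sourcefire. Every record
below is constructed: hosts, pids, timestamps, the placeholder hashes
(h_dropper etc. stand in for SHA-256 values) and the intel conviction time.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # constructed timestamp (seconds)
    host: str     # endpoint that reported the event
    kind: str     # "exec" (process start), "write" (file written), "connect"
    pid: int      # process that performed the action
    ppid: int     # parent pid recorded for exec events; 1 = logon session root
    sha256: str   # hash of the executed/written file; "" for connect events
    detail: str   # file name, or "ip:port" for connect events


# Constructed telemetry: on ws-01 a browser (pid 10) downloads invoice.exe,
# the user runs it (pid 20), it spawns svc.exe (pid 30) which beacons out.
# The same file is also written on ws-02 but never executed there.
TELEMETRY = [
    Event(100, "ws-01", "exec",    10,  1, "h_browser", "browser.exe"),
    Event(105, "ws-01", "write",   10,  1, "h_dropper", "invoice.exe"),
    Event(110, "ws-01", "exec",    20, 10, "h_dropper", "invoice.exe"),
    Event(111, "ws-01", "exec",    30, 20, "h_beacon",  "svc.exe"),
    Event(112, "ws-01", "connect", 30, 20, "",          "203.0.113.7:443"),
    Event(300, "ws-02", "write",   40,  1, "h_dropper", "invoice.exe"),
    Event(400, "ws-03", "exec",    50,  1, "h_clean",   "notepad.exe"),
]

# Constructed intel: sha256 -> time at which it was convicted as malicious.
# h_dropper is convicted at t=500, i.e. after every sighting above.
INTEL = {"h_dropper": 500}


def point_in_time_verdicts(events, intel):
    """What a point-in-time scanner reports: an event is flagged only if the
    hash was already convicted when the event happened."""
    return [e for e in events
            if e.sha256 in intel and intel[e.sha256] <= e.ts]


def file_trajectory(events, sha256):
    """Every sighting of one hash across the fleet, in time order (scope)."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)


def retrospective_detect(events, sha256, convicted_at):
    """Sightings recorded BEFORE the conviction: the infections a point-in-time
    scanner already let through. Needs stored telemetry, not a rescan."""
    return [e for e in file_trajectory(events, sha256) if e.ts < convicted_at]


def device_trajectory(events, host, pid):
    """Walk the parent chain on one host from pid back to the first recorded
    ancestor (root cause). Returns [(pid, sha256, name)] root-first."""
    execs = {e.pid: e for e in events if e.host == host and e.kind == "exec"}
    chain, seen, cur = [], set(), pid
    while cur in execs and cur not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(cur)
        e = execs[cur]
        chain.append((e.pid, e.sha256, e.detail))
        cur = e.ppid
    chain.reverse()
    return chain


def outbound_from(events, host, pid):
    """Connections made by pid or by any process it spawned, sorted."""
    children = defaultdict(set)
    for e in events:
        if e.host == host and e.kind == "exec":
            children[e.ppid].add(e.pid)
    tree, stack = {pid}, [pid]
    while stack:
        for c in children[stack.pop()]:
            if c not in tree:
                tree.add(c)
                stack.append(c)
    return sorted(e.detail for e in events
                  if e.host == host and e.kind == "connect" and e.pid in tree)


def triage(events, intel):
    """The retrospective pass run when intel changes: fleet-wide scope for
    each convicted hash, and for every host that executed it the root cause
    and the outbound contacts of the process tree it started."""
    report = {}
    for sha, convicted_at in intel.items():
        hits = retrospective_detect(events, sha, convicted_at)
        executed_on = {}
        for e in hits:
            if e.kind == "exec":
                executed_on[e.host] = {
                    "root_cause": device_trajectory(events, e.host, e.pid)[0][2],
                    "outbound": outbound_from(events, e.host, e.pid),
                }
        report[sha] = {"hosts": sorted({e.host for e in hits}),
                       "executed_on": executed_on}
    return report


if __name__ == "__main__":
    print("point-in-time verdicts:", point_in_time_verdicts(TELEMETRY, INTEL))
    for sha, r in triage(TELEMETRY, INTEL).items():
        print(sha, "seen on", r["hosts"], "executed on", r["executed_on"])
```

Run as-is, the point-in-time list is empty (every sighting predates the conviction) while the retrospective pass reports both hosts, identifies the browser download as the origin on ws-01 and lists the beacon destination the dropper's child made, which is the "Who / What / Where / When / How" the closing slides ask for. The ws-02 entry shows scope without execution: the file landed there and should be removed, but no process tree needs unwinding.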


Know where to start

Who: Focus on these users first

What: These applications are affected

Where: The breach impacted these areas

When: This is the scope of exposure over time

How: Here is the origin and progression of the threat


Key Takeaways

The problem is likely worse than you think it is

Many threats getting through, creating beachheads

Think “infections”, not “detections”

Think continuous vs point-in-time


Thank You
Learn more at www.sourcefire.com