Transcript of "If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ATT&CK" (MITRE ATT&CK)
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ATT&CK – Attacker perspective
Marina Krotofil
MITRE ATT&CK
If you know how attackers work, you can figure out how to stop them
The attack lifecycle is a common way to describe the process of conducting cyber attacks
Multiple models exist
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations
Enterprise MITRE ATT&CK
https://www.youtube.com/watch?v=QU1ZR0c5x6A
Tactics / Techniques (matrix axes)
O. Alexander. Modeling Adversarial Behavior against ICS. S4, 2019
Pilot ICS MITRE ATT&CK
Disclaimer: This work is based on my own thoughts and considerations. No warranties ;-)
Motivation
https://www.blackhat.com/docs/us-15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-Plant-For-Competition-And-Extortion.pdf
Here is a PLANT. What is your PLAN?
http://www.amerpipe.com/sites/default/files/refinery-pipe.jpg
http://www.orkspace.net/secdocs/Conferences/BlackHat/Federal/2008/SCADA%20Security.pdf
Cyber-physical attack life cycle: Access, Discovery, Control, Damage, Cleanup/Roll back, with Obtaining Feedback and Preventing Response running alongside
J. Larsen. Hacking Critical Infrastructure Like You’re Not a N00b. RDA, 2016
Timing & State Diagram (TSD): Access, Discovery, Control, Damage, Cleanup; Prevent response; Obtain feedback
We’re winning!!
Which should come first?
http://www.eoht.info/page/Chicken+and+egg+problem
ICS ATT&CK or Attacker-in-the-Wild?
https://img.memecdn.com/Waiting-for-the-perfect-man_o_31089.jpg
Patience is not always a virtue
If management insists…
New researchers and research groups are monitored as unclassified Threat Actors first
After producing a significant amount of coherent offensive research, they can be graduated into an APT
• APT Jason Larsen – JL (the most advanced out there!)
• APT Alexander Bolshev – AB (always does weird things)
• APT Marina Krotofil – MK
Seems to work between many other APTs (so confusing!)
Worked with APTs Larsen & Bolshev. Are Larsen & Bolshev working together?
APT Jason Larsen
Call us APT!
Process Control and Physical Damage
Acknowledgement: Sridhar Adepu and Prof. Aditya Mathur, SUTD, Singapore for kindly conducting this experiment on request
https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/
Use Case: Killing UF filter in water utility
Physical Impact candidates: Modify Tag, Module Firmware, Modify Reporting Settings, Masquerading
Which technique?
Physical Impact
Block Command Message
Block Reporting Message
DoS Service
Exploitation for Denial of Service
Masquerading
Modify Command Message
Modify Control Logic
Modify Parameter
Modify Reporting Settings
Modify Tag
Module Firmware
Spoof Command Message
Spoof Reporting Message
Layers of cyber-physical system: Physical layer, Control layer, Cyber layer (together forming the cyber-physical system)
Attack planning starts here
https://www.gruenbeck.de/fileadmin/user_upload/produkte/membransysteme/pdf_en/ba-561940-inter_084_geno-ultrafil_450-900.pdf
net.grundfos.com/Appl/ccmsservices/public/literature/filedata/Grundfosliterature-5606062.pdf
Damaging UF filter
Classes of Physical Damage
• Inertial Attacks
• Exclusion Attacks
• Resonance Attacks
• Wear Attacks
• Surge Attacks
• Latent Abilities
J. Larsen. Breakage. Black Hat Federal, 2006
Breakage techniques 1
UF filtering: HMI screen and P&ID diagram (modes: Water filtering, Backwash)
UF backwash: HMI and P&ID diagram
There are three conditions which can trigger the backwash process, each guided by a state machine in a PLC:
• Preset timer (every 30 minutes)
• UF filter differential pressure (DP) ≥ 40 kPa
• Plant shutdown
How do we pull this off?
[Diagram: Tank T301 with level sensor LIT301 (PLC3, Stage 3 ON); UF is active (Stage 4); Stage 6: valve MV303 OPEN, pump P602 ON (PLC6). Attacker: "Let’s see what max pressure we can achieve"]
Execution of cyber-attack
Average UF filter DP is ≈ 12-13 kPa
Max DP is 98 kPa (~ 1 bar)
Surge attack on UF filter
Stale Data attack (MK)
Multi-Adaptive Control attack (JL)
Skip Frequency attack (RW)
???
• https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEF%20CON%2023%20-%20Marina-Krotofil-Jason-Larsen-Rocking-the-Pocketbook-Hacking-Chemical-Plants-UPDATED.pdf
• https://slate.com/technology/2016/01/vulnerability-lets-hackers-burn-industrial-motors.html
• https://conference.hitb.org/hitbsecconf2015ams/materials/D2T1%20-%20Marina%20Krotofil%20and%20Jason%20Larsen%20-%20Hacking%20Chemical%20Processes.pdf
Control techniques 2
Attack Execution & Detection Avoidance
Operator evasion
Pilot ICS ATT&CK matrix (tactics with their techniques):
Persistence: External Remote Services, Modify Control Logic, Module Firmware, System Firmware, Valid Accounts
Privilege Escalation: Exploitation for Privilege Escalation, Valid Accounts
Defense Evasion: Alternate Modes of Operation, Exploitation for Defense Evasion, File Deletion, Masquerading, Modify Event Log, Modify System Settings, Rootkit
Operator Evasion: Block Reporting Message, Block Serial Comm Port, Modify Control Logic, Modify HMI/Historian Reporting, Modify I/O Image, Modify Parameter, Modify Physical Device Display, Modify Reporting Message, Modify Reporting Settings, Modify Tag, Rootkit, Spoof Reporting Message
Credential Access: Brute Force, Credential Dumping, Default Credentials, Network Sniffing
Discovery: Control Device Discovery, Control Process, I/O Module Enumeration, Location Identification, Network Connection Enumeration, Network Service Scanning, Network Sniffing, Remote System Discovery, Role Identification, Serial Connection Enumeration
Lateral Movement: Default Credentials, External Remote Services, Modify Control Logic, Valid Accounts
Execution: Alternate Modes of Operation, Command-Line Interface, Execution through API, Graphical User Interface, Man in the Middle, Modify Control Logic, Modify System Settings, Scripting
Command and Control: Commonly Used Port, Connection Proxy
Compromise Integrity: Alternate Modes of Operation, Block Serial Comm Port, Device Shutdown, DoS Service, Modify Control Logic, System Firmware
Physical Impact: Block Command Message, Block Reporting Message, DoS Service, Exploitation for Denial of Service, Masquerading, Modify Command Message, Modify Control Logic, Modify Parameter, Modify Reporting Settings, Modify Tag, Module Firmware, Spoof Command Message, Spoof Reporting Message
[Plots: D Feed (kg/h) vs Hours; D feed (%) vs Hours]
Hierarchical control loop structure: Process Optimization Applications → HMI → Control system (set point) → Actuators → Process → Sensors
• Operator evasion
• Control system evasion
• Advanced control evasion
Response prevention
• Alarm avoidance
• PV modification
• Stealthy attacks
Evading all control layers 3
Command and Control
• C2 server
• Human operator
• Human
• Implant
Feedback
• Field instrumentation
• (Other) implants
Execution Feedback
Sensors
Sensor proxies (JL)
Proxy measurements (MK)
Detection of process state (MK)
Reading state machine
Building process model (JL)
Estimations
Calculations (MK)
Feedback techniques 4
[Figure: vacuum breaker, with Pressure and Temperature labels]
[Plot: Reactor Exit Temperature (°C) vs Hours]
Reactor exit temperature is a proxy measurement for production rate of useful product
[Plot: VAC Concentration (kmol/min) vs Minutes]
Non-Parametric Cumulative Sum (NCUSUM)
Observation of state A in component B needs to trigger payloads X, Y, Z
Feedback techniques 4
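The NCUSUM named above and the three PLC backwash triggers listed earlier, turned into defender-side checks on a UF differential-pressure trace. This is an added example, not the speaker's code: the one-sided CUSUM form, the DRIFT_KPA and CUSUM_ALARM tunings and the sample trace are assumptions and constructed data; the 12-13 kPa baseline, the 40 kPa trigger and the 30-minute timer are the figures from the slides.

```python
"""Added example (not from the talk): defender-side checks on a UF filter trace.
NCUSUM (the slides name it; this one-sided form is an assumption) flags a
sustained rise of UF differential pressure (DP) over its 12-13 kPa baseline well
before the 98 kPa maximum; a second check requires the PLC to report backwash
active whenever one of its triggers holds (DP >= 40 kPa or the 30-minute timer;
plant shutdown is not modelled). The trace is constructed; DRIFT_KPA and
CUSUM_ALARM are assumed tunings."""
from dataclasses import dataclass

BASELINE_KPA = 12.5          # average UF DP from the slides (~12-13 kPa)
BACKWASH_DP_KPA = 40.0       # PLC trigger: DP >= 40 kPa starts backwash
BACKWASH_PERIOD_S = 30 * 60  # PLC trigger: preset timer, every 30 minutes
DRIFT_KPA = 3.0              # assumed: excess over baseline tolerated per sample
CUSUM_ALARM = 20.0           # assumed: accumulated excess (kPa) that raises an alarm

def ncusum_alarm_index(dp, baseline=BASELINE_KPA, k=DRIFT_KPA, h=CUSUM_ALARM):
    """One-sided CUSUM S_t = max(0, S_{t-1} + (x_t - baseline - k)).
    Returns the index of the first sample with S_t >= h, or None."""
    s = 0.0
    for i, x in enumerate(dp):
        s = max(0.0, s + (x - baseline - k))
        if s >= h:
            return i
    return None

@dataclass
class Sample:
    t_since_backwash_s: float  # seconds since the last backwash finished
    dp_kpa: float              # UF differential pressure reported by the PLC
    backwash_on: bool          # backwash state reported by the PLC

def backwash_violations(trace):
    """Indexes where a PLC trigger condition holds but backwash is not active,
    i.e. the reported state contradicts the PLC's own state machine."""
    bad = []
    for i, smp in enumerate(trace):
        triggered = (smp.dp_kpa >= BACKWASH_DP_KPA
                     or smp.t_since_backwash_s >= BACKWASH_PERIOD_S)
        if triggered and not smp.backwash_on:
            bad.append(i)
    return bad

# Constructed trace: eight normal readings one minute apart, then DP climbs.
# CUSUM alarms at index 10 (36 kPa), before the 40 kPa trigger is even reached.
DP_SERIES = [12.0, 12.6, 13.1, 12.4, 12.9, 12.2, 13.0, 12.7,
             20.0, 28.0, 36.0, 44.0, 52.0, 60.0]
TRACE = [Sample(60.0 * i, dp, False) for i, dp in enumerate(DP_SERIES)]
TRACE.append(Sample(1900.0, 12.8, False))  # timer elapsed, backwash still off
```

The CUSUM catches the drift while the PLC trigger is still silent, and the consistency check catches a PLC whose reported backwash state disagrees with its own triggers (samples 11 to 14 in the constructed trace).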
Conclusions
Physical damage techniques are not limited to breakage; there are also degradation techniques
Damage and control techniques are detectable via process-, control- and cyber-engineering methods
Coverage needed for embedded and IIoT ATT&CKs
PCs, networking & mobile infrastructures are covered (?) by Enterprise & Mobile ATT&CKs
Other points to consider
https://selinc.com/uploadedImages/Web/Videos/Playlists/Playlist_RTAC_1280x720.png?n=635847581260000
https://www.prosoft-technology.com/var/plain_site/storage/images/insights/white-papers/profiting-from-the-iiot/241218-2-eng-US/W37-2017-Profiting-from-the-IIoT_blog_post_feature.png
https://cdn.mos.cms.futurecdn.net/ndPpGeTbojbvvU2TFPr89d-320-80.jpg
PRE-ATT&CK
https://attack.mitre.org/resources/pre-introduction
https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf
PRE-ATT&CK → Access
Marina Krotofil@[email protected]
Q & A