If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ATT&CK – Attacker perspective

Marina Krotofil

Transcript of the slide deck (45 pages)

Page 1:

If I Were MITRE ATT&CK Developer:

Challenges to Consider when Developing

ICS ATT&CK – Attacker perspective

Marina Krotofil

Page 2:

MITRE ATT&CK

If you know how attackers work, you can figure out how to stop them

Attack lifecycle is a common method to describe a process of conducting cyber attacks

Multiple models exist

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations

Page 3:

Enterprise MITRE ATT&CK

Page 4:

Pilot ICS MITRE ATT&CK

https://www.youtube.com/watch?v=QU1ZR0c5x6A

[Figure: pilot ICS ATT&CK matrix; axes labelled TACTICS (columns) and TECHNIQUES (rows)]

O. Alexander. Modeling Adversarial Behavior against ICS. S4, 2019

Page 5:

Disclaimer

This work is based on own thoughts and considerations. No warranties ;-)

Page 6:

Motivation

Page 7:

Here is a PLANT. What is your PLAN?

https://www.blackhat.com/docs/us-15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-Plant-For-Competition-And-Extortion.pdf

http://www.amerpipe.com/sites/default/files/refinery-pipe.jpg

Page 8:

https://www.blackhat.com/docs/us-15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-Plant-For-Competition-And-Extortion.pdf

http://www.orkspace.net/secdocs/Conferences/BlackHat/Federal/2008/SCADA%20Security.pdf

Here is a PLANT. What is your PLAN?

Page 9:

Cyber-physical attack life cycle

[Figure: stages Access, Discovery, Control, Damage, Cleanup, with Obtaining Feedback and Preventing Response as supporting activities; the Access, Discovery and Control labels appear a second time in the figure]

Page 10:

Timing & State Diagram (TSD)

[Figure: TSD with the stages Discovery, Control, Damage and Cleanup/Roll back, plus the supporting activities Prevent response and Obtain feedback]

J. Larsen. Hacking Critical Infrastructure Like You’re Not a N00b. RDA, 2016

Page 11:

We’re winning!!

J. Larsen. Hacking Critical Infrastructure Like You’re Not a N00b. RDA, 2016

Timing & State Diagram (TSD)

Page 12:

ICS ATT&CK or Attacker-in-the-Wild?

Which should come first?

http://www.eoht.info/page/Chicken+and+egg+problem

Page 13:

https://img.memecdn.com/Waiting-for-the-perfect-man_o_31089.jpg

Patience is not always a virtue

Page 14:

Call us APT!

If management insists…

New researchers and research groups are monitored as unclassified Threat Actors first

After producing a significant amount of coherent offensive research they can be graduated into an APT

• APT Jason Larsen – JL (the most advanced out there!)

• APT Alexander Bolshev – AB (always does weird things)

• APT Marina Krotofil – MK

Seems to work between many other APTs (so confusing!)

Worked with APTs Larsen & Bolshev. Are Larsen & Bolshev working together?

[Photo caption: APT Jason Larsen]

Page 15:

Process Control and Physical Damage

Page 16:

Use Case: Killing UF filter in water utility

Acknowledgement: Sridhar Adepu and Prof. Aditya Mathur, SUTD, Singapore for kindly conducting this experiment on request

https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/

Page 17:

Which technique?

Candidate techniques highlighted on the slide: Modify Tag, Module Firmware, Modify Reporting Settings, Masquerading

Physical Impact (pilot ICS ATT&CK tactic column): Block Command Message, Block Reporting Message, DoS Service, Exploitation for Denial of Service, Masquerading, Modify Command Message, Modify Control Logic, Modify Parameter, Modify Reporting Settings, Modify Tag, Module Firmware, Spoof Command Message, Spoof Reporting Message

Page 18:

Layers of cyber-physical system

[Figure: Physical layer, Control layer and Cyber layer, together forming the Cyber-physical system]

Page 19:

Layers of cyber-physical system

[Figure: Physical layer, Control layer and Cyber layer]

Attack planning starts here

Page 20:

Damaging UF filter

https://www.gruenbeck.de/fileadmin/user_upload/produkte/membransysteme/pdf_en/ba-561940-inter_084_geno-ultrafil_450-900.pdf

net.grundfos.com/Appl/ccmsservices/public/literature/filedata/Grundfosliterature-5606062.pdf

Page 21:

Breakage techniques 1

Classes of Physical Damage

• Inertial Attacks

• Exclusion Attacks

• Resonance Attacks

• Wear Attacks

• Surge Attacks

• Latent Abilities

J. Larsen. Breakage. Black Hat Federal, 2006

[Figure: pilot ICS ATT&CK matrix with the Physical Impact column highlighted: Block Command Message, Block Reporting Message, DoS Service, Exploitation for Denial of Service, Masquerading, Modify Command Message, Modify Control Logic, Modify Parameter, Modify Reporting Settings, Modify Tag, Module Firmware, Spoof Command Message, Spoof Reporting Message]

Page 22:

UF filtering: HMI Screen

[Figure: HMI screen showing the Water filtering and Backwash modes]

Page 23:

UF filtering: P&ID (piping and instrumentation diagram)

[Figure: P&ID showing the Water filtering and Backwash paths]

Page 24:

UF backwash: HMI and P&ID

Page 25:

How do we pull this off?

There are three conditions which can trigger the backwash process, each guided by a state machine in a PLC:

• Preset timer (every 30 minutes)

• UF filter differential pressure (DP) ≥ 40 kPa

• Plant shutdown

Page 26:

(Build of Page 25; same text.)

Page 27:

(Build of Page 25; same text.)

Page 28:

Execution of cyber-attack

[Figure: Tank T301 with level transmitter LIT301 (Stage 3 ON, UF is active); valve MV303 and pump P602 (Stage 4, Stage 6: MV303 OPEN, P602 ON); PLC3 and PLC6 shown; attacker: “Let’s see what max pressure we can achieve”]

Page 29:

Surge attack on UF filter

Average UF filter DP is ≈ 12-13 kPa

Max DP is 98 kPa (~ 1 bar)
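The three backwash triggers on Page 25 and the DP numbers on Page 29 together give a defender a simple consistency check: whenever a trigger condition holds in the historian data, the PLC must report a backwash shortly afterwards, and a DP that keeps climbing past 40 kPa with no backwash is exactly the surge pattern the experiment produced. The following is an added example, not code from the deck or from the SWaT testbed; the 30-minute timer, the 40 kPa trigger and the 98 kPa peak are the deck's figures, while the `Sample` record, the two-minute grace period and the sample values are constructed assumptions.

```python
"""Defender-side replay check for the UF backwash state machine (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BACKWASH_INTERVAL_MIN = 30   # preset timer, from the deck
DP_TRIGGER_KPA = 40.0        # DP trigger for backwash, from the deck
GRACE_MIN = 2                # assumed tolerance before a missing backwash becomes a finding


@dataclass
class Sample:
    t_min: int            # minutes since start of the record (constructed)
    dp_kpa: float         # UF filter differential pressure (constructed values)
    backwash: bool        # backwash state as reported by the PLC/HMI
    plant_running: bool   # False when the plant is shut down


def expected_trigger(sample: Sample, minutes_since_backwash: int) -> Optional[str]:
    """Name the PLC condition that should start a backwash at this sample, or None."""
    if not sample.plant_running:
        return "plant shutdown"
    if sample.dp_kpa >= DP_TRIGGER_KPA:
        return "DP >= 40 kPa"
    if minutes_since_backwash >= BACKWASH_INTERVAL_MIN:
        return "30-minute timer"
    return None


def check_backwash_consistency(samples: List[Sample], grace_min: int = GRACE_MIN) -> List[Dict]:
    """Return one finding per episode in which a trigger held but no backwash started.

    A finding records which trigger applied, when it was first seen, when it became
    overdue and the DP at that point; the episode is reported once, until the next
    reported backwash resets the state.
    """
    findings: List[Dict] = []
    last_backwash_t = samples[0].t_min   # assumption: the record starts right after a backwash
    pending: Optional[Dict] = None       # trigger seen, backwash not yet observed
    reported = False
    for s in samples:
        if s.backwash:
            last_backwash_t = s.t_min
            pending, reported = None, False
            continue
        trigger = expected_trigger(s, s.t_min - last_backwash_t)
        if trigger is None or reported:
            continue
        if pending is None:
            pending = {"trigger": trigger, "seen_at": s.t_min}
        elif s.t_min - pending["seen_at"] > grace_min:
            findings.append({**pending, "overdue_at": s.t_min, "dp_kpa": s.dp_kpa})
            reported = True
    return findings


# Constructed historian excerpt: a timer-driven backwash at t=30, then DP climbs past the
# 40 kPa trigger with no backwash reported (the surge pattern from Page 29).
SURGE_RECORD = [
    Sample(t, dp, bw, True)
    for t, dp, bw in [
        (0, 12.1, False), (10, 12.4, False), (20, 12.8, False), (30, 13.0, True),
        (31, 12.0, False), (40, 12.5, False), (50, 20.0, False), (52, 35.0, False),
        (54, 45.0, False), (56, 60.0, False), (58, 80.0, False), (60, 98.0, False),
    ]
]

if __name__ == "__main__":
    for finding in check_backwash_consistency(SURGE_RECORD):
        print(finding)
```

On the constructed record the check raises a single finding: the DP trigger is first met at t=54 and is overdue at t=58, well before the 98 kPa peak. The same walk covers the other two triggers (a record with no backwash for 30 minutes, or a shutdown with no backwash), so one detector mirrors the whole PLC state machine rather than just the pressure limit.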

Page 30:

Control techniques 2

Stale Data attack (MK)

Multi-Adaptive Control attack (JL)

Skip Frequency attack (RW)

???

[Plot: signal vs time, x-axis 0–7000, y-axis 8.9–9.5; axis labels not recoverable]

• https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEF%20CON%2023%20-%20Marina-Krotofil-Jason-Larsen-Rocking-the-Pocketbook-Hacking-Chemical-Plants-UPDATED.pdf

• https://slate.com/technology/2016/01/vulnerability-lets-hackers-burn-industrial-motors.html

• https://conference.hitb.org/hitbsecconf2015ams/materials/D2T1%20-%20Marina%20Krotofil%20and%20Jason%20Larsen%20-%20Hacking%20Chemical%20Processes.pdf

Page 31:

Attack Execution & Detection Avoidance

Page 32:

Operator evasion

Pilot ICS ATT&CK matrix (tactic columns, techniques listed per column):

Persistence: External Remote Services, Modify Control Logic, Module Firmware, System Firmware, Valid Accounts

Privilege Escalation: Exploitation for Privilege Escalation, Valid Accounts

Defense Evasion: Alternate Modes of Operation, Exploitation for Defense Evasion, File Deletion, Masquerading, Modify Event Log, Modify System Settings, Rootkit

Operator Evasion: Block Reporting Message, Block Serial Comm Port, Modify Control Logic, Modify HMI/Historian Reporting, Modify I/O Image, Modify Parameter, Modify Physical Device Display, Modify Reporting Message, Modify Reporting Settings, Modify Tag, Rootkit, Spoof Reporting Message

Credential Access: Brute Force, Credential Dumping, Default Credentials, Network Sniffing

Discovery: Control Device Discovery, Control Process, I/O Module Enumeration, Location Identification, Network Connection Enumeration, Network Service Scanning, Network Sniffing, Remote System Discovery, Role Identification, Serial Connection Enumeration

Lateral Movement: Default Credentials, External Remote Services, Modify Control Logic, Valid Accounts

Execution: Alternate Modes of Operation, Command-Line Interface, Execution through API, Graphical User Interface, Man in the Middle, Modify Control Logic, Modify System Settings, Scripting

Command and Control: Commonly Used Port, Connection Proxy

Compromise Integrity: Alternate Modes of Operation, Block Serial Comm Port, Device Shutdown, DoS Service, Modify Control Logic, System Firmware

Physical Impact: Block Command Message, Block Reporting Message, DoS Service, Exploitation for Denial of Service, Masquerading, Modify Command Message, Modify Control Logic, Modify Parameter, Modify Reporting Settings, Modify Tag, Module Firmware, Spoof Command Message, Spoof Reporting Message

Page 33:

Hierarchical control loop structure

[Figure: control hierarchy Process, Sensors, Control system, Actuators, with HMI, Optimization and Applications layers above supplying the SET POINT]

[Plots: D Feed (kg/h, about 3550–3750) vs Hours 0–70; D feed (%, about 62.6–63.6) vs Hours 0–70]

Page 34:

Evading all control layers 3

• Operator evasion

• Control system evasion

• Advanced control evasion

Response Prevention

• Alarm avoidance

• PV modification

• Stealthy attacks

(Pilot ICS ATT&CK matrix as listed on Page 32)

Page 35:

Command and Control

• C2 server

• Human operator

• Human

• Implant

(Pilot ICS ATT&CK matrix as listed on Page 32)

Page 36:

Command and Control

• C2 server

• Human operator

• Human

• Implant

Feedback

• Field instrumentation

• (Other) implants

(Pilot ICS ATT&CK matrix as listed on Page 32)

Page 37:

Execution Feedback

Command and Control

• C2 server

• Human operator

• Human

• Implant

Feedback

• Field instrumentation

• (Other) implants

(Pilot ICS ATT&CK matrix as listed on Page 32)

Page 38:

Feedback techniques 4

Sensors

Sensor proxies (JL)

Proxy measurements (MK)

Detection of process state (MK)

Reading state machine

Building process model (JL)

Estimations

Calculations (MK)

[Figure labels: Vacuum breaker, Pressure, Temperature]

Page 39:

Feedback techniques 4

(Technique list as on Page 38)

Reactor exit temperature is a proxy measurement for production rate of useful product

[Plots: Reactor Exit Temperature (°C, about 158.5–160.5) vs Hours 0–24; VAC Concentration (kmol/min, about 0.7–0.9) vs Minutes 0–1500]

Page 40:

Feedback techniques 4

(Technique list as on Page 38)

Non-Parametric Cumulative Sum (NCUSUM)

Observation of state A in component B needs to trigger payloads X, Y, Z
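The deck names NCUSUM as a feedback technique for recognising process state; the same statistic is a standard defender-side change detector for process data, and it is the kind of process-engineering method the conclusions refer to when they say damage and control techniques are detectable. The following is an added example, not code from the deck: a two-sided non-parametric CUSUM over the residual between a measurement and its expected value, compared with a conventional per-sample alarm limit. The slack and threshold values, the residual series and the drift it contains are constructed assumptions.

```python
"""Two-sided non-parametric CUSUM (NCUSUM) change detector (added example)."""
from typing import List, Optional, Tuple


def ncusum(residuals: List[float], slack: float,
           threshold: float) -> Tuple[Optional[int], List[Tuple[float, float]]]:
    """Run a two-sided NCUSUM over residuals z_k = observed - expected.

    S+_k = max(0, S+_{k-1} + z_k - slack) accumulates positive deviations and
    S-_k = max(0, S-_{k-1} - z_k - slack) negative ones; `slack` absorbs normal noise
    so both sums stay at zero in steady state. Returns the index of the first sample
    at which either sum exceeds `threshold` (None if never) and the full history.
    """
    s_plus = s_minus = 0.0
    history: List[Tuple[float, float]] = []
    alarm_at: Optional[int] = None
    for k, z in enumerate(residuals):
        s_plus = max(0.0, s_plus + z - slack)
        s_minus = max(0.0, s_minus - z - slack)
        history.append((s_plus, s_minus))
        if alarm_at is None and (s_plus > threshold or s_minus > threshold):
            alarm_at = k
    return alarm_at, history


def first_limit_alarm(residuals: List[float], limit: float) -> Optional[int]:
    """Conventional per-sample alarm: first index where |z_k| >= limit, or None."""
    for k, z in enumerate(residuals):
        if abs(z) >= limit:
            return k
    return None


def make_residuals(n: int = 40, noise: float = 0.4, drift_start: int = 20,
                   drift_per_step: float = 0.1) -> List[float]:
    """Constructed residual series (e.g. kPa): alternating +/-noise around the expected
    value, plus a linear drift that starts at `drift_start` (drift_per_step=0.0 gives
    steady-state data)."""
    out = []
    for k in range(n):
        z = noise if k % 2 == 0 else -noise
        if k >= drift_start:
            z += drift_per_step * (k - drift_start + 1)
        out.append(z)
    return out


if __name__ == "__main__":
    z = make_residuals()
    cusum_alarm, _ = ncusum(z, slack=0.5, threshold=2.0)
    print("NCUSUM alarm at sample", cusum_alarm)              # 30
    print("per-sample limit alarm at", first_limit_alarm(z, 2.0))  # 36
```

With a slack of 0.5 (just above the noise amplitude) and a threshold of 2.0, the CUSUM fires at sample 30, while a fixed 2.0 limit on single samples does not fire until sample 36; on drift-free data neither sum ever leaves zero. The slack sets the false-alarm rate and the threshold the detection delay, so both are tuned per loop from normal operating data rather than chosen once.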

Page 41:

Conclusions

Page 42:

Other points to consider

Physical damage techniques are not limited to breakage; there are also degradation techniques

Damage and control techniques are detectable via process-, control- and cyber-engineering methods

Coverage needed for embedded and IIoT ATT&CKs

PCs, networking & mobile infrastructures are covered (?) by Enterprise & Mobile ATT&CKs

[Images X, Y, Z:]

https://selinc.com/uploadedImages/Web/Videos/Playlists/Playlist_RTAC_1280x720.png?n=635847581260000

https://www.prosoft-technology.com/var/plain_site/storage/images/insights/white-papers/profiting-from-the-iiot/241218-2-eng-US/W37-2017-Profiting-from-the-IIoT_blog_post_feature.png

https://cdn.mos.cms.futurecdn.net/ndPpGeTbojbvvU2TFPr89d-320-80.jpg

Page 43:

PRE-ATT&CK

https://attack.mitre.org/resources/pre-introduction

Page 44:

PRE-ATT&CK

Access

https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf

Page 45:

Q & A

Marina Krotofil, [email protected]