Know Your Enemy: Active Defense - American Public Power ...

Slide 2

Know Your Enemy: Active Defense & Penetration Testing for Utilities
Cybersecurity Summit

November 13, 2018 | Austin, Texas

Brent Heyen & Mark Johnson-Barbier
Senior Principal Analysts, Cybersecurity Architecture
Salt River

Dan Gunter
Principal Threat Analyst
Dragos, Inc.

Slide 3

Agenda

• What is Active Defense?
• Who is your Enemy?
• What is Threat Intelligence?
• Applying Knowledge of your Enemy
  o Our Story as a Maturity Model: Low, Medium, High
  o Helpful ideas for ALL organizations

Slide 4

What is Active Defense?

• Sliding Scale of Cybersecurity
• Active Defense: the process of analysts monitoring for, responding to, and learning from adversaries internal to the network

Slide 5

Who is your Enemy?

• Enemy, Adversary, Threat
  o Insiders
  o Competitors
  o Crime groups
  o Hacktivists
  o Nation States
  o APTs
  o Terrorists
  o Script-Kiddies

Slide 6

How the Enemy Operates

Slide 7

What is Threat Intelligence?

“evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace” - Gartner

Slide 8

Threat Intelligence

Slide 9

Applying Adversary Knowledge

Slide 10

Our Story Begins…

$Positive Outcomes

Slide 11

Maturity Level: Low

Slide 12

Controls To Focus On

Legal Controls

Technical Controls

Procedural Controls

Risk-based framework: What reduces most risk?

Maturity Level: Low

Slide 13

• Risk Formula:

RISK = LIKELIHOOD X IMPACT

Maturity Level: Low

Slide 14

• Risk Formula:

RISK = LIKELIHOOD X IMPACT

(LIKELIHOOD = THREAT X VULNERABILITY; IMPACT = CONSEQUENCE)

Maturity Level: Low

Slide 15

• Risk Formula:

RISK =

THREAT X VULNERABILITY X CONSEQUENCE

• Vulnerability-Centric Approach
  o Automate
  o Do we ever get to 0?

Maturity Level: Low

Slide 16

• Risk Formula:

RISK =

THREAT X VULNERABILITY X CONSEQUENCE

• Consequence-Centric Approach
  o Often already considered in ICS: Safety Culture

Maturity Level: Low

Slide 17

• Risk Formula:

RISK =

THREAT X VULNERABILITY X CONSEQUENCE

• Threat-Centric Approach
  o Don’t Give Up on Prevention!

Maturity Level: Low

Slide 18

Maturity Level: Low

What We Can Detect

• Security Tool → Alerts
• IOCs
• Limited Logs & Visibility

• Respond to Security Alerts
• Run All the IOCs (Manually & Point In Time)
• Collection Management Framework

Slide 19

Maturity Level: Low

• Keys to Success
  o Develop asset visibility
  o Understand your defensive posture

Slide 20

Maturity Level: Low

• Visibility
  o What is current environment understanding?
    ― Devices
    ― Protocols
  o Can "normal" be defined?
    ― Behaviors

Slide 21

Maturity Level: Low

• What is my current defensive posture?

Slide 22

Maturity Level: Low

• What is my current defensive posture?

Collection Management Framework

Source                         Location                 Duration
HMI Windows Event Logs         Operator Workstation     60 days
Domain Controller Event Logs   All Domain Controllers   48 hours
Raw Packet Capture             L3/L4 Boundary           72 hours
Bro Connection Logs            From Raw PCAP            72 hours
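A Collection Management Framework is only useful if it is queried, not just documented. The following Python is an added example, not material from the presenters or from Dragos: it turns a CMF table like the one on this slide into three questions an analyst actually asks during an incident: which sources have already rolled over for the suspected intrusion window, how much longer each source would need to keep data to cover an assumed dwell time, and which locations the team wants visibility of but no source covers. The four rows come from the slide; the incident dates, the 30-day dwell-time figure and the "Engineering Workstation" location are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CollectionSource:
    """One row of a Collection Management Framework (CMF) table."""
    name: str
    location: str
    retention: timedelta


# Rows taken from the CMF table on the slide.
CMF = [
    CollectionSource("HMI Windows Event Logs", "Operator Workstation", timedelta(days=60)),
    CollectionSource("Domain Controller Event Logs", "All Domain Controllers", timedelta(hours=48)),
    CollectionSource("Raw Packet Capture", "L3/L4 Boundary", timedelta(hours=72)),
    CollectionSource("Bro Connection Logs", "From Raw PCAP", timedelta(hours=72)),
]


def retention_gaps(cmf, suspected_start, now):
    """Names of sources whose oldest retained record is newer than the
    suspected intrusion start, i.e. evidence for that period is already gone."""
    return [s.name for s in cmf if now - s.retention > suspected_start]


def retention_shortfall(cmf, assumed_dwell):
    """Extra retention each source would need to cover an assumed adversary
    dwell time. Sources that already cover it are left out."""
    return {s.name: assumed_dwell - s.retention for s in cmf if s.retention < assumed_dwell}


def blind_spots(cmf, required_locations):
    """Locations the defender wants visibility of that no source in the CMF covers."""
    covered = {s.location for s in cmf}
    return sorted(set(required_locations) - covered)


if __name__ == "__main__":
    # Constructed scenario: an alert fires on 13 Nov 2018 and the analyst
    # believes the adversary first touched the environment five days earlier.
    now = datetime(2018, 11, 13, 9, 0)
    suspected_start = now - timedelta(days=5)
    print("Sources already rolled over:", retention_gaps(CMF, suspected_start, now))
    for name, gap in retention_shortfall(CMF, timedelta(days=30)).items():
        print(f"{name}: needs {gap.days} more days to cover a 30-day dwell time")
    wanted = ["Operator Workstation", "All Domain Controllers",
              "L3/L4 Boundary", "Engineering Workstation"]  # constructed wish list
    print("No coverage for:", blind_spots(CMF, wanted))
```

With the slide's retention figures, a five-day-old intrusion is already invisible in three of the four sources; only the HMI event logs still cover it. That is the "Identify blind spots" exercise of the Medium maturity level expressed as a check the team can rerun every time the table changes.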

Slide 23

Maturity Level: Low

• Success Conditions
  o Asset visibility:
    ― Can identify protocols and devices
    ― Up to date network map
    ― Can define basics of "normal" behavior
  o Defensive posture:
    ― Vetted & rehearsed IR plan
    ― Prevent, detect, respond strategy

Slide 24

Our Story Continued…

Ukraine 2015

Slide 25

Maturity Level: Medium

Attack Analysis of Ukraine 2015

Slide 26

Maturity Level: Medium

• The Value of Threat Intelligence & Threat Hunting
  o Centralized running of specific IOCs based on context
  o Fix and mature Collection Management Framework
  o Identify blind spots
  o Threat Hunting dashboards
  o Begin to focus more heavily on ICS visibility and hunting
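Two of the bullets above, running specific IOCs based on context and defining "normal" for the ICS segment (slide 20), describe what a hunt pipeline does with the Bro (now Zeek) connection logs listed in the Collection Management Framework. The following Python is an added example, not code from the presenters or from Dragos. It parses a conn.log excerpt using Zeek's own #fields header, applies an intelligence indicator only to flows that originate inside the ICS segment, and compares observed flows against an analyst-defined baseline. The conn.log lines, the indicator address 203.0.113.45, the 10.20.1.0/24 scope and the baseline set are all constructed, and the log is trimmed to a subset of real conn.log fields.

```python
import ipaddress

# Constructed Bro/Zeek conn.log excerpt (tab-separated). The addresses are
# private/documentation ranges and the traffic is invented for the example.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1541100000.1\t10.20.1.15\t49211\t10.20.1.5\t502\ttcp\tmodbus
1541100001.2\t10.20.1.15\t49212\t10.20.1.6\t502\ttcp\tmodbus
1541100002.3\t10.20.1.15\t49213\t10.20.1.5\t502\ttcp\tmodbus
1541100003.4\t10.20.1.15\t49300\t203.0.113.45\t443\ttcp\tssl
1541100004.5\t10.20.1.22\t49400\t10.20.1.5\t3389\ttcp\t-
1541100005.6\t192.168.50.10\t51000\t203.0.113.45\t443\ttcp\tssl
"""

# Constructed context: the ICS segment, one intel-supplied indicator, and the
# "normal" flow set an analyst defined after baselining the segment.
ICS_SCOPE = ["10.20.1.0/24"]
IOC_IPS = {"203.0.113.45"}
BASELINE = {
    ("10.20.1.15", "10.20.1.5", "502", "tcp"),
    ("10.20.1.15", "10.20.1.6", "502", "tcp"),
}


def parse_conn_log(text):
    """Parse Zeek's tab-separated log format, taking column names from the
    #fields header so the code does not hard-code column positions."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ioc_hits(records, ioc_ips, scope):
    """Flows to an indicator address that originate inside the scope.
    Scoping the indicator to the ICS segment is the 'based on context' step:
    the same destination seen from the corporate LAN still matters, but it
    belongs to a different queue with a different response plan."""
    nets = [ipaddress.ip_network(n) for n in scope]
    return [
        (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        for r in records
        if r["id.resp_h"] in ioc_ips
        and any(ipaddress.ip_address(r["id.orig_h"]) in n for n in nets)
    ]


def baseline_deviations(records, baseline):
    """(orig, resp, resp_port, proto) tuples not present in the defined normal.
    A new pair is not automatically malicious; it is what the hunt queue
    reviews and then either adds to the baseline or escalates."""
    observed = {(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"]) for r in records}
    return sorted(observed - baseline)


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("IOC hits inside the ICS segment:", ioc_hits(records, IOC_IPS, ICS_SCOPE))
    for flow in baseline_deviations(records, BASELINE):
        print("Outside baseline:", flow)
```

On the constructed log the indicator matches once inside the ICS scope (the HMI at 10.20.1.15 talking to the indicator over 443), and the baseline comparison surfaces that flow plus an RDP connection to a Modbus server that was never part of "normal". The second finding has no indicator behind it at all, which is the point of the slide's shift from running all IOCs to hunting against a defined baseline.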

Slide 27

Maturity Level: Medium

• Keys to success:
  o Evaluate effectiveness of defense program
  o Building solid internal & external relationships

Slide 28

Maturity Level: Medium

• Evaluate effectiveness of defense program
  o Technical aspects:
    ― Do defensive efforts counter attacker capabilities?
    ― Do defensive efforts counter known vulnerabilities?
    ― How do I consume threat intelligence?
  o Non-technical aspects:
    ― Do my team and enterprise know what to do?
    ― Is my defensive plan synced with operational realities?
    ― Have I tested my plan beyond the security team?

Slide 29

Maturity Level: Medium

• Building solid internal & external relationships
  o Internally:
    ― Find your (current) allies
    ― Find your (future) allies
  o Externally:
    ― Collaborate with other asset owners
    ― ISAC, InfraGard
    ― Not all vendors are dirty
• Find who you trust
• Collaboration is a two way street

Slide 30

Maturity Level: Medium

https://dragos.com/neighborhood-keeper.html

Slide 31

Maturity Level: Medium

• Success conditions:
  o Evaluate effectiveness of defense program:
    ― Areas of improvement identified
    ― Investments prioritized
    ― Plan thoroughly tested
  o Building solid internal & external relationships:
    ― Internal workflows streamlined
    ― Reducing internal fires
    ― Two way external relationships

Slide 32

Our Story Continued…

Slide 33

Maturity Level: High (Future)

• Better OT Visibility with Passive Monitoring
  o North/South (Ingress/Egress)
  o East/West (Lateral Movement)

Data Sources:
• SPAN ports (current phase)
• Netflow (future as needed)
• Endpoint logs (future as possible)
• Firewall logs (future phase)
• PI data (future phase)

Slide 34

Maturity Level: High (Future)

• Visualization and Anomaly Detection

Slide 35

Maturity Level: High (Future)

• Repeatable and scalable processes
  o Content Packs – Playbooks, Analytics and Query-Focused Datasets
  o Threat Hunting

Slide 36

Maturity Level: High (Future)

• Begin with the end in mind: Threat focus

Slide 37

Maturity Level: High (Future)

• Begin with the end in mind: Threat focus

Slide 38

Maturity Level: High (Future)

• Keys to Success:
  o Integrate threat intel & consequence approach
  o Go deep

Slide 39

Maturity Level: High (Future)

• Integrate threat intel & consequence approach
  o Threat intel:
    ― How well understood is the attacker?
    ― What quality of data am I getting from intel sources?
  o Consequence approach:
    ― Don't wait for signs of attacker research & development
    ― What are the most critical parts of the process?
    ― What is my visibility around process consequence?

Slide 40

Maturity Level: High (Future)

• Go deep
  o Tradeoff of network vs host data
    ― Network data:
      » Easier to collect and analyze
      » Easier for attacker to hide in
    ― Host data:
      » Harder to collect and analyze at scale
      » Harder for attacker to cover tracks
      » Memory vs hard disk

Slide 41

Maturity Level: High (Future)

• Go deep
  o Sophisticated attackers will study your defenses

Slide 42

Maturity Level: High (Future)

• Success conditions:
  o Integrate threat intel & consequence approach
    ― Measure defenses against attacker TTPs from threat intel
    ― Use assessment & threat hunt results proactively
  o Go deep
    ― Understand host & network forensic capabilities
    ― Understand limits of existing DPI
    ― Ensure DPI of industrial & high risk protocols

Slide 43

Conclusion?

• Know Yourself
  o Be honest about your maturity
• Know Your Enemy
  o What is being seen
  o What is possible

Slide 44

Image References

Slide 4: Image Source - https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240

Slide 5: Image Source - https://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/10/adversaries2-500x329.jpg

Image Source - https://blog.rapid7.com/content/images/post-images/63249/Screen%20Shot%202017-05-15%20at%207.35.41%20PM.png

Slide 6: Image Source - https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

Slide 7: Image Source - https://www.recordedfuture.com/assets/threat-intelligence-data-1.png

Slide 8: Image Source – https://dragos.com/adversaries.html

Slide 9: Image Source - https://memegenerator.net%2Finstance%2F20650993%2Fconfused-jackie-chan-what-does-this-mean-why-does-it-matter&psig=AOvVaw0Z619hHAc3AlaDxJdNhbxm&ust=1540315855082734

Slide 10: Image Source - http://what-when-how.com/wp-content/uploads/2012/03/tmp1954_thumb_thumb.jpg

Image Source - https://www.youtube.com/watch?v=eFmDp0gcl98

Image Source - https://www.50-best.com/images/will_ferrell_memes/overwhelmed.jpg

Image Source - https://bergento.no/wp-content/uploads/2016/02/board_icon.png

Slide 11: Image Source - https://i.imgflip.com/2jb5ji.jpg

Image Source - https://bushcraftusa.com/forum/data/attachments/23/23969-85e0c9e13ca3b49146e7c651a092a838.jpg

Slide 12: Image Source - https://www.nist.gov/sites/default/files/styles/480_x_480_limit/public/images/2018/04/16/framework-01.png?itok=sTmLOvAW

Image Source - https://www.acsc.gov.au/images/acsc_logo.png?

Image Source - https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf?

Image Source - https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1

Slide 15: Image Source - https://imgflip.com/s/meme/Third-World-Skeptical-Kid.jpg

Slide 17: Image Source - https://i.imgflip.com/1sybsj.jpg

Slide 18: Image Source - https://media.threatpost.com/wp-content/uploads/sites/103/2016/04/07000023/shutterstock_382920931.jpg

Image Source - https://www.fortinet.com/content/dam/fortinet/images/icons/benefits/icon-benefits-multiple-platform-support.svg

Image Source - https://alertcyber.com/wp-content/uploads/2015/12/Advanced_Icon.png

Slide 21: Image Source - https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240

Slide 24: Image Source - https://www.eenews.net/image_assets/2016/07/image_asset_12194.jpg

Slide 25: Image Source - https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf?

Image Source - https://i1.wp.com/advancedpersistentsecurity.net/wp-content/uploads/2017/01/Triangle.png?ssl=1

Slide 26: Image Source - https://www.fortinet.com/content/dam/fortinet/images/icons/benefits/icon-benefits-multiple-platform-support.svg

Image Source - https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index/_jcr_content/Grid/category_atl/layout-category-atl/blade/bladeContents/spotlight/image.img.png/1531981328095.png

Image Source - https://media.threatpost.com/wp-content/uploads/sites/103/2016/04/07000023/shutterstock_382920931.jpg

Image Source - https://www.siemworks.com/images/Solutions/icons/dashboard-icon.png

Image Source - https://www.nozominetworks.com/wp-content/uploads/2017/12/icons-industrial.jpg

Slide 30: Image Source - https://dragos.com/neighborhood-keeper.html

Slide 32: Image Source - https://coachgeline.files.wordpress.com/2015/10/worksmarter.jpg

Slide 33: Image Source - https://www.controlglobal.com/assets/Uploads/_resampled/ResizedImage661719-cover-fig1-FIN.png

Slide 35: Image Source – The Matrix

Image Source – https://dragos.com

Slide 41: Image Source - https://memegenerator.net/instance/81107451/desk-flip-rage-guy-spend-weekend-imaging-and-analyzing-hard-drive-malware-was-memory-resident