Cyber Security Intelligence and Analytics in Industrial Systems (PDF transcript, 29 pages)

Page 1: Cyber Security Intelligence and Analytics in Industrial · PDF file · 2014-11-20Security Intelligence and Analytics in Industrial Systems . Honeywell Proprietary 2 ... • What is

2014 Honeywell Users Group Europe, Middle East and Africa

Eric D Knapp, Honeywell

Security Intelligence and Analytics in Industrial Systems

Page 2

Honeywell Proprietary

2 2014

About the Presenter

Eric D. Knapp
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; over 10 years in Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, and advanced cyber security controls
• North American Technical Advisor to the Industrial Cyber Security Center
• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid

[email protected]
@ericdknapp

Page 3

Agenda

• What is “Security Intelligence and Analytics”?
• Evolution of Cyber Threat
• What to look for
• Where to Look
• Understanding the Data
• Drawing Conclusions
• What an Attack Might Look Like
• Perspective
• Same Attack, Different Lens

Page 4

What the Heck Am I Talking About?

Security Analytics. (An-uh-lit-iks).
1) The process of analyzing large volumes of security data, originating from distributed sources throughout a network communication system, with the intention to identify unknown cyber security risks and threats.
2) A common process used in obtaining Situational Awareness, enabling cyber security threats to be identified, evaluated and mitigated.
3) Something that SIEM and Log Management vendors used to do before they came up with the term “Big Data.”

Page 5

Evolution of the Cyber Threat

1971… Malware was simple. Malware was Loud.

Page 6

Evolution of the Cyber Threat

Today malware is commercial grade software:
• Targeted
• Adaptable
• Complex
• Conditional
• Learning
• Persistent
• Evasive

Page 7

What to Look For

“The world is full of obvious things which nobody by any chance ever observes”

~ Sherlock Holmes

Page 8

What to Look For

Page 9

What Creates The Data We Need?

(All of This)

Diagram courtesy of Elsevier Publishing, ©2014 Langill/Knapp

Page 10

Example 1: Remote Access

Possible Vectors:
• Software vendor support portal (inbound malware or penetration)
• Social engineering (compromised accounts)

What to Look For (callouts placed at several points of the network diagram, which is not reproduced in this transcript):
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Account anomalies / new user creation / priv escalation
• File / configuration changes
• Services enabled/disabled
• Firewall alerts / blocked connection attempts
• Unexpected traffic/connections from or to the RA DMZ
• Performance and/or risk indicators

Page 11

Example 2: Inbound From L4

Possible Vectors:
• Inbound targeted attack (inbound malware or penetration)

What to Look For (callouts placed at several points of the network diagram, including both firewalls; the diagram is not reproduced in this transcript):
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Unexpected connections from or to the L3.5 DMZ
• Performance and/or risk indicators
• Firewall alerts / blocked connection attempts
• Account anomalies / new user creation / priv escalation
• File / configuration changes
• Services enabled/disabled

Page 12

Clues of Complex Threats

• Indicators in registry
• Presence of certain files
  – .pnf and .cfg
• C2 calls / updates
• Mutations:
  – Unexpected writes
  – File changes
• And on… and on… and on…

Page 13

Understand the Data

“You gotta convince me that you know what this is all about, that you aren't just fiddling around hoping it'll all... come out right in the end”

~ Sam Spade

Page 14

Understand the Data

Source: Knapp, “Industrial Network Security” © Elsevier, Inc. All Rights Reserved. Republished with permission.

Page 15

Drawing Conclusions

“It is the brain, the little gray cells on which one must rely!”

~ Hercule Poirot

Page 16

What an attack might look like

① An inbound attack from the Internet compromises a business PC (L4) using a common exploit.

② The attacker penetrates the L3.5 firewall to gain access to the DMZ.

③ That PC then attempts to identify and then pivot to L3 systems using known SCADA exploits.

④ A compromised L3 server then tunnels a command shell back through the business PC … all the way back to a malicious offshore server.

⑤ The L3 server is then used to alter the control environment, flip bits, write new code, etc.

Page 17

What an attack might look like

① A business PC was unpatched or somehow exploited … we can assume that L4 is “contested ground”.

② Weak firewall policies allow the attacker to penetrate the L3.5 firewall and gain access to the DMZ.

③ The compromise of L3.5 increases the risk to any connected systems at L3 and below. An L3 system that is also vulnerable allows the attacker to detect that vulnerability and exploit the system. This adds additional risk.

④ Exfiltration of data from L3 further increases the risk to everything L1 to L3.

⑤ Anomalous behavior, at this point, should be taken very seriously due to the increased risk exposure of the total system.

Same Attack. Same Data. Different Lens.

Page 18

What it really looks like

An IPS Event Log indicating Metasploit PexCall:

0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,16009005201,6,0,0,2,"05/11/2011 12:24:35.000","05/11/2011 12:24:35.000",543636, "09/06/2011 17:00:58.000”, 841296, 5, 0, 25, 0, 0, 1423146292302823429, 1423146279415840768, "-", "-", "-", "-", "-” ,"-", "-”

Page 19

We Need Tools to Translate

“Any fool can know. The point is to understand.”

~ Albert Einstein

Page 20

Perspective: Looking Through Lenses

• Is there a Risk to Operations?
• Is there a Risk to the Business?
• Is there a Larger Threat or Campaign?
• Is there more to be found?

Page 21

Intelligence = Data + Context + Perspective

(Diagram labels: Single Data Point; Industrial Analytics; Enterprise Analytics; Compliance Analytics; Business Analytics)

Page 22

Problems with Commercial InfoSec Tools

Requires knowledge of latest threats (what is a pexcall?)

Requires understanding of the network (who is 12.30.40.2?)

Requires time to investigate, follow leads, examine events… (who has time?)

Lacks the context of what this might mean to operations (what is the impact?)

Page 23

Intelligence = Data + Context + Perspective

Enterprise Analytics = Many complex steps

Page 24

Intelligence = Data + Context + Perspective

Industrial Analytics… Something easier please?

Enterprise Analytics = Many complex steps

Page 25

Let’s look at security in the context of Risk

① Let’s look at the same data…

② Think of it in terms of Risk (a function of Vulnerability, Threat and Consequence)…

③ And make it easy to see without being a detective
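One way to put Data, Context and Perspective together for a record like the IPS event on slide 18, as an added example that is neither Honeywell's Risk Manager nor code from the deck: a parser names the CSV fields, an assumed asset inventory answers "who is this IP?", and a simple Vulnerability × Threat × Consequence weighting ranks the events so the reader does not have to be a detective. The field positions, asset table, signature catalogue, second record and weighting are all assumptions made here.

```python
import csv
import io

# Constructed IPS records shaped like the first 15 fields of the event on slide 18.
# Record 1 reuses the slide's values; record 2 is invented to show the step-4
# pattern of the attack walkthrough (an L3 host reaching out to an unknown
# external address). Column layout is an assumption, the slide's CSV is unlabelled:
# field 2 = signature id, 4/5 = src/dst IP, 6/7 = src/dst port, 14 = first seen.
RAW_EVENTS = [
    '0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,'
    '16009005201,6,0,0,2,"05/11/2011 12:24:35.000"',
    '0,0,2000001,941621259,64.12.174.249,203.0.113.7,49211,443,895863428400,'
    '16009005202,6,0,0,2,"05/11/2011 12:31:02.000"',
]
# Hypothetical asset context (constructed): Purdue level, whether an unpatched
# vulnerability is recorded for the host, and an operational consequence score 1-5.
ASSETS = {
    "69.20.3.102":   {"name": "biz-pc-17",   "level": 4, "vulnerable": False, "consequence": 1},
    "64.12.174.249": {"name": "hist-srv-01", "level": 3, "vulnerable": True,  "consequence": 4},
}
# Hypothetical signature catalogue: id -> (readable name, threat weight 1-5).
SIGNATURES = {1003977: ("Metasploit PexCall (exploit payload)", 4)}
# Defaults for a host the inventory does not know: no level, unknown patch state.
UNKNOWN = {"name": None, "level": None, "vulnerable": None, "consequence": 3}

def parse_event(line):
    """Give names to the fields of one raw CSV record (positions are assumptions)."""
    f = next(csv.reader(io.StringIO(line)))
    return {"sig_id": int(f[2]), "src": f[4], "dst": f[5],
            "sport": int(f[6]), "dport": int(f[7]), "first_seen": f[14]}

def assess(ev):
    """Score Risk as a function of Vulnerability, Threat and Consequence. The
    product below is an assumed weighting; the slides only name the three factors."""
    name, threat = SIGNATURES.get(ev["sig_id"], (f"unknown signature {ev['sig_id']}", 2))
    src = ASSETS.get(ev["src"], dict(UNKNOWN, name=ev["src"]))
    dst = ASSETS.get(ev["dst"], dict(UNKNOWN, name=ev["dst"]))
    vuln = 1 if dst["vulnerable"] is False else 2   # unknown patch state counts as vulnerable
    notes = []
    if src["level"] is not None and dst["level"] is not None and src["level"] > dst["level"]:
        notes.append(f"inbound L{src['level']} -> L{dst['level']}: crosses the L3.5 boundary")
    if src["level"] is not None and src["level"] <= 3 and dst["level"] is None:
        notes.append("outbound from the control environment to an unknown host (possible C2)")
    return {"signature": name, "src": src["name"], "dst": dst["name"],
            "risk": threat * vuln * dst["consequence"], "notes": notes}

def triage(lines):
    """Highest-risk events first, so the reader does not have to play detective."""
    return sorted((assess(parse_event(l)) for l in lines), key=lambda r: -r["risk"])
```

Run `triage(RAW_EVENTS)` to get the two records ranked, each with a readable signature name, host names in place of IPs, and the zone-crossing notes that the raw CSV line alone cannot give.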

Page 26

Page 27

Drawing Conclusions

“Just one more thing…”

~ Columbo

Page 28

Risk Manager preview is available in the Integrated Safety and Security area of the

Knowledge Center

Please consider taking a short survey to help us make Risk Manager better

Page 29

Thank You

Eric D Knapp
e: [email protected]
t: @ericdknapp