Slide 1
2014 Honeywell Users Group Europe, Middle East and Africa
Eric D Knapp, Honeywell
Security Intelligence and Analytics in Industrial Systems
Slide 2
Honeywell Proprietary 2014
About the Presenter
Eric D. Knapp
• Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions
• Over 20 years of experience in Information Technology; over 10 years in Industrial Cyber Security
• Specializing in cyber security for ICS, security analytics, and advanced cyber security controls
• North American Technical Advisor to the Industrial Cyber Security Center
• Author of Industrial Network Security and Applied Cyber Security and the Smart Grid
@ericdknapp
Slide 3
Agenda
• What is “Security Intelligence and Analytics”?
• Evolution of Cyber Threat
• What to look for
• Where to Look
• Understanding the Data
• Drawing Conclusions
• What an Attack Might Look Like
• Perspective
• Same Attack, Different Lens
Slide 4
What the Heck Am I Talking About?
Security Analytics. (An-uh-lit-iks).
1) The process of analyzing large volumes of security data, originating from distributed sources throughout a network communication system, with the intention of identifying unknown cyber security risks and threats.
2) A common process used in obtaining Situational Awareness, enabling cyber security threats to be identified, evaluated and mitigated.
3) Something that SIEM and Log Management vendors used to do before they came up with the term “Big Data.”
Slide 5
Evolution of the Cyber Threat
1971… Malware was simple. Malware was Loud.
Slide 6
Evolution of the Cyber Threat
Today malware is commercial-grade software:
• Targeted
• Adaptable
• Complex
• Conditional
• Learning
• Persistent
• Evasive
Slide 7
What to Look For
“The world is full of obvious things which nobody by any chance ever observes”
~ Sherlock Holmes
Slide 8
What to Look For
Slide 9
What Creates The Data We Need? (All of This)
Diagram courtesy of Elsevier Publishing, ©2014 Langill/Knapp
Slide 10
Example 1: Remote Access
Possible Vectors:
• Software vendor support portal (inbound malware or penetration)
• Social engineering (compromised accounts)
What to Look For:
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Account anomalies / new user creation / privilege escalation
• File / configuration changes
• Services enabled/disabled
• Firewall alerts / blocked connection attempts
• Unexpected traffic/connections from or to the RA DMZ
• Performance and/or Risk Indicators
Slide 11
Example 2: Inbound From L4
Possible Vectors:
• Inbound targeted attack (inbound malware or penetration)
What to Look For:
• Anomalous inbound connections
• Unsolicited file transfers
• Scans / enumeration
• Unexpected outbound connections (possible C2)
• Unexpected connections from or to the L3.5 DMZ
• Firewall alerts / blocked connection attempts
• Account anomalies / new user creation / privilege escalation
• File / configuration changes
• Services enabled/disabled
• Performance and/or Risk Indicators
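The network-side indicators from Examples 1 and 2 written as detection rules and run over constructed connection records. This is an added example, not code from the presentation; the zone networks, the allowed-conduit table, the scan threshold and the sample connections are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed Purdue-style zone map (assumption); anything unlisted is "Internet".
ZONES = {
    "L4":   ipaddress.ip_network("10.4.0.0/16"),   # business network
    "L3.5": ipaddress.ip_network("10.35.0.0/24"),  # DMZ
    "L3":   ipaddress.ip_network("10.3.0.0/16"),   # site operations
    "L1-2": ipaddress.ip_network("10.1.0.0/16"),   # control network
}
# Conduits the architecture expects (assumption): (src zone, dst zone, dst port).
ALLOWED = {
    ("L4", "Internet", 443), ("L4", "L3.5", 443),
    ("L3.5", "L3", 443), ("L3", "L3.5", 1433), ("L3", "L1-2", 502),
}
SCAN_PORTS = 10  # distinct ports from one source to one host before we call it a scan

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "Internet")

def review(conns):
    """conns: iterable of (src_ip, dst_ip, dst_port). Returns (rule, src, dst, detail) findings."""
    findings, ports = [], defaultdict(set)
    for src, dst, port in conns:
        sz, dz = zone_of(src), zone_of(dst)
        ports[(src, dst)].add(port)
        if sz == dz or (sz, dz, port) in ALLOWED:
            continue
        if dz == "Internet":                 # only L4 may reach out, and only on ALLOWED ports
            rule = "unexpected outbound connection (possible C2)"
        elif "L3.5" in (sz, dz):
            rule = "unexpected connection to/from the L3.5 DMZ"
        else:
            rule = "anomalous inbound connection bypassing the DMZ"
        findings.append((rule, src, dst, port))
    for (src, dst), seen in ports.items():   # scans / enumeration, regardless of zone
        if len(seen) >= SCAN_PORTS:
            findings.append(("scan / enumeration", src, dst, len(seen)))
    return findings

# Constructed sample connections (assumption), one per indicator on the slides.
SAMPLE = [
    ("10.4.1.20", "10.35.0.10", 443),   # L4 -> DMZ portal: expected conduit
    ("10.4.1.20", "10.35.0.10", 3389),  # L4 -> DMZ on RDP: not an expected conduit
    ("10.4.1.20", "10.3.0.5", 445),     # L4 straight to L3, bypassing the DMZ
    ("10.3.0.5", "203.0.113.7", 443),   # L3 server reaching the Internet: possible C2
] + [("10.3.0.77", "10.3.0.5", p) for p in range(20, 32)]  # one L3 host sweeping another

if __name__ == "__main__":
    for rule, src, dst, detail in review(SAMPLE):
        print(f"{src} -> {dst} ({detail}): {rule}")
```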
Slide 12
Clues of Complex Threats
• Indicators in registry
• Presence of certain files
  – .pnf and .cfg
• C2 calls / updates
• Mutations:
  – Unexpected writes
  – File changes
• And on… and on… and on…
Slide 13
Understand the Data
“You gotta convince me that you know what this is all about, that you aren't just fiddling around hoping it'll all... come out right in the end”
~ Sam Spade
Slide 14
Understand the Data
Source: Knapp, “Industrial Network Security” © Elsevier, Inc. All Rights Reserved. Republished with permission.
Slide 15
Drawing Conclusions
“It is the brain, the little gray cells on which one must rely!”
~ Hercule Poirot
Slide 16
What an attack might look like
① An inbound attack from the Internet compromises a business PC (L4) using a common exploit.
② The attacker penetrates the L3.5 firewall to gain access to the DMZ.
③ That PC then attempts to identify and then pivot to L3 systems using known SCADA exploits.
④ A compromised L3 server then tunnels a command shell back through the business PC … all the way back to a malicious offshore server.
⑤ The L3 server is then used to alter the control environment, flip bits, write new code, etc.
Slide 17
What an attack might look like
① A business PC was unpatched or somehow exploited … we can assume that L4 is “contested ground”.
② Weak firewall policies allow the attacker to penetrate the L3.5 firewall and gain access to the DMZ.
③ The compromise of L3.5 increases the risk to any connected systems at L3 and below. An L3 system that is also vulnerable allows the attacker to detect that vulnerability and exploit the system. This adds additional risk.
④ Exfiltration of data from L3 further increases the risk to everything from L1 to L3.
⑤ Anomalous behavior, at this point, should be taken very seriously due to the increased risk exposure of the total system.
Same Attack. Same Data. Different Lens.
Slide 18
What it really looks like
An IPS Event Log indicating Metasploit PexCall:
0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,16009005201,6,0,0,2,"05/11/2011 12:24:35.000","05/11/2011 12:24:35.000",543636, "09/06/2011 17:00:58.000", 841296, 5, 0, 25, 0, 0, 1423146292302823429, 1423146279415840768, "-", "-", "-", "-", "-", "-", "-"
Slide 19
We Need Tools to Translate
“Any fool can know. The point is to understand.”
~ Albert Einstein
Slide 20
Perspective: Looking Through Lenses
• Is there a Risk to Operations?
• Is there a Risk to the Business?
• Is there a Larger Threat or Campaign?
• Is there more to be found?
Slide 21
Intelligence = Data + Context + Perspective
Diagram labels: Single Data Point; Industrial Analytics; Enterprise Analytics; Compliance Analytics; Business Analytics.
Slide 22
Problems with Commercial InfoSec Tools
• Requires knowledge of latest threats (what is a pexcall?)
• Requires understanding of the network (who is 12.30.40.2?)
• Requires time to investigate, follow leads, examine events… (who has time?)
• Lacks the context of what this might mean to operations (what is the impact?)
Slide 23
Intelligence = Data + Context + Perspective
Enterprise Analytics = Many complex steps
Slide 24
Intelligence = Data + Context + Perspective
Industrial Analytics… Something easier please?
Enterprise Analytics = Many complex steps
Slide 25
Let’s look at security in the context of Risk
① Let’s look at the same data…
② Think of it in terms of Risk (a function of Vulnerability, Threat and Consequence)…
③ And make it easy to see without being a detective
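The three steps applied to the IPS event from slide 18, as an added example that is not code from the presentation or from any Honeywell product: parse the raw event (Data), attach what the signature means and what the destination is (Context), and rate the result as risk (Perspective). The column positions, the signature catalog, the asset inventory and the product-form risk function are assumptions; the event line is the slide's own, with its quote characters normalized.

```python
import csv
import io

# The IPS event from the slide ("Metasploit PexCall"), quotes normalized.
RAW_EVENT = ('0,0,1003977,941621258,69.20.3.102,64.12.174.249,1847,80,895863428312,'
             '16009005201,6,0,0,2,"05/11/2011 12:24:35.000","05/11/2011 12:24:35.000",'
             '543636, "09/06/2011 17:00:58.000", 841296, 5, 0, 25, 0, 0, '
             '1423146292302823429, 1423146279415840768, "-", "-", "-", "-", "-", "-", "-"')
SRC_IP, DST_IP, SRC_PORT, DST_PORT, EVENT_TIME = 4, 5, 6, 7, 14  # assumed column positions

# Constructed context (assumption): what a signature means (and its threat, 1-3),
# and what each IP is. Zone and patch state drive consequence and vulnerability.
SIGNATURES = {"Metasploit PexCall": ("exploit-framework payload on the wire", 3)}
ASSETS = {
    "64.12.174.249": {"name": "vendor support portal", "zone": "L3.5", "patched": False},
    "12.30.40.2":    {"name": "site historian",        "zone": "L3",   "patched": True},
}
CONSEQUENCE = {"L4": 1, "L3.5": 2, "L3": 3, "L1-2": 3}  # what losing that zone costs operations

def parse_event(raw):
    """Data: pull the fields an analyst actually needs out of the raw CSV record."""
    f = next(csv.reader(io.StringIO(raw), skipinitialspace=True))
    return {"src": f[SRC_IP], "dst": f[DST_IP], "sport": int(f[SRC_PORT]),
            "dport": int(f[DST_PORT]), "time": f[EVENT_TIME]}

def risk(signature, raw):
    """Context + Perspective: returns (score, level, narrative) for one IPS event."""
    ev = parse_event(raw)
    meaning, threat = SIGNATURES.get(signature, ("unknown signature", 2))
    asset = ASSETS.get(ev["dst"])
    if asset is None:  # the "who is 12.30.40.2?" problem: no context, so it cannot be rated
        return 0, "unknown", f"{ev['dst']} is not in the asset inventory; {signature}: {meaning}"
    vulnerability = 1 if asset["patched"] else 3
    score = threat * vulnerability * CONSEQUENCE[asset["zone"]]  # assumed risk function
    level = "high" if score >= 12 else "medium" if score >= 6 else "low"
    state = "patched" if asset["patched"] else "unpatched"
    narrative = (f"{ev['time']}: {meaning} from {ev['src']}:{ev['sport']} to {asset['name']} "
                 f"({asset['zone']}, {state}) on port {ev['dport']}; risk {level} ({score})")
    return score, level, narrative

if __name__ == "__main__":
    print(risk("Metasploit PexCall", RAW_EVENT)[2])
```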
Slide 27
Drawing Conclusions
“Just one more thing…”
~ Columbo
Slide 28
Risk Manager preview is available in the Integrated Safety and Security area of the Knowledge Center.
Please consider taking a short survey to help us make Risk Manager better.
Slide 29
Thank You
Eric D Knapp
e: [email protected]
t: @ericdknapp