Cyber Threats and Infrastructure Protection (ICS/OT)

Transcript of the slide deck "Cyber Threats and Infrastructure Protection (ICS/OT)"

Page 1: Cyber Threats and Infrastructure Protection

Rome – 05 April 2016

ptsecurity.com

Paolo Emiliani, Technical Account Manager

Page 2: Positive Technologies

Positive Dynamic

Year   Employees   Customers
2012   250         500
2013   300         600
2014   400         750
2015   500+        1,000+

#1 Fastest Growing Security & Vulnerability Management Firm according to

Trusted by more than 1,000 companies across 30 countries

Page 3: Positive Technologies

250+

30+

14+

100+ 0-day vulnerability discoveries

20+ security level assessments

400+

Years Experience of Research & Expertise

0-day vulnerabilities in ICS/SCADA

0-day vulnerabilities in Mobile Telco

Web Application security assessments

Every Year

Visionary of 2015 WAF Magic Quadrant

Products Leader: MaxPatrol, PT ISIM, PT Application Firewall, PT Application Inspector

Page 4: Positive Hack Days welcome note – www.phdays.com

― Security experts, authorities and hackers share experience and collaborate

― For the sake of getting security right

― No Vendors – Just Security Pros

― 48 hours of dynamic seminars, educational workshops and competitive contests

― Special labs to hack and research 0-days in ICS/SCADA and Mobile Telco

― (2015) 3,500+ Participants - Germany, India, Japan, Korea, Netherlands, Russia, Spain, Argentina, France, USA

― (2016) New approach to CTF is coming: Opposition!

Page 5: This is our world today. Incredible and wonderful!

Page 6: Industrial Projection

This is how ICS/OT people see it

Page 7: Hacker Projection

This is how a hacker looks at it

Page 8: Positive Technologies Projection

Finally, how Positive Technologies looks at it

Page 9: OT - real-life convergence

Modern OT:

• ICS/SCADA

• Telecom

• Transportation

• IoT

The business process is not limited to ICS/SCADA. Around it you can see a lot of accompanying technology that helps operate the business process and brings new threats!

Critical infrastructure is a part of society. And now, it is fully converged.

Page 10: Taking the Challenge

BEFORE: Threat Model for separate ICS →→→→ Challenging

NOW: Threat Model for ALL industries! →→→→ Is it possible?

Page 11: Security Threats landscape: Today's reality on Critical Infrastructures & Enterprises

Page 12: Vulnerability & Attack statistics on Enterprises

Success rate

― In 90% of pentests, the attacker was able to get access to the internal network from the Internet

― In case of successful infiltration, in 55% the attacker was able to get admin privileges and take full control of the compromised IT infrastructure

― In 80% no high qualification of the attacker or zero-day vulnerabilities were required to achieve success

Vulnerability window

― Over 80% of vulnerabilities exploitable from the Internet are well known, reported/submitted to vulnerability databases more than 1 year ago

― Over 40% of services have been vulnerable for a year

Exploitable?

― 50% chance of an exploit being published within 1 month after the vulnerability is announced

― 99% chance of the exploit going public within 1 year

Based on "Positive Research: Enterprise information systems vulnerability statistics 2015"

Page 20: How Enterprises face these risks today? Scenarios

Enterprise Scenarios

Most of the companies audited try to implement solutions for ICS/IT security under the following conditions:

― Only 45% have full information on the threats they suffer from; the rest just have vulnerabilities

― no specific vision of the impact at the business level (vulnerabilities addressed in terms of vectors & threat modeling)

― more care about 0-day or other exotic problems

― no specific information on security bypass (ICS/OT)

― in most cases a good understanding of architecture & deployment problems

― a lot of firewalls or different IDS/IPS systems

― no specific relationship with vendors about the vulnerability fixing cycle

― fragmented perception of the defense model and incident management

Page 21: How Enterprises face these risks today? Maturity

Enterprise security maturity

Most of the companies audited are in the following conditions:

― no specific ICS lab to reproduce threats and vectors

― not yet deployed their own security framework; in the best cases it is based on what global communities or regulators have released as generic rules

― continue to invest in protection (firewalls) thinking this will at least "patch" some of their problems, and less in root identification of problems (research, audits)

― As part of their security review actions/cycle:

• Quite rarely have they implemented the SDL on their "in production" applications

• Do not have a cyclic configuration review of servers, main network devices, main crucial objects

• Have almost never implemented a continuous, strategic threat modelling scenario

― As part of their security controls:

• Have in many important cases deployed SOC services, with difficulties in problem identification / addressing derived from a fragmented analysis

• Do not always have specific added value services such as Forensics, network traffic review, Application & protocol traffic analysis

Page 22: Our response: How to protect from existing threats?

Industrial Environments

― Build a security lab or controlled / non-intrusive penetration test

― Real SCADA system simulation of business processes

― Real plant vulnerabilities / vectors & threat modeling

― Safety and functional security bypass test

― 0-day research

― Architecture & deployment review

― Defense model review (mitigate ICS threats)

Infrastructure Audit

― Configuration analysis

― Compliance hardening

― Threat modeling, business impact

― Added value services (Forensic, ABC)

― Defense model review

― Penetration Testing – web and IT infrastructure

― Full Technical Security Coverage (vertical expertise per industry): Mobile; Telecom, SS7; Banking

Product & Solutions

― Threat & incident management

― Malware & APT discovery

― Network intrusion detection & alerting

― Network traffic management & forensics

― Application security

― Vulnerability & compliance management

Page 23: Our response: Expert Security Center

― Advanced Border Control

― Scan and manage vulnerabilities with expert verification

― Penetration Testing, web and IT infrastructure

― Full Technical Security Coverage with industry-specific expertise:

• Mobile

• Telecom, SS7

• Banking: CBS/ATM/banking systems

• ICS/SCADA

― Web-security monitoring

• Web-security incident analysis

― Security Incident Team

• Incident Response

• Incident Analysis

• Incident Investigation

― Security retrospective analysis - anomaly analysis and incident discovery

Page 24: Threat & incident management for ICS/OT

Monitoring and Incident Discovery

+ Fully passive mode

+ Network protocols analysis

• Industrial protocols: Modbus, S7, DNP3, IEC, IEC 61850/60870, OPC…

• Proprietary protocols

• Telnet, FTP, HTTP, SNMP…

• System protocols: CIFS/SMB, SQL Net…

+ Business logic attacks

+ Accurate Alerting

+ Asset management

• Real-time asset detection & continuous asset modelling

Threat Modeling on Industrial Infrastructure

+ Based on project and network traffic

• OS and SW

• Network devices

• SCADA, PLC, Historian…

aka PT Industrial Security Incident Manager™ (PT ISIM)

Page 25: Threat & incident management for TELCOs

Monitoring and Incident Discovery based on SS7/SIGTRAN network traffic

Collect all traffic

Store all signaling messages

Correlate signaling messages to construct call flows

Detect abnormal activity

Get detailed info and see statistics

Page 26: Our references: Research analytics results

http://www.ptsecurity.com/library/articles/

http://www.ptsecurity.com/research/threatscape/

http://blog.ptsecurity.com/

http://www.ptsecurity.com/library/whitepapers/

Paolo Emiliani – Head of Southern Europe project delivery - [email protected]

Page 27: Thank you!