Cyber Threats and Infrastructure Protection · (ICS/OT) ―in most of the cases good understanding...
Cyber Threats and Infrastructure Protection
Roma – 05 April 2016
ptsecurity.com
Paolo Emiliani, Technical Account Manager
Positive Technologies
Positive Dynamic
Year   Employees   Customers
2012   250         500
2013   300         600
2014   400         750
2015   500+        1,000+
#1 Fastest Growing Security & Vulnerability Management Firm according to
Trusted by more than 1,000 companies across 30 countries
Positive Technologies
250+
30+
14+
100+ 0-day vulnerability discoveries
20+ security level assessments
400+
Years Experience of Research & Expertise
0-day vulnerabilities in ICS/SCADA
0-day vulnerabilities in Mobile Telco
Web Application security assessments
Every Year
Visionary of 2015 WAF Magic Quadrant
MaxPatrol, PT ISIM
PT Application Firewall
Products Leader
PT Application Inspector
Positive Hack Days welcome note – www.phdays.com
― Security experts, authorities and hackers share experience and collaborate
― For the sake of getting security right
― No Vendors – Just Security Pros
― 48 hours of dynamic seminars, educational workshops and competitive contests
― Special labs to hack and research 0-days in ICS/SCADA and Mobile Telco
― (2015) 3,500+ Participants - Germany, India, Japan, Korea, Netherlands, Russia, Spain, Argentina, France, USA
― (2016) New approach to CTF is coming: Opposition!
This is our world today. Incredible and wonderful!
Industrial Projection
This is how ICS/OT people see it
Hacker Projection
This is how a hacker looks at it
Positive Technologies Projection
Finally, how Positive Technologies looks at it
OT - real-life convergence
Modern OT:
• ICS/SCADA
• Telecom
• Transportation
• IoT
The business process is not limited to ICS/SCADA. Around it you can see a lot of accompanying technology which helps to operate the business process and brings new threats!
Critical infrastructure is a part of society. And now it is fully converged.
Taking the Challenge
BEFORE: Threat model for a separate ICS → Challenging
NOW: Threat model for ALL industries! → Is it possible?
Security Threats Landscape: Today’s reality on Critical Infrastructures & Enterprises
Vulnerability & Attack statistics on Enterprises
Success rate
― In 90% of pentests, the attacker was able to get access to the internal network from the Internet
― In case of successful infiltration, in 55% the attacker was able to get admin privileges and take full control of the compromised IT infrastructure
― In 80%, no high qualification of the attacker and no zero-day vulnerabilities were required to achieve success
Vulnerability window
― Over 80% of vulnerabilities exploitable from the Internet are well-known, reported/submitted to vulnerability databases more than 1 year ago
― Over 40% of services have been vulnerable during a year
Exploitable?
― 50% chance of an exploit being published within 1 month after the vulnerability is announced
― 99% chance of the exploit going public within 1 year
Based on “Positive Research: Enterprise information systems vulnerability statistics 2015”
How do enterprises face these risks today? Scenarios
Enterprise Scenarios
Most of the companies audited try to implement ICS/IT security solutions under the following conditions:
― Only 45% have full information on the threats they suffer; the rest know just the vulnerabilities
― No specific vision of the impact at the business level (vulnerabilities are not mapped to attack vectors & threat modelling)
― More care about 0-days or other exotic problems
― No specific information on security bypass (ICS/OT)
― In most cases, a good understanding of architecture & deployment problems
― Lots of firewalls or different IDS/IPS systems
― No specific relationship with vendors about the vulnerability fixing cycle
― Fragmented perception of the defense model and incident management
How do enterprises face these risks today? Maturity
Enterprise security maturity
Most of the companies audited are in the following conditions:
― No specific ICS lab to reproduce threats and attack vectors
― Have not yet deployed their own security framework; in the best cases they rely on what global communities or regulators have released as generic rules
― Continue to invest in protection (firewalls), thinking this will at least “patch” some of their problems, and less in root-cause identification of problems (research, audits)
― As for security review actions/cycles:
• Quite rarely have they implemented an SDL for their “in production” applications
• Do not have a cyclic configuration review of servers, main network devices and other crucial objects
• Have hardly ever implemented a continuous, strategic threat modelling scenario
― As for security controls:
• Have in many important cases deployed SOC services, with difficulties in problem identification / handling deriving from fragmented analysis
• Do not always have specific added-value services such as forensics, network traffic review, application & protocol traffic analysis
Our response: How to protect from existing threats?
Industrial Environments
― Build a security lab or a controlled / non-intrusive penetration test
― Real SCADA system simulation of business processes
― Real plant vulnerabilities / attack vectors & threat modelling
― Safety and functional security bypass test
― 0-day research
― Architecture & deployment review
― Defense model review (mitigate ICS threats)
Infrastructure Audit
― Configuration analysis
― Compliance hardening
― Threat modelling, business impact
― Added-value services (Forensic, ABC)
― Defense model review
― Penetration testing – web and IT infrastructure
― Full technical security coverage (vertical expertise per industry):
• Mobile
• Telecom, SS7
• Banking
Products & Solutions
― Threat & incident management
― Malware & APT discovery
― Network intrusion detection & alerting
― Network traffic management & forensics
― Application security
― Vulnerability & compliance management
Our response: Expert Security Center
― Advanced Border Control
―Scan and manage vulnerabilities with expert verification
―Penetration Testing, web and IT infrastructure
― Full Technical Security Coverage with Industries specific expertise:
• Mobile
• Telecom, SS7
• Banking: CBS/ATM/banking systems
• ICS/SCADA
―Web-security monitoring
• Web-security incident analysis
―Security Incident Team
• Incident Response
• Incident Analysis
• Incident Investigation
― Security retrospective analysis - anomaly analysis and incident discovery
Threat & incident management for ICS/OT
Monitoring and Incident Discovery
+ Fully passive mode
+ Network protocol analysis
• Industrial protocols: Modbus, S7, DNP3, IEC, IEC 61850/60870, OPC…
• Proprietary protocols
• Telnet, FTP, HTTP, SNMP…
• System protocols: CIFS/SMB, SQL Net…
+ Business logic attacks
+ Accurate alerting
+ Asset management
• Real-time asset detection & continuous asset modelling
Threat Modelling on Industrial Infrastructure
+ Based on project documentation and network traffic
• OS and SW
• Network devices
• SCADA, PLC, Historian…
aka PT Industrial Security Incident Manager™ (PT ISIM)
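To make the passive-monitoring idea on this slide concrete, here is a small added example (not PT ISIM code, and not from the presentation): it parses Modbus/TCP frames off the wire, builds an asset inventory per PLC, and alerts when a write request comes from a host that is not an approved engineering station. The IP addresses, the allow-list and the two frames are constructed for the example.

```python
# Added example (not PT ISIM code): a minimal passive Modbus/TCP monitor in the spirit
# of the slide: parse frames, build an asset inventory, alert on write requests from
# unexpected sources. Frames and addresses below are constructed for the example.
import struct
from collections import defaultdict

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit_id, "function": payload[7], "data": payload[8:]}

class PassiveMonitor:
    """Tracks assets seen on the wire and raises alerts; never sends any traffic."""
    def __init__(self, engineering_stations):
        self.allowed_writers = set(engineering_stations)   # hosts allowed to write
        self.assets = defaultdict(lambda: {"units": set(), "functions": set()})
        self.alerts = []

    def observe(self, src_ip, dst_ip, payload):
        frame = parse_modbus_tcp(payload)
        asset = self.assets[dst_ip]          # the PLC/RTU answering on port 502
        asset["units"].add(frame["unit"])
        asset["functions"].add(frame["function"])
        fc = frame["function"]
        if fc in WRITE_FUNCTIONS and src_ip not in self.allowed_writers:
            self.alerts.append(f"{src_ip} -> {dst_ip} unit {frame['unit']}: "
                               f"{WRITE_FUNCTIONS[fc]} (fc {fc}) from unapproved source")
        return frame

# Constructed sample traffic: a read from the HMI, then a write from an unknown host.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "00000002")   # fc 3, 2 regs
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "00010064")   # fc 6, reg 1 = 100

def run_demo():
    mon = PassiveMonitor(engineering_stations={"10.0.0.10"})
    mon.observe("10.0.0.10", "10.0.0.50", READ_HOLDING)   # expected HMI read: no alert
    mon.observe("10.0.0.99", "10.0.0.50", WRITE_SINGLE)   # unknown host writes: alert
    return mon
```

In a real deployment the frames would come from a SPAN port or TAP rather than constructed constants, and the allow-list from the asset model built during the learning phase.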
Threat & incident management for telcos
Monitoring and Incident Discovery
Based on SS7/SIGTRAN network traffic
Collect all traffic
Store all signaling messages
Correlate signaling messages to reconstruct call flows
Detect abnormal activity
Get detailed info and see statistics
Our references: Research analytics results
http://www.ptsecurity.com/library/articles/
http://www.ptsecurity.com/research/threatscape/
http://blog.ptsecurity.com/
http://www.ptsecurity.com/library/whitepapers/
Paolo Emiliani – Head of Southern Europe project delivery - [email protected]
Thank you!