Steven Dyer - AMEAAttacks from Last Traceable Point of Origin 10-30% 3-4% 1% 0.6% 0.3% 32.5% Unknown...
Steven Dyer NSA IAM, NSA IEM, CISSP, CCSP, CCDP
Chief Technology Officer
Central Service Association
Cyber Incident Response and Analysis
Blue Team Security Audits
• 205 Utilities
• 41 Banks
• 13 Secure Buildings
• 3 Energy Generation Locations
Security Agenda
• Latest Events…
• Who are the Real Players
• How Hackers Do It…
• Training
• Breaking In
• Log IT
Group Exercise…
Who is your assigned Cyber Security person?
"Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking . . . Social Engineering is the single greatest security risk in the decade ahead."
“91% of successful data breaches started with a spear-phishing email” - security software firm Trend Micro (2013)
(2014)
HACKING 101 Demo
Spear-Phishing
Homeland Security Information
March 2015 Logs
Utilities struggle to manage the security challenge…
Today, security is a board-level agenda item…
Primary Challenges
Nature & Motivation of Attacks (fame, fortune, market adversary)
Research -> Infiltration -> Discovery -> Capture -> Exfiltration
A new market adversary
The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack… (CNN Money article, 2013)
[Chart: attack sophistication (Low to High) versus Technical Knowledge Required, 1980 to Present. Techniques shown along the timeline: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers and Sniffers, Stealth Diagnostics, Packet Forging and Spoofing, Hijacking Sessions, Web Browser Pop-Ups, VBA/ActiveX/Flash Tricks, SPAM Tools, DoS/Buffer Overflow/Service Overwhelm, Zombie Bots, OS-Specific Attack Tools, RDP Exploits]
HACKING 201 Demo
Stuxnet
CURRENT CYBERESPIONAGE CAMPAIGN TARGETS
INDUSTRIAL CONTROL SYSTEMS
(DRAGONFLY / ENERGETIC BEAR - HAVEX)
On June 23, 2014, Finnish security research firm F-Secure reported on a cyber campaign targeting SCADA and the suppliers of equipment to these sectors, including many in critical infrastructure.
HAVEX Info
• According to a Symantec report on June 30, 2014, Havex is what is known as a “remote access Trojan,” or RAT, malware that secretly enters a computer to give hackers control of the machine. Symantec and F-Secure say the malware ordinarily is used only for spying, but can be modified to sabotage a machine.
Top 10% of Hackers Never Caught
SCADA
• Professional Hacker Would Not Directly Attack Networks or SCADA/DCS Systems in the U.S.
• Creates a Trojan (RootKit) That Will Allow Remote Control
• Plants Trojan in Zombie Host in the South Pacific
• Trojan “listens” for a specific string of characters in a chat room hosted in Europe (maybe even in another language)
• When Zombie finds a match on the set of characters, it then Automatically Begins Attacking Pre-Determined Sites and Systems
[Diagram: zombie host at a university, chat room in Europe, target networks]
1. Hacker determines that direct attack may be too risky
2. Plant Trojan in Zombie Host
3. Trojan is programmed to listen to Chat Room in Europe for a specific message string
4. Hacker posts message on Chat Room
5. Trojan attacks Target Networks
Attacks from Last Traceable Point of Origin
[Chart: shares of attacks by last traceable point of origin; values shown: 10-30%, 3-4%, 1%, 0.6%, 0.3%; 32.5% unknown origin]
USA
• Hosted 50% of all phishing sites in 1Q 2014
• Hosted 45% of all phishing-based keyloggers or Trojan downloaders
China
• 55,000 malware/intrusion incidents on DoD systems in 2010; large but unspecified number blamed on China
• Highest level of malware infections
Russia
• Produces 77% of all spam
• Source of many successful botnets: Rustock, Grum, Cutwail, and more
*Trustwave Breach Report 2014
Group Exercise…
• Training on up-to-date ways to protect your SCADA system
• Needs to be updated every two years
Utility SCADA Training
The Attack / The Countermeasure
Research: Improved security awareness and counterintelligence
Infiltration: Systems to proactively monitor, improve, and protect
Discovery: Ability to track and remediate
Capture: Controls to protect target assets internally and externally
Exfiltration: Damage remediation and counterintelligence
Research
• Google / Internet Mining
• What Compliance Is Required
• Social Engineering
• Digging Through Trash
• Talk To Your Vendors
Infiltration
• Physical Infiltration
– Vendor Test
– Hot Vendor Test
– Customer Test
– Walk In Off The Street Test
– Warehouse Walkabout
– Substation Bolt-Cutters
Infiltration
• Pen Test
– External Pen Test
– Internal Pen Test
– Secure Room Pen Test
• Email – Spear Phishing
• Plant Thumb Drives
Group Exercise…
• Put $5,000 in your budget for a dedicated log server and cheap storage…
Log Everything That Can Be Logged
• Syslog server: firewall, SCADA systems, control systems, anything
• Log analyzer: Sawmill, Splunk
What are we missing???
– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives
• Insufficient control of remote logging and access.
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks, devices not properly configured
• Media protection and control.
– Weak control of incoming and outgoing media (use of USB drives)
– Lack of encryption implementation
• Audit/logging events.
– Insufficient methods for monitoring and controlling network events
– Lack of understanding of disaster recovery techniques
Group Exercise…
• Who do you contact when something happens???
Steven Dyer Chief Technology Officer
Central Service Association, Cell: 662-491-2661, [email protected]