Steven Dyer - AMEA


Transcript of Steven Dyer - AMEA

Page 1:

Page 2:

Steven Dyer NSA IAM, NSA IEM, CISSP, CCSP, CCDP

Chief Technology Officer

Central Service Association

Page 3:

Cyber Incident Response and Analysis

Page 4:

Blue Team Security Audits

• 205 Utilities

• 41 Banks

• 13 Secure Buildings

• 3 Energy Generation Locations

Page 5:

Security Agenda

• Latest Events…

• Who are the Real Players

• How Hackers Do It…

• Training

• Breaking In

• Log IT

Page 6:

Group Exercise…

Page 7:

Who is your assigned Cyber Security person?

Page 8:

"Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking . . . Social Engineering is the single greatest security risk in the decade ahead."

“91% of successful data breaches started with a spear-phishing email” - security software firm Trend Micro (2013)

(2014)

Page 9:

Page 10:

HACKING 101 Demo

Spear-Phishing

Page 11:

Page 12:

Page 13:

Homeland Security Information

Page 14:

Page 15:

March 2015 Logs

Page 16:

March 2015 Logs

Page 17:

Utilities struggle to manage the security challenge…

Today, security is a board-level agenda item…

Primary Challenges

Nature & Motivation of Attacks (fame, fortune, market adversary)

Attack phases: Research → Infiltration → Discovery → Capture → Exfiltration

A new market adversary

Page 18:

The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack… (CNN Money article, 2013)

Page 19:

[Figure: timeline of attack techniques from 1980 to the present (axis ticks 1980, 1985, 1990, 1995, 2000, Present), plotted against the technical knowledge required of the attacker (Low to High). Technique labels recoverable from the chart:]

• Password Guessing
• Password Cracking
• Self-Replicating Code
• Exploiting Known Vulnerabilities
• Disabling Audits
• Back Doors
• Sweepers and Sniffers
• Stealth Diagnostics
• Packet Forging and Spoofing
• Hijacking Sessions
• Web Browser Pop-Ups
• VBA, ActiveX, Flash Tricks
• SPAM Tools
• DoS, Buffer Overflow, Service Overwhelm
• Zombie Bots
• OS-Specific Attack Tools
• RDP Exploits

Page 20:

HACKING 201 Demo

Stuxnet

Page 21:

Page 22:

CURRENT CYBERESPIONAGE CAMPAIGN TARGETS

INDUSTRIAL CONTROL SYSTEMS

(DRAGONFLY / ENERGETIC BEAR - HAVEX)

On June 23, 2014, Finnish security research firm F-Secure reported on a cyber campaign targeting SCADA and the suppliers of equipment to these sectors, including many in critical infrastructure.

Page 23:

HAVEX Info

• According to a Symantec report on June 30, 2014, Havex is what is known as a “remote access Trojan,” or RAT, malware that secretly enters a computer to give hackers control of the machine. Symantec and F-Secure say the malware ordinarily is used only for spying, but can be modified to sabotage a machine.

Page 24:

Top 10% of Hackers Never Caught

SCADA

• Professional Hacker Would Not Directly Attack Networks or SCADA/DCS Systems in the U.S.
• Creates a Trojan (RootKit) That Will Allow Remote Control
• Plants Trojan in Zombie Host in the South Pacific
• Trojan “listens” for a specific string of characters in a chat room hosted in Europe (maybe even in another language)
• When Zombie finds a match on the set of characters, it then Automatically Begins Attacking Pre-Determined Sites and Systems

[Diagram, with nodes labelled UNIVERSITY (the zombie host) and CHATROOM (the trigger channel):]

1. Hacker Determines that direct attack may be too risky
2. Plant Trojan in Zombie Host
3. Trojan is programmed to listen to Chat Room in Europe for a specific message string.
4. Hacker posts message on Chat Room
5. Trojan attacks Target Networks

Page 25:

Attacks from Last Traceable Point of Origin

[Map: share of attacks by last traceable point of origin, with labels 10-30%, 3-4%, 1%, 0.6% and 0.3%; 32.5% Unknown origin]

USA
• Hosted 50% of all phishing sites in 1Q 2014
• Hosted 45% of all phishing-based keyloggers or Trojan downloaders

China
• 55,000 malware/intrusion incidents on DoD systems in 2010; large but unspecified number blamed on China
• Highest level of malware infections

Russia
• Produces 77% of all spam
• Source of many successful botnets: Rustock, Grum, Cutwail, and more

*Trustwave Breach Report 2014

Page 26:

Group Exercise…

• Training on up-to-date ways to protect your SCADA system
• Needs to be updated every two years

Page 27:

Utility SCADA Training

The Attack        The Countermeasure
Research          Improved security awareness and counter intelligence
Infiltration      Systems to proactively monitor, improve, and protect
Discovery         Ability to track and remediate
Capture           Controls to protect target assets internally and externally
Exfiltration      Damage remediation and counter intelligence

Page 28:

Research

• Google / Internet Mining
• What Compliance Is Required
• Social Engineering
• Digging Through Trash
• Talk To Your Vendors

Page 29:

Infiltration

• Physical Infiltration
• Vendor Test
• Hot Vendor Test
• Customer Test
• Walk In Off The Street Test
• Warehouse Walkabout
• Substation Bolt-Cutters

Page 30:

Infiltration

• Pen Test
• External Pen Test
• Internal Pen Test
• Secure Room Pen Test
• Email – Spear Phishing
• Plant Thumb Drives

Page 31:

Group Exercise…

• Put $5,000 in your budget for a dedicated log server and cheap storage…

Page 32:

Log Everything That Can Be Logged

• Syslog Server: Firewall, SCADA Systems, Control Systems, Anything
• Log Analyzer: Sawmill, Splunk

Page 33:

What are we missing???

– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives

Page 34:

• Insufficient control of remote logging and access.
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks: devices not properly configured

Page 35:

• Media protection and control.
– Weak control of incoming and outgoing media (use of USB drives)
– Lack of encryption implementation

• Audit/logging events.
– Insufficient methods for monitoring and controlling network events
– Lack of understanding of disaster recovery techniques
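As an added example (not from the talk, nor code from Central Service Association), the following Python script shows what the "Log Everything That Can Be Logged" advice on page 32 buys you once a syslog server is collecting from the firewall, the SCADA hosts and the workstations: it parses a handful of constructed syslog lines and flags the gaps listed on pages 34 and 35, namely remote logins from outside the internal range, password guessing followed by a successful login, USB mass-storage attachments, and firewall drops aimed at a control host. The hostnames, addresses, the 10.x internal prefix, the message formats and the threshold of four failures are all assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the talk). The formats imitate
# OpenSSH, the Linux kernel's USB messages and a netfilter-style firewall log.
SAMPLE_LOGS = """\
Mar  3 02:14:07 scada-hmi1 sshd[4121]: Failed password for root from 203.0.113.45 port 51222 ssh2
Mar  3 02:14:09 scada-hmi1 sshd[4121]: Failed password for root from 203.0.113.45 port 51223 ssh2
Mar  3 02:14:12 scada-hmi1 sshd[4121]: Failed password for admin from 203.0.113.45 port 51224 ssh2
Mar  3 02:14:15 scada-hmi1 sshd[4121]: Failed password for admin from 203.0.113.45 port 51225 ssh2
Mar  3 02:14:18 scada-hmi1 sshd[4121]: Failed password for operator from 203.0.113.45 port 51226 ssh2
Mar  3 02:14:21 scada-hmi1 sshd[4130]: Accepted password for operator from 203.0.113.45 port 51227 ssh2
Mar  3 02:30:40 scada-hmi1 sshd[4201]: Failed password for operator from 10.10.1.22 port 40012 ssh2
Mar  3 02:30:44 scada-hmi1 sshd[4201]: Accepted password for operator from 10.10.1.22 port 40013 ssh2
Mar  3 03:05:02 eng-ws7 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Mar  3 03:05:02 eng-ws7 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 03:07:55 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.5 PROTO=TCP DPT=502
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
USB_RE = re.compile(r"USB Mass Storage device detected")
FW_DROP_RE = re.compile(r"DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


def parse(lines):
    """Split raw syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(text, fail_threshold=4, internal_prefixes=("10.",)):
    """Return a list of (kind, host, source, detail) findings, in log order.

    fail_threshold and internal_prefixes are assumed policy values for the example.
    """
    events = parse(text.splitlines())
    failures = Counter()          # (host, source ip) -> failed login count so far
    findings = []
    for ev in events:
        msg = ev["msg"]
        fm = FAILED_RE.search(msg)
        if fm:
            failures[(ev["host"], fm["src"])] += 1
            continue
        am = ACCEPTED_RE.search(msg)
        if am:
            src = am["src"]
            # Remote login policy: interactive logins should come from inside only.
            if not src.startswith(internal_prefixes):
                findings.append(("external_login", ev["host"], src, am["user"]))
            # A success right after a run of failures is the signature of guessing.
            if failures[(ev["host"], src)] >= fail_threshold:
                findings.append(("success_after_failures", ev["host"], src, am["user"]))
            continue
        if USB_RE.search(msg):
            # Media control: removable storage attached to a workstation.
            findings.append(("usb_mass_storage", ev["host"], "", ""))
            continue
        dm = FW_DROP_RE.search(msg)
        if dm:
            findings.append(("fw_drop", ev["host"], dm["src"], f"{dm['dst']}:{dm['dpt']}"))
    # Summarize brute-force sources once all lines have been seen.
    for (host, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(("bruteforce", host, src, str(n)))
    return findings


if __name__ == "__main__":
    for kind, host, src, detail in analyze(SAMPLE_LOGS):
        print(f"{kind:24} host={host:12} src={src:14} {detail}")
```

Run against the constructed lines, the script reports one external login, one success after repeated failures, one USB mass-storage attachment, one firewall drop toward the control host and one brute-force source; the internal operator who mistyped a password once is not flagged, which is the point of keeping per-source counters rather than alerting on every failure.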

Page 36:

Group Exercise…

• Who do you contact when something happens???

Page 37:

Steven Dyer, Chief Technology Officer

Central Service Association
Cell: 662-491-2661
[email protected]