Session ID: EXP-W22
Session Classification: Advanced

The Five Most Dangerous New Attack Techniques and What's Coming Next

Ed Skoudis, Counter Hack Challenges and SANS Technology Institute
Alan Paller, SANS and SANS Technology Institute
Johannes Ullrich, SANS Internet Storm Center and SANS Technology Institute

Ed Skoudis
Author of Counter Hack Reloaded and Malware books
Creator of NetWars and CyberCity
2012 Headlines
► Stuxnet
► Flame
► Gauss
► Olympic Games operation(s)
► Shamoon
Skoudis: Top New Threats / Attacks
► Increasing militarization of cyber space
The rise of offensive forensics and purposeful misattribution
Computer attacks resulting in kinetic impact
Cyber Space as a War-Fighting Domain
► Humans wage war in the domains we occupy
► Land, Sea, Air, and Space
► Cyber space, which actually now overlays and controls action in all of the other domains
► Military objectives are achievable via cyber means, often at lower cost and lower ***potential*** physical risk than traditional military strikes
► Governments around the world are increasing their budgets for cyber operations, and we’ve glimpsed some of the results
► But, consider Sherman’s warnings
► “War is hell.”
► “Every attempt to make war easy and safe will result in humiliation and disaster.”
A Prediction & Interesting Quotation
► Prediction: Every military mission will have a cyber component in the near future (or now)
► At least defensive
► Aug 24, 2012 Washington Post contains a quote from Marine Lt. General Richard P. Mills:
► “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact.”
► “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”
Skoudis: Top New Threats / Attacks
Increasing militarization of cyber space
► The rise of offensive forensics and purposeful misattribution
Computer attacks resulting in kinetic impact
The Rise of Offensive Forensics
► Digital forensics has traditionally been a defensive and reactive art
► But, we are starting to see the rise of offensive forensics (not merely anti-forensics)
► Anti-forensics makes forensic analysis hard – destroying or manipulating evidence… offensive forensics is different
► Offensive forensics applies forensic techniques to find information assets and extract them (with some anti-forensics mixed in)
► Large-scale exfiltration may get you noticed, so there is real value in quietly finding the asset you need
Mis-Attribution
► Given that attribution of one malware asset could lead to attribution of other missions and the revelation of a given actor (cascading attribution)…
► The art of misattribution rises in importance
► How can you make malware assets look like someone else created them?
► Put in language and other references for another culture
► Add deliberate but unimportant errors in your work
► Shamoon malware that targeted Saudi Aramco had several flaws: date check, malfunctioning dropper, etc. -- Therefore, it couldn’t have been a nation state
► The more blatant it is, the more questions and confusion it will raise
Skoudis: Top New Threats / Attacks
Increasing militarization of cyber space
The rise of offensive forensics and purposeful misattribution
► Computer attacks resulting in kinetic impact
Cyber Action for Kinetic Impact
► Historically, a lot of computer security work focused on protecting sensitive information
► PII, PHI, bank records, trade secrets, etc.
► Even in a national security context, most discussions focused on protecting classified information against espionage and isolating networks
► But, increasingly, attackers are targeting computers and networks that control real-world equipment and devices
► Industrial Control Systems and SCADA equipment
► Other control systems – traffic systems, transportation systems, etc.
► Some activity is mere mischief
► Other attacks are a concerning sign of things to come
► Buffer overflows, shared passwords, and not-really-air-gapped networks abound
Some Noteworthy Events
► Nov 2011: Water systems hacked in Illinois, pump disabled by repeatedly turning it off and on
► Dec 2011: TSA reports hacks against commuter trains in the Pacific Northwest resulted in delays
► 2012: Hacks against smart meters used for millions of dollars of fraud
► 2012: Presentations at DefCon and elsewhere on hacking into commuter train system comms gear
► Infiltration of electric utility systems has been observed for many years
► In protecting critical information assets, our track record as an industry is a concern
► We live in an age of Wikileaks… we are rapidly moving to an age of cyber attack to cause kinetic impact
Preparing Cyber Warriors
► Goal: Help cyber warriors, their leadership, military planners, and defenders understand that cyber action can have kinetic effect, and that they can master this technology
► NetWars CyberCity was built to achieve this goal
► A miniature city, 6’ x 8’, with a variety of kinetic assets
► SCADA-controlled power grid, traffic system, water reservoir, train system, rocket launcher, etc.
► ISP, hospital, bank, coffee shop, etc.
► Cyber warriors (.mil, .gov, .com) are challenged to complete missions
► Real-time streaming video to visualize kinetic impacts
CyberCity Commercial & Military Quadrants
CyberCity Industrial Quadrant
CyberCity’s Power Grid
► Currently focused on distribution
► We will model generation in the near future
► Each quadrant of CyberCity has its own PLC (Programmable Logic Controller)
► Allen-Bradley, GE, Siemens, and possibly others
► Controlling residential and industrial lighting, street lighting, and railway switch junctions
► Wonderware HMI running on Win7 and WinXP for management
► Various Operator Interface Terminals (OITs)
► Protocols: Modbus/TCP, DNP3, Profinet, Ethernet/IP
► We carry wireless across highly attenuated wires and within small-scale Faraday cages
► For power grid components and coffee shop free WiFi
Thought Leaders
► Several people have helped inspire and provided input to the CyberCity project:
► Skip Runyan, US Air Force
► Mike Assante, NBISE (current) & NERC (formerly)
► Terry McCorkle, Technical Director at Cylance
► Billy Rios, Technical Director at Cylance
► Rita A. Wells, Idaho National Laboratory
► Eric Bassel, SANS Institute
Case Study: Visualizing Real-World Attacks
Let’s walk through a real-world case study of an actual power grid attack.
Case Study: Power Grid Attack
[Network diagram: the CyberCity ISP Network (the Internet), Free Coffee Shop WiFi, Utility Business Network and Utility ICS Network, separated by two firewalls. Components shown: Trusted Web Server, User Workstation, HMI, Master DB replicating to a Slave DB, and the PLC.]

Case Study: Power Grid Attack Steps 1-3
[Same diagram with step labels: Spear Phish, Infected PDF Upload, Fetch Page.]

Case Study: Power Grid Attack Steps 4-6
[Same diagram with step labels: Reverse Shell, Attack DB, Ride Across Replication.]

Case Study: Power Grid Attack Step 7
[Same diagram with step label: Attack HMI.]

Case Study: Power Grid Attack Steps 8-9
[Same diagram with step labels: Manipulate PLC, Power could be disabled.]
An Interlude: Alan Paller
Director of Research at the SANS Institute
Surprising data affects cyber careers
► Four Controls stop targeted attacks
► CEOs really like people who can prove what needs to be done first to solve recognized, important problems.
► No cyber problem is better recognized by senior executives than targeted attacks
► There is hard evidence from multiple sources that 4 controls stop these attacks.
► A 10-organization pilot is proving how effective they are, with benchmarking
► Get ahead of this opportunity for a career changer
► Email apaller@sans.org with the subject “Top 4” for (1) the controls, (2) how to implement them, (3) the dashboard PowerPoint, and (4) free testing tool sources.
Johannes Ullrich – Director of the SANS Internet Storm Center
ISC – How bad is it for the rest of us?
► News items tend to focus on high-profile attacks
► Easy to forget that everybody is under attack, not just national/large assets
► Even if you are not directly under attack, you may be a tool in the plot to attack larger targets
► Attacks don’t always require huge resources
Large DDoS Attacks
• Pretty much every large bank was a target in the last 12 months. Most several times.
How (and why) do they work
► Reflective DNS attacks are still a major “weapon”
► Tactics have adapted to countermeasures
► Attacks are more intelligent and deadly
How Things Change
► Defense
• Block DNS responses from servers that don’t need to see them
• Only answer queries for which the server is authoritative
• Limit access to recursive name servers to internal users
► Offense
• Attacker uses queries for which the server is authoritative
• Attacker compromises servers with substantial bandwidth
• Use of “ANY” queries
• Use of EDNS0
Result
► Attacks reach 40+ gigabits/second
► Attacker only needs 2,000+ servers
► Targets have to invest substantial resources to defend
Source: Ponemon Inst.
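As an added example (not from the talk), the Defense bullets above turned into a check over constructed BIND 9 style query-log lines: it flags recursive queries arriving from outside the assumed internal range for names the server is not authoritative for, flags ANY queries from outside, and maps what it finds back to the slide's three countermeasures. The log lines, the internal range 10.0.0.0/8 and the authoritative zone example.com are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND 9 style query-log lines (not from the slides or any real server).
# Flags field: "+" recursion desired, "-" recursion not desired, "E" EDNS0 present.
SAMPLE_LOG = """\
client 10.1.2.3#51234 (www.example.org): query: www.example.org IN A +E (192.0.2.53)
client 10.1.2.9#40001 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.53)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.53)
client 203.0.113.44#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.44#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.44#53 (www.example.org): query: www.example.org IN A + (192.0.2.53)
client 192.0.2.77#61000 (example.com): query: example.com IN A - (192.0.2.53)
client 192.0.2.77#61000 (example.com): query: example.com IN NS -E (192.0.2.53)
"""

# Assumed local policy: one internal range and one zone this server is authoritative for.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTH_ZONES = {"example.com"}

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return a dict for one query-log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    return rec

def in_zone(qname, zones):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def classify(rec, internal_nets=INTERNAL_NETS, auth_zones=AUTH_ZONES):
    """Findings for one query: outside clients using us as an open resolver, and ANY queries."""
    findings = []
    if is_internal(rec["ip"], internal_nets):
        return findings  # internal users are allowed to recurse
    if rec["recursion_desired"] and not in_zone(rec["qname"], auth_zones):
        findings.append("open-recursion")
    if rec["qtype"].upper() == "ANY":
        findings.append("any-query")
    return findings

def analyze(log_text, internal_nets=INTERNAL_NETS, auth_zones=AUTH_ZONES):
    """Count findings by type and by logged client IP."""
    by_type, by_client, edns_any = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec, internal_nets, auth_zones)
        if findings:
            # In a reflection attack the logged client is the spoofed victim,
            # so this counter shows who is being flooded, not who is sending.
            by_client[rec["ip"]] += 1
        for f in findings:
            by_type[f] += 1
        if "any-query" in findings and rec["edns"]:
            edns_any += 1  # EDNS0 lets the large ANY answer go out over UDP
    return {"by_type": by_type, "by_client": by_client, "edns_any": edns_any}

def recommendations(report):
    """Map findings to the defensive measures listed on the slide."""
    recs = []
    if report["by_type"]["open-recursion"]:
        recs.append("Limit access to recursive name servers to internal users")
        recs.append("Only answer queries for zones the server is authoritative for")
    if report["by_type"]["any-query"]:
        recs.append("Block DNS responses to clients that don't need to see them")
    return recs
```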
Password Breach / Hashing is Dead
• Old times: hash and salt your passwords, and you are good
• These days:
– Use the right hash (hash? Bcrypt? SHAx? …)
– Use salt correctly…
And your passwords are still brute-forceable
Your password is as secure as the least secure site you use it with!
Attackers have power!
25 GPUs, “affordable”, dedicated hash cracker
63 G/s SHA1
180 G/s MD5
348 G/s NTLM
95% of leaked LinkedIn hashes cracked.
http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
Current Hardware vs Old Thinking
http://securitynirvana.blogspot.com/2012/06/final-word-on-linkedin-leak.html
Solutions?
► User education: Use a different password that you can’t remember for every single site/software/company you interact with
► Oh… and please don’t write it down!
► Developer education:
Hashes are supposed to be efficient (SHAx).
Password hashing is supposed to be slow.
Of course: Avoid losing your password hashes!
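Added example, not from the talk: the developer-education point that password hashing must be slow, worked through with Python's standard library. It stores a salted PBKDF2-HMAC-SHA256 hash, measures how much slower one verification is than one plain SHA-256 on the local machine, and uses the 63 G/s SHA-1 figure from the “Attackers have power!” slide to estimate worst-case exhaustive-search time for an 8-character lowercase-alphanumeric password with and without a work factor. The storage format, the 200,000-iteration count and the first-order slowdown estimate are my assumptions.

```python
import hashlib
import hmac
import os
import time

# Cracking rates quoted on the "Attackers have power!" slide for the 25-GPU rig (hashes/second).
GPU_RIG_RATE = {"sha1": 63e9, "md5": 180e9, "ntlm": 348e9}

def keyspace(alphabet_size, length):
    """Number of candidate passwords of a fixed length over an alphabet."""
    return alphabet_size ** length

def seconds_to_exhaust(space, hashes_per_sec):
    """Worst-case time to try every candidate at the given rate."""
    return space / hashes_per_sec

def effective_rate(fast_rate, iterations):
    """First-order estimate (assumption): PBKDF2 with N iterations costs at least N
    underlying hash operations per guess, so the attacker's guess rate shrinks by N.
    HMAC actually needs two hashes per iteration, so this overstates the attacker."""
    return fast_rate / iterations

def hash_password(password, iterations=200_000, salt=None):
    """Slow, salted hash: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
    Storage format is our own assumption: scheme$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def measured_slowdown(iterations=20_000, samples=200):
    """How many times slower one PBKDF2 verification is than one plain SHA-256 here."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"password" + salt).digest()
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast

def crack_time_report(alphabet_size=36, length=8, iterations=200_000):
    """Exhaustive-search time for raw SHA-1 storage vs PBKDF2 storage at the slide's rate."""
    space = keyspace(alphabet_size, length)
    raw = seconds_to_exhaust(space, GPU_RIG_RATE["sha1"])
    slow = seconds_to_exhaust(space, effective_rate(GPU_RIG_RATE["sha1"], iterations))
    return {"keyspace": space, "raw_sha1_seconds": raw, "pbkdf2_seconds": slow}

if __name__ == "__main__":
    rep = crack_time_report()
    print(f"36^8 candidates, raw SHA-1: {rep['raw_sha1_seconds']:.0f} s; "
          f"PBKDF2 x200000: {rep['pbkdf2_seconds'] / 86400:.0f} days")
    print(f"one PBKDF2 verify is ~{measured_slowdown():.0f}x one SHA-256 on this machine")
```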
What’s next?
► Passwords are dead
► Pass phrases are about to die
► Developers can’t be trusted to keep our passwords secure!
► Two-factor authentication is expensive
► But everybody has a smartphone!
Token Stealing Android Malware
► Zitmo/Eurograbber: brought to you by the same people that gave you Zeus.
► Defeats SMS-based tokens
► Available even for Blackberry
Trusteer.com
Your questions and your ideas for the most dangerous new attacks???