Attacks on Critical Infrastructure: Insights from the “Big Board”
1 like362 views
The document discusses critical infrastructure vulnerabilities in the U.S. and presents insights on various cyber threats including the GlassRat and Terracotta malware, which have targeted these infrastructures. It emphasizes the importance of employing analytics and machine learning techniques for detecting anomalies and enhancing cyber security measures. The session encourages evaluating current responses to cyber threats and identifying areas where security analytics could improve detection and response capabilities.
Attacks on Critical Infrastructure: Insights from the “Big Board”
- 1. SESSION ID: #RSAC Bob Griffin Attacks on Critical Infrastructure: Insights from the “Big Board” TECH-W03 Chief Security Architect RSA, the Security Division of EMC @RobtWesGriffin Daniel Cohen Head of RSA FraudAction RSA, The Security Division of EMC @iFraudFighter
- 2. #RSAC Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. USA Department of Homeland Security What is a critical infrastructure from attacker point of view? An opportunity! Internet DMZ SCADA OPC SCADA HMI SCADA Network Corporate Network
- 3. #RSAC More Insights from the Dark Web: Terracotta and GlassRat Bob Griffin
- 7. #RSAC GlassRat 7 Detected February 2015 but had been in the wild since 2012 Linked to other campaigns such as Mirage (2012) Targets Chinese nationals in commercial enterprises world-wide https://blogs.rsa.com/resource/peering-into-glassrat/
- 8. #RSAC GlassRat Dropper (Installer) 8 Double clicking on the flash.exe files causes the dropper to launch. 1. Dropper (flash.exe) writes the GlassRAT DLL to the ProgramData folder 2. 2. Dropper runs the DLL file using the built-in Windows utility rundll32.exe 3. 3. GlassRAT DLL file modifies the run key for logon persistence with user-level permissions with the following registry key. HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun Update 4. 4. the dropper deletes itself with and embedded command: “cmd.exe /c erase /F "%s",”
- 10. #RSAC The Common Theme: Analytics & Cyber Security Bob Griffin and Daniel Cohen
- 11. #RSAC Analytics at the RSA AFCC 11 http://australia.emc.com/video-collateral/demos/microsites/mediaplayer- video/glimpse-rsa-anti-fraud-command-center.htm
- 14. #RSAC The recent DragonFly campaign showed how the attackers could use malware to take control of SCADA systems Attacks on the Smart Grid ICS Software House website DragonFly Attackers 1- Compromise 2- Upload malicious Software update 3- Install malicious update C2 Server 5- Send Commands4- Havex trojan Connect 14
- 16. #RSAC Analysis using Static Rules Validator This component searches for systems’ asserts violations Rules List contains the assertions to verify Adapter translate the rules in common language Parser get the rules and search for negative or positive outliers Static Rules Validator Rules list ParserAdapter 16
- 17. #RSAC Outliers against a predefined bound E.g. Voltages should not fluctuate very much Examine voltages and frequency only Static Rules: Variable outlier 17
- 18. #RSAC Calculate physical relationships between variables 18 separate equations Measurement is asynchronous Use difference between RHS and LHS (error) Determine probability of error from historical data Flag when below some threshold Static Rules: Rule Outlier cos−1 𝑉 𝐴 2 +𝑉 𝐵 2 −𝑉 𝐴𝐵 2 2𝑉 𝐴 𝑉 𝐵 + cos−1 𝑉 𝐵 2 +𝑉𝐶 2 −𝑉 𝐵𝐶 2 2𝑉 𝐵 𝑉𝐶 + cos−1 𝑉𝐶 2 +𝑉 𝐴 2 −𝑉𝐶𝐴 2 2𝑉𝐶 𝑉 𝐴 = 360° 18
- 19. #RSAC Symmetrized KL distance on rule errors Symmetrisation due to Kullback & Leibler 𝐷 𝐾𝐿 = 𝑑 𝐾𝐿(𝑗, 𝑖) − 𝑑 𝐾𝐿(𝑖, 𝑗) Historical data (baseline) vs Current measurement Anomaly when value above some threshold Static Rules: Kullback Leibler 19
- 20. #RSAC Static Rules: Dead Sensor Clustering Cluster sensors that stop recording in time User configurable time window Anomalous when cluster size > threshold Sensors Time 20
- 21. #RSAC Static Rules: Dead Sensor Clustering Anomalous Cluster Sensors Time Benign Cluster 21
- 22. #RSAC Analysis using Dynamic Detection This component uses machine learning techniques to evaluate the entire system state Rules Extractor get data from last readings Historical KB compare the new feature with system history Evaluator use tolerance to reduce FP and noise Auto-Detector Rules Extractor EvaluatorHistorical KB 22
- 23. #RSAC Abundance of normal data. Little to no outlier data Train a one-class SVM using only normal data Group similar sensors and train a model for each sensor using only Early studies show good performance but modelling needs more work Dynamic Detection: ML Outliers 23
- 24. #RSAC Some Screenshots of SPARKS’ Dashboard 24
- 25. #RSAC Applying this Session Evaluate your current approach to responding to cyber threats in the light of the kinds of attacks we’ve discussed Identify an area in which security analytics could improve your ability to detect and respond to cyber attacks Identify compromised end-user devices (eg, anomalies in behavior)? Identify compromised servers (eg, evidence of beaconing)? Identify lateral movement across your network (eg, anomalies in network traffic)? Prototype or pilot security analytics in that area 25