ICS Network Security Monitoring (NSM)

1
You Don’t Know What You Can’t See:
Network Security Monitoring in ICS
Chris Sistrunk Senior Consultant
Rob Caldwell Principal Consultant
S4x15

© Mandiant, A FireEye Company. All rights reserved. 2
Agenda
§  Overview of NSM
§  Instrumenting an ICS
§  Examples and Case Study
§  Tools
§  Conclusion
§  Questions

© Mandiant, A FireEye Company. All rights reserved.
If ICS are so
vulnerable, why
haven’t we seen
more attacks?

Two Key Reasons
1.  Intention
2.  Visibility

Intention
Why are targeted attacks different?
•  It’s a “Who”, not a “What”…
•  They are Professional, Organized & Well Funded…
•  If You Kick Them Out They Will Return

Visibility
We are not looking!
“Prevention is ideal, but Detection is a must…”

Visibility

The IOC problem
There are numerous sources of IOCs, which are a means to describe threat
data like evidence of compromise/activity, attacker methodology, or malware.
For example, from the recent “Ongoing
Sophisticated Malware Campaign” from
ICS-CERT.
What do you do with this?
Most ICS operators have no capability to
consume IOCs, much less generate them for
“information sharing”.
Common sources of ICS IOCs are ICS-CERT, US-CERT, and
many of the recent “vendor” reports.

Network Security Monitoring
“The collection, analysis, and escalation of indications and
warnings to detect and respond to intrusions. NSM is a way
to find intruders on your network and do something about
them before they damage your enterprise.”
- The Practice of Network Security Monitoring
Cliff Stoll
“Stalking the
Wily Hacker”
1988
Todd Herberlein
et al.
“A Network
Security
Monitor”
1990
US Air Force
Defense
Information
Systems
Agency
Lawrence
Livermore
National Lab
Early 1990s
NetRanger
RealSecure
Snort
and many
others
Late 1990s -
early 2000s
Formal
definition of
NSM
2002

The NSM Cycle
Collection
DetectionAnalysis
•  Model for action, based on
network-derived data
•  Requires people and process, not
just technology
•  Focuses on the adversary, not the
vulnerability

Methods of Monitoring
§  Network tap – physical device which relays a copy of
packets to an NSM server
§  SPAN or mirrored ports – switch configuration which
sends copies of packets to a separate port where NSM
can connect
§  Host NIC – configured to watch all network traffic flowing
on its segment
§  Serial port tap – physical device which relays serial
traffic to another port, usually requires additional
software to interpret data
Fluke Networks
Stratus Engineering

Types of Data Collected
§  Full content data – unfiltered collection of packets
§  Extracted content – data streams, files, Web pages, etc.
§  Session data – conversation between nodes
§  Transaction data – requests and replies between nodes
§  Statistical data – description of traffic, such as protocol
and volume
§  Metadata – aspects of data, e.g. who owns this IP
address
§  Alert/log data – triggers from IDS tools, tracking user
logins, etc.

Difficulties for NSM
§  Encrypted networks
§  Widespread NAT
§  Devices moving between network segments
§  Extreme traffic volume
§  Privacy concerns
Issues that most ICS do not face!

Example ICS
14
Enterprise/IT
DMZ
Plant
Control
Web
Historian or
other DB
DCS HistorianHMI
PLCs,
Controllers,
RTUs, PACs

Anatomy of an Attack
15
Over all Mandiant attack investigations,
only a little more than half of victim computers have malware on them.
While attackers often use malware to gain an initial foothold,
they quickly move to other tactics to execute their attacks.
EVIDENCE OF COMPROMISE
Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission
Move
Laterally
Maintain
Presence
Unauthorized
Use of Valid
Accounts
Known &
Unknown
Malware
Command &
Control Activity
Suspicious
Network Traffic
Files Accessed
by Attackers
Valid Programs
Used for Evil
Purposes
Trace Evidence
& Partial Files

Attacker Objectives
Attacker’s goals:
§  Damage equipment
§  Affect or steal process info
§  Cause safety or compliance issue
§  Pivot from vulnerable ICS to
enterprise
Attacker’s options:
§  Gain physical access to an ICS
host
§  Gain remote access to an ICS
host
§  Compromise a highly-privileged
client machine with access to the
ICS network
Enterprise/IT
Plant DMZ
Control
Web
Historian or
other DB
SCADA HistorianHMI
PLCs,
Controllers,
RTUs, PACs

NSM Collection
17
•  Firewall Logs
•  Netflow Data
•  NIDS/HIDS
•  Full packet capture or NetFlow
•  Windows Logs and syslog
•  SNMP (CPU % etc.)
•  Alerts from security agents
(AV, whitelisting, etc.)
DMZ
Plant
Control
Web
Historian or
other DB
DCS HistorianHMI
PLCs,
Controllers,
RTUs, PACs
Enterprise/ITEnterprise technology collectors Logs and/or Agent
Network sensors Logs only

What Are We Looking For?
§  Exceptions from baseline (e.g. A talks to B but never C)
§  “Top Talkers”
§  Unexpected connectivity (to Internet, Business network)
§  Known malicious IPs and domains
§  Logins using default accounts
§  Error messages that could correlate to vulnerabilities
§  Unusual system and firewall log entries
§  Host-based IDS or other security system alerts
§  Unexpected file and firmware updates
§  Antivirus alerts
§  And others….

•  IDS alerts
•  Anomaly detection
•  Firmware updates, other
commands
•  Login with default credentials
•  High CPU or network bandwidth
•  Door alarms when nobody is
supposed to be working
•  Devices going off-line or behaving
strangely
19
NSM Detection
Analyst looks at detected anomalies
or alerts then escalates to IR
Enterprise/IT
DMZ
Plant
Control
HMI
PLCs,
Controllers,
RTUs, PACs
!
DMZ
Plant
Control
Web
Historian or
other DB
DCS HistorianHMI
PLCs,
Controllers,
RTUs, PACs

NSM Analysis
Incident responders analyze the
detected anomalies to find evil
Enterprise/IT
DMZ
Plant
Control
HMI
PLCs,
Controllers,
RTUs, PACs
•  Application exploitation
•  Third-party connections (ex. ICCP
or vendor access)
•  ICS-specific communication
protocol attacks (ex. Modbus,
DNP3, Profinet, EtherNet/IP)
•  Remote access exploitation
•  Direct network access due to poor
physical security
•  USB-delivered malware
DMZ
Plant
Control
Web
Historian or
other DB
DCS HistorianHMI
PLCs,
Controllers,
RTUs, PACs

Top Talkers
FlowBat characterizes NetFlow data, showing which nodes have the most traffic
Web traffic
Web traffic
NetBios
NTP

Address Spoofing
NetworkMiner can find potential ARP spoofing (as well as many other indicators)

Bro IDS Logs
Modbus
DNP3
Bro parses Modbus and DNP3 packets, ELSA consolidates Bro logs

IDS GUIs
Alerts in Sguil of scanning activity

Malformed Modbus
Deep packet inspection of Modbus by Wireshark

Syslog
Syslog can be configured to send to the SO server, or detected in network
traffic if sent elsewhere.

15 minutes of network traffic capture data revealed
external DNS requests (to some dubious hosts…)
Case Study – ICS Operator
27

Abnormal DNS Traffic
“Strange” DNS requests originating from within the ICS

Abnormal DNS Traffic
DNS requests shown in ELSA

NSM Tools
Security Onion Linux distribution
‒  Easy to install and lots of documentation
§  Full packet capture – Tcpdump/Wireshark/NetworkMiner
§  Extracted content – Xplico/NetworkMiner
§  Session data – Bro/FlowBat
§  Transaction data – Bro
§  Statistical data – Capinfos/Wireshark
§  Meta data – ELSA (Whois)
§  Alert data – Snort, Suricata, Sguil, Snorby
Peel Back the Layers of Your Network

Security Onion Tools

Security Onion Implementation
§  Test in a lab first
§  Select suitable hardware platform
‒  More RAM is better
‒  Bigger hard drive is better (longer retention)
§  Mirrored/SPAN port on router/switch or a good network
tap
§  Select proper placement of SO sensor
‒  The Practice of Network Security Monitoring
‒  Applied Network Security Monitoring
§  Work with the right stakeholders if placing in production

NetFlow Tools
SiLK & FlowBAT
§  Install on Security Onion with 2 scripts
§  www.flowbat.com

Takeaways
§ You can implement NSM in ICS
today – without impacting your
operations
§ ICS IoCs are becoming more
common – need tools to look
for them

People…
…the most important part of NSM!
§  Gigabytes of data and 1000s of IDS alerts are useless without
interpretation
§  Analyze data collected to understand what’s normal – and
what’s not
§  Identify adversary TTPs and act to disrupt them
Remember, adversaries are a “Who”,
not a “What

Set the Right Goal
DETECT
ICS network
instrumented with
security technology
and monitored by
security personnel
RESPOND
Effective process for
response to ICS
cyber security
incidents
CONTAIN
Business continuity
and DR planning
consider ICS asset
compromise
Showing evidence of
conformance/compliance
Finding indications of
compromise

Redefine the Win
Reconnaissance Weaponization Delivery Exploitation Installation
Command &
Control
Actions on
Objectives
http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf
Halting the attacker anywhere
in the cycle stops them from
achieving their objective

§  The Cuckoo’s Egg by Cliff Stoll
https://www.youtube.com/watch?v=EcKxaq1FTac
1-hour NOVA Special (1990)
§  The Practice of Network Security Monitoring by Richard
Bejtlich
http://www.nostarch.com/nsm
§  Applied Network Security Monitoring by Chris Sanders &
Jason Smith
http://www.appliednsm.com/
§  The NSM Wiki http://nsmwiki.org
§  Security Onion distribution http://securityonion.net
NSM References/Resources
38

Questions?
chris.sistrunk@mandiant.com
@chrissistrunk
robert.caldwell@mandiant.com
@robac3

ICS Network Security Monitoring (NSM)

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to ICS Network Security Monitoring (NSM) (20)

More from Digital Bond (14)

Recently uploaded (20)

ICS Network Security Monitoring (NSM)