APT and Impact to SCADA Systems
Mark Fabro CISSP, CISM, CSSE
President and Chief Security Scientist, Lofty Perch, Inc.
2010 SANS European Community SCADA and Process Control Summit
October 11-13, 2010, London, U.K.
© 2010 Lofty Perch, Inc.

Agenda
• Defining APT for the session
• APT requirements
• Observations
  – Security assessments
  – APT focus reviews
  – 'fly away' response
• Countermeasures
• Conclusions

What is APT?
The term was used to describe specific groups associated with nation-states that aggressively and successfully penetrated critical infrastructure networks and established well-developed, multi-level footholds in those networks. But now it increasingly means "generally bad thing from the Internet".

The perfect storm is upon us as a new breed of sophisticated cyber attackers emerges. Honing in on their high-value targets, they deliver a persistent torrent of multi-faceted, advanced attacks that can subvert even the most cutting-edge protective systems to steal valuable data, or threaten critical infrastructures. It has dawned upon today's government and business leaders that they can no longer depend on mere perimeter protections to keep their assets safe.

Framing the Definition (for this discussion)
• The 'A' should be for Adequate
  – No new hacks unless it is really required
• 'Advanced' is relative to the countermeasures deployed for maintaining presence, or to previously unseen capabilities
• The threat is the actor
  – Not the exploits
  – Not the tools
  – Not weaponized precision malware

Exfiltration Problem
(Diagram: core data surrounded by layers of firewalls, IDS/IPS, content filtering, AV, assessment testing, and config mgmt.)
APT Elements
• High chance of success
• Targeted (very rarely opportunistic)
• Organized and structured
  – Mid-term and long-term plans
  – No random elements
• Exploit human nature
  – Software and wetware vulnerabilities
  – Legitimate credentials are acquired
(Diagram: High chance of success / Organized and structured / Target folders)
• E.g. 'Gh0stNet' and obvious C2 chain
• 'Newness' is really defined by elements of attack
• The value of the target data greatly exceeds the investment cost to get it

Tactics, Techniques, Procedures
• Advanced attributes are defined by 0-days, code nuances, and structured exploits built on KNOWN APPLICATIONS
• Creating a super-kit for SCADA is just not feasible
• ROI is maximized when APT methods are reused
  – Often the same MD5 of C2 channel or dropper
• Each threat has a TTP or a 'fist' that is often recognizable and defendable
  – Self preservation/expansion/replication
  – Stuxnet not so easy

Observations From the Field
• Sources of data are several
  – Security assessments
  – APT 'focus reviews'
  – 'fly away' incident response (with law enforcement)

Observations From the Field
• ICS instances appear to be collateral
  – Connectivity enabled the compromise; lateral functions simply catch automation
• Of 37 instances investigated for anomalous activity and rogue compromise, 3 yielded artifacts suggesting actual direct APT impact on ICS
  – And the activity on ICS was secondary, based on collected (compromised) intelligence
• Target folders exist, but nothing beyond a level 1 adversary with standard OSINT
  – Folders full of stuff we know or have seen before
• No artifacts on field equipment
  – No need if the HMI or FEP is compromised

Artifacts on ICS
• Obvious C2 channel
• Windows and *nix
• No indication of intent to damage the system, only collection
  – Typical of most APT
• Q: How do we know ICS was not targeted?
  – We don't
  – What if time to ICS compromise was really short?
Observations From the Field
Recon
• Target folders
• Corporate analysis
• Peer business activities
• Integration/service provider investigation
Penetration
• Phishing
• SQL injection
• Trust abuse
Command and Control
• Not obvious channels
• Port 80 or ICMP
• Comms from ICS:
  – Out to corp
  – Direct to Internet
  – Out via VPN
Escalation and Lateral Activity
• Rogue network sockets opened by processes
• Evidence of driver layering
• Packet interception and keystroke capture
• SCADA/ICS done well after initial domain

Target Folder: ACME CORP.
• Emails (exec/admin/legal/HR)
• Personnel profiles
• Facebook
• Twitter
• Family trees
• Blog pages
• Corporate ppt
• Corporate events
• M&A
• 501(c)
• Network diagrams (notional)
• Network diagrams (integrators)
• Case studies
• Nmap/Nessus reports
• Service records
• ISP data
• Peer comms
• ipindex
• Recent data
• Progress
• C2 monitoring

Countermeasures
• Of the observed 'APT', damage was avoided by implementation of defense in depth
  – Existing host and network tools work perfectly
• Live SCADA forensics proved very useful to aggregate anomalies
• Code analysis provided a framework for egress and DNS corrective actions
• Persistence is proportional to vulnerabilities
  – Kernel locking works very well for 0-days
• It is very hard to get rid of some of these

Exfiltration Problem
(Diagram: core data surrounded by firewalls with ingress/egress filtering, IDS/IPS properly tuned, content filtering, AV behavior based, assessment testing with APT components, and config mgmt.; the ICS/SCADA domain sits inside these layers.)

Active APT Forensics on ICS
• Must be fast and non-intrusive to the process
  – Load similar to a virus scan
• Actually easier when the system is operating for a single purpose!
(Diagram: live forensics checklist for an ICS host)
Main
• Imaging
• Access pre-loaded servlets
• Map known process .exe/.dll
Running Processes
• Review open handles and map to virtual address space
Egress Monitoring
• Review open network sockets
Core
• Device/driver layering
• Walk linked list (loaded kernel modules)
• Identify hooks (System Call Table, Interrupt Descriptor Table, Driver Function Table)
• Identification of loaded drivers and verification of signatures

Facts
• Any real frequency of SCADA/ICS APT is several orders of magnitude below defense contractors, embassies, and FIs
• Only mild indicators that the initial target was ICS
  – But this is almost impossible to know
  – Future modus operandi may provide intel
• Expect to see a lot more now that we know what to look for

Caution
"In the cyber security domain, APT is quickly becoming the new Smart Grid. Pretty soon it will be a catch-all for everything we are not clever enough to understand, and become so ethereal that only the people trying to sell it will have a definition – and different ones at that."

Thank You
QUESTIONS?
Mark Fabro CISSP, CISM, CSSE
President and Chief Security Scientist, Lofty Perch, Inc.
[email protected]
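The checklist above (known process images, open sockets, loaded kernel modules, driver signatures, hooked tables) is easiest to act on when a commissioning-time baseline of the single-purpose host exists and a live snapshot can be diffed against it. The following is an added example, not code from the original talk or from Lofty Perch: the snapshot structure, the baseline contents and every process, driver name and hash in it are constructed; in practice the live snapshot would be filled from a memory image or live-response tooling, and the "hooked tables" set from whatever tool verifies the SSDT/IDT entries.

```python
# Added example (not from the original slides): comparing a live host snapshot
# against a known-good baseline for a single-purpose ICS host (an HMI), covering
# the "Running Processes", "Egress Monitoring" and "Core" checks of the slide.
# The snapshot format and every hash/name here are constructed for the example.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Process:
    name: str
    image_sha256: str   # hash of the on-disk .exe backing the process

@dataclass(frozen=True)
class Driver:
    name: str
    signed: bool        # result of driver signature verification
    image_sha256: str

@dataclass(frozen=True)
class Socket:
    process: str
    remote: str
    port: int

@dataclass
class HostSnapshot:
    processes: set = field(default_factory=set)
    drivers: set = field(default_factory=set)
    sockets: set = field(default_factory=set)
    hooked_tables: set = field(default_factory=set)  # e.g. {"SSDT", "IDT"} if tooling reports patched entries

# Known-good baseline captured when the HMI was commissioned (constructed values).
BASELINE = HostSnapshot(
    processes={Process("hmi_runtime.exe", "aa11"), Process("historian_agent.exe", "bb22"),
               Process("svchost.exe", "cc33")},
    drivers={Driver("plc_comm.sys", True, "dd44"), Driver("ndis.sys", True, "ee55")},
    sockets={Socket("historian_agent.exe", "10.20.3.10", 1433)},
)

def compare(baseline, live):
    """Return sorted (category, detail) findings; an empty list means the host matches its baseline."""
    findings = []
    base_procs = {p.name: p.image_sha256 for p in baseline.processes}
    for p in live.processes:
        if p.name not in base_procs:
            findings.append(("unknown-process", p.name))
        elif base_procs[p.name] != p.image_sha256:
            findings.append(("process-image-changed", p.name))   # same name, different binary
    for missing in set(base_procs) - {p.name for p in live.processes}:
        findings.append(("missing-process", missing))            # e.g. a killed agent or watchdog
    base_drivers = {d.name: d for d in baseline.drivers}
    for d in live.drivers:
        if d.name not in base_drivers:
            findings.append(("unknown-driver", d.name))          # layered driver not in the baseline
        elif d.image_sha256 != base_drivers[d.name].image_sha256:
            findings.append(("driver-image-changed", d.name))
        if not d.signed:
            findings.append(("unsigned-driver", d.name))
    for s in live.sockets - baseline.sockets:
        findings.append(("rogue-socket", f"{s.process} -> {s.remote}:{s.port}"))
    for table in sorted(live.hooked_tables):
        findings.append(("table-hooked", table))
    return sorted(findings)

# Constructed live snapshot: an extra process talking out over port 80, a layered
# unsigned driver, and a patched System Call Table entry reported by the tooling.
LIVE = HostSnapshot(
    processes={Process("hmi_runtime.exe", "aa11"), Process("historian_agent.exe", "bb22"),
               Process("svchost.exe", "cc33"), Process("updater.exe", "9f9f")},
    drivers={Driver("plc_comm.sys", True, "dd44"), Driver("ndis.sys", True, "ee55"),
             Driver("netflt.sys", False, "0101")},
    sockets={Socket("historian_agent.exe", "10.20.3.10", 1433),
             Socket("updater.exe", "203.0.113.9", 80)},
    hooked_tables={"SSDT"},
)

if __name__ == "__main__":
    for finding in compare(BASELINE, LIVE):
        print(finding)
```

Because the baseline of a single-purpose host is small and stable, every category here is a plain set difference or hash comparison, which keeps the check's load close to the "similar to a virus scan" requirement on the previous slide; the diff yields the rogue socket, the unknown unsigned driver, the extra process and the hooked table, and comparing the baseline with itself yields nothing.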