Transcript Symbolic Honeynets for Gathering Cyber

Mike Burmester
Work with W. Owen Redwood and Joshua Lawrence
1. Critical Infrastructures protection
Critical infrastructure ecologies, resilience, real vs ideal world simulations
b. Protection and control architecture for EG substations
c. Vulns of an IEC61850 enabled EG substations, synchronized attacks
a.
2. Honeypots
a.
real-time situational awareness tools
b.
Cyber-Physical Systems
i.
ii.
SCADA / Critical Infrastructure
Vulns & Security & state of Threat Intelligence
3. Symbolic Cyber-Physical Honeynets
a.
Situational Awareness for SCADA / ICS
Human
A
Physical
Cyber
(real world adversary)
controls all communication channels
A
(ideal world adversary)
controls all communication channels
Human
Physical
Cyber
Human
Physical
Cyber
F (protected functionality)
Bricks
Bricks
Ethernet
connectivity
to
SCADA & HMI
IEDs I/O via fiber
IEDs I/O via fiber
Ethernet -- Substation Bus
Relay
IED
Meter
Other Substations
HMI
Remote Operator
Internet
Ethernet -- Process Bus
5
Merge Unit
Merge Unit
Control Center
Vulnerabilities are indicated by “ “ and involve physical/human/cyber entities. For example: the Remote Operator or their
computer may be compromised, the behavior of the Relay or the Merge Unit Brick may be irregular (because of unexpected
inputs), etc. Our goal is to:
Analyze realtime multi-layer vulnerabilities of EG infrastructures resulting from malicious/unexpected behavior.
Analyze cascading EG infrastructure faults.
Identify vulnerabilities & exploits of IEC61850 substation automation systems using hardware-in-the-loop realtime testing.
Develop a framework that addresses holistic integrity in realtime by enforcing trust policies and controls and by enabling
security mechanisms and tools (engines).
Maintaining Functionality at Sustained Levels
output power
sustained functionality level
time
Backup power
Capture:
●
●
●
●
●
●
●
●
●
Tool use
detection tests (and sometimes fail!)
initial intrusion
outbound connection initiated
...
expand access and obtain credentials
strengthening of foothold
data exfil
attempts to cover tracks
diagram from http://en.wikipedia.org/wiki/Advanced_persistent_threat
Honeynet - More than one honeypot
Low interaction
● simulates a controlled subset of the target’s attack surface
o
o
emulates common services, applications, OSes
low risk
High interaction
● utilizes real services, apps, OSs (near-real attack surface)
o
o
o
commonly have a HMI or GUI
high risk
capture far more data
● Good, currently-maintained tools for these are RARE
● Exploitation techniques & strategies
● Post-exploitation techniques & strategies, and
● end goals (very hard to observe)
computational systems that monitor and control
physical entities
●
●
●
●
●
control systems
sensor-based systems
autonomous systems
robotic systems
etc...
Typically a network of:
●
●
●
Remote Telemetry Units (RTUs)
Programmable Logic Controllers (PLCs)
Intelligent Electronic Devices (IEDs)
(may be a MAC-layer “station bus” network)==>
Controlled by:
●
●
●
●
Supervisory Control And Data Acquisition (SCADA) system(s)
Industrial Control System (ICS) system(s)
Process Control System (PCS) system(s)
Distributed Control System (DCS) system(s)
Are embedded systems,
●
●
●
●
Linux
VXworks
Solaris
custom firmware, custom OS...
with some specialized additions:
● sensors, actuators, regulators, communication devices, and “control”
processing units
Standards designed by engineers FOR engineers
Access to standards/documentation > $10,000
o
restricted access, yet expect everyone to adopt it
Descriptions of protocols are open, but closed-source code
is common
● Implementations thus differ per vendor
o
Makes things hell for the control systems vendors
Specialized Search engines:
● SHODAN - Sentient Hyper-Optimized Data Access Network
o http://www.shodanhq.com/
● ERIPP - Every Routable IP Project
o http://eripp.com/
● IRAM - Industrial Risk Assessment Map
o http://www.scadacs.org/iram.html
Project SHINE (early 2014):
● uses SHODAN to detect how many ICS systems are connected to internet
EACH DAY:
● 2000-8000 NEW ICS on internet PER DAY
● “forever-day” originated.
● n-days typically never get patched.
<==This trivializes the cost of target research.
● Accessible to all levels of threat
● Amplifies the impact / opportunities of all
other stages of the attack cycle
o
Stuxnet-level attacks aren’t possible without
research
● Thus the “low-hanging fruit” of attackers
can cause significant damage
● vendor backdoors are common
● 1990’s network interface cards, easy to DoS
● very hard to patch / update
Hacking: it’s like its 1980’s, once you get inside the
network
Security designed by Engineers != Security
No modern security like:
● Executable Exploit Mitigations:
o
o
o
o
o
o
ASLR
DEP / N^X / W^X
Control Flow Locking
GS / Stack cookies (compiler dependent)
safe heap allocators (compiler dependent)
kernel / file integrity watchdogs
GLEG Ltd (Russian Company) sells:
● Agora: since 2006, contains 160+ CPS exploitation
modules
● SCADA+: project containing “ALL publicly available
SCADA vuln”s in one exploit pack
Core Impact sells:
● ExCraft SCADA Pack: 50+ CPS exploitation modules
SamuraiSTFU (Security Testing Framework for Utilities)
provides:
● collection of web, network, and hardware exploitation tools targeted
for utility security teams/security firms.
Metasploit provides:
● several exploitation modules as well
● in the nice popular metasploit framework
SCADA Vulnerability and Exploit-PoC Repository:
http://scadahacker.com/vulndb/ics-vuln-ref-list.html
how often do these things even get attacked anyways???
ICS CERT: Surge In Brute-Force Attacks Against Energy Industry (06/2013)
http://www.darkreading.com/attacks-breaches/ics-cert-surge-in-brute-force-attacks-ag/240157599
Addressing Cyber Threats to Oil and Gas Suppliers (June 2013)
http://www.cfr.org/cybersecurity/addressing-cyber-threats-oil-gas-suppliers/p30977
● increasing threats, ranging from cyber espionage by foreign intelligence, to attempts to
disrupt operations
Congressional Report:
“Electric Grid Vulnerability: Industry Responses Reveal Security Gaps” (May)
http://www.scor.com/en/sgrc/pac/cyber-risks/item/2573.html?lout=sgrc
●
Bleak outlook. Cyber threats against CPS are far likelier and riskier than high-altitude
EMP detonations
From 2014-2015:
● BlackEnergy APT campaign
● SandWorm APT campaign
o
also used blackenergy malware
● Dragonfly APT campaign
o
aka Energetic Bear / Crouching Yeti

targets IEC 60870
● …. Each of these has been going on for years and were only
discovered in 2014
CISCO CIAG’s SCADA
HONEYPOT (2004)
DIGITAL BOND’s SCADA
Honeynet Project (2010)
CONPOT - The Honeynet
Project’s ICS Honeypot
TREND MICRO’s closedsource honeypot project
ROS Honeypot
● We’re good OK at tracking the attacks against cyber…
● What about how cyber attacks against one end of a
CPS can affect directly/indirectly other parts of the
physical system.
 upstream
 downstream
The ROS honeypot is the 1st true cyber-physical
honeypot
●
●
DEFCON 20 experiment
providing a high-interaction vulnerable HMI that
interfaces
with actual robotic hardware running ROS.
●
o
Thus, is able to capture cyber attacks against the
underlying physical system
But this solution would not scale for large CPS…
● Too expensive
● Too complicated
● High maintenance
Novel features:
● symbolic simulation/analysis of physical part
● emulation of everything else (SCADA / ICS protocols)



Provides realistic stimuli to HMI = believable target
Allows capture of post-exploitation behavior
Organize and highlight attack data in a “cyber-physicalanomaly-centric manner”
Why “Symbolic”???
● The anomaly detection engine analyzes each parameter
as a set of symbols.
o
doesn’t care about the data types

voltage, current, temperature, load, status, ...
The Interaction Layer
The Honeynet Layer
eth0
Internet
Exposed
Interface
vmnet0
(virtual bridge to eth0)
Infrastructure Modeling Layer
vmnet1
host-only mode
Simulated cyber-physical
systems
SCADA HMI
Exposed
Honeynet
HONEYNET
FRAMEWORK
Honeynet and SCADA
HMI Logging
The Logging Layer
Anomaly
Detection
vmnet2
Isolated
host-only
Design Principles:
● All components are modular
● HMI interaction is coupled with the simulated physical
model
o
multiple HMI’s all reflect one overall physical model
● Layers are strictly partitioned
Designed to:
● facilitate greater interactivity than existing cyberphysical honeypots,
o
to entice more sophisticated threat actors
● be easier to expand upon
● present data in a higher order representation.
o physics anomalies presented with corresponding network traffic
Symbolic data flow model which simulates the
physical parts of a cyber-physical system,
●
●
Provides realistic stimuli to HMI = believable target
Based on Kahn Process Network (KPN)
o Many engineering models based on KPN model
IML’s data flow model defines a process by a set of
signals, actors, and firing rules.
References
http://www.cs.fsu.edu/~burmeste/pubs.html