Challenges in Cri-cal Infrastructure Security

(1)

6th Interna*onal Conference on Autonomous Infrastructure, Management and Security (AIMS 2012) 1

Challenges in

Cri-cal Infrastructure Security

Corrado Leita

(2)

Symantec Research Labs

•

CARD (Collabora*ve Advanced Research Department) group

–

Sophia An*polis, FR

–

Culver City, CA

–

Herndon, VA

•

European projects:

–

WOMBAT (2008-‐2011): Worldwide Observatory of Malicious Behaviors

and AQack Threats

–

VIS-‐SENSE (2011-‐2013): Visual Analyi*cs of Large Datasets for Enhancing

Network Security

–

CRISALIS (2012-‐2014): CRi*cal Infrastructure Security AnaLysIS

–

BIGFOOT (2012-‐2014): Big Data Analy*cs of Digital Footprints

(3)

Convergence between IT and ICS technologies

•

Interconnec*on of standard computer

systems with industrial control systems

•

An

opportunity

?

–

Lower costs and increased system eﬃciency

–

Opportunity to leverage standard IT

techniques (intrusion detec*on, ﬁle scanning,

standard hardening techniques, …)

–

Opportunity to enable ICS suppliers to

manage and support ICS devices at scale

•

A

threat

?

–

Enable aQacks and incidents that are typical of

standard IT environments

–

Enable aQacks on cri*cal infrastructures and

environments such as energy, gas, medical

–

Privacy viola*ons from data being more

widely available

(4)

What is this talk about?

Why is research on Industrial Control Systems security

important? How does it diﬀer from standard IT security?

What are the challenges associated to doing research on

ICS security?

Q1

Q2

(5)

What are the challenges in the protec-on

of ICS environments?

(6)

Threat

economy

IT VS OT

culture

Oﬀ-‐the-‐shelf

suitability to ICS

(7)

Are oﬀ-‐the-‐shelf product suitable for ICS security?

(8)

Smart Grid as a complex ecosystem

SCADA

AMI

Our

focus

(9)

Physical environment

A composi-on of complex environments

servers

clients in separate network

clients in main network

gateways

ﬂow datagram generated from the analysis of one

hour of opera*on of a water pump control system

diverse, o]en

non-‐standard protocols

(10)

Threat

economy

IT VS OT

culture

suitability to ICS

(11)

(12)

The interes-ng lesson

Is it possible to burn-‐out a water pump by solely interfacing with

the SCADA layer? Fail-‐safe mechanisms exist to prevent physical

damage!

(13)

Threat

economy

IT VS OT

culture

suitability to ICS

(14)

Threat economy

•

Security mechanisms o]en aim at

rendering an intrusion “diﬃcult

enough”

•

Their eﬀec*veness depends on the

value of the target!

–

Requiring a signed cer*ﬁcate to inject a

kernel driver

–

Keeping valuable resources in a private

network

–

Storing a cer*ﬁcate in a secure room

–

…

co

st

reven

ue

reven

ue

(15)

Stuxnet, Duqu, Flamer

•

Stuxnet: ﬁrst publicly known malware to cause public damage

•

Duqu: shares many similari*es, used for cyber espionage

•

Flamer: even more advanced pladorm for data exﬁltra*on

è

Cyber warfare is not a myth!

(16)

Is this the -p of an iceberg?

(17)

What is your experience with each of this type of

abacks? (1580 industries contacted, 2010)

Symantec 2010 Critical Infrastructure Protection Study - Global: October

2010

16

(18)

How many -mes have you suspected or been sure each

of the following has occurred in the last 5 years?

2010

17

(19)

Cost es-ma-ons of all the abacks over the 5 years

2010

18

(20)

Research in ICS security

(21)

The problems

•

Few or no informa*on is available on the threat landscape and

on ongoing aQacks against ICS environments

•

The few informa*on we have at our disposal shows very

advanced threats carried out by groups or governments with

almost unlimited resources

How do we ensure the

relevance

of our research?

How do we ensure the

(22)

How do (should) we do research?

D

raw

c

on

cl

us

io

ns

An

al

yze

re

su

lts

Pe

rf

or

m

e

xp

er

im

en

ts

Fo

rm

Hy

po

th

es

is

Obse

rve

DATA

(23)

An example: Rogue security sogware

All done in Javascript!

Marco Cova, Corrado Leita, Olivier Thonnard, Angelos Keromy*s, Marc Dacier,

“An analysis of Rogue AV campaigns”, RAID 2010

1.

What is the big picture?

2.

Is there any major diﬀerence

(24)

Methodology

1.

Scope deﬁni-on: deﬁni*on of lists of domains likely to be

related to the threat

–

Norton Safeweb, Malware Domain Lists, …

–

Data enrichment using robtex.com

2.

Data enrichment: collec*on of informa*on on the

infrastructure hos*ng the content

–

Registra*on informa*on, DNS informa*on, server informa*on, …

3.

Data mining: deﬁni*on of a set of features for each domain

and applica*on of MCDA

–

Manual analysis of each generated cluster

(25)

PC An-spyware

/24 network

Domain name

Web server

Web server/DNS server

Registrant email

(26)

Level of

coordina-on

Registra*on date

This is unique to this

threat and not shared

by, for instance, drive-‐

(27)

Are these ﬁndings speciﬁc to the threat landscape?

•

Experiment: drive by downloads

–

Analysis of 5304 domains known to be landing pages for Internet Explorer

ADODB.Stream Object Installa*on Weakness (CVE-‐2006-‐003)

–

Repeated feature collec*on and analysis using MCDA

•

Only 21 clusters were found accoun*ng for a total of 201

domains (3.8%)

–

The domains under analysis do not share a common infrastructure

–

The infrastructure is not actually owned by the perpetuators of the

aQacks

–

Important diﬀerence with the Rogue AV scenario

•

How to jus*fy this diﬀerence?

(28)

Rogue AV economics

•

What are the costs/revenues associated to the rogue AV

business?

•

Costs (informal survey)

–

Average monthly cost:

50$

–

Annual domain registra*on costs:

3-‐10$

–

Total annual costs:

879-‐2,230$

•

Revenues

–

Average price for a rogue AV:

30-‐50$

–

Client volume?

??

–

Total annual revenues:

??

(29)

Rogue AV servers and Apache mod_status

•

6 servers (193 domains) were

discovered to be oﬀering u*liza*on

sta*s*cs through the output of

Apache mod_status

– 

Con*nuous sampling of the output

over a period of 44 days

– 

Filtered out probing/scanning aQempts

– 

Tracked a total of 372,096 dis*nct IP

addresses

(30)

Behavior evolu-on

Cumula*ve number of dis*nct IP addresses for each

behavior type

Successful scans: 25,447

Unsuccessful scans: 306,248

Hit rate: 7.7%

A scan is considered

successful if a download is

performed by the same IP

address within 24 hours

(31)

Comple-ng the table

•

What are the costs/revenues associated to the rogue AV

business?

•

Costs (informal survey)

–

Average monthly cost:

50$

–

Annual domain registra*on costs:

3-‐10$

–

Total annual costs:

879-‐2,230$

•

Revenues (pessimis-c es-mate)

–

Average price for a rogue AV:

30-‐50$

–

Expected mone*za*on rate for client hit:

0.26%

(in previous studies on spam)

–

Client volume over 44 days:

331,695

–

Total annual revenues:

214,621-‐357,702$

(32)

Challenges

•

Rigorous data collec*on is

essen-al

to security research

–

Understanding the threat landscape

–

Understanding the threat economics

–

Evaluang/benchmarking real-‐world applicaon of speciﬁc solu*ons

•

It’s an

expensive

process

–

Highly dynamic threat landscape

•

Need to ensure representa*veness of the observa*ons, but also repeatability

–

It’s an itera*ve process

•

The eﬀort

cannot be easily shared

–

Field data experimenta*on is associated to lots of legal and ethical

concerns when it comes to sharing data

(33)

The importance of observa-on

•

What should we really do research on?

(34)

WINE: Benchmark for Computer Security

http://www.symantec.com/WINE

Symantec’s

worldwide sensors

experimental reproducibility

Pladorm for

(35)

The Worldwide Intelligence Network Environment

(WINE)

•

Goal: repeatable cyber security experiments at scale

•

Field data collected on millions of

end-‐hosts

•

Data sampled from Symantec’s

opera-onal data

sets

•

Access WINE on SRL site:

Culver City, CA

or

Herndon, VA

–

Fee required

•

Store

reference data

sets used in prior experiments

•

Maintain

lab book

(36)

What WINE is not …

•

… a deﬁni*ve benchmark suite

•

… a data set that can be copied outside of SRL

•

… a system that can be accessed remotely

•

… a repository for all the data that Symantec collects

•

… an eﬀort targeted exclusively at cyber security

(37)

Contextual informa*on

Opera-onal Model

DB

Virtualized

Server

…

Malware Samples

Researcher

5

NDA

1

WINE

Catalog

2

Proposal

• 

Hypothesis

• 

Data needed

3

Publica*on

• 

Ack: WINE

8

5

Isolated Red Lab

Contract

4

6

7

(38)

New

AQacks

Vulnerability

Dissemina*on

& Concealment

Zero-‐Day

AQacks

Patch

Advisory

Remedia*on

Malware

Samples

WINE Data Set:

Malware

(39)

New

AQacks

Vulnerability

Dissemina*on

& Concealment

Zero-‐Day

AQacks

Patch

Advisory

Remedia*on

Malware

Samples

Binary

Reputa-on

WINE Data Set:

Binary Reputa0on

Norton Insight

(opt-‐in program)

Submissions

Queries

MachineID

Timestamp

MD5 of binary

SHA2 of binary

Download URL

Protocol version

(40)

New

AQacks

Vulnerability

Dissemina*on

& Concealment

Zero-‐Day

AQacks

Patch

Advisory

Remedia*on

Binary

Reputa*on

A/V, IPS

Telemetry

WINE Data Set:

A/V & IPS Telemetry

Malware

Samples

Threats detected by

Norton products

Telemetry

AQack signature

Timestamp

Target OS

Target process

AQacking IP

CPU make & model

(41)

New

AQacks

Vulnerability

Dissemina*on

& Concealment

Zero-‐Day

AQacks

Patch

Advisory

Remedia*on

Binary

Reputa*on

A/V, IPS

Telemetry

Spam

WINE Data Set:

Spam

Malware

Samples

• 

Samples of spam and phishing emails

• 

Sta*s*cs on blocked spam

(42)

New

AQacks

Vulnerability

Dissemina*on

& Concealment

Zero-‐Day

AQacks

Patch

Advisory

Remedia*on

Binary

Reputa*on

A/V, IPS

Telemetry

Spam

URL Reputa-on

WINE Data Set:

URL Reputa0on

Malware

Samples

• 

Data collected by

crawling the Web

•  http://safeweb.norton.com

URL Reputa-on

Site name

Site ra*ng

Threat URL

Threat type

Threat name

Timestamp

(43)

Distributed Data Collec-on

Binary reputa-on:

35M machines

Malware:

7M samples

Spam: 2.5M decoys

URL reputa-on:

10M domains

A/V telemetry:

130M machines

(44)

Ac

ad

em

ia

End

use

rs

Industr

y

Can we extend the WINE idea to ICS research?

•

CRISALIS: 3-‐year collabora*ve project (funded by FP7-‐SEC)

•

Par*cipants:

–

Symantec (Ireland)

–

Siemens (Germany)

–

Security MaQers (Netherlands)

–

EURECOM (France)

–

Chalmers (Sweden)

–

University of Twente (Netherlands)

–

ENEL (Italy)

(45)

The problems

•

Few or no informa*on is available on the threat landscape and

on ongoing aQacks against ICS environments

•

The few informa*on we have at our disposal shows very

advanced threats carried out by groups or governments with

almost unlimited resources

How do we ensure the

relevance

of our research?

How do we ensure the

(46)

Threat economy (reminder)

•

Security mechanisms o]en aim at

rendering an intrusion “diﬃcult

enough”

•

Their eﬀec*veness depends on the

value of the target!

–

Requiring a signed cer*ﬁcate to inject a

kernel driver

–

Keeping valuable resources in a private

network

–

Storing a cer*ﬁcate in a secure room

–

…

co

st

reven

ue

reven

ue

(47)

Stuxnet

•

Windows worm discovered in

July 2010

•

Uses

7

diﬀerent self-‐propaga*on methods

•

Uses

4

Microso] 0-‐day exploits +

1

known vulnerability

•

Leverages 2 Siemens security issues

•

Contains a Windows rootkit

•

Used

2 stolen digital cer-ﬁcates

(second one introduced

when ﬁrst one was revoked)

•

Modiﬁed code on Programmable Logic Controllers (PLCs)

•

First known PLC rootkit

(48)

Stuxnet and the myth

of the private network

In

te

rn

et

C&C servers

P2P communica*on

Remote propaga*on

(49)

Stuxnet: an isolated incident?

•

September 2011:

a European company seeks help to

inves*gate a security incident that happened in their IT system,

and contacts CrySyS labs (Budapest University of Technology

and Economics)

•

October 2011:

CrySyS labs iden*ﬁes the infec*on and shares

informa*on with major security companies

–

Duqu: named a]er the ﬁlenames created by the infec*on, star*ng with

the string “~DQ”

–

A few days later, Symantec releases the ﬁrst report on Duqu malware

sample with the help of the outcomes of the original CrySyS inves*gators

(50)

Signed Drivers

•

Some signed (C-‐Media cer*ﬁcate)

•

Revoked immediately a]er discovery

(51)

Extremely stealthy

and targeted infec-on

•

0-‐day vulnerability in

TTF font parser

•

Shellcode ensures

infec*on only in an 8

days window in August

•

No self-‐propaga*on, but

spreading can be

directed to other

computers through C&C

–

Secondary target do not

communicate with C&C,

communicate instead

through P2P

Infec*on leaves almost no trace

on hard drive: only the driver ﬁle is

stored in stable storage!

(52)

Command & Control Complexity

•

Communica*on over TCP/80 and TCP/443

–

Embeds protocol under HTTP, but not HTTPS

–

Includes small blank JPEG in all communica*ons

–

Basic proxy support

•

Complex protocol

–

TCP-‐like with fragments, sequence and ack. numbers, etc.

–

Encryp*on AES-‐CBC with ﬁxed Key

–

Compression LZO

–

Extra custom compression layer

•

CnC server hidden behind a long sequence of proxies

(53)

Targets

(54)

Duqu “strange clues”

•

TTF Exploit

–

Font name “Dexter Regular”

from “Show*me Inc.”

–

Only two characters deﬁned:

: )

•

Inside the keylogger

component is a par*al

image

–

“interac*ng Galaxy System NGC

6745”

(55)

W32.Flamer

•

Recently discovered, but ac*ve for more than 2 years

–

Extremely high complexity

–

LUA Interpreter

•

Comprehensive toolkit for data exﬁltra*on

–

Ability to record from internal microphone

–

Bluetooth toolkit

(56)

What have we learned so far?

1.

Abacker mo-va-on:

no security prac*ce is likely to

make the intrusion diﬃcult enough. New movaons for

aQackers (crime, cyber warfare) mean more resources and

incen*ves to conduct aQacks.

2.

Myth of the private network:

also because of 1. ,

relying on network isola*on from the Internet as main

security protec*on is ineﬀec*ve. Physical security cannot be

enforced in prac*ce, and network isola*on renders cloud-‐

based security technologies impossible to apply (e.g.

reputa*on, data analysis, signatures, …).

3.

From Intrusion Preven-on to Intrusion

Tolerance:

a layered approach is required with several

safety nets and managerial procedures to handle fallback

modes.

(57)

The CRISALIS approach

Syste

m

disc

ove

ry

O.1

Securing the systems

O.2

Detec-ng the intrusions

O.3

Analyzing successful

intrusions

End user support

SCADA

environments

AMI

(58)

System discovery: the founda-on

of the CRISALIS project

•

Understand the environment being monitored

–

Devices

–

Interconnec*ons among devices

–

Semancs of the interacons

•

Challenges

–

Proprietary devices and protocols

–

Lack of protocol parsers

Syste

m

disc

ove

ry

O.1 Securing the systems O.2 Detec-ng the intrusions O.3 Analyzing successful intrusions

(59)

O.1 Securing the systems

•

Penetra*on tes*ng

–

Globally accepted methodologies in ICT infrastructures

–

Methodology needs to be carefully revisited to be applicable to ICS

(dangerous!)

•

Vulnerability discovery

–

AQen*on to the automated discovery of vulnerabili*es in ICS devices

•

Sta*c analysis of the binary code

•

Dynamic analysis

–

Drive the vulnerability discovery process through informa*on on the

protocol speciﬁca*on

Syste

m

disc

ove

ry

(60)

O.2 Detec-ng the intrusions

•

Vulnerability discovery is unlikely to exhaus*vely iden*fy all the

possible threat vectors. How to iden*fy and block a successful

intrusions?

•

Targeted aQacks: we need to avoid a-‐priori assump*ons on the

threat vector

–

Tradi*onal assump*ons on the threat model are likely to not hold

–

Signature-‐based technologies are not appropriate

–

Revisit behavior-‐based detec*on in ICS environments

–

Revisit host-‐based monitoring techniques

Syste

m

disc

ove

ry

(61)

O.3 Analyzing successful intrusions

•

Be ready to fail: provide instruments to detect suspicious

modiﬁca*ons to the devices and analyze their eﬀects

–

Forensic analysis of industrial devices: how can we understand if a PLC

device has been compromised? How can we understand the impact of the

modiﬁca*ons?

•

Challenges

–

Perceived absence of real threats by the industry

–

Deployment of proprietary components and protocols

–

Lack of persistent storage capabili*es

Syste

m

disc

ove

ry

(62)

Valida-on environment

•

How can we validate the soundness of the obtained results?

What is the performance of an intrusion detec*on methodology

in real world environments?

•

Valida*on environments:

–

ENEL Security Lab (Livorno, Italy): replica of a real-‐world SCADA system

used in power genera*on

–

Alliander Tes*ng deployment (Netherlands): tes*ng AMI deployment

Syste

m

disc

ove

ry

(63)

Thank you!

the U.S. and other countries. Other names may be trademarks of their respec*ve owners.

This document is provided for informa*onal purposes only and is not intended as adver*sing. All warran*es rela*ng to the informa*on in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The informa*on in this document is subject to change without no*ce.

Corrado Leita

(64)

An example: CRISALIS and protocol learning

•

Can we try to aQach seman*cs to the diﬀerent edges with no a-‐

priori knowledge on the protocol structure?

•

Can we infer causality…?

(65)

ScriptGen

•

Protocol-‐agnos*c algorithm

•

Observe conversa*on samples between a client and a real server

•

Infer semancs using bioinformacs algorithms

•

Proved good results in handling determinis*c exploit scripts

MAIL

FROM:

<alice

@syma

ntec.co

m>

MAIL FROM: <bob@

symantec.com>

MAIL FROM: <carl@syma

ntec.com>

MAIL FRO

M: <xxx@

bad.ru>

250 OK

550 ERR

MAIL FROM:

<*@*.*>

MAIL FROM: <*@symantec.

com>

(66)

Region analysis

1 2 3 4

Region synthesis

Multiple alignment

Clustering

M A I L F R O M : < a l i c e @ e u r e c o m . f r >

M A I L F R O M : < b o b @ e u r e c o m . f r >

M A I L F R O M : < c a r l @ e u r e c o m . f r >

M A I L F R O M : < x x x @ b a d . r u >

4

3

2

1

Micro clustering

MAIL FROM:<*@eurecom.fr>

MAIL FROM:<*@*.*>

Challenges in Cri-cal Infrastructure Security

Challenges in

Network Security

Opportunity to leverage standard IT

environments such as energy, gas, medical

ICS security?

Threat

SCADA

diverse, o]en

damage!

Requiring a signed cer*ﬁcate to inject a

Flamer: even more advanced pladorm for data exﬁltra*on

of the following has occurred in the last 5 years?

Research in ICS security

How do we ensure the

All done in Javascript!

Data enrichment using robtex.com

/24 network

Experiment: drive by downloads

The infrastructure is not actually owned by the perpetuators of the

Revenues

over a period of 44 days

Unsuccessful scans: 306,248

Total annual costs:

Evalua*ng/benchmarking real-­‐world applica*on of speciﬁc solu*ons

concerns when it comes to sharing data

The Worldwide Intelligence Network Environment

sets used in prior experiments

Contextual informa*on

AQacks

AQacks

Protocol version

Samples

Telemetry

AQacks

URL Reputa-on

A/V telemetry:

University of Twente (Netherlands)

How do we ensure the

network

2 stolen digital cer-ﬁcates

C&C servers

informa*on with major security companies

Some signed (C-­‐Media cer*ﬁcate)

communicate with C&C,

Embeds protocol under HTTP, but not HTTPS

CnC server hidden behind a long sequence of proxies

“interac*ng Galaxy System NGC

make the intrusion diﬃcult enough. New mo*va*ons for

based security technologies impossible to apply (e.g.

Syste

Seman*cs of the interac*ons

Syste

O.1 Securing the systems

protocol speciﬁca*on

Syste

O.2 Detec-ng the intrusions

Signature-­‐based technologies are not appropriate

Syste

O.3 Analyzing successful intrusions

modiﬁca*ons?

Syste

Valida-on environment

Syste

Thank you!

Copyright © 2010 Symantec Corpora-on. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corpora*on or its aﬃliates in

Corrado Leita

Infer seman*cs using bioinforma*cs algorithms

com>

Evaluang/benchmarking real-‐world applicaon of speciﬁc solu*ons

Some signed (C-‐Media cer*ﬁcate)

make the intrusion diﬃcult enough. New movaons for

Semancs of the interacons

Signature-‐based technologies are not appropriate

Infer semancs using bioinformacs algorithms