Dressing up the ICS Kill Chain
DANIEL MICHAUD-SOUCY
A Collision of Models
About
• Daniel Michaud-Soucy, ICS Security guy
• Current: Dragos, Threat Analyst
• Previous:
• Sempra Energy, Cybersecurity Engineer (R&D)
• Red Tiger Security, Professional Services Director (vulnerability assessments, penetration testing, red teaming)
• University of Ottawa: BASc Computer Engineering
About Dragos
Agenda
01 THREAT MODELING
02 ICS KILL CHAIN
03 BOWTIE MODEL
04 PRACTICAL APPLICATION
On Models...
All models are wrong, but some are useful
- George Box
What is simple is always false. What is not simple is unusable
- Paul Valéry
Only a Sith deals in absolutes
- Obi-Wan Kenobi
Threat Modeling
• Analysis of environment, threat actors, impacts, risks, crown jewels
• Assists with prioritization of security controls
• Based on threat modeling, what security controls are in place to prevent an insider from changing logic to a controller from my corporate network?
• What about a 3rd party connection from a vendor directly into my OT network?
• Someone else’s threat model != your threat model
Threat Modeling – The Environment
Corporate network
DMZ
Operations
Supervisory
Control
Instrumentation
Vendor
Threat Modeling – The Threat Landscape
INSIDER: A malicious insider, someone with prior system knowledge and “the keys to the kingdom”
HACKTIVIST: Propaganda-driven, not as well resourced as others
CYBERCRIME: Financially-driven, opportunistic, commodity or custom malware
“APT”: Nation-state actors, well funded and resourced, most sophisticated
ICS Cyber Kill Chain
• Originally created by Lockheed Martin as the Cyber Kill Chain, adapted to ICS by Michael J. Assante & Robert M. Lee
• Understanding, visualizing and organizing the steps (tradecraft) required for an adversary to achieve their goal
• Two stages:
• Cyber intrusion preparation and execution – “IT”
• ICS attack development and execution – “OT”
• Breaking the chain increases adversary friction
• As ICS network defenders, we have many opportunities to do this!
ICS Cyber Kill Chain – “APT” Style on Electric Power
OSINT
Spear-phishing campaign
Email
Malicious document
Mimikatz
IPv6 DNS
ICS network breach
Info gathering
Not observed…
Native Windows commands
Run payload as service
Breaker trip
Bowtie Model
• Risk assessment methodology
• Originates from a blend of fault and event tree methodologies
• Threats lead to an event on a hazard that leads to consequences, plus barriers
Diagram labels: Hazard, Event; two Threats on the left and two Consequences on the right, with a Barrier on each path between a threat and the event and between the event and a consequence
Bowtie Model – Driving a Car
Hazard: Driving a car
Event: Car crash
Threats: Other drivers, Tire failure, Road conditions
Preventative Barriers: Car mirrors, Defensive driving, ABS
Recovery Barriers: Airbag, Bumpers, Seatbelt
Consequences: Bodily injury, Vehicle totaled, Expulsion from car
01 THREAT MODELING
• We have a way to analyze the threats that matter to us
• This provides context and feeds into our kill chain
02 ICS KILL CHAIN
• We understand what steps an adversary has to go through to accomplish their goal
• These steps become our “threats”
03 BOWTIE MODEL
• We have a way to visualize our threats as well as our barriers
• Our barriers are our security controls
Dressing up the ICS Kill Chain
Threat Modeling – The Environment, with the KILL CHAIN overlaid: Corporate network, DMZ, Operations, Supervisory, Control, Instrumentation, Vendor
ICS Cyber Kill Chain – “APT” Style on Electric Power (with bowtie overlay)
Kill chain steps: OSINT, Spear-phishing campaign, Email, Malicious document, Mimikatz, IPv6 DNS, ICS network breach, Info gathering, Not observed…, Native Windows commands, Run payload as service, Breaker trip
Overlay labels: Domain Admin Credentials, Credential Reuse, Backdoor accounts, Pivoting, Credential harvesting, New processes, Service accounts, EDR, Disable account, Application whitelisting
Legend: Threats, Preventative Barriers, Recovery Barriers, Consequences
Practical Application – “APT” Style on Electric Power
Hazard: Operating a substation
Consequence: Loss of power delivery
Table columns: Kill Chain Step | Protection | Detection | Response
Kill Chain Step: Reconnaissance; Weaponization; Targeting; Delivery; Exploit; Install/Modify; C2; Act; Develop; Test; Delivery; Install/Modify; Execute ICS attack
Protection: Limit public information; Patch management; Mail proxy, web proxy; Hardening, patching; Disable PowerShell; DNS redirect; Network segmentation; Backup management; N/A; Privileged access; Privileged access; Controller run mode
Detection: Awareness, culture; AV, IDS; Awareness, report phishing; Anti-exploit, sandboxing; EDR tool; DNS logging; Access control monitoring; N/A; N/A; Behavior analytics; Behavior analytics; Process data monitoring; Internal reporting
Response: Patching; Sinkholing; SOC; SOC, CSIRT; SOC, CSIRT; SOC, CSIRT; N/A; N/A; SOC, CSIRT; CMDB, backups and recovery; Incident response plan
Practical Application – Evaluation and Gap Analysis
Hazard: Operating a substation
Consequence: Loss of power delivery
Table columns: Kill Chain Step | Protection | Detection | Response
Kill Chain Step: Reconnaissance; Weaponization; Targeting; Delivery; Exploit; Install/Modify; C2; Act; Develop; Test; Delivery; Install/Modify; Execute ICS attack
Protection: Limit public information; Patch management; Mail proxy, web proxy; Hardening, patching; Disable PowerShell; DNS redirect; Network segmentation; ?; N/A; Privileged access; ?; ?
Detection: Awareness, culture; AV, IDS; Awareness, report phishing; Anti-exploit, sandboxing; EDR tool; DNS logging; Access control monitoring; N/A; N/A; ?; ?; Process data monitoring; Internal reporting
Response: Patching; Sinkholing; SOC; SOC, CSIRT; SOC, CSIRT; SOC, CSIRT; N/A; N/A; ?; ?; ?
Legend: Control exists / Partial control / No control
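As an added example that is not part of the deck, the Python below models the bowtie dressing of the kill chain from the Bowtie Model and Practical Application slides: each kill chain step carries protection, detection and response barriers, each barrier has a status matching the gap-analysis legend (control exists, partial control, no control) or is marked N/A, and the functions produce the gap list, the steps where the chain is not broken, and a coverage figure per stage. The step names follow the deck; the assignment of controls to steps and their statuses are constructed sample data, not the deck's own assessment, and `Status`, `Barrier`, `Step`, `layer_status`, `gap_report`, `unbroken_steps` and `coverage` are names chosen here.

```python
"""Gap analysis over an ICS Cyber Kill Chain dressed up with bowtie barriers.

Added illustration, not code from the deck. Step names follow the deck's kill
chain; the control-to-step assignment and the statuses are constructed sample
data for this example, not the deck's assessment.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    EXISTS = "control exists"
    PARTIAL = "partial control"
    MISSING = "no control"
    NA = "not applicable"


@dataclass(frozen=True)
class Barrier:
    name: str
    status: Status


@dataclass(frozen=True)
class Step:
    name: str
    stage: int                   # 1 = cyber intrusion, 2 = ICS attack
    protection: Optional[tuple]  # preventative barriers (left of the event)
    detection: Optional[tuple]   # barriers that reveal the step in progress
    response: Optional[tuple]    # recovery barriers (right of the event)
    # None marks a layer N/A for this step; an empty tuple means "no control".


LAYERS = ("protection", "detection", "response")


def layer_status(barriers):
    """Collapse one layer of a step to a single status: the strongest barrier
    wins, an N/A layer stays N/A, and an empty layer is a missing control."""
    if barriers is None:
        return Status.NA
    statuses = {b.status for b in barriers}
    if Status.EXISTS in statuses:
        return Status.EXISTS
    if Status.PARTIAL in statuses:
        return Status.PARTIAL
    return Status.MISSING


def gap_report(steps):
    """Every (step, layer, status) cell that is only partial or missing."""
    return [(s.name, layer, st)
            for s in steps
            for layer in LAYERS
            for st in [layer_status(getattr(s, layer))]
            if st in (Status.PARTIAL, Status.MISSING)]


def unbroken_steps(steps):
    """Steps the defender could act on, but where neither a preventative nor a
    detection barrier fully exists: the chain is not broken there."""
    out = []
    for s in steps:
        prot, det = layer_status(s.protection), layer_status(s.detection)
        applicable = prot is not Status.NA or det is not Status.NA
        if applicable and Status.EXISTS not in (prot, det):
            out.append(s.name)
    return out


def coverage(steps, stage=None):
    """Share of applicable (step, layer) cells backed by a full control."""
    applicable = covered = 0
    for s in steps:
        if stage is not None and s.stage != stage:
            continue
        for layer in LAYERS:
            st = layer_status(getattr(s, layer))
            if st is Status.NA:
                continue
            applicable += 1
            covered += st is Status.EXISTS
    return covered / applicable if applicable else 1.0


E, P, M = Status.EXISTS, Status.PARTIAL, Status.MISSING


def step(name, stage, protection, detection, response):
    """Build a Step from (name, status) pairs; None keeps a layer N/A."""
    mk = lambda cells: None if cells is None else tuple(Barrier(n, s) for n, s in cells)
    return Step(name, stage, mk(protection), mk(detection), mk(response))


# Constructed sample assessment (barrier names echo the deck; the mapping and
# statuses are illustrative). Hazard: operating a substation; consequence:
# loss of power delivery.
KILL_CHAIN = (
    step("Reconnaissance", 1, [("Limit public information", P)], [("Awareness, culture", E)], None),
    step("Weaponization", 1, None, None, None),
    step("Targeting", 1, [("Mail proxy, web proxy", E)], [("Awareness, report phishing", E)], [("SOC", E)]),
    step("Delivery", 1, [("Mail proxy, web proxy", E)], [("AV, IDS", E), ("Anti-exploit, sandboxing", P)], [("SOC, CSIRT", E)]),
    step("Exploit", 1, [("Hardening, patching", E)], [("EDR tool", E)], [("Patching", E)]),
    step("Install/Modify", 1, [("Disable PowerShell", E), ("Application whitelisting", M)], [("EDR tool", E)], [("SOC, CSIRT", E)]),
    step("C2", 1, [("DNS redirect", E)], [("DNS logging", E)], [("Sinkholing", E)]),
    step("Act", 1, [("Network segmentation", E), ("Privileged access", P)], [("Access control monitoring", E)], [("SOC, CSIRT", E)]),
    step("Develop", 2, None, None, None),
    step("Test", 2, None, None, None),
    step("Deliver", 2, [("Privileged access", P)], [("Behavior analytics", M)], [("SOC, CSIRT", P)]),
    step("Install/Modify (ICS)", 2, [("Controller run mode", M)], [("Process data monitoring", E)], [("CMDB, backups and recovery", M)]),
    step("Execute ICS attack", 2, None, [("Internal reporting", P)], [("Incident response plan", P)]),
)


if __name__ == "__main__":
    for name, layer, st in gap_report(KILL_CHAIN):
        print(f"{name:24} {layer:10} {st.value}")
    print("chain not broken at:", unbroken_steps(KILL_CHAIN))
    for stage in (1, 2):
        print(f"stage {stage} coverage: {coverage(KILL_CHAIN, stage):.0%}")
```

Running the file prints the gap list, the steps at which the adversary meets no existing preventative or detection barrier, and the per-stage coverage; with the sample data stage 1 is almost fully covered while stage 2 is not, which is the kind of imbalance the gap-analysis slide is meant to surface. Letting the strongest barrier in a layer set the layer's status is a choice made here; an assessor who wants a conservative view can swap it for the weakest.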
In Conclusion…
• Threat modeling is the first step
• What does my network look like, what are the threats I am worried about?
• Understanding the adversary’s success criteria
• What are tactics, techniques and procedures utilized by threat actors I am concerned with?
• Complete by overlaying security controls as barriers
• What do I have in place that allows me to protect, detect and respond to these threats?
Thank you! Questions?
Daniel Michaud-Soucy
dms@dragos.com, @danms0
