1/30/14 Q&A Session
Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems: Q&A Session
Webcast Q&A session with presenters Matt Luallen, Co-Founder Dragos Security LLC and Robert Lee, Co-Founder, Dragos Security LLC.
- Q: Do you recommend honey pots to detect intrusions in industrial systems?
- A: CAUTION: Prior to incorporating any honeypots ensure that you have taken the measures similar to the twenty critical controls. Anything can be a great tool when leveraged correctly; but to be honest honeypots are one of my favorite tools to use and we think they can be very beneficial to industrial systems. One of the key pieces of defense that is available to an industrial network owner is that their network, configuration, type of devices, etc. are all largely initially unknown to the adversary. Therefore, setting up honeypots on the inside of the network where no one should be accessing them can be very revealing. When activity is detected in the honeypot it is either malicious or a misconfiguration and can be one of the first indications of a compromise. In addition, using honeypots outside of your network can give an indication on what type of threats are out in the wild that haven’t affected your networks yet. In this way, you can build defenses and mitigations to threats that you’ve never interfaced with on your network. This is a concept of Threat Intelligence and is very powerful when used correctly.
- A: CAUTION: Prior to incorporating any honeypots ensure that you have taken the measures similar to the twenty critical controls. Anything can be a great tool when leveraged correctly; but to be honest honeypots are one of my favorite tools to use and we think they can be very beneficial to industrial systems. One of the key pieces of defense that is available to an industrial network owner is that their network, configuration, type of devices, etc. are all largely initially unknown to the adversary. Therefore, setting up honeypots on the inside of the network where no one should be accessing them can be very revealing. When activity is detected in the honeypot it is either malicious or a misconfiguration and can be one of the first indications of a compromise. In addition, using honeypots outside of your network can give an indication on what type of threats are out in the wild that haven’t affected your networks yet. In this way, you can build defenses and mitigations to threats that you’ve never interfaced with on your network. This is a concept of Threat Intelligence and is very powerful when used correctly.
- Q: Our control systems use the corporate LAN. What are the advantages and disadvantages (from a security point of view) to this architecture?
- A: From a security point of view we would caution that this is largely a disadvantage to security for control systems. Admittedly, one benefit of having control systems on the corporate LAN (although we would largely argue against doing this) is that the defensive systems for the LAN are inherited by the control systems. As an example, the corporate LAN likely has intrusion detection systems, configured firewalls, and other security applications that the control systems would benefit from having in terms of boundary defense. However, control systems segregated from the corporate LAN correctly have even higher levels of such defense. Imagine an attacker that has to break into a network. One of their main points of entry is going to be a corporate network where users are browsing websites or reading emails. An attacker can utilize a range of entry vectors such as a client side attack to infiltrate the network. If control systems are on the network they are largely vulnerable. If control systems are on a segregated network where there are limited connections to the corporate network (if any) the defenders have more opportunities and time to catch the attackers. Lastly, most control system protocols were designed to only be used on networks that were considered secured and air gapped from other vulnerable IT networks. We know that the air gap is not a feasible defense strategy but it is important to keep in mind that the ICS protocols were not designed with security in mind.
- Q: Can we obtain a MAC address for a device that is trying to access my control network? If so, can we assume the MAC address is real and not fake?
- A: It depends on the point in which you are detecting the MAC address. For example, if you have noticed interesting IP traffic trying to access your control network from another network control such as the corporate network then look at the ARP and MAC address table on the appropriate routers and/or switches on that network. However, if the IP address is coming from another network that you do not have control over then it is highly unlikely that you will ever determine the MAC address. Determining a MAC address may not always be useful because it is very easy to spoof, or fake, a MAC address. An attacker could state that their MAC address is one value while it is actually another. However, if you have great insight into your network (which you should for control networks) and can identify machines based on their MAC addresses it can be helpful in identifying rogue or infected devices and quarantining them from the network. As an example, you could use the prefix on the MAC address (IEEE OUI) to attempt to identify the type of device you are looking for and limiting your search on the network with that information.
- A: It depends on the point in which you are detecting the MAC address. For example, if you have noticed interesting IP traffic trying to access your control network from another network control such as the corporate network then look at the ARP and MAC address table on the appropriate routers and/or switches on that network. However, if the IP address is coming from another network that you do not have control over then it is highly unlikely that you will ever determine the MAC address. Determining a MAC address may not always be useful because it is very easy to spoof, or fake, a MAC address. An attacker could state that their MAC address is one value while it is actually another. However, if you have great insight into your network (which you should for control networks) and can identify machines based on their MAC addresses it can be helpful in identifying rogue or infected devices and quarantining them from the network. As an example, you could use the prefix on the MAC address (IEEE OUI) to attempt to identify the type of device you are looking for and limiting your search on the network with that information.
- Q: A list of the tools (and sources thereof) that you (both) have mentioned
- A: Absolutely; here are some of our favorite tools and websites where they can be found. Remember though, understanding your network and empowering your analysts is the greatest tool you have. These tools all require that you have a sufficient baseline to compare against.
- Digital Imaging software
- Encase: www.guidancesoftware.com
- FTK: www.accessdata.com
- Free forensic toolkit
- SIFT Workstation: https://digital-forensics.sans.org/community/downloads
- Memory Analysis
- Volatility: https://code.google.com/p/volatility/
- Packet Analysis
- Wireshark: www.wireshark.org
- tcpdump: www.tcpdump.org
- Intrusion Detection Systems
- Snort: www.snort.org
- Bro: www.bro.org
- Helpful Links
- ICS-CERT: Ics-cert.us-cert.gov
- SANS Forensics Reading Room: https://www.sans.org/reading-room/whitepapers/forensics
- Digital Imaging software
- A: Absolutely; here are some of our favorite tools and websites where they can be found. Remember though, understanding your network and empowering your analysts is the greatest tool you have. These tools all require that you have a sufficient baseline to compare against.