RSAC 365 Virtual Summit
January 27, 2021, Online

Critical Infrastructure Network Attacks: Code Red, Alert Network Operators
About the talk

Just a few years ago ransomware attacks typically included only file encryption capabilities. In 2021, cyber criminals will target critical infrastructure operators by adding hacking operation capabilities to multistage ransomware attacks. In this session we will analyze the new TTPs used by cybercrime actors targeting critical infrastructure providers with ransomware-embedded attacks.

About speaker

Israel Barak
CISO at Cybereason

Transcript

Hello everyone, and thank you for joining us for this session on critical infrastructure network attacks, and specifically the attacks that we saw when we performed a utility or industrial control system oriented honeypot research. My name is Israel Barak and I'm the CISO at Cybereason. So without further ado, let's kick this off. Now, looking at the honeypot research goals, our primary goals were really to expand our tracking of changes in the adversarial landscape, the tools, the techniques, the practices that threat actors are using, from a threat intel perspective, and we really wanted to add threat intel context and analytics context around the telemetry that we often collect from both IT and OT environments. To help accomplish that, this specific honeypot research was built to emulate an electric transmission substation network, and we basically used network identifiers, both internal and external network identifiers, very similar to a known large electricity provider, to entice attackers to show interest and maybe even target this honeypot.

Looking at the outcomes so far from this research, I think for the spectre of cyberattacks against utility providers, and for those interested in protecting them, the profile of adversaries who target industrial control system providers is really broadening. I think while usually industrial control system attacks are linked to APT, or advanced persistent threat, actor groups and nation-state threat actors, and that is probably still, you know, the primary profile of an adversary that will target these environments, we were able to make that assessment, I think, today based on honeypot data that we collected. It really shows that the profile of threat actors that target these utility environments, these industrial control system environments, is broadening, and we're seeing many more types of threat actors getting into that mix and many more tiers of threat actors getting into that mix.

Before we dive into the honeypot research results, I'd like to set some context on some key trends in the ransomware space, which is going to be important for us to understand in order to put in context what we saw in the honeypot research. And I think those are going to be single-stage ransomware and multi-stage ransomware operations. So ransomware has historically been used in the so-called shotgun approach, right? Basically distribute the ransomware to as many targets as possible, and thereby increase the chances of generating revenue. And in these cases the ransomware operator basically acquires a list of targets, many times in the form of a mailing list or an email address distribution list, and distributes that email to the entire distribution list. Now, usually this is done with very little customization, usually just customizing the language to the geographic location of where that presumed target actually is. Those single-stage ransomware attacks are usually very quick to detonate. Usually, when the target receives that outreach, the email with that link, and the ransomware lands on the endpoint of that target, it lands and detonates very, very quickly: it starts encrypting the data and basically asks for money. Now, when you look at single-stage ransomware, there usually exist a few indicators. Every year, right, you see a large variety of strains in this space, a lot of new strains are being developed every month, and the idea is that those are fairly simple, rudimentary tools, fairly blunt tools. So there's not a lot of need to reuse code from previous strains to actually get money out of these operations, and that actually makes it difficult to detect those with the next-generation AVs and static analysis tools. And those single-stage ransomware attacks can be fairly impactful, but usually, when you think about business risk, those are actually the ones that pose less of a risk to corporate and larger enterprise organizations.

One of the critical trends in ransomware threats is the growth of a new operational paradigm, which is multi-stage ransomware, or multi-stage hacking operations, where the threat actor breaches a victim's network and performs several post-breach actions, and those actions are meant to result in a fairly large ransom payment. The general idea behind these operations is that a ransomware operator can generate significant revenue from a relatively small number of victims if each of them pays a large amount. When you think about all these ransomware cases that we've been seeing on the news, that paid, or at least were extorted for, six-figure sums, that is usually a multi-stage ransomware attack. Now, in a multi-stage attack, the attack itself typically involves data theft, stealing user credentials and laterally moving through the victim network and compromising other endpoints, basically targeting critical assets like domain controllers and others in the network. Now, this operational attack pattern attempts to impact the victim in several different ways, including confidential data loss and sensitive user credential theft, disabling large amounts of systems to effectively cause large-scale service disruption. And I think the idea behind these attacks, or behind the operational pattern of multi-stage ransomware attacks, is to create as many leverage points that the attacker can take advantage of to facilitate a large extortion. Ransomware attacks, both single-stage and multi-stage, are very prevalent; in fact, for many cybercrime operations they are the primary area of focus and source of revenue. Ransomware threat actors that target industrial control systems or critical infrastructure environments are presumed to be much less prevalent. Usually when you go through threat intelligence reports, those are presumed to be much less prevalent, and while at the onset of this ICS honeypot we actually did not expect to encounter one, we ended up realizing that these attacks can very likely be a lot more frequent than we might assume.

Now, before we dive into the honeypot research results, this is a quick overview of the architecture of the honeypot that we had set up. Basically, the honeypot network was built to resemble an electric transmission substation. The network architecture is very typical of a large substation. It contains several different elements: there's a DMZ area that is facing the external world, in this case the internet. Some of the critical services here in the DMZ include typical services that you would find in a substation network, like the remote technician interfaces. So if the station is currently in an unmanned situation, a technician would be able to connect remotely and support or analyze different types of issues, or if remote support is needed by an escalation point, those personnel are able to connect remotely. We'll see that that component in the network actually played a critical role in the incident that we're going to talk about here, serving as an initial access point for the attacker. Other components here in the environment include the industrial control system network itself. In this case, you can see here the devices, different types of ICS controllers that we had here in the honeypot. The ICS services segment in the network was focused on the HMI systems that are based on OpenSCADA, and other service segments in the network that are fairly typical of a large substation. Looking further into what we had here in the environment, the endpoints themselves were typically Windows or Linux based. The way we collected telemetry from the endpoints here in the ICS environment was using the Cybereason sensor that's basically deployed on these endpoints and collecting system, user and application behaviors on these endpoints, which we were able to essentially correlate and analyze to identify potential attack patterns and provide visibility into them. You can also see that the network segmentation was fairly typical of a combined environment, where the OT areas of the system are reasonably segregated via various firewalls, in this case from the IT network itself.

Now, one of the primary incidents that occurred in this honeypot is what we believe to be a multi-stage ransomware attack by a cybercrime threat actor. At a glance, and we'll take a look shortly into the steps of the attack in more detail through screenshots from the environment: the timeline of the attack started essentially two days after we connected the honeypot environment to the internet. So basically at time equals zero the network was ready, we had it connected to the internet, and it took two days to get to the initial compromise of the environment. Now, in the initial compromise, what we can see here as the primary techniques that were used by the attacker: the initial access was through the remote technician interface, where they basically brute-forced user account credentials and were able to gain access with those brute-forced credentials into the RDP system. They then ran a series of discovery techniques, performing discovery on the Active Directory in the domain as well as the DNS server that was in there, primarily doing reverse DNS lookups to identify where they are and what assets are in that network. And persistence was done in a fairly rudimentary way in this initial phase, using local user creation, basically creation of a backup user. The idea was that if we would go and change or replace the passwords that they were able to brute-force, they would still have a way to log in and get back into the environment. Now, that was two days after we got this environment connected to the internet. This short amount of time is very likely indicative of some sort of automatic scanning activity that's going on that allowed the threat group here to identify the new asset that was connected and perform these actions, likely automatically, on the remote technician interface.

Four days in, two days after the first access by the threat actor into the environment, we started noticing a different set of TTPs. We believe, by the way, that the change of TTPs that we're seeing between step two and step three is very likely due to a handoff of this environment between two different threat actors: very likely a first one that only got access to the environment and then sold it over to a second threat actor that continued to work on the target, probably based on the attractiveness of the indicators of which network they believe they compromised. Now, in step three, basically the threat actor started operating in a mode that was very, very focused on moving in the environment towards a higher goal. And what we saw here is an operational pattern that's actually very common to multi-stage ransomware attacks. The first stage is to steal credentials, basically steal the passwords of every user that logged on to the machine, in this case the remote technician access machines, and the tool that they used was Mimikatz. And then the second stage is to basically collect and exfiltrate all the data files that exist on that machine. The third stage was to drop ransomware onto that machine. So, at this point, the threat actor isn't detonating the ransomware. They're placing the ransomware on the machine, but they're not yet detonating it. The idea is to wait until a later moment in time until they actually detonate it. This is very, very similar to a pattern that exists in multi-stage ransomware attacks. And in the final stage, the idea is to use all these stolen credentials from this machine to move laterally to the other machines in this environment; in this case, they chose to use SMB and specifically PsExec to move in the environment. This stage took some time, right, it took them several days to move throughout the environment. At this point they're still in the IT environment, they're not yet in the OT, they're moving around the IT environment.

23 days after we started, that was 19 days after the previous step, the attacker exhibited a behavior that actually came as a surprise to us. Right, what we expected them to do is to spread through the IT environment and then drop and detonate the ransomware in the IT environment. Instead of that, they waited, they kept moving laterally in the environment, and then on day 23 of the honeypot they made a lateral movement from the IT environment into the OT environment. And what did they use to accomplish that, since the environments were separated, in this case with firewalls? They used a web service vulnerability that existed in the OpenSCADA HMI, and that surprised us, because what that showed us is that the attacker came in with a playbook that they were able to execute on for pivoting between an IT and an OT environment. Right? What they showed us was, obviously the majority of the environment did not have access into the HMI or to the ICS services environment, only specific services in the IT environment had that type of access, and what the threat actor showed us was that they were able to move laterally, and they kept moving in the environment, in this case for 19 days, until they found a service that had the ability to access the HMI system, in this case to see the HMI data. And then what they did with that level of access is to pivot into the OT network by exploiting a web service vulnerability in the HMI system. That was a surprise.

From the moment they gained access into the OT environment, they started going through the same multi-stage ransomware operation pattern, changing tactics, techniques and procedures a little bit. In this case, since the environment was Linux based, the credential access was done via pass-the-hash and pass-the-ticket techniques, and lateral movement was again over SMB, not PsExec in this environment, but SMB using the pass-the-ticket technique. But the procedure for a multi-stage ransomware attack was very similar: with each new host that they got access to, ransomware was dropped, not detonated, but dropped, this time in the OT environment; data was collected and exfiltrated over the command and control channel; and the stolen credentials were used to keep moving in the environment. And then later on day 24, the OT environment itself was not very big, so they completed that portion of their pattern of laterally moving in that environment on day 24, and when they had exhausted their ability to move laterally in the environment, late on day 24 they detonated the ransomware across both the IT and the OT environment simultaneously, basically encrypting all the data that was there, leading to system shutdown right across the entire environment, and then demanding their ransom.

If we look at EDR data from this attack, and I'm using screenshots taken from the Cybereason EDR console, we can see the attack here starting with the attacker compromising our remote technician RDP service by basically brute-forcing the local administrator password, then using PowerShell, right, to the point where the first stage of the attack, among other things, initiates data theft from this compromised system and starts performing persistence by creating a new local admin account. In the next stage we can actually see in more detail, right, the creation of the malicious local admin account that is used as a backup in case someone would reset the passwords for the users that they originally brute-forced. Their next step was to start downloading and staging additional tools, and specifically the ransomware. We can see that they're using PowerShell in this case to perform the file download, or dropping of those additional tools on the endpoint. One of these tools was the ransomware. At this point they're still not detonating the ransomware; they're placing it in a temporary folder on each of the hosts that they gain access to. They're still not detonating it. Why? The idea, again, is to wait until the cycle of lateral movement, data theft, credential theft, maximum leverage, right, has been achieved on the target, and then detonate on the environment as a whole. The next step was performing network discovery. We can see that they're actually using a commodity network discovery tool here as part of their arsenal of tools, which I think is probably more indicative of a cybercrime threat actor than it is of a more sophisticated APT group. And I think we'll see that pattern repeating itself. We saw it in the network discovery, we saw it in that strain of ransomware that was used, a fairly commodity strain of ransomware, and we'll see it in a couple of other places. I think it's probably more indicative of cybercrime threat actors in this particular space. But what they're doing with this network discovery is first and foremost looking for assets that are critical for the network, like domain controllers, file servers, databases, to scan and discover first, before discovering other endpoints in the network.

The attackers are then stealing user credentials from the compromised asset, and basically, as you can see, they're using Mimikatz, right, to dump credentials from this compromised asset. And then they're using the stolen credentials in combination with legitimate administrative tools, as you can see here with PsExec, to move into other assets in the environment, right. So they're taking encryption keys from LSASS, taking credentials and user passwords from this machine, the legitimate users being remote technicians in this particular case, and they're using these credentials, as well as a legitimate administrative tool, PsExec, to move in the environment. The first spread points that they were going after are actually the assets that will pose probably the least amount of suspicion but likely cause the highest amount of impact to the organization, like domain controllers, file servers, DB servers, that, you know, these compromised endpoints usually access as part of their normal day-to-day activity. And again, I think the use of commodity tools, in this case for credential dumping and for lateral movement, is probably another indicator here of a cybercrime actor that very likely prefers speed and simplicity over stealth and operational security. So they will continue to steal data and user credentials, right, all the way through this environment, using these techniques that we saw here, basically until they've exhausted their ability to move laterally, and only after they've completed that first stage, which in this case, in this honeypot environment, took several days, closer to three weeks, for them to go through the IT and then make the pivot into OT and cycle through the OT environment, only after they've completed that first stage will they actually detonate the ransomware, and they will do it simultaneously, with the ransomware that we saw them dropping at a very early stage in the attack, across all those compromised endpoints. Now, what this results in, in many cases, is a significant disruption to the victim's business, and then obviously a significant operational risk and risk of loss. When the extent of the destruction is large enough, obviously unless an organization has full and isolated DR capabilities that they can quickly revert to, even recovering from backups may not be a good enough option, because of the amount of time a large-scale recovery can take, and that leads organizations, and sometimes even insurers, to start considering negotiating with the attacker.

Looking at some of our takeaways from this honeypot: we saw some of the mechanics of the attack, and we understood how attackers get to the point where they can leverage the attack to try to extort large amounts of money. And we also saw the element that at least we, you know, found surprising, which was that playbook for pivoting from IT to OT, which was very surprising for us to see in a cybercrime group. So for us, the key takeaways from this research: first and foremost, the diversity of threat actors that are actually targeting utility providers and ICS systems. I think, judging by how quickly these attackers operated and their ability to pivot from the IT environment to the OT environment, while we can conclude that this is likely a cybercrime group, they're still very familiar with ICS deployments, with the security measures that utility providers implement, and with how to move from an IT environment to an OT environment. And I think this suggests that this honeypot wasn't the first time that they've done this, and they've probably been implementing this playbook fairly often. The other thing is, I think that the fact that multiple tiers of attackers find ICS environments interesting very likely means increased risk for people who operate these types of systems. I think the security basics are really what's going to prevent a bad day from becoming a catastrophic day in these environments. To think about these environments and utility providers, not all of them, but I would say most environments, these systems are old, they're fragile, and then even trained hacking units make mistakes that cause failures in these controls. And actors seeking to make a name for themselves, or simply prove that they can get into a system, I think are far more likely to cause failures out of ignorance rather than malice. And I think this makes incident response and attribution harder, but I think it also is more likely to result in an unintended real-world impact.

Second, I think it's important that companies with ICS environments operate a unified SOC that provides visibility into the IT and OT environment. I think, as we saw in the honeypot research, attackers are looking to use IT environments as gateways into OT environments. I think we need to have an ability to correlate activities that are starting in the IT environment or starting in the OT environment and traverse that bridge between those environments, so we can have a better understanding of how to respond to them and the nature of the risk they present. I think often companies have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. I think having that visibility is important because attackers, as we see here, could very likely start in the IT environment and move to the OT environment. And lastly, I think hunting is critical. This is the security team that looks for indicators that attackers are already in the company's environment, instead of waiting to react to an alert issued by a security tool. I think hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network. And I think establishing visibility, having behavioral detection capabilities, is going to be critical for effective threat hunting, let alone for scoping and responding to those incidents. And with that, first and foremost, I would like to thank you for joining us on the session, and now open the session up for any questions.
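The talk's central defensive point is that the ransomware is only detonated after the whole cycle (brute-forced remote access, a backup local account, credential dumping, staged payload, PsExec lateral movement) has run, so the cycle itself is the hunting window. The following is an added example, not code from the talk or from Cybereason: a small per-host stage correlation over endpoint telemetry that reconstructs those stages from behavioral events and surfaces hosts where several stages line up, the kind of behavioral detection the speaker recommends for a unified SOC. The event records are constructed sample data; the field names, event names and thresholds are assumptions. The only real identifier is PSEXESVC, the default service name PsExec installs on the remote host.

```python
"""Per-host stage correlation over endpoint telemetry, modelled on the
multi-stage ransomware pattern described in the talk.

Added example, not the talk's or Cybereason's code.  Event records,
field names, event names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: (time, host, event, attributes).
EVENTS = [
    # Stage 1: password guessing against the remote technician RDP host,
    # followed by a successful logon from the same source.
    *[(ts(f"2021-01-05T02:0{i}:00"), "tech-rdp01", "logon_failed",
       {"user": "administrator", "src": "203.0.113.7"}) for i in range(6)],
    (ts("2021-01-05T02:07:00"), "tech-rdp01", "logon_success",
     {"user": "administrator", "src": "203.0.113.7"}),
    # Persistence: a backup local account created minutes later.
    (ts("2021-01-05T02:15:00"), "tech-rdp01", "user_created",
     {"user": "support_bak", "by": "administrator"}),
    # Credential access: an unexpected process opens lsass.exe.
    (ts("2021-01-09T11:30:00"), "tech-rdp01", "process_access",
     {"source": "mk.exe", "target": "lsass.exe"}),
    # Payload staged to a temp folder but not executed.
    (ts("2021-01-09T11:40:00"), "tech-rdp01", "file_written",
     {"path": "C:\\Windows\\Temp\\svc.exe", "by": "powershell.exe"}),
    # Lateral movement: PsExec-style service installed on the domain controller.
    (ts("2021-01-10T03:00:00"), "dc01", "service_installed",
     {"name": "PSEXESVC", "src_host": "tech-rdp01"}),
    # Benign noise: one typo, then a normal logon on a workstation.
    (ts("2021-01-10T08:00:00"), "ws07", "logon_failed",
     {"user": "jdoe", "src": "10.0.5.22"}),
    (ts("2021-01-10T08:00:30"), "ws07", "logon_success",
     {"user": "jdoe", "src": "10.0.5.22"}),
]


def brute_force_logons(events, threshold=5, window=timedelta(minutes=15)):
    """(host, src) pairs where >= threshold failed logons from one source were
    followed by a success from that same source inside the window."""
    hits = set()
    failures = defaultdict(list)  # (host, src) -> failure times
    for t, host, ev, a in sorted(events, key=lambda e: e[0]):
        key = (host, a.get("src"))
        if ev == "logon_failed":
            failures[key].append(t)
        elif ev == "logon_success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                hits.add(key)
    return hits


def stage_report(events, threshold=5, window=timedelta(minutes=15)):
    """Map each host to the attack stages for which telemetry exists."""
    report = defaultdict(dict)
    for host, src in brute_force_logons(events, threshold, window):
        report[host]["initial_access"] = f"brute-forced logon from {src}"
    for t, host, ev, a in events:
        # A new local account only counts as persistence on a host that was
        # already brute-forced; on its own it is routine administration.
        if ev == "user_created" and host in report:
            report[host]["persistence"] = f"new local account {a['user']}"
        elif ev == "process_access" and a.get("target", "").lower() == "lsass.exe":
            report[host]["credential_access"] = f"{a['source']} opened lsass.exe"
        elif ev == "file_written" and "\\temp\\" in a["path"].lower():
            report[host]["payload_staged"] = f"{a['by']} wrote {a['path']}"
        elif ev == "service_installed" and a["name"].upper() == "PSEXESVC":
            report[host]["lateral_movement"] = f"PsExec service from {a['src_host']}"
            report[a["src_host"]].setdefault("lateral_movement", f"PsExec to {host}")
    return dict(report)


def campaign_hosts(report, min_stages=3):
    """Hosts with enough correlated stages to treat as an in-progress
    multi-stage intrusion rather than an isolated alert."""
    return sorted(h for h, stages in report.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    rep = stage_report(EVENTS)
    for host, stages in rep.items():
        print(host)
        for stage, why in stages.items():
            print(f"  {stage:18} {why}")
    print("hunt first:", campaign_hosts(rep))
```

The thresholds and the three-stage cutoff are deliberately conservative so that a single failed logon or a lone temp-folder write does not page anyone; what the talk argues is that the combination on one host, days before any encryption, is the signal worth hunting for.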
