SlideShare a Scribd company logo
1 of 58
Download to read offline
NSM 101 for ICS
About me
Chris Sistrunk, PE
Electrical Engineer
Sr. ICS Security Consultant
– Control system security assessments
– ICS Village (DEF CON & RSA Conference)
Entergy (11+ years)
– SCADA Engineer (10 years)
– Project Robus (ICS Protocol Fuzzing)
• 30+ implementation vulnerabilities in DNP3 stacks
– Substation Security Team
BSidesJackson
What happens when you use nmap
or a fuzzer on an ICS?
If ICS are so vulnerable,
why haven’t we seen
more attacks?
We aren’t looking!
Two Key Reasons
Intent
Visibility
Intent
Very little ICS targeted attack data
 Maroochy Shire to Stuxnet to German Steel Plant
Why are targeted attacks different?
 It’s a “Who” not a “What”
 Professional, organized, well-funded
 If you kick them out, they will return
Visibility
Visibility
Public ICS Vulnerabilities Per Year
If your ICS gets hacked…
gadgets
water
electricity
you can’t make anymore
Now what?
 More Gov’t security regulations
 ICS security still lagging
 Breaches are inevitable
 Attacks aren’t stopping
 Every sector
 Including ICS
What can we do to get ahead of this???
Network Security Monitoring
“The collection, analysis, and escalation of
indications and warnings to detect and respond
to intrusions. NSM is a way to find intruders on
your network and do something about them
before they damage your enterprise.”
- The Practice of Network Security Monitoring
Network Security Monitoring
Invented in 1990, still in use today
Cliff Stoll
“Stalking the
Wily Hacker”
1988
Todd Herberlein
et al.
“A Network
Security
Monitor”
1990
US Air Force
Defense
Information
Systems Agency
Lawrence
Livermore
National Lab
Early 1990s
NetRanger
RealSecure
Snort
and many
others
Late 1990s -
early 2000s
Formal
definition of
NSM
2002
Before we start looking…
We need
 At least one person (to watch and hunt)
 The right tools to collect and analyze the data
The NSM Cycle
Collection
DetectionAnalysis
 Model for action, based on
network-derived data
 Requires people and process,
not just technology
 Focuses on the adversary,
not the vulnerability
Methods of Monitoring
 Network tap – physical device which relays a
copy of packets to an NSM sensor
 SPAN or mirrored ports – switch configuration
which sends copies of packets to a separate port
where NSM sensor can connect
 Host NIC – configured to watch all network traffic
flowing on its segment (usually on NSM sensor)
 Serial port tap – physical device which relays
serial traffic to another port, usually requires
additional software to interpret data
Fluke Networks
Stratus Engineering
Types of Data Collected
 Full content data – unfiltered collection of packets
 Extracted content – data streams, files, Web pages, etc.
 Session data – conversation between nodes
 Transaction data – requests and replies between nodes
 Statistical data – description of traffic, such as protocol
and volume
 Metadata – aspects of data, e.g. who owns this IP
address
 Alert/log data – triggers from IDS tools, tracking user
logins, etc.
Difficulties for NSM
 Encrypted networks
 Widespread NAT
 Devices moving between network segments
 Extreme traffic volume
 Privacy concerns
Difficulties for NSM
 Encrypted networks
 Widespread NAT
 Devices moving between network segments
 Extreme traffic volume
 Privacy concerns
Issues that most ICS do not face!
Example ICS
Enterprise/IT
DMZ
Plant
Control
Web
Historian or
other DB
DCS HistorianHMI
PLCs,
Controllers,
RTUs, PACs
Anatomy of an Attack
22
Over all Mandiant attack investigations,
only a little more than half of victim computers have malware on them.
While attackers often use malware to gain an initial foothold,
they quickly move to other tactics to execute their attacks.
Unauthorized Use
of Valid Accounts
Known &
Unknown
Malware
Command &
Control Activity
Suspicious
Network Traffic
Files Accessed by
Attackers
Valid Programs Used
for Evil Purposes
Trace Evidence &
Partial Files
Attacker Objectives
Attacker’s goals:
 Damage equipment
 Affect or steal process info
 Cause safety or compliance issue
 Pivot from vulnerable ICS to
enterprise
Attacker’s options:
 Gain physical access to an ICS host
 Gain remote access to an ICS host
 Compromise a highly-privileged
client machine with access to the
ICS network
Enterprise/IT
Plant DMZ
Control
Web
Historian or
other DB
SCADA HistorianHMI
PLCs,
Controllers,
RTUs, PACs
Let’s do some NSM!
Let’s do some NSM!
Inquisitive mind
NSM collection tools
NSM hunting tools
Protection
NSM Collection
 Firewall Logs
 Session Data
 NIDS/HIDS Logs
 Full packet capture
 Windows Logs and syslog
 SNMP (CPU % etc.)
 Alerts from security agents
(AV, whitelisting, etc.)
Enterprise/ITEnterprise collectors Logs and/or Agent
Network sensors Logs only
Plant DMZ
Control
Web
Historian or
other DB
SCADA HistorianHMI
PLCs,
Controllers,
RTUs, PACs
NSM Collection
http://3.bp.blogspot.com/-B6PtheVJ9Jg/Uj4EErYhHdI/AAAAAAAAAFE/i_2dk9emrp4/s1600/Deer+tracks.jpg
What are we looking for?
 Exceptions from baseline (e.g. A talks to B but never C)
 “Top Talkers”
 Unexpected connectivity (to Internet, Business network)
 Known malicious IPs and domains
 Logins using default accounts
 Error messages that could correlate to vulnerabilities
 Unusual system and firewall log entries
 Host-based IDS or other security system alerts
 Unexpected file and firmware updates
 Antivirus alerts
 And others….
NSM Detection & “Hunting”
Analyst looks at detected anomalies
or alerts then escalates to IR
!
 IDS alerts
 Anomaly detection
 Firmware updates, other
commands
 Login with default credentials
 High CPU or network bandwidth
 Door alarms when nobody is
supposed to be working
 Devices going off-line or behaving
strangely
Plant DMZ
Control
Web
Historian or
other DB
SCADA HistorianHMI
PLCs,
Controllers,
RTUs, PACs
NSM Detection
http://www.buckmasters.com
http://www.jimyuskavitchphotography.com/data/photos/56_1wolf_track4.jpg
NSM Analysis
Incident responders analyze the
detected anomalies to find evil
 Application exploitation
 Third-party connections (ex. ICCP
or vendor access)
 ICS-specific communication
protocol attacks (ex. Modbus,
DNP3, Profinet, EtherNet/IP)
 Remote access exploitation
 Direct network access due to poor
physical security
 USB-delivered malware
Plant DMZ
Control
Web
Historian or
other DB
SCADA HistorianHMI
PLCs,
Controllers,
RTUs, PACs
NSM Analysis
http://alistairpott.com/wp-content/uploads/2008/05/rabbit-owl.jpg
http://www.youtube.com
NSM Analysis
NSM Analysis
ICS NSM Examples
Session Data “Top Talkers”
FlowBAT characterizes Session Data, showing which nodes have the most traffic
Web traffic
Web traffic
NetBios
NTP
SiLK and FlowBAT can be easily
installed in Security Onion
Pcap Analysis for anomalies
NetworkMiner can find potential ARP spoofing (as well as many other indicators)
Pcaps - Abnormal DNS Traffic
NetworkMiner sees“strange” DNS requests originating from within the ICS
IDS alerts - Abnormal DNS Traffic
DNS requests shown in the Bro IDS log in ELSA
Pcaps – Malformed Modbus
Deep packet inspection of Modbus by Wireshark
Pcaps – Custom Modbus
Unknown Function Code 90
Schneider Modicon uses FC 90 to start/stop the PLC and other admin stuff
Metasploit module does too!
c
IDS Logs
 Bro IDS
– DNP3 & Modbus
– More ICS protocols being developed by UIUC
 Snort IDS
– DNP3 & Modbus preprocessors
– ET SCADA & DigitalBond Quickdraw Snort rules
 Suricata IDS
– New DNP3 parser & ET SCADA rules
IDS Logs
Modbus
DNP3
Bro IDS parses Modbus and DNP3 packets, ELSA consolidates Bro logs
IDS GUIs
Alerts in Sguil of scanning activity
Syslog
Syslog can be configured to send to a NSM sensor or detected in
network traffic if sent elsewhere. This is the Bro IDS Log for
Syslog from an RTU.
RTUs with Syslog
 SEL-3530 RTAC
 GE D20MX
 Novatech OrionLX
 Cooper SMP 16
If not…require syslog and other logs in the ICS
procurement language
NSM Tools for the 7 Data Types
Security Onion Linux distribution
– Easy to install and lots of documentation
 Full packet capture –
Tcpdump/Wireshark/NetworkMiner
 Extracted content – Xplico/NetworkMiner
 Session data – Bro/FlowBAT
 Transaction data – Bro
 Statistical data – Capinfos/Wireshark
 Metadata – ELSA (Whois)
 Alert data – Snort, Suricata, Sguil, Snorby
Peel Back the Layers of Your Network
Security Onion Tools
NetFlow Tools
SiLK & FlowBAT
 Install on Security Onion with 2 scripts
 www.flowbat.com
Security Onion Implementation
 Test in a lab first
 Select suitable hardware platform
 More RAM is better
 Bigger hard drive is better (longer retention)
 Mirrored/SPAN port on router/switch or a good
network tap
 Select proper placement of SO sensor
 The Practice of Network Security Monitoring
 Applied Network Security Monitoring
 Work with the right stakeholders if placing in
production
Security Onion Implementation
I installed SO on an industrially hardened box
 SEL-3355
 16GB RAM
 1TB SSD
Other boxes out there suitable for NSM sensor
for industrial environments
Security Onion Implementation
SO for ICS = Security Ogre
 The Cuckoo’s Egg by Cliff Stoll
https://www.youtube.com/watch?v=EcKxaq1FTac
1-hour NOVA Special (1990)
 The Practice of Network Security Monitoring
by Richard Bejtlich
http://www.nostarch.com/nsm
 Applied Network Security Monitoring
by Chris Sanders & Jason Smith
http://www.appliednsm.com/
 The NSM Wiki http://nsmwiki.org
 http://securityonion.net
NSM References/Resources
Takeaways
You can implement NSM in ICS
today – without impacting your
operations
There are free tools available to
help you start looking at your ICS
and hunting for evil
People…
…the most important part of NSM!
 Gigabytes of data and 1000s of
IDS alerts are useless without
interpretation
 Analyze data collected to understand
what’s normal – and what’s not
 Identify adversary TTPs and act to disrupt them
Remember
Adversaries are a “Who”, not a “What”
Greets
@ICS_Village – GO THERE!
@dougburks & @securityonion team
@chrissanders88 & @automayt
@taosecurity
@robertmlee for also banging the “NSM for ICS" drum
@dan_scali & @robac3
My ICS peeps, SCADAbrothers, & SCADAsisters
My love, @shannonsistrunk
Find Evil
chris.sistrunk@mandiant.com
@chrissistrunk

More Related Content

What's hot

BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP CertificationSam Bowne
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
Siem ppt
Siem pptSiem ppt
Siem pptkmehul
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCPriyanka Aash
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 

What's hot (20)

BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
ICS security
ICS securityICS security
ICS security
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP Certification
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat hunting
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Siem ppt
Siem pptSiem ppt
Siem ppt
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Viewers also liked

Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinthchrissanders88
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Securitychrissanders88
 
Error Propagation Effect of AES and Techniques to ward off the problem
Error Propagation Effect of AES and Techniques to ward off the problemError Propagation Effect of AES and Techniques to ward off the problem
Error Propagation Effect of AES and Techniques to ward off the problemBikramjit Sarkar, Ph.D.
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3William Lee
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security AwarenessDigit Oktavianto
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
 
Как сдать IELTS на 8.5?
Как сдать IELTS на 8.5?Как сдать IELTS на 8.5?
Как сдать IELTS на 8.5?MBA Consult
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTAshley Deuble
 
BriMor Labs Live Response Collection
BriMor Labs Live Response CollectionBriMor Labs Live Response Collection
BriMor Labs Live Response CollectionBriMorLabs
 
Security Onion Conference - 2015
Security Onion Conference - 2015Security Onion Conference - 2015
Security Onion Conference - 2015DefensiveDepth
 

Viewers also liked (20)

Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Security
 
Error Propagation Effect of AES and Techniques to ward off the problem
Error Propagation Effect of AES and Techniques to ward off the problemError Propagation Effect of AES and Techniques to ward off the problem
Error Propagation Effect of AES and Techniques to ward off the problem
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security Awareness
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using Bro
 
Как сдать IELTS на 8.5?
Как сдать IELTS на 8.5?Как сдать IELTS на 8.5?
Как сдать IELTS на 8.5?
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
 
Dolla Dolla Bump Key
Dolla Dolla Bump KeyDolla Dolla Bump Key
Dolla Dolla Bump Key
 
BriMor Labs Live Response Collection
BriMor Labs Live Response CollectionBriMor Labs Live Response Collection
BriMor Labs Live Response Collection
 
Security Onion Conference - 2015
Security Onion Conference - 2015Security Onion Conference - 2015
Security Onion Conference - 2015
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 

Similar to DEF CON 23 - NSM 101 for ICS

Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 -  Chris Sistrunk - nsm 101 for ics Defcon 23 -  Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Felipe Prado
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
謝續平
謝續平謝續平
謝續平9577601
 
A Tale of Software-Defined & Adaptive Security
A Tale of Software-Defined & Adaptive SecurityA Tale of Software-Defined & Adaptive Security
A Tale of Software-Defined & Adaptive SecuritySébastien Tandel
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Ollie Whitehouse
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solutionmatthew.maisel
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
Ch13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security DevicesCh13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security Devicesphanleson
 
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)sequi_inc
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security systemNadun Rajasinghe
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorEnergySec
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 

Similar to DEF CON 23 - NSM 101 for ICS (20)

Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 -  Chris Sistrunk - nsm 101 for ics Defcon 23 -  Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Day4
Day4Day4
Day4
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
謝續平
謝續平謝續平
謝續平
 
A Tale of Software-Defined & Adaptive Security
A Tale of Software-Defined & Adaptive SecurityA Tale of Software-Defined & Adaptive Security
A Tale of Software-Defined & Adaptive Security
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
Incident Response: SIEM
Incident Response: SIEMIncident Response: SIEM
Incident Response: SIEM
 
SIEM
SIEMSIEM
SIEM
 
Ch13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security DevicesCh13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security Devices
 
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy Sector
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 

More from Chris Sistrunk

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Chris Sistrunk
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookChris Sistrunk
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueChris Sistrunk
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeChris Sistrunk
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachChris Sistrunk
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridChris Sistrunk
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteChris Sistrunk
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisChris Sistrunk
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityChris Sistrunk
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 

More from Chris Sistrunk (11)

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next Decade
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - Keynote
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat Analysis
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS security
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

DEF CON 23 - NSM 101 for ICS

  • 2. About me Chris Sistrunk, PE Electrical Engineer Sr. ICS Security Consultant – Control system security assessments – ICS Village (DEF CON & RSA Conference) Entergy (11+ years) – SCADA Engineer (10 years) – Project Robus (ICS Protocol Fuzzing) • 30+ implementation vulnerabilities in DNP3 stacks – Substation Security Team BSidesJackson
  • 3.
  • 4. What happens when you use nmap or a fuzzer on an ICS?
  • 5. If ICS are so vulnerable, why haven’t we seen more attacks? We aren’t looking!
  • 7. Intent Very little ICS targeted attack data  Maroochy Shire to Stuxnet to German Steel Plant Why are targeted attacks different?  It’s a “Who” not a “What”  Professional, organized, well-funded  If you kick them out, they will return
  • 11. If your ICS gets hacked… gadgets water electricity you can’t make anymore
  • 12. Now what?  More Gov’t security regulations  ICS security still lagging  Breaches are inevitable  Attacks aren’t stopping  Every sector  Including ICS What can we do to get ahead of this???
  • 13. Network Security Monitoring “The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise.” - The Practice of Network Security Monitoring
  • 14. Network Security Monitoring Invented in 1990, still in use today Cliff Stoll “Stalking the Wily Hacker” 1988 Todd Herberlein et al. “A Network Security Monitor” 1990 US Air Force Defense Information Systems Agency Lawrence Livermore National Lab Early 1990s NetRanger RealSecure Snort and many others Late 1990s - early 2000s Formal definition of NSM 2002
  • 15. Before we start looking… We need  At least one person (to watch and hunt)  The right tools to collect and analyze the data
  • 16. The NSM Cycle Collection DetectionAnalysis  Model for action, based on network-derived data  Requires people and process, not just technology  Focuses on the adversary, not the vulnerability
  • 17. Methods of Monitoring  Network tap – physical device which relays a copy of packets to an NSM sensor  SPAN or mirrored ports – switch configuration which sends copies of packets to a separate port where NSM sensor can connect  Host NIC – configured to watch all network traffic flowing on its segment (usually on NSM sensor)  Serial port tap – physical device which relays serial traffic to another port, usually requires additional software to interpret data Fluke Networks Stratus Engineering
  • 18. Types of Data Collected  Full content data – unfiltered collection of packets  Extracted content – data streams, files, Web pages, etc.  Session data – conversation between nodes  Transaction data – requests and replies between nodes  Statistical data – description of traffic, such as protocol and volume  Metadata – aspects of data, e.g. who owns this IP address  Alert/log data – triggers from IDS tools, tracking user logins, etc.
  • 19. Difficulties for NSM  Encrypted networks  Widespread NAT  Devices moving between network segments  Extreme traffic volume  Privacy concerns
  • 20. Difficulties for NSM  Encrypted networks  Widespread NAT  Devices moving between network segments  Extreme traffic volume  Privacy concerns Issues that most ICS do not face!
  • 21. Example ICS Enterprise/IT DMZ Plant Control Web Historian or other DB DCS HistorianHMI PLCs, Controllers, RTUs, PACs
  • 22. Anatomy of an Attack 22 Over all Mandiant attack investigations, only a little more than half of victim computers have malware on them. While attackers often use malware to gain an initial foothold, they quickly move to other tactics to execute their attacks. Unauthorized Use of Valid Accounts Known & Unknown Malware Command & Control Activity Suspicious Network Traffic Files Accessed by Attackers Valid Programs Used for Evil Purposes Trace Evidence & Partial Files
  • 23. Attacker Objectives Attacker’s goals:  Damage equipment  Affect or steal process info  Cause safety or compliance issue  Pivot from vulnerable ICS to enterprise Attacker’s options:  Gain physical access to an ICS host  Gain remote access to an ICS host  Compromise a highly-privileged client machine with access to the ICS network Enterprise/IT Plant DMZ Control Web Historian or other DB SCADA HistorianHMI PLCs, Controllers, RTUs, PACs
  • 25. Let’s do some NSM! Inquisitive mind NSM collection tools NSM hunting tools Protection
  • 26. NSM Collection  Firewall Logs  Session Data  NIDS/HIDS Logs  Full packet capture  Windows Logs and syslog  SNMP (CPU % etc.)  Alerts from security agents (AV, whitelisting, etc.) Enterprise/ITEnterprise collectors Logs and/or Agent Network sensors Logs only Plant DMZ Control Web Historian or other DB SCADA HistorianHMI PLCs, Controllers, RTUs, PACs
  • 28. What are we looking for?  Exceptions from baseline (e.g. A talks to B but never C)  “Top Talkers”  Unexpected connectivity (to Internet, Business network)  Known malicious IPs and domains  Logins using default accounts  Error messages that could correlate to vulnerabilities  Unusual system and firewall log entries  Host-based IDS or other security system alerts  Unexpected file and firmware updates  Antivirus alerts  And others….
  • 29. NSM Detection & “Hunting” Analyst looks at detected anomalies or alerts then escalates to IR !  IDS alerts  Anomaly detection  Firmware updates, other commands  Login with default credentials  High CPU or network bandwidth  Door alarms when nobody is supposed to be working  Devices going off-line or behaving strangely Plant DMZ Control Web Historian or other DB SCADA HistorianHMI PLCs, Controllers, RTUs, PACs
  • 31. NSM Analysis Incident responders analyze the detected anomalies to find evil  Application exploitation  Third-party connections (ex. ICCP or vendor access)  ICS-specific communication protocol attacks (ex. Modbus, DNP3, Profinet, EtherNet/IP)  Remote access exploitation  Direct network access due to poor physical security  USB-delivered malware Plant DMZ Control Web Historian or other DB SCADA HistorianHMI PLCs, Controllers, RTUs, PACs
  • 36. Session Data “Top Talkers” FlowBAT characterizes Session Data, showing which nodes have the most traffic Web traffic Web traffic NetBios NTP SiLK and FlowBAT can be easily installed in Security Onion
  • 37. Pcap Analysis for anomalies NetworkMiner can find potential ARP spoofing (as well as many other indicators)
  • 38. Pcaps - Abnormal DNS Traffic NetworkMiner sees“strange” DNS requests originating from within the ICS
  • 39. IDS alerts - Abnormal DNS Traffic DNS requests shown in the Bro IDS log in ELSA
  • 40. Pcaps – Malformed Modbus Deep packet inspection of Modbus by Wireshark
  • 41. Pcaps – Custom Modbus Unknown Function Code 90 Schneider Modicon uses FC 90 to start/stop the PLC and other admin stuff Metasploit module does too! c
  • 42. IDS Logs  Bro IDS – DNP3 & Modbus – More ICS protocols being developed by UIUC  Snort IDS – DNP3 & Modbus preprocessors – ET SCADA & DigitalBond Quickdraw Snort rules  Suricata IDS – New DNP3 parser & ET SCADA rules
  • 43. IDS Logs Modbus DNP3 Bro IDS parses Modbus and DNP3 packets, ELSA consolidates Bro logs
  • 44. IDS GUIs Alerts in Sguil of scanning activity
  • 45. Syslog Syslog can be configured to send to a NSM sensor or detected in network traffic if sent elsewhere. This is the Bro IDS Log for Syslog from an RTU.
  • 46. RTUs with Syslog  SEL-3530 RTAC  GE D20MX  Novatech OrionLX  Cooper SMP 16 If not…require syslog and other logs in the ICS procurement language
  • 47. NSM Tools for the 7 Data Types Security Onion Linux distribution – Easy to install and lots of documentation  Full packet capture – Tcpdump/Wireshark/NetworkMiner  Extracted content – Xplico/NetworkMiner  Session data – Bro/FlowBAT  Transaction data – Bro  Statistical data – Capinfos/Wireshark  Metadata – ELSA (Whois)  Alert data – Snort, Suricata, Sguil, Snorby Peel Back the Layers of Your Network
  • 49. NetFlow Tools SiLK & FlowBAT  Install on Security Onion with 2 scripts  www.flowbat.com
  • 50. Security Onion Implementation  Test in a lab first  Select suitable hardware platform  More RAM is better  Bigger hard drive is better (longer retention)  Mirrored/SPAN port on router/switch or a good network tap  Select proper placement of SO sensor  The Practice of Network Security Monitoring  Applied Network Security Monitoring  Work with the right stakeholders if placing in production
  • 51. Security Onion Implementation I installed SO on an industrially hardened box  SEL-3355  16GB RAM  1TB SSD Other boxes out there suitable for NSM sensor for industrial environments
  • 53. SO for ICS = Security Ogre
  • 54.  The Cuckoo’s Egg by Cliff Stoll https://www.youtube.com/watch?v=EcKxaq1FTac 1-hour NOVA Special (1990)  The Practice of Network Security Monitoring by Richard Bejtlich http://www.nostarch.com/nsm  Applied Network Security Monitoring by Chris Sanders & Jason Smith http://www.appliednsm.com/  The NSM Wiki http://nsmwiki.org  http://securityonion.net NSM References/Resources
  • 55. Takeaways You can implement NSM in ICS today – without impacting your operations There are free tools available to help you start looking at your ICS and hunting for evil
  • 56. People… …the most important part of NSM!  Gigabytes of data and 1000s of IDS alerts are useless without interpretation  Analyze data collected to understand what’s normal – and what’s not  Identify adversary TTPs and act to disrupt them Remember Adversaries are a “Who”, not a “What”
  • 57. Greets @ICS_Village – GO THERE! @dougburks & @securityonion team @chrissanders88 & @automayt @taosecurity @robertmlee for also banging the “NSM for ICS" drum @dan_scali & @robac3 My ICS peeps, SCADAbrothers, & SCADAsisters My love, @shannonsistrunk