
Stuxnet Lessons for Defenders

William Cheswick, cheswick.com, http://www.cheswick.com/ches

Monday, February 18, 13

I have never mounted a sophisticated cyber attack, nor have I been cleared for official training. The observations here come from twenty years of evil thoughts and pondering offensive cyber activities.

“Security people are paid to think bad thoughts”
- Bob Morris

Goals

- Espionage
- Damage
- Loss of confidence
- False flag operations

Damage

- Soft damage
  - Can be very subtle, and disrupt operations for years.
- Hard damage
  - best if replacement equipment is scarce
  - massive attack can overwhelm supply chains
  - It is also much harder to do

Soft Damage

- Erasing or changing data
- Subverting or destroying backups.
- Make operators take the wrong action
- Perhaps convince management that the project is not worthwhile

Hard Damage

- Destroying hardware
  - disk crashes?
  - Flash has a limited number of writes
- Damage or destroy equipment
  - Take out a dam, blow transformers, etc.

“Gremlin attack”

- Reduce confidence in the venture
- Make them reject certain approaches
- “Cursing” a technique, certain equipment, or people

False flag operations

- Attribution is the major problem in information warfare these days
- Make it look like someone else is doing something bad

Exploits

- Day 0 exploits are rare, expensive, and have a shelf life
- Standard attacks still work
  - Crypto
  - BBB
  - “social engineering”, i.e. spy techniques

Gain access

- software hacks
  - day 0 exploits
    - expensive, single use, has a shelf life
  - well-known exploits on old software (which is common)
- email/web injection
- USB sticks

Mapping

- people
- network
- devices
- software

People

- network administrators
- key engineers/scientists

Network

- the Official Map
- ping/traceroute
- SNMP dumps
- reverse DNS
- passive packet monitoring
- activity of people (see above)

Devices

- industrial controllers
- network gear
- client hosts
- misc. devices
- often not updated

Feedback

- Operational progress, i.e. debugging
- Espionage

Exfiltrating Data

- To the Internet
  - VPNs
  - stego: TCP headers, web requests, email, etc.
  - Depends on the volume, which can be huge
- Over the cell network
- USB sticks/laptops/cell phones?
  - strip search on your way out?

Attacker’s concerns

- Getting noticed
- Getting caught
- Expending exploits
- Misleading information
  - the double agent problem
- Wasting time and money

Attacker’s concerns

- Controlling exponential growth
  - Morris worm
  - Stuxnet got away, after a while

We know these attacks are real, and we know that you don’t have to be separating uranium isotopes to be worth all this effort.

You may well be a target

- Attacks, even APT attacks, are relatively cheap
- There is virtually no downside for the attackers

There are weak points in these attacks

- Discovery phase can create brief signatures on the network and in hosts.
- Secret honeypots and sentinels can force attackers to show their hand
- Deception toolkits

Some thoughts

- Require deep monitoring of your own people
- Data exfiltration could be detectable
- Boot from clean operating system sources

Network monitoring

- Detect all SNMP activity
- Low TTL packets are highly suspect (traceroute of any kind)
- Any unusual net activity
- High-entropy packets and flows
- Day 0 backups for comparisons
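As an added example (not from the slides or Cheswick's own tooling), a small Python pass over constructed packet records that flags three of the signals named above: any SNMP activity, low-TTL packets of the kind traceroute produces, and high-entropy payloads that look encrypted or packed. The thresholds LOW_TTL_MAX, HIGH_ENTROPY_BITS and MIN_PAYLOAD are assumptions a defender would tune for their own network.

```python
# Added example (not from the slides): flag packet records for the signals the
# slide names. Thresholds are assumptions a defender would tune per network.
import math
from collections import Counter

SNMP_PORTS = {161, 162}
LOW_TTL_MAX = 5          # assumption: legitimate traffic rarely arrives with TTL <= 5
HIGH_ENTROPY_BITS = 7.0  # assumption: >= 7 bits/byte looks encrypted or compressed
MIN_PAYLOAD = 64         # entropy of tiny payloads is noisy, so skip them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of Shannon entropy: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_packet(pkt: dict) -> list:
    """Return the heuristic reasons this packet record is suspect (empty if none)."""
    reasons = []
    if pkt["proto"] == "udp" and {pkt["sport"], pkt["dport"]} & SNMP_PORTS:
        reasons.append("snmp")            # any SNMP, as the slide says, not just failures
    if pkt["ttl"] <= LOW_TTL_MAX:
        reasons.append("low-ttl")         # traceroute-style probing of the topology
    payload = pkt.get("payload", b"")
    if len(payload) >= MIN_PAYLOAD and shannon_entropy(payload) >= HIGH_ENTROPY_BITS:
        reasons.append("high-entropy")    # possible encrypted or packed exfiltration
    return reasons


def scan(packets: list) -> dict:
    """Map packet index -> reasons, keeping only the packets that were flagged."""
    return {i: r for i, p in enumerate(packets) if (r := flag_packet(p))}


# Constructed sample records (not captured traffic): an SNMP GET with community
# "public", a traceroute-style probe, an encrypted-looking flow, and a plain
# intranet HTTP request that should not be flagged.
SAMPLE_PACKETS = [
    {"proto": "udp", "sport": 40000, "dport": 161, "ttl": 64,
     "payload": b"\x30\x26\x02\x01\x00\x04\x06public"},
    {"proto": "udp", "sport": 33434, "dport": 33434, "ttl": 1, "payload": b"\x00" * 32},
    {"proto": "tcp", "sport": 50000, "dport": 443, "ttl": 64, "payload": bytes(range(256))},
    {"proto": "tcp", "sport": 50001, "dport": 80, "ttl": 64,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"},
]
```

Run scan(SAMPLE_PACKETS) to see which records trip which heuristic; in practice the records would come from a passive capture, and the entropy test is a first-pass filter that still needs a baseline of what normal flows on that network look like.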

Network topography

- Internet gateway? Really?
- Bulkheads and enclaves.
