Slide 1: Stuxnet Lessons for Defenders

William Cheswick
cheswick.com
http://www.cheswick.com/ches

Monday, February 18, 13

Slide 2

▶ I have never mounted a sophisticated cyber attack, nor have I been cleared for official training. The observations here come from twenty years of evil thoughts and pondering offensive cyber activities.

Slide 3

▶ “Security people are paid to think bad thoughts”
▶ - Bob Morris

Slide 4: Goals

▶ Espionage
▶ Damage
▶ Loss of confidence
▶ False flag operations

Slide 5: Damage

▶ Soft damage
  Can be very subtle, and disrupt operations for years.
▶ Hard damage
  Best if replacement equipment is scarce
  Massive attack can overwhelm supply chains
  It is also much harder to do

Slide 6: Soft Damage

▶ Erasing or changing data
  Subverting or destroying backups.
▶ Make operators take the wrong action
  Perhaps convince management that the project is not worthwhile

Slide 7: Hard Damage

▶ Destroying hardware
  Disk crashes?
  Flash has a limited number of writes
▶ Damage or destroy equipment
  Take out a dam, blow transformers, etc.

Slide 8: “Gremlin attack”

▶ Reduce confidence in the venture
▶ Make them reject certain approaches
▶ “Cursing” a technique, certain equipment, or people

Slide 9: False flag operations

▶ Attribution is the major problem in information warfare these days
▶ Make it look like someone else is doing something bad

Slide 10: Exploits

▶ Day 0 exploits are rare, expensive, and have a shelf life
▶ Standard attacks still work
  Crypto
  BBB
  “social engineering” i.e. spy techniques

Slide 11: Gain access

▶ Software hacks
  Day 0 exploits: expensive, single use, has a shelf life
  Well-known exploits on old software (which is common)
▶ Email/web injection
▶ USB sticks

Slide 12: Mapping

▶ People
▶ Network
▶ Devices
▶ Software

Slide 13: People

▶ Network administrators
▶ Key engineers/scientists

Slide 14: Network

▶ The Official Map
▶ ping/traceroute
▶ SNMP dumps
▶ Reverse DNS
▶ Passive packet monitoring
▶ Activity of people (see above)

Slide 15: Devices

▶ Industrial controllers
▶ Network gear
▶ Client hosts
▶ Misc. devices
  Often not updated

Slide 16: Feedback

▶ Operational progress, i.e. debugging
▶ Espionage

Slide 17: Exfiltrating Data

▶ To the Internet
  VPNs
  Stego: TCP headers, web requests, email, etc.
  Depends on the volume, which can be huge
▶ Over the cell network
▶ USB sticks/laptops/cell phones?
  Strip search on your way out?

Slide 18: Attacker’s concerns

▶ Getting noticed
▶ Getting caught
▶ Expending exploits
▶ Misleading information
  The double agent problem
▶ Wasting time and money

Slide 19: Attacker’s concerns

▶ Controlling exponential growth
  Morris worm
  Stuxnet got away, after a while

Slide 20

▶ We know these attacks are real, and we know that you don’t have to be separating uranium isotopes to be worth all this effort.

Slide 21: You may well be a target

▶ Attacks, even APT attacks, are relatively cheap
▶ There is virtually no downside for the attackers

Slide 22: There are weak points in these attacks

▶ Discovery phase can create brief signatures on the network and in hosts.
▶ Secret honeypots and sentinels can force attackers to show their hand
▶ Deception toolkits

Slide 23: Some thoughts

▶ Require deep monitoring of your own people
▶ Data exfiltration could be detectable
▶ Boot from clean operating system sources

Slide 24: Network monitoring

▶ Detect all SNMP activity
▶ Low TTL packets are highly suspect (traceroute of any kind)
▶ Any unusual net activity
▶ High-entropy packets and flows
▶ Day 0 backups for comparisons
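The monitoring points on this slide, together with the "sentinels" idea from slide 22, as an added example that is not from the talk or from the author: a small classifier run over constructed packet summaries. Every address, port list, threshold and the day-0 baseline below are assumptions chosen for illustration; the checks flag SNMP traffic, packets arriving with a low TTL (as traceroute probes do), payloads whose byte entropy looks like encrypted or compressed data, any packet aimed at a decoy host that no legitimate system should ever talk to, and any flow absent from a baseline taken while the network was believed clean.

```python
import math
from collections import namedtuple

# Constructed packet summaries (not real captures): src, dst, protocol,
# destination port, TTL as observed at the monitor, and the payload bytes.
Packet = namedtuple("Packet", "src dst proto dport ttl payload")

# Hypothetical day-0 baseline: flows recorded when the network was believed
# clean ("Day 0 backups for comparisons"). Anything outside it is new.
BASELINE = {
    ("10.1.0.5", "10.1.0.20", "tcp", 22),    # admin SSH
    ("10.1.0.5", "10.1.0.21", "tcp", 502),   # Modbus to a PLC, normal here
}

# Hypothetical sentinel/decoy addresses: nothing legitimate ever talks to them.
SENTINELS = {"10.1.0.250"}

SNMP_PORTS = {161, 162}     # SNMP agent and trap ports
LOW_TTL = 8                 # assumption: tune per network; normal hosts start at 64/128/255
ENTROPY_THRESHOLD = 7.0     # bits per byte; random-looking data approaches 8.0
MIN_ENTROPY_LEN = 128       # short payloads cannot reach high entropy, skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a payload in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(pkt, baseline=BASELINE, sentinels=SENTINELS):
    """Return the list of reasons this packet deserves a look (empty if none)."""
    reasons = []
    if pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        reasons.append("snmp")                 # "Detect all SNMP activity"
    if pkt.ttl <= LOW_TTL:
        reasons.append("low-ttl")              # traceroute-style probe
    if len(pkt.payload) >= MIN_ENTROPY_LEN and shannon_entropy(pkt.payload) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")         # encrypted/compressed-looking data
    if pkt.dst in sentinels:
        reasons.append("sentinel-hit")         # decoy touched: attacker showed their hand
    if (pkt.src, pkt.dst, pkt.proto, pkt.dport) not in baseline:
        reasons.append("not-in-baseline")      # flow never seen on day 0
    return reasons


def scan(packets, baseline=BASELINE, sentinels=SENTINELS):
    """Run classify() over a packet list and keep only the flagged ones."""
    results = []
    for p in packets:
        reasons = classify(p, baseline, sentinels)
        if reasons:
            results.append((p.src, p.dst, p.proto, p.dport, reasons))
    return results


# Constructed sample traffic: one normal flow, then four suspicious ones.
SAMPLE = [
    Packet("10.1.0.5", "10.1.0.20", "tcp", 22, 64, b"SSH-2.0-OpenSSH"),
    Packet("10.1.0.99", "10.1.0.30", "udp", 161, 64, b"\x30\x26\x02\x01\x00"),
    Packet("10.1.0.99", "10.1.0.31", "udp", 33434, 3, b"probe"),
    Packet("10.1.0.5", "10.1.0.21", "tcp", 502, 64, bytes(range(256))),
    Packet("10.1.0.99", "10.1.0.250", "tcp", 445, 64, b""),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The baseline check is deliberately last: it is the noisiest rule, and on a real network it only works when the day-0 capture really was taken before anything got in, which is the point of the slide's "backups for comparisons".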

Slide 25: Network topography

▶ Internet gateway? Really?
▶ Bulkheads and enclaves.
