Defense Informs Offense Improves Defense: How to Compromise an ICS Network and How to Defend It

Presented at DeepSec 2018 „I like to mov &6974,%bx“

ICS attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. Seen from a defender's perspective, nothing could be further from the truth. Attacking, and potentially taking down, an ICS network requires little more than permutations of 'pen tester 101' actions combined with some knowledge of the environment and living off the land, and such an approach probably works best.

In this talk, we will walk through some concrete ICS attack examples to show just what is needed to breach and impact this environment. More importantly, using malware and data captured from recent attacks, specifically TRISIS and CRASHOVERRIDE, we'll see how the attackers 'messed up' their attacks and why a simpler, more direct approach to achieving offensive goals would not only have been more effective, but likely far more difficult for defenders to catch as well. To close, we'll explore what defensive measures can be applied, and are necessary, to detect and stop such attacks in their tracks.


Presenters:

  • Joe Slowik - Dragos
    Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other data available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to 'take the fight to the adversary' by applying forward-looking, active defense measures to constantly keep threat actors off balance. An important part of this strategy is understanding adversary techniques and actions: good defense requires knowing (and at times practicing) offense.
