Presented at ToorCon San Diego 20 (2018)
Sept. 15, 2018, 4 p.m.
ICS attacks are increasingly in the spotlight, yet significant misconceptions exist as to how these attacks are executed. Most research, presentations, and news items focus on the final element of what are prolonged, multi-step attacks: the disruptive ICS malware itself. A better, more complete understanding of such attacks embraces the entire attack sequence – from initial intrusion through ICS compromise to final attack delivery – to identify the multiple methods adversaries use to gain access to critical network resources, and the multiple places where defenders can stop such attacks in their tracks. This discussion takes the two most recent high-profile disruptive ICS events – CRASHOVERRIDE and TRISIS – and examines how each represents the culmination of a long chain of adversary actions, with multiple potential points for detection and mitigation, rather than a sudden “bolt from the blue” against which defenders have no recourse. Attendees will leave with a better understanding of what is required to execute an ICS attack from start to finish, as well as a greater appreciation of what defenders can do to halt such efforts.
2017 was a landmark year for Industrial Control System (ICS) security: the first malware built to target the electric grid was identified (CRASHOVERRIDE), and the first infection event tailored to a Safety Instrumented System (SIS) was revealed (TRISIS). While these events appear dissimilar in terms of targeting and technology, closer analysis identifies multiple points of similarity. By examining these events in detail, defenders can learn how future ICS-focused attacks are likely to develop, and orient their defenses accordingly.
CRASHOVERRIDE and TRISIS targeted different environments (the electric grid and an SIS) in geographically distant regions (Ukraine and Saudi Arabia). Beyond these high-level differences, the two attacks shared a number of elements: the capability to reverse-engineer the relevant ICS software in order to develop an attack package; the ability to penetrate the IT network and navigate from it into the ICS network to deliver the attack; and the flexibility to build modular frameworks for malware delivery. Additionally, both groups relied on ‘living off the land’ intrusion techniques – legitimate system tools, commands, and credentials – to penetrate and move laterally through the ICS network before switching to bespoke malware for the final stage. These elements indicate an emerging pattern in ICS intrusions. By focusing on these common – and in some cases required – elements, defenders can begin to formulate responses that anticipate future developments in ICS attacks.
Looking beyond CRASHOVERRIDE and TRISIS, several lessons stand out: defenders must understand their own ICS environment well enough to recognize malicious use of ICS functionality, and must build detection and response that covers malicious use of legitimate system commands, not only known-bad malware. ICS defenders can expect future variants of these attacks to reuse much of the same underlying tactics, techniques, and procedures. Combined with the recent surge in wormable, credential-theft-focused malware (e.g., OlympicDestroyer), this opens further possibilities for automating ICS intrusion and attack events. Based on the lessons from these headline incidents, defenders can prepare for, and potentially prevent, the next significant ICS attack.
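As an added illustration of the second lesson (this is example code written for this page, not material from the talk or from Dragos), the following Python snippet applies detection to the kind of ‘living off the land’ lateral movement described above. It parses constructed Sysmon-style process-creation events, flags the common remote-execution patterns built from legitimate Windows tools (net use to an administrative share, PsExec, WMIC process call create, remote sc, remote schtasks), and then goes one step beyond per-event matching: it raises an alert only when a single source host and account chain several of these techniques, or reach several targets, within a short time window. That correlation is what separates an intrusion from an administrator doing routine work. The hosts, users, commands, field names, rule names and thresholds are all invented for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Sysmon Event ID 1 style, simplified to JSON lines).
# Hosts, accounts, paths and commands are invented for this example.
SAMPLE_LOG = r"""
{"ts": "2018-09-01T02:10:05", "host": "ENG-WS-01", "user": "PLANT\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use \\\\HMI-02\\ADMIN$ /user:PLANT\\svc_backup Summer2018!"}
{"ts": "2018-09-01T02:11:40", "host": "ENG-WS-01", "user": "PLANT\\jdoe", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\HMI-02 -accepteula -s cmd.exe /c whoami"}
{"ts": "2018-09-01T02:14:12", "host": "ENG-WS-01", "user": "PLANT\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic /node:HIST-01 /user:PLANT\\svc_backup process call create \"cmd.exe /c tasklist\""}
{"ts": "2018-09-01T02:15:30", "host": "ENG-WS-01", "user": "PLANT\\jdoe", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc \\\\HIST-01 create upd binPath= C:\\Windows\\Temp\\upd.exe start= auto"}
{"ts": "2018-09-01T09:02:00", "host": "IT-WS-17", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\FILESRV\\share"}
{"ts": "2018-09-01T09:05:00", "host": "ENG-WS-03", "user": "PLANT\\bob", "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /svc"}
"""

# Each rule: a name (invented here) and a regex whose "target" group captures the
# remote host. Every pattern is a legitimate admin tool; the signal is remote use.
RULES = [
    ("psexec_remote_exec",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\s+\\\\(?P<target>[\w.-]+)", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\s.*?/node:\"?(?P<target>[\w.-]+)\"?.*?\bprocess\s+call\s+create\b", re.I)),
    ("net_use_admin_share",
     re.compile(r"\bnet1?(?:\.exe)?\s+use\s+(?:[a-z]:\s+)?\\\\(?P<target>[\w.-]+)\\(?:admin\$|c\$|ipc\$)", re.I)),
    ("sc_remote_service",
     re.compile(r"\bsc(?:\.exe)?\s+\\\\(?P<target>[\w.-]+)\s+(?:create|start|config|stop|delete)\b", re.I)),
    ("schtasks_remote",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*?\s/s\s+(?P<target>[\w.-]+)", re.I)),
]


def parse_events(log_text):
    """Parse JSON-lines process-creation events; timestamps become datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def match_rules(event):
    """Return [(rule_name, TARGET_HOST), ...] for every remote-execution pattern in the command line."""
    hits = []
    for name, rx in RULES:
        m = rx.search(event["cmdline"])
        if m:
            hits.append((name, m.group("target").upper()))
    return hits


def find_lateral_movement(events, window=timedelta(minutes=30), min_techniques=2):
    """Correlate per (source host, user): alert when at least `min_techniques`
    distinct techniques, or at least two distinct targets, occur inside `window`.
    One alert per actor, anchored on the earliest hit that opens a qualifying window."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, target in match_rules(ev):
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], name, target))

    alerts = []
    for (host, user), hits in by_actor.items():
        for t0, _, _ in hits:
            in_win = [h for h in hits if t0 <= h[0] <= t0 + window]
            techniques = {h[1] for h in in_win}
            targets = {h[2] for h in in_win}
            if len(techniques) >= min_techniques or len(targets) >= 2:
                alerts.append({
                    "source": host,
                    "user": user,
                    "first_seen": t0.isoformat(),
                    "techniques": sorted(techniques),
                    "targets": sorted(targets),
                })
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_lateral_movement(evs):
        print(json.dumps(alert, indent=2))
```

On the sample above, only the ENG-WS-01 / PLANT\jdoe activity produces an alert: four distinct techniques against two hosts (HMI-02 and HIST-01) in under six minutes. The single net use to a normal file share on IT-WS-17 matches no rule, and a lone PsExec or WMIC call would match a rule but never reach the correlation threshold on its own. In a real deployment the rule set, window and thresholds would be tuned against a baseline of the plant's own legitimate administrative traffic, which is exactly the "understand your own ICS environment" lesson the talk draws.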
Joe Slowik is an avid Blue Teamer and Threat Hunter, currently fighting ICS threats with Dragos.
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to ‘take the fight to the adversary’ by applying forward-looking, active defense measures to constantly keep threat actors off balance.