Mind the Gap, Bro: Using Network Monitoring to Overcome Lack of Host Visibility in ICS Environments

Presented at TROOPERS18 (2018), March 15, 2018, 2:30 p.m. (Unknown duration)

Defenders often find themselves in a position where visibility is either not ideal, or even nonexistent - especially for host artifacts. Using the example of ICS environments, this talk will provide a case study of how network visibility via Bro can be leveraged to gain proxy visibility on the host, with a special emphasis on YARA for file analysis.

Defenders often need to deal with networks where acquiring desired visibility - especially to the host - is difficult or impossible. From my background, this is certainly the case for many types of Industrial Control Systems, where software is old and logging is poor (or even non-existent). While host visibility is dreadful, network visibility is often quite good: sensors are frequently deployed and encryption is rare. Leveraging this set of circumstances, I was able to overcome the ‘visibility gap' at the host by deploying Bro, enabling file carving, and using YARA to identify items of interest or concern. While not perfect, this is a significant increase in visibility than previously, allowing for review and analysis of content while en route to host with far more fidelity than Snort (or Bro) signatures. With modifications, the same approach could be applied to other, similar environments to enhance situational awareness and enable defenders.

In addition to providing the theoretical and practical underpinnings of this project, I will illustrate how this model is actually implemented, including examples. The goal for attendees is to walk away with an additional tool - really made up of existing, already present capabilities - to solve otherwise intractable security monitoring problems. Finally, given that the capabilities in question are all open source projects, this talk will be completely vendor agnostic, and provide a solution possible in environments with even very limited budgets.


  • Joe Slowik
    Joe Slowik is currently an adversary hunter for Dragos: finding, tracking, and defeating ICS threats is both his job and his passion. Prior to that, Joe ran the incident response team at Los Alamos National Laboratory, where he transitioned the organization from passive alert monitoring to active hunting operations. Joe got his start in ‘cyber' thanks to the Navy telling him to work on computers instead of riding submarines - and he has been moving ever further away from government work since.


Similar Presentations: