Behavior-Based Defense in ICS

DragosInc 411 views 16 slides Nov 26, 2018

About This Presentation

Dragos Adversary Hunter Joe Slowik presents on Behavior-Based Defense in ICS at the 13th annual API conference in Houston, TX. This presentation discusses how identifying adversary behaviors and their common requirements and behaviors can help network defenders prepare for future events--exemplifyin...


Slide Content

Behavior-Based Defense in ICS
Joe Slowik
Dragos Inc

WHOAMI
Joe Slowik, Adversary Hunter at Dragos
•Threat intelligence and threat hunting for ICS evil
•Former:
  •Incident Response at Los Alamos National Laboratory
  •US Navy Information Warfare Officer

ICS-Focused Malware
•STUXNET
•HAVEX
•BLACKENERGY2
•CRASHOVERRIDE
•TRISIS
ICS Disruptive Events
•2005-2010 (?): STUXNET
•2014: German Steel Mill Attack
•2015: Ukraine, BLACKENERGY3
•2016: Ukraine, CRASHOVERRIDE
•2017: Saudi Arabia, TRISIS
Disruptive/Destructive Malware
•STUXNET
•CRASHOVERRIDE
•TRISIS

More Aggressive Attacks -> Greater Risk Tolerance -> Pursuit of Physical PCN Attacks -> Heightened Danger to Companies

Number of Events
•Overall interest increasing
•Number of “major”, disruptive events remains small
Attack Severity
•Increasing severity of attacks as more disruptive events discovered
•Majority of attacks are “minor” in nature and amount of access and info gathering
Attack Specificity
•Major events are finely-tuned to target environment
•Little scope to apply direct observables to other environments
Scope for Learning
•Defense is traditionally reactive, focus on learning from past events
•But if number of events is small, few items to learn from

PHASE 1 - IT / PHASE 2 - ICS

PHASE 1 - IT / PHASE 2 - ICS

Past Activity Required to Inform Defense
•Baseline for defense
•Need to learn from something
Insufficient ICS-Specific Events to Build Robust Defense
•ICS-disruptive events rare
•Scope for learning remains small
Identify Alternative Scenarios Applicable to ICS
•Focus on entire kill chain
•Mine other intrusion data to identify ICS trends

Wormable Malware
Credential Theft & Re-use
“Living off the Land”
Wipers

PHASE 1 - IT / PHASE 2 - ICS

IT Attack Trends + ICS Threat Surface -> Items for Analysis

Identify Behaviors of Interest
Determine Adversary Means to Achieve Objectives
Determine Visibility on Adversary Actions
Build Detections around Results

Adversary-Focused
•Attacker actions and objectives guide defense
•Orient defense towards offensive action
Behaviors over Indicators
•Indicators are specific examples of behavior
•Indicators are “brittle”
•Behaviors are fundamental means of operating
Behavior-Targeting
•Targeting behaviors ensures robust defense
•IOCs may change, but fundamental behaviors are requirements
Design Tools and Visibility toward Defense
•What tools and telemetry are required to grasp adversary behaviors?
•Guide procurement and investment toward these tools
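An added example, not from the deck, that puts the "brittle indicator versus behavior" point into code: the same credential re-use behavior (one account logging on to several ICS hosts from one workstation in a short window) is run twice over constructed logon records, once with a tool whose hash is on an indicator list and once with a rebuilt tool. The record layout, host names and hash strings are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): normalized network logon records as
# (timestamp, account, source host, destination host, hash of the tool used).
# Campaign A uses a tool whose hash is on an indicator list; campaign B is the
# same behavior with a rebuilt tool whose hash is not known in advance.
EVENTS = [
    ("2018-11-26T10:00:00", "svc_hist", "ENG-WS01", "HIST-01", "hash-known-bad"),
    ("2018-11-26T10:02:00", "svc_hist", "ENG-WS01", "HMI-02", "hash-known-bad"),
    ("2018-11-26T10:04:00", "svc_hist", "ENG-WS01", "EWS-01", "hash-known-bad"),
    ("2018-11-26T13:00:00", "svc_hist", "ENG-WS07", "HIST-01", "hash-rebuilt"),
    ("2018-11-26T13:03:00", "svc_hist", "ENG-WS07", "HMI-02", "hash-rebuilt"),
    ("2018-11-26T13:05:00", "svc_hist", "ENG-WS07", "EWS-01", "hash-rebuilt"),
    ("2018-11-26T09:00:00", "operator1", "HMI-02", "HIST-01", "hash-benign"),
    ("2018-11-26T15:00:00", "operator1", "HMI-02", "HIST-01", "hash-benign"),
]
KNOWN_BAD_HASHES = {"hash-known-bad"}  # the "brittle" indicator


def indicator_hits(events, known_bad):
    """Indicator-based detection: fires only when the tool hash is on the list."""
    return [e for e in events if e[4] in known_bad]


def credential_reuse(events, window=timedelta(minutes=15), min_hosts=3):
    """Behavior-based detection: one account, from one source host, reaching
    at least `min_hosts` distinct destinations within `window`, regardless of
    which tool produced the logons. Returns {(account, source): [hosts]}."""
    sessions = defaultdict(list)
    for ts, account, src, dst, _ in events:
        sessions[(account, src)].append((datetime.fromisoformat(ts), dst))
    findings = {}
    for key, logons in sessions.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over time
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings[key] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    # Indicator matching catches only campaign A (3 records); the behavior
    # check flags both campaigns and ignores the operator's routine logons.
    print(len(indicator_hits(EVENTS, KNOWN_BAD_HASHES)), "indicator hits")
    for (account, src), hosts in credential_reuse(EVENTS).items():
        print(f"{account} from {src} reached {hosts}")
```

The behavior check is also what drives the "visibility" question on this slide: it needs network logon telemetry from the ICS hosts, whereas the hash list needs an endpoint agent on every host plus an up-to-date feed.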

Identify Required Adversary Behaviors
Determine Necessary Visibility to Detect Adversary Actions
Align Defense and Monitoring to Requirements
Train and Educate Security Personnel on Threat Environment
Emphasize Root Cause Analysis when Systems Fail

Identify Common Requirements and Behaviors
Build Detection and Visibility on Behavior Implementations
Implement Alerts and Responses

QUESTIONS?
Contact Information:
[email protected] / [email protected]
•@jfslowik