Threat_actors_and_vectors_with_whiiteandblack_boxtesting.pptx

gagandeepsinfosec 18 views 17 slides Jun 04, 2024

About This Presentation

Threat Vectors


Slide Content

Unit 2 and 3 CMPC 403

Black Box Testing vs White Box Testing

White box:
- Assessment intent: identifies security vulnerabilities, not exploit capabilities.
- Information disclosure: the asset owner needs to provide significant information for a successful test.
- Potential false positives: may include false positives.
- Comprehensive view: offers a thorough look at vulnerabilities and risks.

Black box:
- Realistic representation: shows the system as attackers see it.
- Intellectual property protection: protects the asset owner's intellectual property.
- Incomplete risk exposure: does not cover all risks.

Data Collection
- Documentation validation: validation of documentation and characterization of system assets are crucial.
- Familiarization for rapid identification: assessors become more familiar with the systems so they can rapidly identify critical physical and logical assets.
- Online sources: online sources are vital for identifying all devices connected to the industrial network, updating documentation, and uncovering hidden devices.
- Identification of communication ports: online data collection helps accurately identify open communication ports and running applications/services.
- Scanning tools: various scanning tools are available, but they should be used cautiously because of their potentially catastrophic effects on ICS components.
- Active vs. passive tools: active scanners, although highly automated, can be risky and are recommended only for offline environments or during manufacturing outages. Passive tools pose minimal threat and are safer for ICS.
- Offline resources: extensive information can be obtained from offline resources such as technical documentation, system configuration data, and prior assessments, which can improve the outcome of security testing.

Device Scanners
- Network Mapper (nmap): a popular device scanner offering host discovery, service detection, operating system identification, and scripting.
- Ping and ICMP limitations: ping commands rely on ICMP and may be inaccurate because host-based applications block it and security appliances restrict it.
- ARP-based tools: tools like arping and arp-scan use ARP traffic to identify hosts, even across security perimeters.
- nmap limitations: while nmap provides a view similar to an attacker's, it is inadequate for identifying system assets accurately because its data collection is network-based.
- netstat utility: netstat displays host-based network features, including active connections, communication ports, and routing tables, making it valuable for identifying running applications and services without impacting network communication.

Scanners
Vulnerability scanners:
- Various open-source (e.g., OpenVAS) and commercial (e.g., Tenable Nessus, QualysGuard) vulnerability scanners are available.
- They identify vulnerabilities by comparing hosts against databases of known vulnerabilities, but their effectiveness can vary.
- Choosing a tool capable of recognizing ICS components is crucial for vulnerability assessment in industrial networks.
- Features often include device scanning before the actual vulnerability analysis, and the tools can integrate with other scanners for efficiency.
Traffic scanners:
- These tools collect raw network packets for analysis, including host identification, data flows, and firewall rule set creation.
- Basic forms include tcpdump for Linux and windump for Windows.
- Wireshark is commonly used for traffic analysis but is not recommended for raw packet collection because of security and performance issues.
- Wireshark uses protocol dissectors to visualize OSI layer protocols, including industrial protocols such as Modbus and PROFINET.
- Microsoft Message Analyzer, the successor to Microsoft Network Monitor, offers capture and visualization features for network analysis and supports trace files from tools like Wireshark and tcpdump.

Host Identification
"Quiet"/"friendly" scanning techniques:
- Examples demonstrate the use of the arping and arp-scan commands for sending ARP requests to identify hosts.
- The tcpdump command is used for packet capture without resolving addresses to hostnames.
- An example illustrates tcpdump capturing traffic for a specific IP destination address and communication port, highlighting the need for appropriate filtering.
"Noisy"/"dangerous" scanning techniques:
- Examples involve nmap for a ping sweep and SYN scan of a subnet, and hping3 for sending specific packets to test firewalls.
- The provided commands should be tested offline before deployment in operational networks because of their potential impact on network availability.
Port mirroring and SPAN ports:
- Details are given on setting up port mirroring or SPAN ports on switches to monitor network traffic.
- The mergecap utility is introduced for merging captured traffic from multiple switches for analysis.
Command line tools:
- Commands for Windows-based systems include ipconfig for network configuration, netstat for active connections and listening ports, systeminfo for system details, and wmic for system management.
- Examples demonstrate redirecting command output to text files for analysis and reporting.
- The text emphasizes the importance of thorough testing and caution when using online tools in an industrial network environment.

Hardware and Software Inventory
- Identification of network-connected hosts: use arp-scan, or passive methods like tcpdump and Wireshark, to identify active devices on the network. Wireshark's Endpoints feature displays actively communicating devices but may miss those that were not active during the capture.
- Authorization confirmation: verify that identified hosts are authorized for the industrial network. Physically inspect unauthorized nodes and take appropriate action. Update system architecture drawings with the new information.
- Collection of host platform information: gather hardware and operating system details, network configurations, BIOS revisions, and firmware details. Use the systeminfo command or SNMP applications for Windows-based devices, and manual methods or web services for non-Windows devices.
- Collection of application information: obtain application vendor, name, revision, installed patches, and other installation details. Use the wmic command with the product get option to gather this information.
- Consolidation of information: compile all gathered data into a spreadsheet or portable database, bearing in mind the sensitive nature of the data and adhering to local policy for its classification and control.
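The inventory steps above (identify hosts, confirm authorization, collect application details, consolidate) can be scripted against the tool output the slides mention. The following is an added example, not code from the presentation: it parses constructed text in the shape of arp-scan's host table and of `wmic product get name,version`, compares each discovered host with a hypothetical authorized-asset list (AUTHORIZED_ASSETS is an assumption standing in for the site's architecture drawing), and produces the consolidated spreadsheet rows. Hosts that are not on record, hosts whose MAC differs from the record, and authorized hosts that did not answer are each flagged for follow-up.

```python
"""Consolidate a hardware/software inventory from scanner output and check every
discovered host against the authorized-asset list (added example; the tool
output below is constructed, not captured)."""
import csv
import io
import re

# Constructed sample in the shape of arp-scan's default output: framing lines,
# then one tab-separated "IP<TAB>MAC<TAB>vendor" line per responding host.
ARP_SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.10.250
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.10.20\t00:1b:1b:12:34:56\tSiemens AG
192.168.10.21\t00:1b:1b:12:34:57\tSiemens AG
192.168.10.50\t08:00:27:11:22:33\tPCS Systemtechnik GmbH
192.168.10.77\t08:00:27:de:ad:01\tPCS Systemtechnik GmbH

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.104 seconds (121.67 hosts/sec). 5 responded
"""

# Hypothetical authorized-asset list from the architecture drawing: IP -> (MAC on record, description).
AUTHORIZED_ASSETS = {
    "192.168.10.1": ("00:50:56:c0:00:08", "Zone firewall, inside interface"),
    "192.168.10.20": ("00:1b:1b:12:34:56", "PLC-01, line A"),
    "192.168.10.21": ("00:1b:1b:ff:ff:ff", "PLC-02, line B"),   # record stale or hardware swapped
    "192.168.10.30": ("00:1b:1b:00:00:30", "HMI-01, line A"),   # did not answer the scan
    "192.168.10.50": ("08:00:27:11:22:33", "EWS-01, engineering workstation (Windows)"),
}

# Constructed sample in the shape of `wmic product get name,version` on EWS-01 (fixed-width columns).
WMIC_PRODUCT_OUTPUT = """\
Name                                   Version
Siemens SIMATIC STEP 7 Professional    15.1.0
Npcap                                  1.79
"""

HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\t(.*)$")


def parse_arp_scan(text):
    """Return [{ip, mac, vendor}] for every host line; framing lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "mac": m.group(2).lower(), "vendor": m.group(3).strip()})
    return hosts


def parse_wmic_products(text):
    """Split wmic's table on runs of two or more spaces; the header line is dropped."""
    rows = [re.split(r"\s{2,}", l.strip(), maxsplit=1) for l in text.splitlines() if l.strip()]
    return [{"name": name, "version": version} for name, version in rows[1:]]


def check_authorization(hosts, authorized):
    """Classify scanned hosts as ok, mac_mismatch or unknown (not on record), and
    list the authorized hosts that did not respond (missing)."""
    result = {"ok": [], "mac_mismatch": [], "unknown": [], "missing": []}
    seen = set()
    for h in hosts:
        seen.add(h["ip"])
        rec = authorized.get(h["ip"])
        if rec is None:
            result["unknown"].append(h["ip"])
        elif rec[0].lower() != h["mac"]:
            result["mac_mismatch"].append(h["ip"])
        else:
            result["ok"].append(h["ip"])
    result["missing"] = sorted(ip for ip in authorized if ip not in seen)
    return result


def consolidate_inventory(hosts, authorized, software_by_ip):
    """Merge scan results, the asset list and per-host software into one row per host."""
    status = check_authorization(hosts, authorized)
    status_of = {ip: s for s, ips in status.items() for ip in ips}
    rows = []
    for h in hosts:
        desc = authorized.get(h["ip"], ("", "NOT ON RECORD: inspect physically"))[1]
        sw = "; ".join(f"{p['name']} {p['version']}" for p in software_by_ip.get(h["ip"], []))
        rows.append({"ip": h["ip"], "mac": h["mac"], "vendor": h["vendor"], "description": desc,
                     "status": status_of[h["ip"]], "installed_software": sw})
    for ip in status["missing"]:
        rows.append({"ip": ip, "mac": authorized[ip][0], "vendor": "", "description": authorized[ip][1],
                     "status": "missing", "installed_software": ""})
    return rows


def inventory_to_csv(rows):
    """Render the rows as CSV for the spreadsheet; the file is sensitive and falls under local policy."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hosts = parse_arp_scan(ARP_SCAN_OUTPUT)
    software = {"192.168.10.50": parse_wmic_products(WMIC_PRODUCT_OUTPUT)}
    print(inventory_to_csv(consolidate_inventory(hosts, AUTHORIZED_ASSETS, software)))
```

The MAC comparison is what turns a bare host list into an authorization check: an address that answers with a different MAC than the record is either a stale drawing or a replaced device, and both need the physical inspection the slide calls for before the drawing is updated.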

Data Flow Analysis
Understanding communication channels and data flow within industrial control systems (ICS) is crucial. Misunderstandings among asset owners and vendors about the value of documenting these flows are common, and the lack of documentation can lead to firewall misconfigurations and difficulty managing the security conduits between security zones. Creating a data flow diagram requires two main pieces of data: network traffic snapshots and local host service mappings. Network traffic snapshots are collected with tcpdump and analyzed with Wireshark's Statistics features to identify active host-to-host sessions and the associated TCP/UDP ports. The netstat command then provides further detail on local host services and their associated network devices, including application and service names. Combining these methods yields a comprehensive data flow analysis, which is essential for effective ICS management and security.
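The two data sources named above, a traffic snapshot and a per-host service mapping, can be combined mechanically. The following is an added example, not code from the presentation: it reads constructed lines in the shape of `tcpdump -n` output and of `netstat -tulpn` on one of the hosts, decides for each packet which end is the server (the netstat listener table first, a lowest-port heuristic when no table exists for that host), aggregates packets into client-to-server flows, and renders them as candidate conduit rules. All addresses, ports and program names are constructed; the hosts and services are hypothetical.

```python
"""Build a host-to-host data flow table from a tcpdump snapshot and enrich it
with the service names netstat reports on the server side (added example;
the captures below are constructed, not recorded)."""
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n` on the SPAN port (no name resolution).
TCPDUMP_OUTPUT = """\
10:01:02.000100 IP 192.168.10.50.49152 > 192.168.10.20.502: Flags [S], seq 1000, win 64240, length 0
10:01:02.000300 IP 192.168.10.20.502 > 192.168.10.50.49152: Flags [S.], seq 2000, ack 1001, win 8192, length 0
10:01:02.000500 IP 192.168.10.50.49152 > 192.168.10.20.502: Flags [P.], seq 1:13, ack 1, win 512, length 12
10:01:02.000900 IP 192.168.10.20.502 > 192.168.10.50.49152: Flags [P.], seq 1:10, ack 13, win 8192, length 9
10:01:03.000000 IP 192.168.10.50.49153 > 192.168.10.21.502: Flags [S], seq 3000, win 64240, length 0
10:01:04.000000 IP 192.168.10.250.51000 > 192.168.10.20.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.5.0
10:01:04.000800 IP 192.168.10.20.161 > 192.168.10.250.51000: C="public" GetResponse(40) .1.3.6.1.2.1.1.5.0="plc-01"
10:01:05.000000 IP 192.168.10.99.40000 > 192.168.10.20.44818: Flags [S], seq 7000, win 64240, length 0
"""

# Constructed sample in the shape of `netstat -tulpn` run locally on PLC-01 (192.168.10.20).
# Only hosts the assessor could reach locally have an entry; PLC-02 (.21) has none.
NETSTAT_OUTPUT = {
    "192.168.10.20": """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN      812/modbus_server
tcp        0      0 0.0.0.0:44818           0.0.0.0:*               LISTEN      815/enip_adapter
udp        0      0 0.0.0.0:161             0.0.0.0:*                           400/snmpd
""",
}

PKT = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
LISTEN = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")


def parse_listeners(netstat_by_host):
    """Map (host, proto, port) -> program name for every listening socket."""
    listeners = {}
    for host, text in netstat_by_host.items():
        for line in text.splitlines():
            m = LISTEN.match(line)
            if m:
                proto, port, _pid, prog = m.groups()
                listeners[(host, proto, int(port))] = prog
    return listeners


def classify_direction(src, sport, dst, dport, proto, listeners):
    """Return (client, server, server_port). A known listener wins; otherwise
    the lower port number is assumed to be the service port (heuristic)."""
    if (dst, proto, dport) in listeners:
        return src, dst, dport
    if (src, proto, sport) in listeners:
        return dst, src, sport
    return (src, dst, dport) if dport <= sport else (dst, src, sport)


def build_data_flows(tcpdump_text, listeners):
    """Aggregate packets into {(client, server, proto, port): {packets, service}}."""
    flows = defaultdict(lambda: {"packets": 0, "service": "unknown"})
    for line in tcpdump_text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        # tcpdump prints TCP segments with "Flags [...]"; anything else here is treated as UDP.
        proto = "tcp" if rest.startswith("Flags [") else "udp"
        client, server, port = classify_direction(src, int(sport), dst, int(dport), proto, listeners)
        f = flows[(client, server, proto, port)]
        f["packets"] += 1
        f["service"] = listeners.get((server, proto, port), f["service"])
    return dict(flows)


def flows_as_rules(flows):
    """Render each flow as a conduit rule line, sorted for diffing against the firewall policy."""
    return [f"allow {c} -> {s} {p}/{port} ({v['service']}, {v['packets']} pkts)"
            for (c, s, p, port), v in sorted(flows.items())]


if __name__ == "__main__":
    for rule in flows_as_rules(build_data_flows(TCPDUMP_OUTPUT, parse_listeners(NETSTAT_OUTPUT))):
        print(rule)
```

Two of the resulting rows are the kind of finding the slide is after: the Modbus flow to PLC-02 has no service name because no netstat mapping was collected there, and the EtherNet/IP connection from 192.168.10.99 comes from a client that appears nowhere else in the snapshot and should be reconciled against the host inventory before any conduit rule permits it.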

Threat Identification
Threat identification is a critical step in industrial cyber security: the methodology for recognizing potential risks to industrial control systems (ICS). The process dissects threats into three main components: threat events, sources/actors, and vectors. The complexity of industrial environments often makes threat identification challenging; interconnected systems, diverse assets, and evolving technologies all contribute to this complexity. Overlooking this step, however, can leave systems vulnerable to a wide range of potential threats, so mapping assets to specific threats is crucial for effective risk management. By understanding the potential risks faced by each asset, organizations can prioritize their security efforts and deploy appropriate controls to mitigate those risks. Overall, thorough threat identification lays the foundation for robust security measures in industrial environments.

Threat Actors/Sources
- Common assumptions: many industrial cyber security programs assume that the greatest threats come from external sources, often hostile and malicious. This assumption leads to deploying security controls focused primarily on defending against external attacks.
- Reality check: documented incident reports reveal that the majority of incidents, and the greatest risk to protected architectures, stem from insiders or trusted partners. Although often overlooked, insiders pose significant threats because of their knowledge, access, and potential malicious intent.
Common threat actors/sources:
- Adversarial: outside individual, inside individual, trusted insider, ad hoc group, established group, competitor, supplier, partner, customer, nation state.
- Accidental: user, privileged user, administrator.
- Structural: information technology equipment, software.
- Environmental: natural disaster (e.g., fire, flood, tsunami), man-made disaster (e.g., bombing, overrun), unusual natural event (e.g., solar EMP), infrastructure failure (e.g., telecommunications, electrical power).

Threat Vectors
Threat vectors are the pathways or methods through which threats reach targets within industrial environments. They encompass the entry points and tactics that threat actors use to exploit vulnerabilities and compromise assets.
- Beyond traditional access mechanisms: it is essential to look beyond traditional IT access mechanisms when identifying threat vectors. This includes physical access, social engineering tactics, and policy weaknesses, in addition to vectors such as USB flash drives or network connections.
- Entry points and trust boundaries: identifying the entry points into industrial systems helps in understanding potential threat vectors. Establishing trust boundaries helps in scoping and limiting the entry points or vectors into a zone, improving the overall security posture.
- Example: an industrial network connected to the business network through a firewall has its entry point at the firewall connection. Understanding these entry points helps in focusing security measures and mitigating potential threats effectively.

Threat Events
Threat events are the specific actions or tactics carried out by threat sources to compromise the integrity, confidentiality, or availability of industrial control systems (ICS). They provide detailed insight into potential attack scenarios and help in assessing the severity of risks.
- Complexity: identifying threat events can be complex because of the diverse range of potential attacks and tactics employed by threat actors. Threat events vary in sophistication and impact and require thorough analysis to understand their implications fully.
- Systematic approach: developing an inventory of threat events involves a systematic approach that considers both adversarial and non-adversarial scenarios. This includes the tactics, techniques, and procedures (TTPs) used by adversaries as well as accidental events and system failures.
- Continuous improvement: while the initial identification of threat events may be challenging, it lays the groundwork for ongoing risk assessment and mitigation. Continuous improvement means refining the inventory of threat events based on new insights, emerging threats, and evolving technologies.

Identification of Threats During Security Assessments
Security assessments often reveal previously unidentified threats, adding to the comprehensive understanding of risks within industrial environments.
- Indicators of threats: various indicators during the assessment process may signal the presence of threats, including:
  - infected media detected through anti-virus logs;
  - compromised workstations, as indicated by Windows Event logs;
  - data integrity issues found during local disk evaluation;
  - anomalies in network resource usage, indicating data copied to untrusted locations;
  - accounts with inappropriate access levels discovered during account reviews;
  - unauthorized use of stolen credentials to access systems;
  - network congestion or unusual traffic patterns indicating potential attacks.
- Need for continuous monitoring: these indicators highlight the necessity of continuous monitoring and analysis to detect and respond to emerging threats effectively. Security assessments serve as a foundation for ongoing risk management practices, ensuring that industrial systems remain resilient against evolving threats.
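Three of the indicators listed above (accounts with inappropriate access, credentials used from an unexpected place, infected removable media in anti-virus logs) can be checked with simple rules over the data an assessor collects. The following is an added example, not code from the presentation. The role policy, the account review export, the reduced Windows Security logon records (event 4624, with only the fields the checks use), and the anti-virus log format are all constructed and hypothetical; a real site would substitute its own exports and policy.

```python
"""Rule checks for three threat indicators from an assessment data set
(added example; every record below is constructed)."""
import ipaddress
import re

# Hypothetical role policy: the groups each role is allowed to hold.
ROLE_POLICY = {
    "operator": {"Users", "HMI Operators"},
    "engineer": {"Users", "HMI Operators", "Engineering"},
    "admin": {"Users", "Administrators", "Engineering"},
}

# Constructed account review export: account, assigned role, actual group membership,
# and the subnet from which the account is expected to log on.
ACCOUNTS = [
    {"account": "op.jones", "role": "operator", "groups": {"Users", "HMI Operators"}, "home_subnet": "192.168.10.0/24"},
    {"account": "op.smith", "role": "operator", "groups": {"Users", "HMI Operators", "Administrators"}, "home_subnet": "192.168.10.0/24"},
    {"account": "eng.lee", "role": "engineer", "groups": {"Users", "Engineering"}, "home_subnet": "192.168.10.0/24"},
]

# Constructed logon records reduced from a Windows Security log export (4624 = successful logon;
# logon type 10 = remote interactive, 3 = network, 2 = local interactive).
LOGONS = [
    {"event_id": 4624, "account": "eng.lee", "logon_type": 10, "source_ip": "192.168.10.50"},
    {"event_id": 4624, "account": "eng.lee", "logon_type": 10, "source_ip": "10.20.30.40"},
    {"event_id": 4624, "account": "op.jones", "logon_type": 2, "source_ip": "127.0.0.1"},
]

# Constructed anti-virus log lines; the line format is hypothetical.
AV_LOG = """\
2024-05-30 08:12:01 INFO  scan complete: C:\\Program Files, 0 threats
2024-05-30 09:45:13 ALERT threat found: Trojan.Generic in E:\\setup.exe (device=removable, action=quarantined)
2024-05-31 07:02:44 ALERT threat found: Win32.Agent in D:\\update\\patch.exe (device=removable, action=blocked)
"""

AV_ALERT = re.compile(r"^(\S+ \S+) ALERT threat found: (\S+) in (\S+) \(device=(\w+), action=(\w+)\)")


def excess_groups(accounts, policy):
    """Accounts holding groups their role does not permit -> {account: [groups]}."""
    return {a["account"]: sorted(a["groups"] - policy[a["role"]])
            for a in accounts if a["groups"] - policy[a["role"]]}


def foreign_logons(logons, accounts):
    """Network / remote-interactive logons whose source lies outside the account's home subnet."""
    subnet_of = {a["account"]: ipaddress.ip_network(a["home_subnet"]) for a in accounts}
    hits = []
    for e in logons:
        if e["event_id"] != 4624 or e["logon_type"] not in (3, 10):
            continue
        if ipaddress.ip_address(e["source_ip"]) not in subnet_of[e["account"]]:
            hits.append((e["account"], e["source_ip"]))
    return hits


def removable_media_infections(av_log):
    """Anti-virus alerts where the infected file sat on removable media."""
    return [{"when": m.group(1), "threat": m.group(2), "path": m.group(3), "action": m.group(5)}
            for m in map(AV_ALERT.match, av_log.splitlines()) if m and m.group(4) == "removable"]


def assessment_findings(accounts=ACCOUNTS, logons=LOGONS, av_log=AV_LOG, policy=ROLE_POLICY):
    """Run the three checks and return one finding string per hit."""
    findings = [f"account {a} holds groups beyond its role: {', '.join(g)}"
                for a, g in excess_groups(accounts, policy).items()]
    findings += [f"logon for {a} from {ip}, outside the account's home subnet"
                 for a, ip in foreign_logons(logons, accounts)]
    findings += [f"infected removable media: {i['threat']} in {i['path']} ({i['action']})"
                 for i in removable_media_infections(av_log)]
    return findings


if __name__ == "__main__":
    for finding in assessment_findings():
        print(finding)
```

Each rule is deliberately narrow: the group check compares against a written role policy rather than an analyst's judgement, the logon check only considers logon types that carry a meaningful source address, and the media check keys on the device field rather than on drive letters, which vary by host.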

Common Threat Vectors
Direct:
- Local area network (wired)
- Local area network (wireless)
- Personal area network (NFC, Bluetooth)
- USB port
- SATA/eSATA port
- Keyboard/mouse
- Monitor/projector
- Serial port
- Webcam
- Electrical supply
- Disconnect switch
Indirect:
- Application software (via media)
- Configuration terminal (via serial port)
- Modem (via serial port, internal card)
- Human (via keyboard, webcam)

Adversarial / Intentional Threat Events
- Perform network reconnaissance/scanning
- Perform organizational reconnaissance and surveillance
- Craft spear phishing attacks
- Create counterfeit/spoof websites
- Craft counterfeit certificates
- Inject malicious components into the supply chain
- Deliver malware to organizational systems
- Insert subverted individuals into organizations
- Exploit physical access to organization facilities
- Exploit poorly configured or unauthorized systems exposed to the Internet
- Exploit split tunneling
- Exploit multitenancy in a cloud environment
- Exploit known vulnerabilities
- Exploit recently discovered vulnerabilities
- Exploit vulnerabilities using zero-day attacks
- Violate isolation in multitenant environments
- Compromise software of critical systems
- Conduct attacks using unauthorized ports, protocols, and services
- Conduct attacks leveraging traffic/data movement allowed across the perimeter
- Conduct denial-of-service (DoS) attacks
- Conduct physical attacks on organization facilities
- Conduct physical attacks on infrastructure supporting organizational facilities
- Conduct session hijacking
- Conduct network traffic modification (man-in-the-middle) attacks
- Conduct social engineering campaigns to obtain information
- Conduct supply chain attacks
- Obtain sensitive information via exfiltration
- Cause degradation of services
- Cause integrity loss by polluting or corrupting critical data
- Obtain unauthorized access
- Coordinate a multistage (hopping) attack
- Coordinate cyber attacks using external (outside), internal (insider), and supply chain vectors

Non-Adversarial Threat Events
- Spill sensitive information
- Mishandling of critical information by authorized users
- Incorrect privilege settings
- Communications contention
- Fire (arson)
- Resource contention
- Introduction of vulnerabilities into software products
- Disk error
- Accidental deletion or modification of critical data
- Hardware failures or malfunctions
- Power outages or fluctuations
- Environmental disasters (e.g., floods, earthquakes)
- Software bugs or glitches
- Misconfiguration of systems or applications
- Data transmission errors
- Human errors in system operation or maintenance

Thank you