Tag Archives: strategic

Hacking Critical Infrastructure

Please accept my apologies in advance if you were hoping to read about an actual technical vulnerability in critical infrastructure or the exploitation thereof. Today we discuss a plausible strategic cby3r threat, and how one might go about hacking our critical infrastructure without going after the plant or the IT team(s) supporting the technologies in it (or at least not at first).  Before we get started, we’ll define two terms, relevant to the scope of this article:

  1. Strategic cyb3r threat intelligence would be that which is timely (i.e. received before an attack), researched in depth, and provides context to a potential attack scenario
  2. Personally identifiable information (PII) as a piece (or combination) of data that can uniquely identify an individual

Now, let’s take a minute to review a key point of a historical event, the OPM breach (you can brush up on it here http://www.nextgov.com/cybersecurity/2015/06/timeline-what-we-know-about-opm-breach/115603/).  According to the information that has been released, attackers did not originally steal personally identifiable information (PII) .  What the attackers did make off with was even more critical, manuals, basically the “schematics” to the OPM IT infrastructure.  [QUESTION: Are any of you logging access attempts (failed and successful) to your asset inventories, network diagrams, application architecture documentation? If you are, is anyone reviewing the logs?]  Many have forgotten the first items stolen were manuals, thanks to the media news buzz about “identities stolen” blah blah blah, and chalked it up to just another breach of PII and millions of dollars wasted on identity theft protection.   The attackers went after something that was considered by many to be a secondary or tertiary target, something that wasn’t “important”.  However, it was a consolidated information resource with phenomenal value.

So, what does this have to do with hacking critical infrastructure?  Well, aside of the option to leave malicious USBs laying around, what if I could compromise MULTIPLE infrastructure companies at once? [dear LEOs I have no plans to do this, I’m just creating a hypothetical scenario and hoping it makes someone improve security].  How could I do this? Where could I do this? Who would I try to compromise?  If I could get just ONE company, I could have the “blueprints” to components at multiple facilities! * insert evil genius laugh* Muahahahahahah!  If I could get these, then I could find a vuln that they’d all share, and then I could launch a coordinated attack on multiple plants at once, or I could launch a targeted attack which would cause a domino effect to hide further malicious acts.

Warning InfoSec professionals, grab your headache medicine now…

Where to begin…

First, I’d see if there was a way I could get a list of companies that created the technology used in the critical infrastructure such as boilers, turbines, and generators. In fact, there is a list, and it is publicly available!  YAY for research databases!! Wooo hooo!  In fact, I’m even able to break it down into coal, gas, geothermal, hydro, nuclear, oil, & waste.  Wait, it gets better. I can even determine the commission date, model, and capacity for each.  Next, if I find data missing from the awesome resource, I may be an OCD attacker and want all the details, I’d plan a social engineering attack. I bet that for those plants that have “missing data” I could probably call, pretend to be a college student doing research, and they’d tell me any one of the previously listed data elements, especially if I sent them the link to the public resource that already has “everyone else’s data” in it.  Although I did not do that, I did collect the manufacturer names for US infrastructure.  Admittedly some appear to have nominal differences in naming based by those who submitted the data, thus potential duplication, but as an attacker I probably wouldn’t care:

  • Aalborg
  • ABB
  • ABB, Asea Brown Boveri
  • Allis Chalmers
  • Alstom
  • American Hydro
  • ASEA
  • Babcock & Wilcox (B&W)
  • Baldwin-Lima-Hamilton (BLH)
  • BBC, Brown Boveri & Cie
  • Brown Boveri & Cie (BBC)
  • Brush
  • Combustion Engineering
  • Deltak
  • Doosan
  • Foster Wheeler
  • GE
  • GE Hydro
  • General Electric
  • Hitachi
  • Hitachi Japan
  • Hitachi Power Systems America
  • Hyundai/Ideal
  • Inepar
  • Kawaskai
  • Leffel
  • Melco
  • Melco Japan
  • MHI
  • MHI Japan
  • Mitsubishi Japan
  • Newport News Ship & Dry Dock
  • Noell
  • Nohab
  • Nooter
  • Nooter/Eriksen
  • Nooter-Erikson
  • Riley Stoker
  • S Morgan Smith (SMS)
  • Siemens
  • SWPC
  • Toshiba
  • TP&M
  • Voest Alpine
  • Vogt Power International Inc.
  • Voith Hydro
  • Westinghouse

Next, I’d start searching to find events where multiple companies would attend.  As you can guess, there is yet another OSINT source that would list potential gatherings of these individuals http://wikicfp.com/cfp/call?conference=energy.  This is just one source, but it is such an amazing source I decided to share it (HINT: if you’re looking for InfoSec conferences, check out the security and technology categories).  For a moment, let’s just assume that this source didn’t yield any promising results.  Another option would be to find a single company that lists one or more of these manufacturers as their client or the technology as their area of expertise.  After a simple search for ABB (yeah had to go pretty far down that list there) we find https://www.turbinepros.com/about/oem-experience.  And wouldn’t you know it, they’re hosting some events of their own.  A search for ‘turbine generator maintenance’ yields http://www.turbinegenerator.com/ and their events tab takes me to http://www.powerservicesgroup.com/events/ and the process continues.  If I wanted a “current” status of critical infrastructure I could pull it from DHS reports/publications at https://www.dhs.gov/publication/daily-open-source-infrastructure-report (granted Jan 2017 they discontinued it).  I could also go here https://www.dhs.gov/critical-infrastructure-sectors and pull each sector’s plan which typically identify the number of plants running and the states in which they are located.  The amount of information available for a bad actor in open sources is plentiful, and allows them plenty of time to plan their attack.  Ironically, I wonder how many companies are doing the same thing to plan FOR the attack?

 

So, what’s next? As a bad actor, one wants bang for the buck so I want to find a conference listing the sponsors & speakers (who does that? #sarcasm), hopefully this might help me narrow down my target (i.e. the one with the largest collection of key players most likely). I also want to find one that isn’t too large, small-med conferences usually have smaller budgets thus, the only real security they put in place is some volunteer with no “security” experience at an entrance asking, “Do you have a conference badge?”  Also, keep in mind, these are energy conferences in this hypothetical scenario, security, especially cyb3r security is probably not on the top of their list.  Since these are not Information Security conferences, i.e. they are not BlackHat or DEFCON, nobody is running around yelling “turn off your Bluetooth, NFC, & WiFi” or “please don’t scan random QR codes”.  There’s also probably not anyone checking to see how many mobile access points (or stingrays) popped up before/after the conference or whether there’s a sniffer on the free conference (or hotel) WiFi.  Another thing an adversary might consider is chatting up the marketing guy, making sure to get his business card.  Also, get him to talk about other key leaders (everyone will talk plenty about the guy they dislike the most).  Then later that bad actor would be sending him (or someone else) a spear-phishing email as they are sure to have captured plenty of topics of interest.  The chances of the targeted victim clicking a link (or not reporting it) are more likely to succeed and avoid detection with a targeted phishing email than a mass blast.  The bottom line is, that from an attacker perspective, it is probably much easier for me to compromise a person from one of these conferences than it is for me to hack into infrastructure directly.

 

If I was a bad guy, I’d consider this casting a wide net, the key is though, that I only need to catch one fish.  Once I’ve caught one, then it is game on.  While all of them are worried about NERC or ISO compliance, how many of them are worried about if a bad actor is accessing IT asset inventories, network diagrams, purchase orders, IT road maps, or archived vulnerability scan reports?  One of the gaps in security that surprises me the most, is the lack of security surrounding previous penetration test reports.  The vendor providing the report(s) may give the highest protections to the documents when sending and storing them, and at first the client treats them with great protections when they first arrive.   However, once they are considered old (usually 12+ months) complacency sets in.  The irony is, the greatest frustration I hear from my Red Team friends is “we told them [1-10] years ago to fix this, and it’s still wide open.”  Well, not only is it wide open, the report now sits on all-company-access shared drive or worse a public FTP server because its “old”.

Bottom Line – It’s Game On.

Many of you might have objections to me laying out this attack scenario on a public blog.  You would argue that I’m giving bad guys ideas and shame on me.  I considered that, however, the more likely truth is that they’ve already thought about this, and we have our heads so far up our 4th point of contact running around screaming about ransomware, malware, hashes, IOCs, and malicious domains that we, the InfoSec community, do not give 1/100th of our time to thinking about strategic cyb3r threats.  We do not plan for attack scenarios beyond device compromise.  Blue Teams spend all day fighting a tactical battle and Red Teams spend all day attacking systems. We rarely stop to give thought to the person we “let in” through the front door.   When do we stop and think about domino effects and strategic cyb3r threat scenarios, so that we can take a harder look at our environments for hints of a strategic attacker and then actually go look for footprints?  Most, if not all of you reading this will say, we don’t ever do that.  That is why I’ve written this.

We have to change what we’re doing and start thinking outside of immediate [tactical] cyb3r threats or we’ll lose the fight not for lack of technology and effort, but for lack of creative and disruptive thinking.

 

FOOD FOR THOUGHT

  1. Look [in your environment] at the sensitive documents listed in this blog (app architecture, network architecture, asset inventory, purchase orders, pentest results, vulnerability reports etc.). Are you logging who/what has accessed them?  Do you see any non-human accounts accessing them?  Is every copy/download accounted for?
  1. Are you adequately educating your staff who attends conferences on the elevated security risks? When’s the last time you made a forensic image of an executive’s laptop?  If you allow BYOD are you adequately inspecting the devices upon return? What changes in procedure for “conference attendance” can you make to better protect your environment?
  1. Do you have relationships with local FBI/Police/InfoSec Community so that you can learn about any potential threats, especially cyb3r threats? Are you sending an InfoSec person to these non-InfoSec conferences with your staff to assess the InfoSec risks/threats?

 

Thank you for taking time to read the blog, please feel free to leave comments and questions.  I will respond as time permits.

 

 

Beyond Whack-a-Mole “Intel”

In recent days I had some conversations with folks regarding the common INFOSEC comprehension of threat intelligence and what it really is, and we all come back a marketing buzz phrase “actionable intel”. My concern is that the definition of “action” seems to be getting diluted these days and at worst it has been morphed into “write a signature to prevent X” or create some hot new technology that uses artificial intelligence to anticipate ABC and block the attack. Also, everyone wants to be first to blog about the latest threat that hit the landscape. Researches spend hours trudging through dashboards, PCAPs, log files and retro hunting with yara rules looking for that needle in a mountain of needles that is sitting inside of their grandmothers sewing bench, and hope they don’t prick themselves wasting time with “unrelated” data or false positives. We’re inundated and consumed with the tactical execution. Why? Money, and possibly a case of nearsightedness.

Businesses are consumed by needing to show immediate value (nearsighted), and value is usually measured in the number of bad things blocked. Thus the tactical war against malicious actors saturates every aspect of our information security programs, our hiring for INFOSEC roles, the reports we produce, the metrics we pull our hair out trying to develop, and most of all BUDGET – where we spend our money. We are at constant war, just ask any incident response, forensics, malware reverse engineer, threat researcher, or SOC analyst – it is an all out 24/7 war against bad guys, and one thing you need to win a war besides soldiers, beans and bullets? Strategy.

Strategic operations are nothing new to any military organizations. Nor is strategy new to any successful CEO trying to position his company to gain a competitive advantage over a market share, but strategic planning and execution to an INFOSEC threat intelligence team seems to be as foreign as a fully nude woman standing in the flesh in front of a virgin. The concepts of profiling, understanding, and anticipating your enemy so that you can not only win battles but win the war, are something I find few people grasp. Make no mistake, I am not saying that the tactical activities mentioned above are without merit, they are 100% critical and vital to protecting assets both tangible and intangible, and even lives. What I am saying is that, organizations that have reached a maturity level where they are effective with near-surgical precision in squashing malware and phishing attacks, should be looking to take things to the next level.

I tweeted recently something to the effect that the words “new malware” literally have a Pavlov’s effect on threat researchers. Everyone gets excited about the shiny new malware, we all want to rip it apart, see how it works, hopefully find flaws in it, & blog about and HOPEFULLY to share indicators of compromise (IOCs) with the whole world to make the Internet a safer place. (Side rant – if you blog about threats and don’t share IOC’s and actionable intel, IMHO you are a douche nozzle being used for an enema) Back to the topic at hand…..We want to tell everyone how the malware did it’s backflip, blindfolded, across hot coals and broken glass, shit a peanut that turned into a malware tree, that bloomed ransomware buds whose pollen poisoned the threat landscape and that’s how we got money to grow on trees. Okay, not exactly, but close enough. But then what? Then we all go back to looking for the next shiny piece of malware, cuz we can never have too many in our collection right? Well, this all falls into tactical operations, a very instrumental element to protecting and defending our orgs and current customers, not to mention attracting new customers. The race is to be the one that finds it first, blogs first, and makes current and potential customers feel safer – basically whack the mole the fastest and most accurately. Heaven forbid if another organization blogs about some new major threat and you didn’t, your org is destined to get a tsunami of “are we protected” inquiries. And of course, that’s what the business is worried about – happy customers who feel safe because that’s what pays the bills. So I ask again, but then what?

In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)? Trying to teach strategic threat research in one blog post is insane, so I’ll try to give an example via an imaginary conversation.

*****************************************************************
Do you know or understand why *THAT* malware was used against *THAT* organization? NO

What about that domain, have you run down the registrant to see what other domains he/she owns and if there’s any other malware associated with them? YES

Oh really! Well do you know if it’s the same kind of malware? It’s not

It’s not? Well bad actors are kind of like serial killers they usually have a modus operandi (method of operation) aka M.O., a habit, that they rarely deviate from, so why did you actor change his M.O.? I don’t know

OK, go figure out if something caused your actor to change his M.O or if this indicates multiple actors sharing the same registration information.

Is it on a dedicated/shared IP? SHARED, on an ISP that only owns 200 IPs and only hosts 100 domains, and they’re behind bulletproof hosting

Do you have enough information based on victims to build a potential target profile so we can figure out where/who they might attack next? NO

What vertical was that attack against? Transportation

What org? a trucking company

What geographic region? Timbuktu

Are there any key political figures headed to that region? sporting events coming up? tourist or entertainment events planned in the near future? Yes

Really, hmm what other resources are needed to support (X from previous question)? Catering? Power? Decorating? Air Travel? Yes
*****************************************************************

Now the scenario above is completely made up, and there is an entire line of questions that could follow. In fact, changing the answer to any one question can change the next round of questions that would follow. Nonetheless I think you get my point. And if you really do get my point, then you’ll understand why a massive “threat intelligence feed” from a company is practically useless. You’re better off just ingesting a black/whitelist from some trusted asset with an understanding that you may have false positives, but you’d rather be secure and inconvenienced. It is time the INFOSEC community take threat intelligence to a new level and start looking past the shiny new malware and actually start trying to understand attackers.

It kind of reminds me of the sci-fi movie I watched this weekend (I won’t name it because I don’t want to get sued). Basically our planet had been attacked in the past and we defeated the enemy. Then the humans studied the technology left behind from the aliens. They used it to advance the human race and unite the world. But then years later, another alien shows up, without hesitation we blasted it out of the sky, then a bigger alien shows up and threatens the planet again. However, a group of scientists takes the time to study and understand the first alien that showed up those years later. They come to find out the motivation behind that alien, learn from their observations and if they apply the knowledge correctly they can then ultimately defeat the massive alien force that now threatens them.

The key here, is that they took time to study – let me type that out a little more slowly “T H E Y T O O K **T I M E**” to “S T U D Y” – of course it was after they whacked the mole, but they did do the deeper investigation. This is where we all need to be headed. After we’ve honed our skills at quickly finding and annihilating the immediate threat, let’s start adding a new function to our INFOSEC portfolios: teams to do strategic analysis, enemy profiling, and developing threat intelligence that allows us to take proactive measures to prevent attacks or at the very least identify behaviors that indicate a larger (measured by impact not volume) threat on the battlefield.

THE END 🙂

BTW, Business people – please pick your faces up off the floor, I know, I just said we need to invest time and money into something that has long-term payouts and not immediate ones. Let me know if you need me to pay your co-pay for your hospital visit.

As always, thanks for reading and supporting.