Breaking System Down to Find APT

Thursday, July 9, 2015 @ 05:07 PM gHale

Advanced persistent threats (APTs) are a big issue that can keep security professionals up at night wondering if and when they will suffer from an attack.

Along those lines a critical infrastructure end user got in touch with ICS-CERT to evaluate the organization’s control systems environment for a possible APT.


In its analysis of a previous incident response, the end user discovered that the bridge between the corporate and processing networks had been compromised, according to a report in the ICS-CERT Monitor. Concerned about the integrity of the processing environment, the end user requested ICS-CERT support to analyze the systems for adversary activity and then, secondarily, to evaluate the overall security posture.

As a result, ICS-CERT deployed an incident response (IR) and assessment team to look for evidence of intruders and to perform an architectural review of the organization’s security.

The following is a mini case history of what occurred during the teams’ site review, according to the report in the ICS-CERT Monitor. While the name of the end user is not available, the problems it faced are very real and similar to the issues other companies confront on a daily basis.

Despite pre-planning measures, the ICS-CERT review efforts were hampered by insufficient asset management in the control systems environment, which caused a significant delay in identifying systems for examination and evaluation. To compensate for incomplete documentation, the team instead led discussions and reviewed the available materials to identify undocumented systems and build an up-to-date representation of the network architecture.

Asset management issues also made it difficult to determine who had primary responsibilities for the various systems within the network. As the IR team interviewed workers, it was evident they lacked clearly defined roles and responsibilities for the systems within the control environment. This prolonged the response time for access requests, authorities, data, and information needed to support the incident response effort.

Host-based analysis efforts were also slowed because forensic information had not been adequately preserved or maintained for the team. Because of this, ICS-CERT focused on network evaluation techniques to identify unusual use patterns in the ICS network. ICS-CERT also compared network-based findings against indicators collected from various sources in an attempt to identify any remnants of adversary communications.

While onsite, the team quickly identified that the facility was using the same physical network cables and routing equipment for both networks; the only segmentation was that the processing environment’s hard-coded IP addresses sat in a separate subnet from the corporate network. In practice, this meant the two networks had essentially no segmentation. The segmentation issue was emblematic of the poor network visibility identified by the IR and assessment teams. The end user lacked the capability to monitor network traffic and identify suspicious activity in the ICS and corporate enterprise. In addition, critical assets went unmonitored with no physical security, leaving any employee able to tamper with critical systems undetected.
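The situation described above, where host forensics are unavailable and the only "segmentation" is a subnet boundary, pushes a responder toward network-based evidence. The following is an added example, not code from the ICS-CERT report or the end user, showing the three checks the article describes run over flow records: flagging traffic that crosses the corporate/processing boundary, matching endpoints against externally collected indicators, and listing hosts observed on the processing subnet that are missing from the documented asset inventory. The subnets, flow records, inventory and indicator values are all constructed for the example.

```python
import ipaddress

# Constructed network zones (assumption: corporate and processing live on
# adjacent /16 subnets over the same physical cabling, as in the article).
CORPORATE_NET = ipaddress.ip_network("10.1.0.0/16")
PROCESSING_NET = ipaddress.ip_network("10.2.0.0/16")

# Constructed documented asset inventory for the processing environment.
DOCUMENTED_ASSETS = {"10.2.0.10", "10.2.0.11", "10.2.0.20"}

# Constructed placeholder indicator list (stands in for feeds from "various sources").
INDICATOR_IPS = {"203.0.113.45"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.1.5.23", "10.1.5.1", 53, 120),        # corporate host -> corporate DNS: expected
    ("10.2.0.10", "10.2.0.11", 502, 4096),     # Modbus between documented processing hosts: expected
    ("10.1.5.23", "10.2.0.10", 502, 2048),     # corporate workstation -> PLC: crosses the boundary
    ("10.2.0.30", "10.2.0.10", 502, 512),      # processing host absent from the inventory
    ("10.2.0.11", "203.0.113.45", 443, 9000),  # processing host -> external indicator
]


def classify(ip_str):
    """Map an address to the zone it belongs to: corporate, processing or external."""
    ip = ipaddress.ip_address(ip_str)
    if ip in CORPORATE_NET:
        return "corporate"
    if ip in PROCESSING_NET:
        return "processing"
    return "external"


def analyze_flows(flows, documented_assets, indicators):
    """Return (findings, undocumented_processing_hosts).

    findings is a list of (kind, src, dst, dst_port) tuples where kind is one of
    cross_boundary, indicator_match or processing_egress.
    """
    findings = []
    observed_processing_hosts = set()

    for src, dst, port, _nbytes in flows:
        src_zone, dst_zone = classify(src), classify(dst)

        # Every processing-zone endpoint seen on the wire counts as an observed asset.
        for ip, zone in ((src, src_zone), (dst, dst_zone)):
            if zone == "processing":
                observed_processing_hosts.add(ip)

        # Traffic between corporate and processing zones: the boundary the subnet
        # split was supposed to enforce but physically cannot.
        if {src_zone, dst_zone} == {"corporate", "processing"}:
            findings.append(("cross_boundary", src, dst, port))

        # Either endpoint matches a collected indicator.
        if src in indicators or dst in indicators:
            findings.append(("indicator_match", src, dst, port))

        # A processing host talking directly to the outside is unusual for an ICS zone.
        if src_zone == "processing" and dst_zone == "external":
            findings.append(("processing_egress", src, dst, port))

    undocumented = sorted(observed_processing_hosts - documented_assets)
    return findings, undocumented


if __name__ == "__main__":
    findings, undocumented = analyze_flows(FLOWS, DOCUMENTED_ASSETS, INDICATOR_IPS)
    for finding in findings:
        print("%-18s %s -> %s port %d" % finding)
    print("processing hosts missing from inventory:", undocumented)
```

On the constructed records the script reports one cross-boundary flow, one indicator match, one external egress from the processing subnet, and one processing host (10.2.0.30) that the inventory does not know about. In a real engagement the same structure is fed from flow exports or a passive capture at the shared routing equipment; the inventory diff is what lets a team rebuild the network picture when documentation is incomplete, as the ICS-CERT team had to do here.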

ICS-CERT provided recommendations and proposed a network re-design to improve the overall security posture and reduce the risk of future intrusion. These recommendations addressed both the technical and policy levels and included guidance such as:
• Define and establish accurate asset management responsibilities and assign appropriate authorities
• Verify network architecture
• Deploy system patching
• Create network segmentation
• Deploy physical security of critical assets
• Increase security operations staff and define mission roles and responsibilities
• Apply application whitelisting for approved applications and user authentication for remote access
• Deploy a security monitoring solution to ensure adequate visibility into the re-architected network