Detecting Moves Leading to Attack

Thursday, January 25, 2018 @ 11:01 AM gHale


By Robert Albach
Casual observers of sporting news can be forgiven for thinking that all sporting events are comprised of a handful of plays that result in a score. Similarly, security practitioners could be forgiven for thinking the same when it comes to news of ICS security.

With that in mind, for January I would like to nominate Trisis/Triton/Hatman (T/T/H) as the ESPN play of the month.

This offensive event has been brilliantly dissected by experts and commented upon with frequency. Make no mistake the work done by Mandiant and Dragos are quality efforts and the understanding of the incident critical to industrial defenders, it is indeed most newsworthy. But like Alabama’s wide left field goal attempt at 00:00 in the College Football National Championship regulation time, we should not forget there were nine other plays in that final drive resulting in varying success, and there was more to the game to come.

RELATED STORIES
From Mobile Toys to Useful Tools
Deep Packet Inspection: Setting the Rules
Securing Right Solutions for Protection
Security Storyline: Plan to Cut Downtime

Before most any “final” attack success or failure, there is a whole series of often forgotten or unseen steps or plays that took place. Reviews of attack campaigns normally reflect steps which can be roughly mapped to a process commonly called the Kill Chain, originally a military concept, then applied to cyber intrusions by groups at Lockheed-Martin. A key lesson to take from the Kill Chain concept is attacks can be described as serial processes whose success is determined by the ability to progress through the seven phases to the final act on a targeted system.

The direct impact on the Triconex safety system would be the penultimate stage of the kill chain concept. The attacker had left evidence of a set of attack tools. Those tools had very specific targets, a class of Schneider Triconex models.

Ready for Attack
Further evidence shows the attacker was able to execute preparation of the targeted Triconex successfully and thus ready for the final “attack” payload. What they were not successful at however was performing these final steps without detection – assuming that detection was undesired.

Unlike our widely-reported college football game, however, there are a great many steps that are not widely known to the public. The lack of knowledge opens the possibility of potentially damaging or helpful speculation. I will attempt to undertake the latter and avoid any statements of attribution or ultimate goals and instead focus on the implications of the kill chain process upstream of safety system impact.

It may be obvious but still worth stating, Safety Instrumentation Systems (SIS), exist to protect other process systems. With that end in mind, I will propose that at some point up-stream, the attackers may have executed or planned to execute similar activity on the process systems which this SIS was meant to protect. To be clear, I have no evidence of this and neither the relevant researchers or victim are obligated to share those details. That said, should similar situations arise within your environments, it would be well worth your time to investigate the surrounding systems as well.

Kill Chain Evidence
Moving further up the kill chain there is likely to be evidence of outbound communications with external control sources, manipulated systems, and horizontal and vertical movement. This assumes this stage and prior stages required such activity. An internal and trusted source could bypass those steps depending on their knowledge of the targeted systems. Both an internal and external attack source is likely to leave artifacts associated with their activities. The necessary steps to investigate are not dissimilar in either case. In the case of T/T/H the workstation upstream was found to be compromised (as expected).

Working backward from that workstation, a diligent security forensics investigator can hopefully detect and recreate the rest of the kill chain and any potential branches to ancillary targets.

As a defender, finding this path represents a chance to learn the weaknesses of the system and apply the right defenses.

Remember, each step the attacker must take represents an opportunity for the defender to slow and perhaps stop the next attacker’s progress.

These steps and plays are likely to be more generic and not nearly as exciting, but the opportunity to learn from them is equal to the ESPN play of the month. They are, however, equally important.
Robert Albach is the senior product manager for security at Cisco.



Leave a Reply

You must be logged in to post a comment.