DeepSec 2018 Talk: Defense Informs Offense Improves Defense – How to Compromise an ICS Network and How to Defend It – Joe Slowik
Industrial control system (ICS) attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. Yet when the situation, and especially recent attacks, is viewed from a defender's perspective, nothing could be further from the truth. Initial access, lateral movement, and entrenchment within an ICS network are achieved, and probably work best, through variations of 'pen tester 101' actions combined with some knowledge of the environment and living off the land. Only after initial access is achieved and final targets are identified do adversaries need to deepen their knowledge of ICS-specific environments in order to deliver disruptive (or destructive) effects. The result is a potentially large pool of adversaries capable of conducting such operations.
Examining concrete ICS attack examples allows us to explore just what is needed to breach and impact industrial environments. More importantly, using malware and data captured from recent attacks, specifically TRISIS and CRASHOVERRIDE, defenders can identify how the attackers 'messed up' their operations and why a simpler, more direct approach to achieving offensive goals would likely be not only more effective but also far more difficult for defenders to catch.
Following this examination, offense might be better able to attack networks, but defenders will now be clear on what actions and measures are necessary to protect ICS networks from attack. Specifically, host-based approaches, network proxies for host-based logging, and architectural solutions will be covered in brief to outline the requirements for effective defense in ICS environments against even the most savvy adversaries.
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other data available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to ‘take the fight to the adversary’ by applying forward-looking, active defense measures to constantly keep threat actors off balance.