,
25 tweets,
11 min read
Read on Twitter
Today at #S4x19, @electricfork and I debated different sides of "if OT tools and talent are needed to detect attacks on ICS." Some thoughts on ICS attacks and #TRITON in a tweep thread.
.@FireEye blogged/presented about #TRITON and some of the incident response activities in depth by @voteblake and friends in late 2017, fireeye.com/blog/threat-re… and
#TRITON was "unprecedented" it was "sophisticated" and it was "the first of its kind." It was also leaked to the internet (not by us), so nobody saw any other pieces, or talked about *how* the intrusion took place from an attacker TTP perspective.
In the #TRITON intrusion from the IT -> DMZ -> DCS -> SIS there were about 100 compromised systems, 99 of which were conventional Windows workstations and servers.
The #TRITON attackers used (or were observed using) DNS, HTTP, HTTPS, SSH, DCE/RPC, SMB, RDP protocols for various forms of interaction and C2. There were many connections directly to the internet.
The #TRITON attackers used Nmap, Iperf3, and other free utilities to perform internal reconnaissance and identified hosts and services on the "OT" network.
The #TRITON attackers used many sysinternals utilities including, but not limited to, PsExec, ADExplorer, ShareEnum, AccessEnum, ProcExp and so forth.
The #TRITON attackers lived off the land with things like PowerShell, ping, net, vssadmin. Standard stuff.
The #TRITON attackers used all the cats. Netcat, cryptcat, and @gentilkiwi's Mimikatz, the latter of which was used both in PE and PowerShell script form. #meow
When the jig was finally up, and remediation close, the #TRITON attackers did a quick smash and grab by stealing a fresh set of creds, SIS controller memory and project files from the SIS engineering workstation.
In June 2018, @reesespcres and I talked about "how" the malware developer(s) reverse engineered the #TriStation network protocol, fireeye.com/blog/threat-re…
In Oct 2018, @FireEye discussed elements of attribution and "who was behind" the #TRITON framework, fireeye.com/blog/threat-re…
If the #TRITON intrusion is a general exemplar for how ICS attacks occur, I see more similarities than I see differences from conventional intrusions in any other sector.
The notion of "ICS" is an artificial defender construct. Attackers see computers and networks. They don't care about the Purdue model. They follow a predictable attack lifecycle over the course of an intrusion.
The majority of so-called attacks on ICS are underpinned by basic computer intrusions enabled by conventional TTPs, tools and malware to serve as a conduit for impacting an industrial process. I think that we are best served by detecting adversary methods via @MITREattack TTPs
When ESET exposed #INDUSTROYER they extensively documented the unique attributes of the ICS tailored malware. Behind the scenes, the attack involved mostly conventional intrusion TTPs. #xp_cmdshell
There aren't that many ICS attacks/intrusion cases in the public discourse, and those that are discussed publicly often leave out the actual intrusion evidence and data. I want hard evidence, yo.
N anecdotes on ICS attacks do not meet our desired confidence interval or burden of proof, and even if N was sufficient, the opacity of shared data from these intrusion stories leave us without sufficient data to make a decision on how to best detect these things.
People in cybersecurity prefer to share what is new, novel, different rather than what is the same, even though what is the same offers a better basis for detection opportunities.
All of that said, what the hell do I know. I'm a newb in the ICS space. I came to #S4x19 to learn, not simply to pontificate and agree with myself. I'm looking for someone to convince me differently.
Are there any bona fide intrusions on ICS that show technical/forensic evidence contrary to my thesis? Show me the # of compromised systems. Show me the # of non Windows/Linux malware. Show me the forensic data. Convince me. Let's talk.
Nobody needs more #TRITON rumination from me. There are lots of great takes on the intrusion, malware, ICS attacks etc from other folks and its all just a google away.
If you're from the IT side and new to ICS threat stuff, I think you'll find @DragosInc blogs, @RobertMLee's robertmlee.org/tag/reading-li… and videos from S4 events youtube.com/channel/UC5MdL… extremely instructive.
