Tag Archives: prevention strategy

Triton: Dangerous and Puzzling – Part III

18 March 2018

The reports published on Triton so far give no hint on how the attack was started. With Occam’s razor in mind I concluded in part II of this post series that it is very likely, that the attacker compromised the Engineering Service Providers (ESP) network and the systems used for developing the SIS software. Since the next software update is sure to come, it is only a matter of time until the SIS installation in the production network gets compromised.

In this part I will talk about how to prevent and protect against such attacks.

Part III: Prevention and Protection

To protect against such kind of attacks data integrity must be ensured across the entire supply chain.

Ensure Integrity Across the Supply Chain

Ensure Integrity Across the Supply Chain

Engineering Service Provider’s responsibilities

Build: The ESP must make sure that the project data and software cannot be compromised in his facilities during software design and build.

Transfer: The ESP must secure the data against manipulation during transport.

Plant Operator’s responsibilities

Validate: After handover, the operator must check that the software and project data fulfil only the intended functions, before the SIS or DCS is updated. This must be governed by a Standard Operating Procedures (SOP) with formal approvals.

Install: The operator must follow a SOP for secure update of SIS and DCS software.

In the following section I will give some best practice to achieve data integrity across the supply chain. Anti-malware solutions are not listed because they are industry standard. Nevertheless, it is important to note that in Triton like cases pattern based anti-malware solutions will not prevent or protect against the attack. Pattern based anti-malware solutions protect only against malware “in the wild”. That’s not the case here, thus we have to apply other means to ensure integrity.


Development network

  • Perform all project work in an isolated Development Network (D-NET) with a Development DMZ (D-DMZ).
  • Control remote access to the D-DMZ through a user proxy to allow access for authorized staff only. Two Factor Authentication is mandatory for access to the D-DMZ.
  • For remote user access to the D-NET use a jump station in the D-DMZ.
  • Terminate all connections from the Office Network to the D-NET in the D-DMZ.
  • Terminate all connections from the D-NET in the D-DMZ.
  • If an SIS or DCS is operated in the D-NET, it should be placed in an isolated in a network  zone (D-SIS) in the D-NET. Allow only incoming connections from the engineering station to the SIS or DCS. Terminate all outgoing connections from the D-SIS in the D-NET.

Data exchange

  • For data exchange with the Office network allow only outgoing connections from the D-DMZ to dedicated systems/ports in the Office network.
  • Don’t use the SMB protocol for exchange of data between the office network and the D-DMZ and D-NET.
  • Implement Network Access Control (NAC) in the D-DMZ and D-NET to block connections of untrusted devices.
  • Never connect mobile workstations used in the D-NET or D-DMZ to other networks and vice versa. Once such a workstation was connected to a network outside the D-NET or D-DMZ it is potentially compromised.

System hardening

  • Block all USB disk devices in the D-NET.
  • Block all internet access and e-mail in the D-DMZ and D-NET.
  • Lock down all workstations and servers in the D-NET and D-DMZ.
  • Perform regular integrity checks on all systems in the D-NET and D-DMZ.

Software development best practice

  • Set up software version control for all development work.
  • If contractually possible, handover only sources, makefiles and checksums to the operator.

  • Secure network transfer is the method of choice. Bundle all sources in an encrypted archive. Send the encryption key in a secure e-mail to the operator.
  • If transfer by USB devices is required use only USB devices with AES hardware encryption and key pad. Run a secure before the new software is copied.

  • Extract the software to a trusted development system in an isolated network zone of the operators network.
  • Validate the checksums of the sources and makefiles against the supplied checksum details.
  • Build the software.
  • Install the software on a test system and verify that only the intended functions are implemented.

  • Use a secure transfer method to move the new software and project data to the SIS or DCS  network.
  • Install the software with regards to the corresponding SOP.

Have a great week.

Advertisements

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In article ‘Mitigation strategies for data-wiping malware’ published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they got access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

A mere detection strategy will fail in the defense of cyber-attacks. Just like a mere prevention strategy.

10 May 2015

Article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO at Invincea, in the May edition of The Cyber Intelligencer is worth to read and comment.

For years now detection is praised from all cyber defense experts and system vendors as the spearhead in the defense of cyber-attacks. Gartner Security Analyst Neil MacDonald’s puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record any events from any server, database, firewall, application server, network, etc. With big data methods your data scientist will find every small hint to a cyber-attack from this universe of data, in the best case only some minutes after the attack happened, in the worst case some month later or never. In the meantime the cyber attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators becomes a victim of a phishing attack. An attacker steals the password for the administrator account of one of your member servers and signs in to the system. He debugs the LSASS process to get access to the password hashes or the plain text password or runs a DLL injection attack against the LSASS process.

Both events are recorded in the event log of the member server. Both events are hints to cyber-attacks and must be directly investigated. But it is very likely that these events are never investigated because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers the attacks are detected within minutes and proper measures can be taken.

In my opinion a successful defense strategy requires a finely balanced mixture of both detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!