ICS Village - ICS/ IOT Threat Landscape
Formal metadata
Number of parts | 335
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/48900 (DOI)
DEF CON 27 (326 / 335)
Transcript: English (automatically generated)
00:00
Yeah, so I'm on the Sherpa committee for that, so we organize this where we bring out the staffers. Obviously Representatives Lieu and Langevin didn't walk the floor this time, but they were actually out here as a part of that, and their staffers actually went through the villages. So we organized the schedule, and then we have multiple private
00:20
events outside of here also with them, and I just think that's really cool because, I mean, one of these things... yeah. So, I mean, the ICS Village, that's right over there. We're nonprofit, we're a 501(c)(3), and a lot of what we're doing is educating, for education and awareness, particularly with folks who actually control legislation that kind of
00:40
affects our lives. So it's great that they're actually out here at this and not just scared of all the, you know, dirty hackers. They're here at DEF CON. So all right, we'll get started. I like this to be interactive. There's two ways for this to be
01:00
interactive, where you guys can voluntarily interact or I can help you do it. If any of you have ever seen me speak before, you know how uncomfortable that can get. So what we're going to go through is the threat landscape: what did we see in 2018 in the industrial control system and Internet of Things landscape? So what
01:20
was actually happening, and where possible let's establish attribution: who is doing it? At the end of the day, while conferences like this are focused a lot on the technical side of how we might do these things, and we'll talk through that to some degree, I think it's important to recognize, particularly when we're looking at the fact that there's nation-state on nation-state, it's not just a technical question. There are multiple arrows in the quiver; cyber is
01:44
one of them to cause those effects. So who am I? I founded GRIMM and SCYTHE, and then with Tom Van Norman we both co-founded the ICS Village over here. We've been doing this for many years. I'm also on the board of advisors for the Army Cyber Institute and I'm a fellow at the
02:02
National Security Institute. Basically I don't have a life. So like I said, we're going to walk through the landscape, we're going to talk through particular types, and then I'm going to give you some references as well as give you a take-home lab. So who saw on the news what the Russians did this week? Nobody saw on the news what the Russians did this week? Did you
02:24
even look at the news? Because they do something every week. Raymond Blaine, what did they do? Damn it, you're the only, like, name I see. Anybody else I know in here? Didn't they arrest a bunch of folks, the Russians? I feel like that's every day. Kind of sucks to live there,
02:42
right? Kleptocracy. Okay, so the Russians just got caught using IoT devices for lateral movement. So there were three categories of devices. Microsoft's the one who caught them, and what they were doing was, first of all, compromising the IoT device and environment, which, guess what, is really easy to do. I give a talk showing how you can do that against tens of
03:03
thousands of devices across the planet with no technical experience or expertise. True story, I gave it at BSides Las Vegas this week. I've been giving this talk for two years, and what I was primarily trying to show is we get too focused, as consumers, on the creepiness of our IoT: somebody's
03:21
going to get into my webcam and watch me get out of the shower. As you can tell, nobody wants that. So that's not a problem, but that's not the real threat model. The real threat model is exactly what the Russians just did this week. I can easily get into an IoT device, and more importantly that device gives me a pivot point to get to something that I do want, something that is interesting. So I actually give you a take-home lab where you can do that in the comfort of
03:45
your own home. All right, so we've got through that. Okay, so in 2018, courtesy of Kaspersky, no irony there, a lot of companies get attacked. Most companies have had a breach, and we see this
04:03
kind of thing in the news all the time: we're all going to hell in a handbasket, we're all going to die tomorrow, the electric grid is fucked, what are we going to do? Yet here we are. So let's start with my very complex diagram explaining how OT is different from IT. Has everybody heard
04:21
of OT before? You know what that is? So OT, operational technology. This is how we are segregating that: the traditional infrastructure that we're used to, and that we're playing around with on our computers in our daily jobs, is separate from these computers that are providing us water and electricity and all the different parts of the infrastructure that
04:40
underpins modern society. Without these we go back to the Stone Age. Like I said, we have a very complex diagram to show that those are two different things. The other joke, of course, could be that they're air gapped. Everyone know what an air gap is? Has anyone ever actually seen a real air gap? No, because they don't actually exist. An air gap is not an air gap is not an
05:01
air gap. Not a single time in my entire life of pen testing in industrial control environments, where someone's like, these are air gapped, and I go... I just kind of stop and pause, like, raise the eyebrow, and they go, well, I mean, except when we do this, or every other Wednesday when we do this. There's always something that means they're not air gapped. So of course we hear all this
05:22
and we understand that computers increase our surface area, which increases our risk. So why are we introducing computers into something like the electric grid? If this is causing these problems, why are we doing it? Why don't we just make it simpler? Why don't we just go back to this? What changed, right? Something had to have changed. If we go back 30, 40 years ago there
05:45
were kind of computer things. Then something in the last 30 to 40 years substantially shifted the environment that has caused us to be here. Any guesses? Eye contact. What is it? No, you can't look away after I point at you. Technology? But yeah, so the reason
06:03
there's more technology is technology. Yes, sir? Because I want to work remotely, right, that drives efficiency. But I mean, if it really was that kind of risk then I would say, you know, I'm not gonna let you do that. But yeah, that is a factor. But what is the significant change? The way the managers... managers like to look cool. Who doesn't like pretty colors?
06:33
See, I was in the military. This is how you made generals happy: every general had some color that he liked or she liked, and you'd be like, ah, he's the light blue one, she kind of likes
06:43
an aqua, and god forbid you put the wrong color in there, because it didn't matter what the content was. Funny, but no, not true. So what actually changed is 30 years ago power was generated at a plant and transmitted to you, the consumer, one direction. Today it's no
07:05
longer one direction, right? Consumers, through renewables like solar energy, now contribute power back into the grid, and what used to be a very simple unidirectional thing, where I had to worry about remote administration and efficiencies and I was looking for those kinds of things, now
07:20
I need the computers to handle the exponentially more complex electric grid, because of the fact that, well, it sounds like it's easier because one way this way and one way that way, except the physics of electricity make that a much more complex problem. That's why we're here. Okay, here's our actors. Anybody out there that surprises you? Nope, we know who they are, right? Whenever
07:46
you hear people talking about the complexities of attribution, at the end of the day I think we can kind of look at motives and determine a lot of what's happening. You don't always have to do all the technical forensics to figure it out. So I will argue there's one flag that's not up here that should be. Any guesses? That is China, America, UK, China, Israel, Russia,
08:10
North Korea and Iran. Vietnam. In the last year we have seen the Vietnamese conducting nation-state espionage at an extreme level, where they... the part that has been
08:25
publicly disclosed, and everything I say is going to be open source of course, they are hacking all of the car manufacturing plants in their country and stealing everything out of it. So Vietnam gets honorable mention. All right, let's start with the first one: Olympic
08:41
Destroyer. So originated during the 2018 Olympics, hence the name. Started with spear phishing, so targeted phishing with a weaponized document. People pop that open, created a data or a network worm that then started worming its way through things. One of the things they did that was interesting is this concept of a data wiper. What a data wiper is, is exactly
09:00
what it sounds like: I'm going to do destructive things. I'm going to be on any computer I go on, I'm gonna start deleting things. Now there's two reasons why I want to do that. One could be that my interest is chaos and I'm trying to actually cause destruction on your network. The second is it's also awfully hard to do forensics and incident response when I'm destroying the data of what you're trying to find. The reason that there are three flags up
09:25
here for attribution is because a significant amount of deception has been used in this, so it's kind of difficult. We know it's one of these three. From a motive perspective, we saw Olympic Destroyer appear again attacking European bio labs. Does anybody remember how the Russians didn't cheat in the Olympics? Yeah, it's like every Rocky movie, right? So from a
09:46
perspective that would seem to be the Russians. However, some of the techniques and tradecraft, and the fact that there was a focus on money, indicates either China or North Korea. The North Koreans in particular: who remembers the Cold War money? If you're old, raise your hand.
10:02
Most of us are old at this point. The Soviet Union had rubles. Do you remember any, have you ever seen rubles before, like, the fall of communism? No. Rubles were worthless. Rubles only mattered inside the Soviet Union, and even then they barely did. They needed hard currency.
10:21
The US dollar is the currency of choice across the world for the financial system. It underpins everything, you can trade in and out of it. You couldn't do that with rubles. So as a Soviet, you needed to get your hands on hard currency, dollars, to be able to do things overseas or, of course, get luxury goods for the apparatchiks at the top of the communist chain there. North Koreans, same kind of problem. Nobody cares about their currency, they're in a
10:45
closed economy, they're locked out of the world stage. So if, you know, Dear Leader wants whiskey and Ferraris, he can't buy it with the local currency. He needs the US dollars, he needs hard currency, he needs a foreign currency. So their primary motive from the cyber perspective is theft,
11:01
and we see this where they're attacking banks and they're attacking different parts of critical infrastructure from a financial perspective. UN report that just came out the other week: the UN has classified that they have managed to steal two billion dollars alone. WannaCry. So WannaCry was not in 2018, it originally appeared in 2017 targeting Windows.
11:24
We all remember that one, took down a significant part of the hospital system in the United Kingdom. But what is interesting is a variant reappeared in 2018. So when I gave this talk at RSA, I just happened to meet the CISO at Apple the night before for drinks, and I was about to tell
11:44
him how I had this slide laid out, because the Taiwanese manufacturer went down. That's not an error: a quarter of a billion dollars of impact. And the word on the street was actually that Apple's shipping was delayed because the entire manufacturing plant went down. How it was introduced was, and this is a problem that we see a lot in manufacturing plants, in
12:04
industrial control systems, is the gold image that was used. Because these things are old, couldn't be patched, was susceptible. Supplier brought it in, installed it on a system inside the manufacturing plant, and then, because WannaCry actually couldn't beacon out, it compromised everything it could touch and continued to move, trying to find its way out,
12:23
and took the entire plant down. North Korea, by accident. They didn't intend to infect it; this is a supplier who just happened to have had an image that was infected and introduced
12:40
it. I know, it's great, isn't it? All right, TRISIS. So also started off in 2017. They used a combination of phishing and a watering hole approach. So watering hole is: I study the habits of the employees at your company, and I look for the forums, I look for the websites they
13:01
go to. Forums are great because there are a lot of errors in parsing, so it's really easy for me to post something there that creates malicious content that then is served to anybody that goes there, and of course I've profiled that your employees go there. Particularly you. Sorry, somebody else, I know, I get them. Another example of, again, we see them targeting
13:27
IT with trying to move laterally over to operational technology, because again, where's that air gap? In the 2017 attack they were attacking the safety instrumented system. That's a big deal. So in industrial control systems this is the thing that's operating all of the
13:43
sensors and the computers that are actually changing things in the physical environment. This is my view as a safety engineer of understanding what exactly is happening and if it's in tolerance. Most compute, like a PLC, which is actually what's changing what's happening in the physical environment for industrial controls, they're dumb computers. All they do... I don't have to
14:03
hack a PLC, all I have to do is tell a PLC what to do. They don't validate me, they don't look for authority, they don't even go, that sounds like a stupid idea, I'm gonna be doing this if I do it. They don't have that kind of understanding. That's what the SIS does, and so that attack in 2017 was incredibly dangerous because of that. We saw it appear in 2018
14:23
targeting the US oil and natural gas pipelines. So a variant came out. This one is great because of how it leaked. This is again putting on my I Am The Cavalry hat, one of the reasons why responsible disclosure is so important. In this instance that 2017 malware was uploaded to VirusTotal, where it was freely available for anybody to download. So the reason that we have
14:46
no attribution is anybody anywhere in the world was able to download that malware, make a few modifications, and then launch it again in 2018 against the US. We remember this one, right?
15:04
2016. However, did you notice nothing happened in 2018? So this is where we credit the Russians for what happened in 2016 and credit them for their attempts in 2018. However, the American flag goes up there. The US government deployed a different strategy in responding, and this is, I'm
15:21
putting this under the critical infrastructure piece because obviously voting machines aren't industrial control systems, but first Cyber Command found the Russian agents, or I mean the glorious patriots, who were conducting these campaigns, and on their computers a message popped up and said,
15:40
hi, we're the US government, we know what you're doing. Now the problem with that is, as scary as that might be to anybody individually that the US government is saying hello, it's not as scary as the GRU agent who's right behind you who's like, you will continue, right? So, all right, I'm gonna keep doing that. So I have a phrase: a hacker can't hack what they can't touch.
16:04
So just like that, what Cyber Command did is they actually took down the entire IT infrastructure of the Internet Research Agency in Leningrad, so they weren't even able to get out. So it didn't even matter what their intent was anymore, they weren't able to effectively meddle because they were taken offline. So, summary of what we saw in '18. First of all, we saw more
16:25
activity. Guess what happens when I do this again next year for 2019? We're gonna see more. The primary point here is that what we're seeing in critical infrastructure attacks is these are iterative intelligence campaigns. We don't have much proof that what is intended is destructive.
16:44
What we definitely have proof of is intent to learn and to move and to continue to worm into the infrastructure. Ransomware is becoming popular. Ransomware has two benefits: one, it's destructive; two, it looks like it's not intended, it can be destructive by, you know, by accident. So
17:03
it kind of questions what the intent is. One of my five-year kind of predictions, and this is gonna kind of, hopefully you won't feel bad, well, we'll try to end on a positive note somewhere, is at some point in the next five years I think that somewhere in the world somebody is gonna clearly wake up the next morning, they were coming from DEF CON, they'll probably be hung
17:22
over, they're gonna get their coffee, they're gonna work their way down to their car to go to work, and the second they turn on that car the infotainment system is gonna pop up ransomware: send three bitcoins to turn it on. I promise you, within five years that's gonna happen somewhere in the world. I have it, it sounds funny but it sucks. Living off the land: attackers
17:42
aren't bringing their own tools to the game. They are taking what's already there in that environment and using it against you. Supply chain: just like we saw with the hack against the Taiwanese manufacturing plant, suppliers are a part of your risk model. Anything that touches your infrastructure is a part of your risk model. It's no longer just you anymore.
18:04
All right, so we're gonna quickly go through some consumer devices here. This was me last year with Yahoo Finance walking the floor of the Consumer Electronics Show, actually here in Vegas. If you think DEF CON is big, imagine six times as many people in this city. It's ridiculous.
18:22
And what we saw is every device there, first of all, all of these IoT devices, everything is trying to go to the cloud. If you want to really have fun plugging an IoT device in your home, check the packets and see where they're going. I have not seen a single device yet that I've plugged in that is not going to China. Now I'm not suggesting that's nefarious or malicious, I'm just
18:43
suggesting every single one goes to China, which is where they're made. And then the other thing, of course, is now we want to talk to our devices, so these devices are always listening to you and they're always talking somewhere else. Did you know that a smart TV costs less than a TV with
19:03
no functionality? Why is that? Anyone got a guess? What's that? Yes, they make money off your telemetry, they make money off your data. You are no longer just making the devil's bargain when you're on Facebook, you're now making it when you buy a TV. You're also making
19:24
it when you buy a car. Now there are multiple models where the car manufacturers are looking at how and what they can take from you, from your data, when you drive your car. So, state of affairs. This is the IoT hack I was talking about. They targeted... the Russians this week just got
19:43
caught by Microsoft targeting three IoT categories. I will share the lab so you can do this at home. It'll show you how to find them, how to deploy proof of concepts. If you don't want to write your own proof of concepts, just go to GitHub and type in IoT POC or IoT vulnerability. There were 28,000 commits the last time I looked, so free code out there to do it. Who patches their IoT? Who
20:04
patches their devices at home? It'll work. I am NOT suggesting you do that on anything other than your own equipment in your own house, right? Let's not break the law. But Microsoft caught them. We
20:22
don't know what the intent was because they weren't able to laterally move to their targets of interest, but they were able to get there, and then they started employing traditional IT implants to move further. All right, so in IoT, other than the lateral vector which I just mentioned, we see pretty much three common attacks. The first of all is what I'd like
20:44
to describe as the Brian Krebs attack. This is where Mirai... we saw a million devices harnessed to take him down, and it worked. I mean, there was nothing anybody could do against that. These devices by themselves, not a lot of computational power, not a lot of bandwidth, times a million,
21:01
this would be a lot. Ransomware, described. And then, depending on whenever John McAfee tells us something is unhackable and Bitcoin, that drives the prices: cryptojacking is stealing your cycles to harvest coins. So first problem we see: two kinds of attacks that are primarily out there in
21:21
the wild. One is the Mirai type attack. Something like 90% of all IoT devices are shipped with about 10 different combinations of user IDs and passwords. All I gotta do is try them. That's how Mirai got millions of devices, that was it. Anything I saw, I just tried those combinations.
21:40
Do you think they even locked you out after three? How many people in this room monitor the devices on their own network at home? Yeah, right. So, and you're not doing it in real time, so you're not going to stop me before I get there, so I can brute force that. More complex is the Reaper/IoTroop. So I just talked about the number of commits on GitHub that provide
22:03
these kinds of proof of concepts. What they did is they went and found 65 proof of concepts that are out there, n-days, and of course we're not patching these, and all they did was enumerate the device. They went, they enumerated it, aka fingerprinted: I know exactly this device, I match it to my catalog of exploits and I'm in. Those are the two primary campaigns we've seen.
22:24
That's all it takes. Oh, this is kind of a fun one. So one other example of lateral movement is: did you know a casino here in Las Vegas was compromised by a fish tank? So you were, I believe you were the one who said remote administration, yeah. So they had
22:43
access to monitor the temperature of the fish tank. Pop the fish tank, once we're in the fish tank we looked around, moved in, and robbed the casino. We think that was the Iranians. So references for more info: of course my nonprofit, the ICS Village, IoT Security
23:03
Foundation, and I Am The Cavalry. Come look for me on Twitter, Bryson Bort; that's where the GitHub is published if you want to do the take-home lab, so you can do your own, on your own devices, compromise and movement. Any questions? Yeah.
23:40
So the question is where companies are selling out our data, and am I educating Congress
23:51
on that? Yeah, yes. All right, well, thank you. If you haven't seen the CTF, if you haven't seen the
24:03
ICS Village, go check it out. Appreciate your attention.