• About
  • Advertise
  • Contact
Wednesday, March 3, 2021
No Result
View All Result
NEWSLETTER
iotphoenix
  • Home
  • Tech

    Electronics should sweat to cool down, say researchers

    Network slicing: Wireless virtualization to build 5G services and conserve spectrum

    What is a VPN

    Arista adds IoT, remote-work management to campus family

    IoT and AI boost Volvo Trucks vehicle connectivity

    Startup EdgeQ offers 5G and AI for the edge

    Trending Tags

    • IIoT
    • You’re probably doing your IIoT implementation wrong
    • Splunk debuts IIoT product for in-depth analytics
  • Mobile
  • Internet of Things
  • Technology Industry
  • Networking
  • Software
  • Cloud Computing
  • Security
  • Home
  • Tech

    Electronics should sweat to cool down, say researchers

    Network slicing: Wireless virtualization to build 5G services and conserve spectrum

    What is a VPN

    Arista adds IoT, remote-work management to campus family

    IoT and AI boost Volvo Trucks vehicle connectivity

    Startup EdgeQ offers 5G and AI for the edge

    Trending Tags

    • IIoT
    • You’re probably doing your IIoT implementation wrong
    • Splunk debuts IIoT product for in-depth analytics
  • Mobile
  • Internet of Things
  • Technology Industry
  • Networking
  • Software
  • Cloud Computing
  • Security
No Result
View All Result
iotphoenix
No Result
View All Result
Home Analysis

October 2020 Guest Opinion: Detecting an Advanced ICS Attack

by iotadmin
January 15, 2021
in Analysis, Guest Opinions, Insider Insights
0 0
0
0
SHARES
6
VIEWS
Share on FacebookShare on Twitter
October 13, 2020

By David Masson, Director of Enterprise Security, Darktrace

Darktrace OT threat finds: Detecting an advanced ICS attack targeting an international airport

As Industrial Control Systems (ICS) and traditional IT networks converge, the number of cyber-attacks that start in the corporate network before spreading to operational technology has increased dramatically in the last 12 months. From North Korean hackers targeting a nuclear power plant in India to ransomware shutting down operations at a US gas facility, and across Honda’s manufacturing sites, 2020 has been the year OT attacks have become mainstream.

Darktrace recently detected a simulation of a state-of-the-art attack at an international airport, identifying ICS reconnaissance, lateral movement, vulnerability scanning and protocol fuzzing – a technique in which the attacker sends nonsensical commands over an ICS communication channel in order to confuse the target device, causing it to fail or reboot.

Darktrace’s Industrial Immune System detected every stage of the sophisticated attack, using AI-powered anomaly detection to identify ICS attack vectors without a list of known exploits, company assets, or firmware versions. The attacker leveraged tools at every stage of the ICS kill chain, including ICS-specific attack techniques.

Any unusual attempts to read or reprogram single coils, objects, or other data blocks were detected by Cyber AI, and Darktrace’s Cyber AI Analyst also automatically identified the activity and created summary reports detailing the key actions taken.

The attack spanned multiple days and targeted the Building Management System (BMS) and the Baggage Reclaim network, with attackers utilizing two common ICS protocols (BacNet and S7Comm) and leveraging legitimate tools (such as ICS reprogramming commands and connections through SMB service pipes) to evade traditional, signature-based security tools.

Attack details

Figure 1: Timeline of the attack

In the first stage of the attack, a new device was introduced to the network, using ARP spoofing to evade detection from traditional security tools. At 11.40 am, the attacker scanned a target device and attempted to brute-force open services. Once the target device had been hijacked, the attacker then sought to establish an external connection to the Internet. External connections should not be possible in ICS networks, but attackers often seek to bypass firewalls and network segregation rules in order to create a command and control (C2) channel.

Figure 2: Darktrace Threat Tray 15 minutes after the pentest commenced. High-level model breaches have already alerted the analyst team to the attack device.

The hijacked device then began performing ICS reconnaissance using Discover and Read commands. Darktrace identified new objects and data blocks being targeted as part of this reconnaissance, and detected ICS devices targeted with unusual BacNet and Siemens S7Comm protocol commands.

Figure 3: Model alerts associated with ICS reconnaissance over BacNet. Machine learning at the ICS command level detected new and unusual BacNet objects being targeted by the attacker.

The attacker enumerated through multiple ICS devices in order to perform lateral movement throughout the ICS system. Once they had learned device settings and configurations, they used ICS Reprogram and Write commands to reconfigure machines. The attacker attempted to use known vulnerabilities to exploit the target devices, such as the use of SMB, SMBv1, HTTP, RDP, and ICS protocol fuzzing.

Figure 4: Visualization of the device enumeration performed by the attacker against multiple ICS controllers. The attacker used ICS Discover commands as part of the initial reconnaissance.

The attacker took deliberate actions to evade the airport’s cyber security stack, including making connections using ICS protocols commonly used on the network to devices which commonly use those protocols. While legacy security tools failed to pick up on this activity, Darktrace’s deep packet inspection was able to identify unusual commands used by the attacker within those ‘normal’ connections.

The attacker used ARP spoofing to slow any investigation using asset management-based security tools – including two other solutions being trialed by the airport at the time of the attack. They also used multiple devices throughout the intrusion to throw defense teams off the scent.

Darktrace’s AI technology also launched an automated investigation into the incident. The Cyber AI Analyst identified all of the attack devices and produced summary reports for each, showcasing its ability to not only save crucial time for security teams, butbridge the skills gapbetween IT teams and ICS engineers.

Figure 5: The Cyber AI Analyst threat tray at the end of day 1. Both devices used by the attacker have been identified.

The Cyber AI Analyst immediately began investigating after the first model breach, and continued to stitch together disparate events across the network to produce a natural language summary of the incident, including recommendations for action.

Figure 6: AIA incident summary at the end of day 2, detailing the use of SMB exploits as part of the attack chain against one of the ICS devices.

Potential ramifications

Had the attack been allowed to continue, the attackers – potentially activist groups, terrorist organizations, and organized criminals – could have caused significant operational disruption to the airport. For example, the BMS is likely to manage temperature settings, the sprinkler system, fire alarms and fire exits, lighting, and doors in and out of secure access areas. Meddling with any one of these could cause severe disruption at an airport, with significant financial and reputational effects. Similarly, access to baggage reclaim networks could be used by criminals seeking to smuggle illegal goods or steal valuable cargo.

This simulation showcases the possibilities for an advanced cyber-criminal looking to compromise integrated IT and OT networks. The majority of leading ICS ‘security’ vendors are signature-based, and fail to pick up on novel techniques and utilization of common protocols to pursue malicious ends – this is why ICS attacks have continued to hit the headlines this year.

The incident showcases the extent of Cyber AI’s detections in a real-world ICS environment, and the level of detail Darktrace can provide following an attack. As Industrial Control Systems become increasingly integrated with the wider IT network, the importance of securing these critical systems is paramount. Darktrace provides a unified security umbrella with visibility and detection across the entire digital environment.

Thanks to Darktrace analyst Oakley Cox for his insights on the above investigation.

Learn more about the Industrial Immune System

Darktrace model detections:

  • ICS / Unusual ICS Commands
  • ICS / Multiple New Reprograms
  • ICS / Multiple New Discover Commands
  • ICS / Rare External from OT Device
  • ICS / Uncommon ICS Protocol Warning
  • ICS / Multiple Failed Connections to ICS Device
  • ICS / Anomalous IT to ICS Connection

David Masson is Darktrace’s Director of Enterprise Security, and has over two decades of experience working in fast moving security and intelligence environments in the UK, Canada and worldwide. With skills developed in the civilian, military and diplomatic worlds, he has been influential in the efficient and effective resolution of various unique national security issues. David is an operational solutions expert and has a solid reputation across the UK and Canada for delivery tailored to customer needs. At Darktrace, David advises strategic customers across North America and is also a regular contributor to major media outlets in Canada where he is based, included CBC and The Globe and Mail. He holds a master’s degree from Edinburgh University.

Download Premium WordPress Themes Free
Download Best WordPress Themes Free Download
Download Nulled WordPress Themes
Free Download WordPress Themes
lynda course free download
download samsung firmware
Download Nulled WordPress Themes
udemy paid course free download
Tags: Artificial Intelligence
iotadmin

iotadmin

Next Post

New AI Chips, Managed Services Among Flood from AWS at re:Invent 2020

Recommended

The Upload: Your tech news briefing for Monday, February 2

1 year ago

Top auto makers rely on cloud providers for IoT

1 year ago

Popular News

    Buy CBD Online

    • CBD Oils
    • CBG
    • Sleep spray
    • CBD gummies
    • buy CBD oil
    • Dab pens
    • CBD Patches
    • CBD pills
    • Pet CBD
    • CBD for pain
    • CBD for sleep
    • CBD Flower
    Facebook Twitter Youtube RSS

    Newsletter

    Subscribe our Newsletter to get our latest updates.

    Loading

    Category

    • Analysis
    • Careers
    • Cloud Computing
    • Data Centers
    • Databases
    • Guest Opinions
    • Hardware
    • Infrastructure
    • Insider Insights
    • Internet of Things
    • IT Leadership
    • Mobile
    • Networking
    • New Connections
    • News
    • Open Source
    • Opinion
    • Research
    • Security
    • Software
    • Software Development
    • Technology Industry
    • Uncategorized
    • Unified Communications
    • Videos
    • Virtualization
    • WAN

    About Us

    Advance IOT information site of Phoenix USA

    © 2019-20 iotphoenix.com.

    No Result
    View All Result
    • Home
    • Internet of Things
    • Security
    • WAN
    • Cloud Computing
    • Data Centers
    • Mobile
    • Networking
    • Software
    • Technology Industry

    © 2019-20 iotphoenix.com.

    Login to your account below

    Forgotten Password?

    Fill the forms bellow to register

    All fields are required. Log In

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In