Advanced malware protection in distribution and manufacturing environments
Rob Dolci, April 2016, copyright aizoOn USA.
aizoOn at a glance
aizoOn is a technology consulting firm with 500+ employees, focused on Smart Factory and Cybersecurity.
Offices: Europe (Bologna, Cuneo, Genova, Milano, Roma, Torino, Sheffield); USA (Troy, MI; Lewiston, ME; New York, NY; Cambridge, MA); Australia (Sydney).
Cyber scenarios: crime size and sophistication
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cyber scenarios: rapid detection and response
• “The average targeted malware compromise was present for 205 days before detection, longest presence being 2982 days, and 69% were discovered by third parties” (Mandiant, 2015)
• 160,000 new pieces of malware/day flood the internet
• Ensuing goals:
  • Managing behavioral expectations
  • Behavioral analytics
  • Incident response process and team
  • Tools to monitor people, process, technology
Cyber crime in manufacturing and distribution
• Steel mill brought to a standstill, with damage to a furnace, in 2014
• Automotive OEM: fewer welding spots applied on 10 cars, for blackmail purposes
• Emerging trends:
  • From stealing sensitive data (personal, financial) to IP infringement, to changing process parameters for damage or blackmail
  • Exploitation of old PLCs and communication protocols
  • With today's supply chains, disrupting shop floor or DC operations for a matter of minutes is enough to cause sizeable damage
23 Dec 2015, 3.35pm local time
• 7 x 110kV and 23 x 35kV substations disconnected for 3 hours
• 80,000 companies affected, with multiple business operations down at the last shipment hour before Christmas
• Hackers used:
  • Two separate SCADA hijack approaches
  • Spear phishing and social engineering to gain access
  • Remote access onto operators' HMIs
  • UPS systems, tricked into a scheduled service outage
Diagnosis of OT attacks
Cybersecurity gamut
Improving ARCHITECTURE
• Segment your network on the principle of least privilege
• Enable logging for both IT and OT assets
• Ensure your nodes (PCs, PLCs, switches) can capture data
• Keep the MD5 and SHA-256 digital hashes of the installers of your critical software
• Test, and keep testing, your tools and technologies for passive and active defense
• Prioritize and patch vulnerabilities
• Use two-factor authentication, and grant remote connections on a need-to-use basis
• Use system monitoring solutions
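As an added example (not part of the slides, nor aizoOn code), the Python script below shows how the installer-hash recommendation can be put into practice: installers of critical software are hashed in chunks with MD5 and SHA-256 and checked against a manifest kept on trusted storage. The manifest format, file names and digest values are constructed for the example; the listed digests are those of the three-byte file "abc".

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical manifest format (assumed, not from the slides): one installer per line,
# "<file name>  <md5 hex>  <sha256 hex>", kept on read-only or signed storage.
MANIFEST_TEXT = """
# critical software installers (constructed sample values: digests of the bytes b"abc")
hmi_setup.exe  900150983cd24fb0d6963f7d28e17f72  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) of a file, hashed in chunks so large installers need not fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def parse_manifest(text):
    """Parse the manifest into {file name: (md5_hex, sha256_hex)}, skipping blank and comment lines."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, md5_hex, sha256_hex = line.split()
        manifest[name] = (md5_hex.lower(), sha256_hex.lower())
    return manifest


def verify_installer(path, manifest):
    """Classify an installer as 'ok', 'unlisted', 'md5-only' or 'mismatch'.

    SHA-256 is the authoritative check: a file that matches MD5 but not SHA-256
    is still treated as tampered, because MD5 collisions are practical to construct.
    """
    name = os.path.basename(path)
    if name not in manifest:
        return "unlisted"
    expected_md5, expected_sha256 = manifest[name]
    md5_hex, sha256_hex = file_digests(path)
    # compare_digest avoids leaking the match position through timing; cheap habit to keep.
    md5_ok = hmac.compare_digest(md5_hex, expected_md5)
    sha256_ok = hmac.compare_digest(sha256_hex, expected_sha256)
    if md5_ok and sha256_ok:
        return "ok"
    if md5_ok and not sha256_ok:
        return "md5-only"
    return "mismatch"


def demo():
    """Constructed scenario: a pristine vendor copy, a tampered copy on a share, and an unlisted file."""
    manifest = parse_manifest(MANIFEST_TEXT)
    results = {}
    with tempfile.TemporaryDirectory() as vendor_dir, tempfile.TemporaryDirectory() as share_dir:
        pristine = os.path.join(vendor_dir, "hmi_setup.exe")
        with open(pristine, "wb") as fh:
            fh.write(b"abc")            # digests match the manifest entry
        tampered = os.path.join(share_dir, "hmi_setup.exe")
        with open(tampered, "wb") as fh:
            fh.write(b"abc\x00")        # same name, one extra byte appended
        unlisted = os.path.join(share_dir, "plc_tool.exe")
        with open(unlisted, "wb") as fh:
            fh.write(b"not in the manifest")
        results["pristine"] = verify_installer(pristine, manifest)
        results["tampered"] = verify_installer(tampered, manifest)
        results["unlisted"] = verify_installer(unlisted, manifest)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

An "unlisted" verdict is as important as a "mismatch": an installer nobody recorded a hash for should not reach a PLC programming station or HMI until it has been added to the manifest through the same controlled process.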
Improving PASSIVE Defense
• Whitelist, and periodically revisit, your applications
• Define, and periodically revisit, your demilitarized zone and your network segments
• Establish a central logging service so that FORENSIC evidence can be collected
• Implement alarm priorities for abnormal events
• Enforce a password policy, especially for VPN and admin accounts
• Protect against denial of service and known malware
• Install, and periodically revisit, an intrusion detection system that can quickly find intruders
Improving ACTIVE Defense
• Have cybersecurity analysts hunt for odd communications ENTERING AND LEAVING your network
• Continuously monitor your network
• Have incident handlers connected also to your Legal and Finance departments
• Use a Security Operations Center (SOC)
• Use backup and recovery tools to take images, especially of your supervisory environment (HMIs, MES, WMS, MOM)
• Train your analysts in YARA
aizoOn’s support to Cyber Security
aizoOn SECURITY covers: incident handling, application security, digital forensics, mobile security, embedded security, IoT security, and system & network security.
• Innovative product
• Full service provider
4 founding pillars for Aramis
Aramis is an advanced malware identification product designed to:
• IDENTIFY THREATS inside a network by highlighting the deviations from its normal behavior
• FOSTER HUMAN ANALYSIS using proprietary pre-attentive dashboards and graphics
• TAKE ADVANTAGE OF SPECIFICALLY DESIGNED BAYESIAN analysis engines and advanced deterministic rules
• COLLECT DATA PASSIVELY without altering the current network layout, therefore avoiding detection
Aramis Workflow
COLLECT → ENRICH → CORRELATE → VISUALIZE
Engine: Bayesian network self-learning engine
▌ HTTP requests and replies
▌ FTP activity
▌ SSL sessions
▌ SSL certificates used
▌ SMTP traffic on a network
▌ DNS activity on a network
▌ Connections
▌ Network activity on non-standard ports
▌ Files transmitted over the network
▌ Unexpected protocol-level activity
Consistency in the network is evaluated using ad hoc Bayesian network analysis. The consistency score is the level (between 0 and 100) of normality of the information in the data flow.
The Bayesian network analyzes different dimensions:
▌ Single Event Consistency
▌ Overall Consistency trend
User Experience: Pre-attentive
The aramis Risk Visualizer collates the information in pre-attentive dashboards, because in certain cases a person can understand and react faster than a computer. aramis gives the analyst the right tools to be aware of what is going on, in real time.
Goal of rapid response and detection, accomplished
Consistency of the model
The consistency score lies between 0% (complete inconsistency) and 100%. The algorithm evaluates how closely the observed behavior matches the real data flow when compared to history. The portion of data that does not seem consistent is segregated and presented to the operator for further inspection, to determine whether it is a threat or a simple anomaly.
After the initial period of self-learning, Aramis can be configured with a view to define «used» variables as the real independent ones, and «evaluated» variables as the dependent ones.
Consistency with Aramis
The choice of dependent and independent variables is based on the feedback from the initial learning period on the network and its real behavior. Learning follows the time function shown in the plot (learning level L versus time).
25 July 2015, 10:00-11:00: TCP scan with active SYN
200 clients, servers, printers, laptops, and smartphones were present on the network at that time. Notice how PC1 shows low consistency across Port & Machine.
25 July 2015, 10:00-11:00: we dig in PC1 and…
Comparing Duration and Probability we immediately see incoherent behavior in connections shorter than 110 milliseconds. The TCP protocol itself is not highlighted, since TCP is normal on this network; the anomaly in the connection durations is what confirms the port scan.

Duration (ms)    Probability
0 - 110.5        0.00020453
110.5 - 392.2    0.34148236
392.2 - 977.8    0.33416102
977.8 - Inf      0.32415209

Protocol    Probability
icmp        0.44343171
tcp         0.11313658
udp         0.44343171
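The following Python script is an added example, not the product's code, of how learned probability tables such as the two above turn into the 0-100 consistency scores described on the engine and "Consistency of the model" slides, both per event and as a trend, and how a machine such as PC1 ends up highlighted. The scoring rule (naive-Bayes likelihood of the observed duration bin and protocol relative to a uniform baseline, capped at 100), the moving-average trend, the per-host view, the flagging threshold and the connection records are all assumptions of the example; only the two probability tables come from the slide.

```python
from statistics import mean

# Learned probability tables, copied from the slide's Duration and Protocol panels.
DURATION_BINS = [  # (lower_ms inclusive, upper_ms exclusive, probability)
    (0.0, 110.5, 0.00020453),
    (110.5, 392.2, 0.34148236),
    (392.2, 977.8, 0.33416102),
    (977.8, float("inf"), 0.32415209),
]
PROTOCOL_PROBS = {"icmp": 0.44343171, "tcp": 0.11313658, "udp": 0.44343171}


def duration_probability(duration_ms):
    """Look up the learned probability of the duration bin a connection falls into."""
    for lower, upper, prob in DURATION_BINS:
        if lower <= duration_ms < upper:
            return prob
    raise ValueError(f"negative duration: {duration_ms}")


def event_consistency(duration_ms, protocol):
    """Single Event Consistency on a 0-100 scale (assumed scoring rule, not the product's algorithm).

    The naive-Bayes likelihood of the observed (duration bin, protocol) pair is compared with
    the likelihood a uniformly random pair would have: 100 means "at least as likely as chance",
    values near 0 mean the combination was almost never seen during the learning period.
    """
    likelihood = duration_probability(duration_ms) * PROTOCOL_PROBS[protocol]
    baseline = (1.0 / len(DURATION_BINS)) * (1.0 / len(PROTOCOL_PROBS))
    return min(100.0, 100.0 * likelihood / baseline)


def overall_trend(events, window=4):
    """Overall Consistency trend: moving average of event scores over the last `window` events."""
    scores = [event_consistency(d, p) for _host, d, p in events]
    return [mean(scores[max(0, i - window + 1):i + 1]) for i in range(len(scores))]


def host_consistency(events):
    """Average consistency per host, the 'Machine' view of the slide."""
    per_host = {}
    for host, duration_ms, protocol in events:
        per_host.setdefault(host, []).append(event_consistency(duration_ms, protocol))
    return {host: mean(scores) for host, scores in per_host.items()}


def flag_hosts(events, threshold=10.0):
    """Hosts whose average consistency falls below the threshold, to be handed to the analyst."""
    return sorted(host for host, score in host_consistency(events).items() if score < threshold)


# Constructed sample of one hour of connection records: (host, duration in ms, protocol).
# PC1 produces a burst of sub-110 ms TCP connections, the footprint a SYN scan leaves in flow data.
SAMPLE_EVENTS = [
    ("SRV1", 450.0, "udp"),
    ("SRV1", 1500.0, "tcp"),
    ("PRN2", 200.0, "icmp"),
    ("LAP3", 800.0, "tcp"),
    ("LAP3", 300.0, "udp"),
    ("PC1", 12.0, "tcp"),
    ("PC1", 9.0, "tcp"),
    ("PC1", 40.0, "tcp"),
    ("PC1", 15.0, "tcp"),
    ("PC1", 95.0, "tcp"),
    ("PC1", 8.0, "icmp"),
    ("PC1", 500.0, "tcp"),
]

if __name__ == "__main__":
    for host, score in sorted(host_consistency(SAMPLE_EVENTS).items()):
        print(f"{host}: {score:6.2f}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

With these tables a normal TCP connection scores around 45 (TCP is simply rarer than ICMP and UDP on this network) while a sub-110 ms connection scores below 0.2 regardless of protocol, which is why the duration dimension, not the protocol, is what drives PC1 below the threshold.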
Conclusion
• Risk from malware is a function of: cost to develop, volume, speed
• It is near impossible to analyze new malware, develop protection AND avoid infection. 205 days of dwell time = huge risk for the business
• A self-learning automated system is the only way, provided it can catch symptoms and unexpected behaviors
• Aramis and aizoOn's SOC represent effective risk management and remediation