Date posted: 19-Feb-2017 | Category: Technology | Uploaded by: jan-seidl
Reducing attack surface on ICS with Windows native solutions
Jan Seidl
Who?
Jan Seidl (@jseidl), Security Researcher
Brazilian, despite Dutch name and German surname
And that's my full name.
Rio de Janeiro
Who? (cont)
Speaker at: Hackers 2 Hackers Conference, CeBIT Hannover, Defcon Bangalore, Brazil Automation, FISL (Intl. Free Software Forum) & more
Co-author of “Seguranca de Automacao Industrial e SCADA”(SCADA & Industrial Automation Security)
first book on this subject in Brazilian Portuguese
Who? (cont)
Certifications:
Birth Certificate
Yellow Fever Vaccination (As useful as a CISSP on proving infosec expertise)
Local Pub Contest Winner “Speed Tequila Shots”
Who? (cont)
Features:
*NIX/BSD freak
Digital tools blacksmith / python & C lover
Lousy guitar player
Coffee dependent
Hates printers, doesn't like social networks (any of them)
Selectively-social
A huge number of ICS/SCADA systems run on Windows OS
DEC VAX & other *NIXes → Windows Family (XP mostly)
Standard axioms
Once installed, not much changes on machine (not even patches)
Clear (?) network connection matrix
Custom scripts (bat/vbs) might be used
Terminal Services probably will be used for remoting if needed
Let's make those Windows harder
Steps for lockdown – The Hardening 101: the things you may already know
Start with all the basic steps for your everyday hardening:
Remove software (Games, Word, Windows Messaging)
Disable services
Restrict/tune file-system access
Perform service-user/account separation + least privilege
You know Windows has a native host-based firewall, right?
Firewall adds up:
Prevents backdoors from listening for connections
Prevents malware/shell from communicating with attacker machine (if egress filtering is done properly)
Separates local-interface services (which sometimes listen globally) from the external world
Firewall doesn't solve:
Abusing existing allowed ports: shut down the original service, listen on its port
Abusing existing connections: http://www.slideshare.net/bz98/defcon-22-bypass-firewalls-application-white-lists-secure-remote-desktops-in-20-seconds
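A default-deny host firewall of the kind the slides describe, as an added example that is not the deck's own material. It uses netsh advfirewall (Vista/7/2008 and later); the program path, addresses and ports are assumed placeholders:

```powershell
# Added example (not from the slides): default-deny Windows Firewall policy for an ICS host via
# netsh advfirewall (Vista/7/2008 and later; XP's older 'netsh firewall' cannot filter egress).
# Program path, addresses and ports are constructed placeholders for illustration.
$HmiExe    = 'C:\ICS\hmi.exe'   # assumed ICS application (path kept free of spaces for netsh)
$Historian = '10.10.20.5'       # assumed historian/server the HMI must reach
$JumpHost  = '10.10.30.10'      # assumed admin workstation allowed to use WinRM

# Default deny in both directions on every profile; log drops so a backdoor trying to
# listen or call home shows up in the firewall log instead of silently working.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles logging droppedconnections enable

# Egress: only the ICS application may talk to the historian, and only on that port.
netsh advfirewall firewall add rule name=ICS-HMI-to-historian dir=out action=allow `
    program=$HmiExe protocol=TCP remoteip=$Historian remoteport=502

# Ingress: WinRM (PowerShell Remoting) from the jump host only. Nothing else is reachable,
# so a service that binds to 0.0.0.0 is still only usable over loopback (loopback is exempt).
netsh advfirewall firewall add rule name=WinRM-from-jump-host dir=in action=allow `
    protocol=TCP localport=5985 remoteip=$JumpHost

# Check 1: a plain outbound connection (the classic malware/shell callback) must now fail.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect('198.51.100.7', 80)        # TEST-NET address, constructed for the check
    $tcp.Close()
    Write-Warning 'Outbound connection succeeded: egress filtering is NOT in effect'
} catch {
    Write-Output 'Outbound connection blocked as expected'
}
# Check 2: list what is allowed out; every entry here should map to a known ICS data flow.
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Program|RemoteIP'
```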
White-listing: explicitly allowing programs and scripts
Problem:
Employees intentionally install unauthorized software and/or employees are fooled into running unauthorized software
Software carries or is malware that compromises the machine
Attackers can deploy tools locally for lateral movement
App Locker: Windows 7/2008 R2 and above
Software Restriction Policies: Windows XP / Vista
Restriction strategies:
Path-based (support env. vars., registry keys)
Certificate-based
Hash-based (md5 or sha1)
Zone-based (irrelevant for now, just mentioning)
About scripting:
AppLocker/SRP cannot restrict code running within environments (Office VBS, Perl, Python interpreters etc)
CMD, BAT, VBS and PowerShell scripts can be individually signed
Whitelisting adds up:
Prevents unauthorized software from running (hacker tools, misbehaving employees)
Allows controlled use of scripts
Flexibility enables security with minor (yeah, I know) business/operation hog
Whitelisting doesn't solve:
In-memory code execution (e.g. DLL injection): http://leastprivilege.blogspot.com.br/2013/04/bypass-applocker-by-loading-dlls-from.html
Allowed application exploitation
OS or enforcement application vulns/0days
Running DLLs from rundll32.exe: https://www.attackdebris.com/?p=143
Keep a close eye on rundll32
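The AppLocker workflow behind these slides (inventory a reference host, generate publisher and hash rules, test, roll out in audit mode, watch rundll32 in the audit log), as an added example that is not from the deck; the ICS directory, file names and the event-message parsing are assumptions:

```powershell
# Added example (not from the slides): build an AppLocker policy for an ICS host (Windows 7 /
# 2008 R2 and later) from a reference machine, test it, roll it out in audit mode, and watch
# the audit events. Directory and file paths are constructed placeholders.
Import-Module AppLocker
$IcsDir    = 'C:\ICS'                    # assumed ICS software directory
$PolicyXml = 'C:\ICS\applocker-ics.xml'  # where the generated policy is saved

# 1. Inventory what is actually installed on a known-good host: EXEs, DLLs, scripts, MSIs.
$files = @(Get-AppLockerFileInformation -Directory $IcsDir -Recurse -FileType Exe, Dll, Script, WindowsInstaller)
$files += @(Get-AppLockerFileInformation -Directory "$env:windir\System32" -FileType Exe)

# 2. Publisher rules where the vendor signs (they survive patches), hash rules for the rest.
#    -AuditOnly: log what would be blocked without stopping anything on the plant floor yet.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix ICS -Optimize -AuditOnly
$policy.ToXml() | Out-File -FilePath $PolicyXml -Encoding UTF8

# 3. Ask the policy before enforcing: the HMI must pass, a dropped tool must not. rundll32 will
#    usually pass via the Microsoft publisher rule, which is exactly why the deck says to watch it.
$checks = @("$IcsDir\hmi.exe", "$env:TEMP\tool.exe", "$env:windir\System32\rundll32.exe")
Test-AppLockerPolicy -PolicyObject $policy -Path $checks -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally; AppLocker only enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 5. In audit mode, event 8003 = "allowed, but would have been blocked if enforced".
#    Anything launched outside the ICS directory, or via rundll32, deserves a look.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    ForEach-Object {
        # message starts with the path in AppLocker's %OSDRIVE% notation; normalise it
        $path = ($_.Message -split ' was allowed to run')[0] -replace '^%OSDRIVE%', $env:SystemDrive
        if ($path -notlike "$IcsDir\*" -or $path -match 'rundll32') {
            Write-Warning ('{0}  {1}' -f $_.TimeCreated, $path)
        }
    }
```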
EMET: Enhanced Mitigation Experience Toolkit
Plugging up applications' holes
Problem (example scenario):
All software on Machine M001 is unpatched
ICS software was coded by people without a secure SDLC mindset
Lots of software vulns. are present and won't be fixed soon
EMET – System-wide protections
EMET – Application-specific protections
EMET adds up:
Reduces impact/likelihood of 0day exploitation
Adds complexity to attacks
Foils most off-the-shelf exploits
Bypassing EMET is not impossible, but it's tricky:
“We started looking at EMET since version 4.0 and it’s come a long
way since. There's no doubt that Microsoft are stepping up their efforts
at making EMET ever more effective. This sort of layered defense goes
a long way in disrupting commodity attacks and increasing the level of
effort required for successful exploitation.”
https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
Bypassing EMET is not impossible, but it's tricky:
“We found that EMET was very good at stopping pre-existing
memory corruption attacks (a type of hacker exploit). But we
wondered: is it possible for a slightly more technical attacker to bypass
the protections offered in EMET? And yes, we found ways to bypass all
of the protections in EMET.”
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
Bypassing EMET is not impossible, but it's tricky:
“(…) But truth be told EMET has tons of good protections which
render a lot of methods useless (…) EMET fights tough, more than any
public exploit mitigation solution out there. A lot tougher than MBAE
and enterprise exploit detection products.
But if we get to study the system, it's only a matter of time.”
http://casual-scrutiny.blogspot.com.br/2015/03/defeating-emet-52.html
EMET caveats:
Application might still be exploitable by other means
EMET can be bypassed with a good amount of effort
Some applications might not play well with EMET
Windows XP has very limited support
PowerShell Remoting and JEA
Because most of the times you don't really need Terminal Service
Problem (example scenario):
Machine M001 runs Software XYZ
Software XYZ runs as Administrator
User ABC needs to restart Software XYZ
User ABC ends up with Administrator account on Machine M001
PS Remoting and JEA adds up:
Enables remote operation without Terminal Service
Enables restricted operation environment
Works cross-domains
PS Remoting and JEA caveats:
Requires Windows Management Framework (WMF) 5.0
Requires some coding knowledge
Requires some more attention to PS traffic on your wires
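The M001 / XYZ / ABC scenario above solved with a JEA endpoint, as an added example that is not from the deck; the module name, file paths and the assumption that Software XYZ runs as a Windows service named XYZ are mine:

```powershell
# Added example (not from the slides): a JEA endpoint on Machine M001 that lets user ABC restart
# Software XYZ without holding an Administrator account (needs WMF 5.0+). M001, ABC and XYZ come
# from the deck's scenario; the module name, paths and "XYZ is a Windows service" are assumptions.
$ModulePath = "$env:ProgramFiles\WindowsPowerShell\Modules\ICSOps"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'ICSOps.psd1')   # role capabilities must live in a module

# Role capability: only Restart-Service / Get-Service, and only for service XYZ.
# No shell, no other cmdlets, no free-form parameters.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'XYZOperator.psrc') `
    -Description 'Restart ICS software XYZ only' `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } }
    )

# Session configuration: restricted endpoint, runs as a temporary virtual account with local
# admin rights (so ABC never needs them), every session transcribed for later review.
$TranscriptDir = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
New-PSSessionConfigurationFile -Path 'C:\JEA\ICSOps.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ 'M001\ABC' = @{ RoleCapabilities = 'XYZOperator' } }   # domain or local account

Test-PSSessionConfigurationFile -Path 'C:\JEA\ICSOps.pssc'   # syntax check before registering
Register-PSSessionConfiguration -Name ICSOps -Path 'C:\JEA\ICSOps.pssc' -Force

# What ABC can now do from a jump host, with no Terminal Services session and no admin account:
#   Invoke-Command -ComputerName M001 -ConfigurationName ICSOps -ScriptBlock { Restart-Service -Name XYZ }
# Any other service name fails parameter validation, any other cmdlet is simply not there:
#   Invoke-Command -ComputerName M001 -ConfigurationName ICSOps -ScriptBlock { Get-Command }
Get-PSSessionConfiguration -Name ICSOps | Select-Object Name, Permission
```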
Implementation techniques for the goodies: standalone or centralized deployments
Deploy from your domain or configure locally:
Firewall rules
EMET install / updates / configuration
Software Restriction Policies (Win XP / Vista)
App Locker policies (Win 7+)
Suitable for mixed environments:
Software Restriction Policies & App Locker can coexist
Basic firewall rules apply across Windows XP/Vista/7/8
Appropriate version of EMET can be deployed to specific hosts
Summing up:
Unauthorized code execution (Whitelisting, AppLocker/SRP)
Unauthorized network communication (Native host-based firewall)
Exploitation mitigation (EMET)
Attackers' face upon realizing you've implemented all that stuff
If the ICS world allowed us to have nice things
Like last-generation tech, at least...
Configuration management is the word
Windows PowerShell Desired State Configuration (DSC)
DSC provides a set of Windows PowerShell language extensions, new
Windows PowerShell cmdlets, and resources that you can use to
declaratively specify how you want your software environment to be
configured.
https://technet.microsoft.com/en-us/library/dn249912.aspx
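An added example (not the deck's) of a DSC configuration that declares some of the states covered above; the service names, the AppLocker XML path, the file share and the use of netsh for the firewall check are assumptions, and only built-in DSC resources are used:

```powershell
# Added example (not from the slides): a DSC configuration declaring part of the hardening state
# from this deck (unneeded service off, AppLocker policy applied, firewall default deny) so
# drift is reported by Test-DscConfiguration. Paths and share are constructed; built-in resources only.
Configuration IcsHostBaseline {
    param([string[]]$ComputerName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $ComputerName {
        Service RemoteRegistryOff {                  # a service the ICS host does not need
            Name = 'RemoteRegistry'; StartupType = 'Disabled'; State = 'Stopped'
        }
        Service AppIdSvcOn {                         # AppLocker enforcement needs this one
            Name = 'AppIDSvc'; StartupType = 'Automatic'; State = 'Running'
        }
        File AppLockerPolicyXml {                    # managed copy of the policy XML
            DestinationPath = 'C:\ICS\applocker-ics.xml'
            SourcePath      = '\\fileserver\ics\applocker-ics.xml'   # assumed share
            Ensure = 'Present'; Checksum = 'SHA-256'; MatchSource = $true
        }
        Script AppLockerApplied {                    # effective policy must equal managed policy
            DependsOn  = '[File]AppLockerPolicyXml', '[Service]AppIdSvcOn'
            TestScript = {
                $want = [xml](Get-Content 'C:\ICS\applocker-ics.xml' -Raw)
                $have = [xml](Get-AppLockerPolicy -Local -Xml)
                $want.OuterXml -eq $have.OuterXml
            }
            SetScript  = { Set-AppLockerPolicy -XmlPolicy 'C:\ICS\applocker-ics.xml' }
            GetScript  = { @{ Result = (Get-AppLockerPolicy -Local -Xml) } }
        }
        Script FirewallDefaultDeny {                 # blockinbound,blockoutbound on all profiles
            TestScript = {
                $state = netsh advfirewall show allprofiles
                -not ($state -match 'AllowInbound|AllowOutbound')
            }
            SetScript  = { netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound }
            GetScript  = { @{ Result = (netsh advfirewall show allprofiles | Out-String) } }
        }
    }
}
IcsHostBaseline -OutputPath 'C:\DSC\IcsHostBaseline'          # compile the MOF
Start-DscConfiguration -Path 'C:\DSC\IcsHostBaseline' -Wait -Verbose
Test-DscConfiguration -Detailed                               # on later runs: report drift
```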
Questions?
Thanks for your time!
[email protected] // @jseidl // wroot.org
Slides: http://slideshare.net/jseidl | Code: http://github.com/jseidl