Reducing attack surface on ICS with Windows native solutions

Date post: 19-Feb-2017
Upload: jan-seidl
Transcript
Page 1: Reducing attack surface on ICS with Windows native solutions

Reducing attack surface on ICS with Windows native solutions

Jan Seidl

Page 2

Who?

Jan Seidl, @jseidl
Security Researcher

Brazilian, despite the Dutch name and German surname

And that's my full name.

Page 3

Rio de Janeiro

Page 4

Who? (cont)

Speaker at: Hackers 2 Hackers Conference, CeBIT Hannover, Defcon Bangalore, Brazil Automation, FISL (Intl. Free Software Forum) & more

Co-author of “Segurança de Automação Industrial e SCADA” (SCADA & Industrial Automation Security)

The first book on this subject in Brazilian Portuguese

Page 5

Who? (cont)

Certifications:

Birth Certificate

Yellow Fever Vaccination (As useful as a CISSP on proving infosec expertise)

Local Pub Contest Winner “Speed Tequila Shots”

Page 6

Who? (cont)

Features:

*NIX/BSD freak

Digital tools blacksmith / Python & C lover

Lousy guitar player

Coffee dependent

Hates printers, doesn't like social networks

Selectively-social

Page 7

A huge number of ICS/SCADA systems run on Windows

DEC VAX & other *NIXes → Windows family (mostly XP)

Page 8

Standard axioms

Once installed, little changes on the machine (not even patches)

Clear (?) network connection matrix

Custom scripts (bat/vbs) might be in use

Terminal Services will probably be used for remote access if needed

Page 9

Let's make those Windows harder

Page 11

Steps for lockdown – The Hardening 101

The things you may already know

Page 12

Start with all the basic steps of everyday hardening:

Remove unneeded software (games, Word, Windows Messaging)

Disable services

Restrict/tune file-system access

Perform service-user/account separation + least privilege

Page 13

You know Windows has a native host-based firewall, right?

Page 15

What the firewall adds:

Prevents backdoors from accepting inbound connections (with inbound default-deny)

Prevents malware/shells from calling back to the attacker's machine (if egress filtering is done properly)

Isolates services meant for the local interface (which sometimes listen on all interfaces) from the outside world
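This is what the default-deny posture above looks like in practice, as an added example that is not from the slides. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later; on Windows 7 and Vista the same rules are created with netsh advfirewall, on XP with netsh firewall, which filters inbound only). The addresses, the vendor binary path and the rule names are assumptions chosen for the example.

```powershell
# Added example (not from the slides). Assumed layout: the HMI process is
# C:\Program Files\VendorHMI\hmi.exe, PLCs live on 10.10.1.0/24 (Modbus/TCP 502),
# the historian is 10.10.2.5 (TCP 1433) and 10.10.9.10 is the only jump host
# allowed to reach WinRM. All of these are hypothetical values.
$Hmi       = 'C:\Program Files\VendorHMI\hmi.exe'
$Plcs      = '10.10.1.0/24'
$Historian = '10.10.2.5'
$JumpHost  = '10.10.9.10'

# 1. Default-deny in both directions on every profile, and log what gets dropped.
#    Outbound default-deny is what turns the firewall into real egress filtering.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 2. Disable the pre-installed allow rules except core networking (ICMP, DHCP, ...),
#    so nothing but the rules below opens a port. Review this list on a test host first.
Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' -and $_.DisplayName -notlike 'ICS-*' } |
    Disable-NetFirewallRule

# 3. Explicit allow rules, each tied to a program, a peer and a port.
New-NetFirewallRule -DisplayName 'ICS-Out-Modbus-HMI-to-PLCs' -Direction Outbound -Action Allow `
    -Program $Hmi -Protocol TCP -RemotePort 502 -RemoteAddress $Plcs -Profile Any
New-NetFirewallRule -DisplayName 'ICS-Out-Historian' -Direction Outbound -Action Allow `
    -Program $Hmi -Protocol TCP -RemotePort 1433 -RemoteAddress $Historian -Profile Any
# WinRM over HTTPS, only from the jump host; this is the transport PowerShell Remoting uses.
New-NetFirewallRule -DisplayName 'ICS-In-WinRM-HTTPS-from-JumpHost' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $JumpHost -Profile Any

# 4. Verify: profile defaults, our rules, and which services still listen on all interfaces
#    (those are the "local" services the default-deny now shields from the network).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'ICS-*' | Get-NetFirewallPortFilter
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort
```

Step 2 is the aggressive part: disabling the stock allow rules also removes remote administration, file sharing and discovery, which is the point on an HMI, but run it once on a test machine and read the drop log before rolling it out.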

Page 16

What the firewall doesn't solve:

Abuse of already-allowed ports: shut down the original service and listen on its port

Abuse of existing connections:
http://www.slideshare.net/bz98/defcon-22-bypass-firewalls-application-white-lists-secure-remote-desktops-in-20-seconds

Page 17

White-listing

Explicitly allowing programs and scripts

Page 18

Problem:

Employees intentionally install unauthorized software, and/or employees are fooled into running unauthorized software

That software is, or carries, malware which compromises the machine

Attackers can then drop tools locally for lateral movement

Page 19

Software Restriction Policies: Windows XP / Vista (still available on later versions)

AppLocker: Windows 7 / 2008 R2 and above (not every client edition: Windows 7 needs Ultimate or Enterprise)

Page 20

Restriction strategies:

Path-based (supports environment variables and registry-key paths); the weakest option: any allowed directory a user can write to defeats it

Certificate-based (publisher rules); survives vendor updates as long as the signer stays the same

Hash-based (MD5 or SHA-1 in SRP, SHA-256 in AppLocker); the strictest, but every patched binary needs a new rule

Zone-based (irrelevant for now, just mentioning)

Page 21

About scripting:

AppLocker/SRP cannot restrict code run inside an allowed interpreter (Office VBA macros, Perl, Python, etc.): once the interpreter is allowed, everything it loads is allowed

Scripts that carry an Authenticode signature (PowerShell .ps1, Windows Script Host .vbs/.js) can be individually signed and allowed by publisher rule; batch files (.bat/.cmd) carry no signature, so they need hash rules
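The following is an added example (not the author's), showing how the policy described on the last few slides is built on a single host with PowerShell: default path rules for the OS, publisher or hash rules for the vendor software, Authenticode signatures on the operator scripts, a dry run with Test-AppLockerPolicy, and audit mode before enforcement. The directories, the timestamp server and the file names are assumptions.

```powershell
# Added example, not from the slides. Assumptions: vendor software under
# C:\Program Files\VendorHMI, operator scripts under C:\Ops\Scripts, a code-signing
# certificate in the machine store, and C:\Policy as staging directory.
$VendorDir = 'C:\Program Files\VendorHMI'
$ScriptDir = 'C:\Ops\Scripts'
$PolicyDir = 'C:\Policy'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# AppLocker rules are enforced by the Application Identity service; if it is not
# running the rules are silently ignored, so make it automatic and start it.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service AppIDSvc

# 1. Baseline path rules in the spirit of the GUI "default rules": everyone may run what
#    lives in %WINDIR% and %PROGRAMFILES% (AppLocker expands the latter to both Program
#    Files directories), local Administrators may run anything. %WINDIR%\* still contains
#    user-writable subdirectories (Temp, Tasks, ...) that deserve explicit deny rules.
function New-BaselinePolicyXml {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $ruleFmt = '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
               '<Conditions><FilePathCondition Path="{3}"/></Conditions></FilePathRule>'
    $collections = foreach ($type in 'Exe', 'Dll', 'Script', 'Msi') {
        $rules = @(
            ($ruleFmt -f [guid]::NewGuid(), "$type - Windows",        'S-1-1-0',      '%WINDIR%\*')
            ($ruleFmt -f [guid]::NewGuid(), "$type - Program Files",  'S-1-1-0',      '%PROGRAMFILES%\*')
            ($ruleFmt -f [guid]::NewGuid(), "$type - Administrators", 'S-1-5-32-544', '*')
        )
        '<RuleCollection Type="{0}" EnforcementMode="{1}">{2}</RuleCollection>' -f $type, $Mode, ($rules -join '')
    }
    '<AppLockerPolicy Version="1">{0}</AppLockerPolicy>' -f ($collections -join '')
}
$baselinePath = Join-Path $PolicyDir 'baseline.xml'
New-BaselinePolicyXml -Mode AuditOnly | Set-Content -Path $baselinePath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $baselinePath        # replaces the local policy

# 2. Sign the operator scripts so they can be allowed by publisher rather than by path.
$signer = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1
if (-not $signer) { throw 'No code-signing certificate found in Cert:\LocalMachine\My' }
Get-ChildItem -Path $ScriptDir -Filter *.ps1 -Recurse | ForEach-Object {
    Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $signer -HashAlgorithm SHA256 `
        -TimestampServer 'http://timestamp.digicert.com' | Out-Null   # timestamp URL is an example
}

# 3. Inventory the vendor binaries and the scripts and turn them into rules:
#    publisher rules where a signature exists, SHA-256 hash rules otherwise.
$files = @(Get-AppLockerFileInformation -Directory $VendorDir -Recurse -FileType Exe, Dll, Script, WindowsInstaller) +
         @(Get-AppLockerFileInformation -Directory $ScriptDir -Recurse -FileType Script)
$vendorPath = Join-Path $PolicyDir 'vendor.xml'
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix VendorHMI -Optimize -Xml | Set-Content -Path $vendorPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $vendorPath -Merge   # merge into the baseline, keep its enforcement mode

# 4. Dry run against the effective policy before touching enforcement mode.
#    Expected: the vendor binary is Allowed, the download is DeniedByDefault.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -User Everyone -Path (Join-Path $VendorDir 'hmi.exe'), 'C:\Users\ops\Downloads\tool.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Run in AuditOnly for a while, then review what would have been blocked. Events 8003
#    (EXE/DLL) and 8006 (MSI/script) are audit hits; 8004 / 8007 are real blocks.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
# When the audit log is clean, regenerate the baseline with -Mode Enabled and re-apply both files.
```

Two things to watch: the Dll collection is enforced here as well, so any library the vendor process loads from outside the inventoried directory (C:\ProgramData is a common one) shows up as an 8003 audit event and needs its own rule; and on PowerShell 5 an enforced Script collection also drops unallowed PowerShell sessions into Constrained Language mode, which is desirable but will surprise anyone with an unsigned ad-hoc script.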

Page 22

What whitelisting adds:

Prevents unauthorized software from running (attacker tools, employees' own installs)

Allows controlled use of scripts

The flexibility of the rule types gets you security with only minor (yeah, I know) disruption to business/operations

Page 23

What whitelisting doesn't solve:

In-memory code execution (e.g. DLL injection into an allowed process)
http://leastprivilege.blogspot.com.br/2013/04/bypass-applocker-by-loading-dlls-from.html

Exploitation of an allowed application

Vulnerabilities/0-days in the OS or in the enforcement mechanism itself

DLLs run through rundll32.exe (an allowed, Microsoft-signed binary) when the DLL rule collection is not enforced
https://www.attackdebris.com/?p=143

Page 25

Keep a close eye on rundll32
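One way to keep that close eye with nothing but the Windows event log, as an added example that is not from the slides: turn on process-creation auditing with command lines, then flag every rundll32.exe launch whose DLL argument does not come from a trusted directory. The sample command lines are constructed for the example; the trusted-root list is an assumption and should include the vendor's install directory.

```powershell
# Added example, not from the slides. Needs Windows 8.1 / Server 2012 R2 or later
# (Windows 7 / 2008 R2 with KB3004375) for the CommandLine field in event 4688.

# 1. One-time setup: audit process creation and include the command line.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1

# 2. Pure check on a command line: returns the offending DLL path, or $null if benign.
#    Trusted roots are an assumption; extend them with the vendor's install directory.
function Test-Rundll32CommandLine {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine,
        [string[]]$TrustedRoots = @("$env:windir\")
    )
    # Match "rundll32[.exe] <dll>[,entry]" with or without quotes around the DLL path.
    if ($CommandLine -notmatch '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $null }
    $dll = $Matches[1].Trim()
    if ($dll -notmatch '[\\/]') { return $dll }   # bare name: resolved via the search path, so opaque to us
    foreach ($root in $TrustedRoots) {
        if ($dll.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $null }
    }
    return $dll
}

# 3. Pull 4688 events and apply the check. Field names come from the event's XML payload.
function Get-SuspiciousRundll32 {
    param([int]$MaxEvents = 5000, [string[]]$TrustedRoots = @("$env:windir\"))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.NewProcessName -notmatch '(?i)\\rundll32\.exe$') { return }
        $dll = Test-Rundll32CommandLine -CommandLine ([string]$data.CommandLine) -TrustedRoots $TrustedRoots
        if ($dll) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Parent  = $data.ParentProcessName
                Dll     = $dll
                Command = $data.CommandLine
            }
        }
    }
}

# Constructed sample command lines (not from a real log). Only the first one is benign.
$samples = @(
    'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    'rundll32.exe "C:\Users\ops\AppData\Local\Temp\update.dll",DllMain',
    'rundll32 \\10.10.9.55\share\x.dll,Run',
    'rundll32.exe helper.dll,Init'
)
foreach ($s in $samples) {
    [pscustomobject]@{ CommandLine = $s; Flagged = Test-Rundll32CommandLine -CommandLine $s }
}

# Live run over the Security log of this host.
Get-SuspiciousRundll32 | Format-Table -AutoSize
```

On a locked-down HMI the list of legitimate rundll32 command lines is short and stable, so anything this function flags is worth a ticket; on a general-purpose workstation you would first whitelist the Control Panel and shell entries that show up in the first day of data.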

Page 26

EMET

Enhanced Mitigation Experience Toolkit

Plugging up applications' holes

Page 27

Problem (example scenario):

All software on Machine M001 is unpatched

The ICS software was written by people without a secure-SDLC mindset

Lots of software vulnerabilities are present and won't be fixed soon
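A practical first step for this scenario, as an added example that is not part of the deck: before deciding which EMET protections M001 needs, check which of the vendor's binaries were even built with DEP and ASLR opted in. The function reads the DllCharacteristics field of the PE optional header directly, so it needs no tooling beyond PowerShell; the vendor directory is an assumption.

```powershell
# Added example, not from the slides. Reads the PE optional header to see whether a
# binary opted in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE); old ICS software often did
# neither, which is exactly what EMET's system-wide "Always On" settings are for.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { Write-Warning "$Path is not an MZ executable, skipped"; return }
        $fs.Position = 0x3C                              # e_lfanew: offset of the PE header
        $peOffset = $br.ReadUInt32()
        $fs.Position = $peOffset
        if ($br.ReadUInt32() -ne 0x00004550) { Write-Warning "$Path has no PE signature, skipped"; return }
        # 4-byte signature + 20-byte COFF header, then the optional header starts
        $optHeader = $peOffset + 4 + 20
        $fs.Position = $optHeader
        $magic = $br.ReadUInt16()                        # 0x10B = PE32, 0x20B = PE32+
        $fs.Position = $optHeader + 70                   # DllCharacteristics, same offset in both formats
        $dllChar = $br.ReadUInt16()
    } finally {
        $fs.Dispose()
    }
    [pscustomobject]@{
        Path          = $Path
        Is64Bit       = ($magic -eq 0x20B)
        DynamicBase   = [bool]($dllChar -band 0x0040)   # ASLR opt-in
        NxCompat      = [bool]($dllChar -band 0x0100)   # DEP opt-in
        HighEntropyVA = [bool]($dllChar -band 0x0020)   # 64-bit ASLR with full entropy
        NoSeh         = [bool]($dllChar -band 0x0400)   # image declares it uses no SEH handlers
        GuardCF       = [bool]($dllChar -band 0x4000)   # Control Flow Guard instrumented
    }
}

# Scan the vendor directory (assumed path) and list every image that lacks DEP or ASLR.
# These are the candidates for application-specific EMET entries, or for system-wide
# DEP=AlwaysOn / mandatory ASLR if the vendor process can tolerate it.
$VendorDir = 'C:\Program Files\VendorHMI'
Get-ChildItem -Path $VendorDir -Recurse -Include *.exe, *.dll -File |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Where-Object { -not ($_.DynamicBase -and $_.NxCompat) } |
    Format-Table Path, Is64Bit, DynamicBase, NxCompat, HighEntropyVA, NoSeh, GuardCF -AutoSize
```

A process is only as randomized as its least-randomized module, so one vendor DLL without DYNAMIC_BASE gives an exploit writer a fixed address space to work with; that is the module to bring up with the vendor, and in the meantime the reason to force ASLR on the whole process rather than rely on the opt-in flags.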

Page 29

EMET – System-wide protections

Page 30

EMET – Application-specific protections

Page 32

What EMET adds:

Reduces the likelihood/impact of 0-day exploitation

Adds complexity to attacks

Foils most off-the-shelf exploits

Page 33

Bypassing EMET is not impossible, but it's tricky:

“We started looking at EMET since version 4.0 and it’s come a long way since. There's no doubt that Microsoft are stepping up their efforts at making EMET ever more effective. This sort of layered defense goes a long way in disrupting commodity attacks and increasing the level of effort required for successful exploitation.”

https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/

Page 34

Bypassing EMET is not impossible, but it's tricky:

“We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit). But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET.”

http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/

Page 35

Bypassing EMET is not impossible, but it's tricky:

“(…) But truth be told EMET has tons of good protections which render a lot of methods useless (…) EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products. But if we get to study the system, its only a matter of time.”

http://casual-scrutiny.blogspot.com.br/2015/03/defeating-emet-52.html

Page 37

EMET caveats:

The application might still be exploitable by other means (logic bugs, weak authentication, the protocol itself)

EMET can be bypassed with enough effort

Some applications don't play well with EMET (test each mitigation per application before enforcing it)

Windows XP has very limited support

EMET itself reached end of support in July 2018; on Windows 10 the equivalent mitigations live in Exploit Protection

Page 38

PowerShell Remoting and JEA

Because most of the time you don't really need Terminal Services

Page 39

Problem (example scenario):

Machine M001 runs Software XYZ

Software XYZ runs as Administrator

User ABC needs to restart Software XYZ

User ABC ends up with an Administrator account on Machine M001
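Solving this scenario with JEA instead of a local Administrator account, as an added example that is not from the slides. It assumes that Software XYZ is installed as a Windows service named XYZ, that the operators are members of a local group OpsUsers on M001, and that WinRM over HTTPS already works between the jump host and M001; the paths are arbitrary.

```powershell
# Added example, not from the slides. Run once on M001 as an administrator (WMF 5.0+).
# Assumptions: Software XYZ is a Windows service called 'XYZ', operators are members of
# the local group OpsUsers, and WinRM is reachable from the jump host.
$ModuleRoot = 'C:\Program Files\WindowsPowerShell\Modules\XyzOps'
$CapDir     = Join-Path $ModuleRoot 'RoleCapabilities'
$SessionCfg = 'C:\JEA\XyzOps.pssc'
New-Item -ItemType Directory -Path $CapDir, 'C:\JEA\Transcripts' -Force | Out-Null
# Role capability files must live in a RoleCapabilities folder of a module on the module path.
New-ModuleManifest -Path (Join-Path $ModuleRoot 'XyzOps.psd1') -Description 'JEA role capabilities for XYZ operators'

# 1. Role capability: exactly the verbs the operator needs, with the service name pinned.
#    Restart-Service -Name is restricted to XYZ; Get-Service may only look at XYZ.
New-PSRoleCapabilityFile -Path (Join-Path $CapDir 'XyzRestart.psrc') -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } },
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'XYZ' } }
)

# 2. Session configuration: no language, no file system, runs as a temporary virtual
#    account that is local admin only for the duration of the command, full transcripts.
New-PSSessionConfigurationFile -Path $SessionCfg `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ "$env:COMPUTERNAME\OpsUsers" = @{ RoleCapabilities = 'XyzRestart' } }
if (-not (Test-PSSessionConfigurationFile -Path $SessionCfg)) { throw 'Invalid session configuration file' }

# 3. Register the endpoint (this restarts WinRM) and show what an operator would see.
Register-PSSessionConfiguration -Name XyzOps -Path $SessionCfg -Force | Out-Null
Get-PSSessionCapability -ConfigurationName XyzOps -Username "$env:COMPUTERNAME\abc" |
    Select-Object Name, CommandType

# --- From the jump host, user ABC restarts the service without ever holding admin rights:
# Invoke-Command -ComputerName M001 -UseSSL -ConfigurationName XyzOps -Credential M001\abc `
#     -ScriptBlock { Restart-Service -Name XYZ; Get-Service -Name XYZ }
# Anything else, e.g. Restart-Service -Name Spooler or Get-Process, is rejected by the endpoint.
```

The transcript directory is the audit trail for the endpoint, so lock its ACL down to SYSTEM and the security team and ship it off-host. If XYZ is an interactive GUI application rather than a service, the same endpoint works, but the visible command becomes a small function you write (stop the process, start it in the right session) instead of Restart-Service.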

Page 41

What PS Remoting and JEA add:

Remote operation without Terminal Services

A restricted operating environment (only the commands the role needs)

Works across domains

Page 42

PS Remoting and JEA caveats:

JEA requires Windows Management Framework (WMF) 5.0, so Windows 7 SP1 / 2008 R2 SP1 or later (plain PS Remoting has been available since PowerShell 2.0)

Requires some coding knowledge

WinRM traffic (TCP 5985/5986) is one more thing to watch on your wires

Page 43

Implementation techniques for the goodies

Standalone or centralized deployments

Page 44

Deploy from your domain (Group Policy) or configure locally:

Firewall rules

EMET install / updates / configuration

Software Restriction Policies (Windows XP / Vista)

AppLocker policies (Windows 7+)

Page 45

Suitable for mixed environments:

Software Restriction Policies and AppLocker can coexist (SRP for the XP/Vista hosts, AppLocker for Windows 7+)

Basic firewall rules apply across Windows XP/Vista/7/8 (the XP firewall is inbound-only; egress filtering needs Vista or later)

The appropriate EMET version can be deployed to specific hosts

Page 46

Summing up:

Unauthorized code execution (Whitelisting, AppLocker/SRP)

Unauthorized network communication (Native host-based firewall)

Exploitation mitigation (EMET)

Page 47

Attackers' faces upon realizing you've implemented all this stuff

Page 48

If the ICS world allowed us to have nice things

Like last-generation tech, at least...

Page 49

Configuration management is the word

Page 50

Windows PowerShell Desired State Configuration (DSC)

“DSC provides a set of Windows PowerShell language extensions, new Windows PowerShell cmdlets, and resources that you can use to declaratively specify how you want your software environment to be configured.”

https://technet.microsoft.com/en-us/library/dn249912.aspx
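A small DSC configuration, added here as an example and not taken from the slides, that keeps three of the controls from this deck from drifting on a host: the Application Identity service AppLocker depends on, the command-line auditing registry value, and the firewall's default-deny posture. It uses only resources shipped in PSDesiredStateConfiguration (WMF 4 or 5, so Windows 7 SP1 and later, not XP); the node name and output path are assumptions.

```powershell
# Added example, not from the slides. Compiles and applies locally; for a fleet, point
# -NodeName at the hosts and push with Start-DscConfiguration, or use a pull server.
Configuration IcsHostBaseline {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # AppLocker does nothing unless the Application Identity service is running.
        Service AppIdSvc {
            Name        = 'AppIDSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Keep command lines in process-creation audit events (needed to watch rundll32 & co.).
        Registry CmdLineAudit {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
            ValueName = 'ProcessCreationIncludeCmdLine_Enabled'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # No built-in resource covers the firewall profile, so a Script resource does the
        # get/test/set triad against the NetSecurity cmdlets (Windows 8 / 2012 and later).
        Script FirewallDefaultDeny {
            GetScript  = {
                @{ Result = (Get-NetFirewallProfile |
                    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Out-String) }
            }
            TestScript = {
                $bad = Get-NetFirewallProfile | Where-Object {
                    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' -or $_.DefaultOutboundAction -ne 'Block'
                }
                return ($null -eq $bad)
            }
            SetScript  = {
                Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
            }
        }
    }
}

# Compile to MOF, apply, then verify. Test-DscConfiguration returns $false on drift, so it
# can be scheduled and alerted on; the Local Configuration Manager also re-applies the
# configuration on its ConfigurationMode interval without anyone logging in.
IcsHostBaseline -NodeName 'localhost' -OutputPath 'C:\DSC\IcsHostBaseline' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\IcsHostBaseline' -Wait -Verbose -Force
Test-DscConfiguration -Verbose
```

The AppLocker policy itself and the EMET configuration fit the same pattern: a Script resource whose TestScript compares Get-AppLockerPolicy -Effective -Xml against the approved file, and whose SetScript re-applies it, which closes the "once installed, nothing changes" axiom from the other direction: nothing drifts either.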

Page 51

Questions?

Page 52

Thanks for your time!

[email protected] // @jseidl // wroot.org

Slides: http://slideshare.net/jseidl
Code: http://github.com/jseidl

