Guest author Jason Holcomb is a Digital Bond alumnus who is now a Senior Security Consultant for Lockheed Martin’s Energy and Cyber Services group, where he is responsible for providing critical infrastructure security consulting services and integrating ICS security intelligence into the Palisade™ product line.
In Part 1 of this series we introduced the Lockheed Martin CIRT Cyber Kill Chain and examined whether there was something useful to be learned from it for ICS networks. In that post we concluded that there was applicability but questioned how the phases may be different in ICS. This post goes step-by-step through the first three phases (Reconnaissance, Weaponization, and Delivery) and attempts to answer that question. For each phase we’ll provide the definition taken from the Hutchins-Cloppert-Amin paper and then examine it in the context of an ICS attack.
Reconnaissance – Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
The sources of information may differ slightly for ICS, but the concepts still apply. This step is invisible most of the time, but here are two potential detection mechanisms for the reconnaissance phase related to ICS:
1.) Web Analytics – How aware are you of search engine referrals that land at your company’s public-facing web site? How about searches on the site itself? And to take it even a step further – what about searches on your intranet? If you see terms related to SCADA, your vendors, or system information, it may be worth taking that data (IP, user agent strings, etc.) and correlating it across other Cyber Kill Chain steps. This is information that most corporate IT teams can easily extract.
2.) SCADA Honeynet – The SCADA Honeynet Project can function as a “canary”, an early warning that an attacker is conducting online reconnaissance activities. The SCADA Honeynet simulates ICS protocols and interfaces and can be used to detect attempted attacks beyond the reconnaissance phase as well.
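As an added illustration of the web analytics idea above (example code, not from the original post), the following Python parses combined-format web server log lines, pulls the search string out of search-engine referrers and on-site search requests, and groups hits on ICS-related terms by source IP and user agent so they can be correlated with later kill chain phases. The log lines, host names and watch terms are constructed for the example; tailor the term list to your own vendors and systems.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:11 +0000] "GET /products/scada HTTP/1.1" 200 5120 "http://www.google.com/search?q=acme+scada+remote+access" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2012:14:05:30 +0000] "GET /careers HTTP/1.1" 200 2048 "http://www.bing.com/search?q=acme+careers" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:14:07:02 +0000] "GET /search?query=modbus+gateway+vendor HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Terms that suggest interest in control systems; extend with your vendors and product names.
WATCH_TERMS = ("scada", "modbus", "dnp3", "plc", "hmi", "rtu", "historian")

# Query-string keys commonly used to carry the search text (search engines and on-site search).
QUERY_KEYS = ("q", "query", "p", "search")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def extract_search_terms(url):
    """Return the lower-cased search string carried by a referrer or on-site search URL, else None."""
    if not url or url == "-":
        return None
    qs = parse_qs(urlparse(url).query)  # parse_qs already turns '+' into spaces
    for key in QUERY_KEYS:
        if key in qs:
            return qs[key][0].lower()
    return None


def find_recon_hits(log_text):
    """Map source IP -> list of (timestamp, user agent, search terms) for watch-term matches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        # Prefer the external referrer; fall back to an on-site search in the request path.
        terms = extract_search_terms(m.group("ref")) or extract_search_terms(path)
        if terms and any(t in terms.split() for t in WATCH_TERMS):
            hits[m.group("ip")].append((m.group("ts"), m.group("ua"), terms))
    return dict(hits)
```

Matching on whole words keeps generic hits such as "careers" out; the per-IP grouping is what you would join against firewall, VPN or mail logs in the Delivery and Exploitation phases.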
Weaponization – Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly in IT environments, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.