What’s the DFIRence for ICS?
Chris Sistrunk, PE
Senior Consultant, FireEye
@chrissistrunk
Josh Triplett
Senior Reverse Engineer, FireEye
1
Agenda
• Digital Forensics and Incident Response Overview
• DFIR for ICS
• What’s the DFIRence?
• Embedded Devices
• What to Collect
• What to Analyze
• RTU Examples
• GE D20MX
• VxWorks DFIR Tool
• SEL-3530 RTAC
2
Incident Response Overview
“Find Evil”
• Assess the situation
• Define objectives
• Collect evidence
• Perform analysis
• Communicate
• Develop remediation plan
• Document findings
http://www.cumbriafire.gov.uk/about/photo/engines/incident-response.asp
3
Digital Forensics Overview
• Data Collection
• Data Files
• OS (volatile and non-volatile)
• Network Traffic
• Applications
• Examination
• Analysis
• Reporting
NIST SP 800-86
4
Traditional DFIR tools
Mature
• Tools
• Redline
• Volatility
• Websites
• Cheatsheets
• Books
5
What’s the DFIRence for ICS?
6
ICS anomaly → incident?
• An anomaly of some kind has occurred
• Increased network activity, strange behavior, failure
• Now we need to investigate the anomaly
• Is it known bad?
• Is it unknown bad?
• Do we escalate this to a security incident?
• Who do we call?
• Engineers, Admins, PR, Safety
• Vendors
7
Don’t!
8
ICS forensics collection tools
• No ICS-specific DFIR tools…especially embedded devices
• But, we can collect data manually using other tools
9
Embedded devices: What to collect?
Physical data
• Exact location of device
• Device description
• Identifying info (manufacturer, S/N, P/N, name)
• Connections (serial, ethernet, USB)
• Front/back panel LED status
• Power consumption
• Temperature (if running hot)
• Evidence of tampering
Digital data
• Running configuration (including user accounts)
• Last-known good configuration
• Running firmware, approved firmware
• CPU usage %, Memory usage % (RAM, Storage)
• Running processes
• Active ports (serial, ethernet, USB, etc)
• Logs (security, events)
• Memory dump (if possible)
10
Embedded devices: What to analyze?
Find Evil…or ways for evil to do evil
First Responders: ICS Engineer or Technician, Network Engineer, Vendor
• What do the user and event logs reveal? (these need to be viewed first as they may roll over)
• Does the configuration match the firmware? Is the firmware approved from FAT/SAT?
• Running config / last known good config / standard config
• Is the configuration and logic correct for the process?
• Are communications (serial, ethernet, USB, wireless) normal as compared with known good?
Vendor, Digital Forensics Specialist, Embedded Systems Analyst
• Analyze embedded OS files, captured data at rest, captured data in transit
• Volatile memory if possible (to look for code injection and potential rootkits)
[Figure: time axis, Fast (first responders) to Slower (specialist analysis)]
11
Let’s do DFIR on two substation RTUs
12
Time to…RTFM
13
Data Collection: D20MX
Specs
• 667 MHz embedded PowerQUICC II Pro
• 1024 MB of 266 MHz DDR2 RAM with ECC
• 16 MB NVRAM for persistent event storage
• 8 MB boot flash, 256 MB firmware flash
• VxWorks RTOS
Tools to use
• D20MX Product Documentation Binder.pdf
• GE SGconfig software
• Terminal (Tera Term, PuTTY)
• WinSCP
14
Data Collection: D20MX
You will need three manuals from the binder PDF:
1. 994-0140 D20MX Substation Controller Instruction Manual
• Chapter 11: Troubleshooting
2. B014-1NUG Westmaint II+ for D20MX User’s Guide
• Shows how to use the D20 console interface, menus, error and user logs
3. SWM0080 D20MX Shells User’s Guide
15
Data Collection: D20MX
Error Log and User Log
The error log tells what’s wrong with the configuration.
The user log shows logins, logouts, and all user activity. It can be exported to CSV.
This data also gets put into the syslog.
16
The power of the 3 Shells
• You can access the shell remotely with SSH, but the most powerful access is through the front serial port.
• Some of these commands require assistance from GE unless you really know what you are doing.
17
The main shell
• D20M Shell is the main shell
• Very similar to the 68k monitor shell in older D20s
• Incident Responders will want to collect data from this shell
• All of the commands are explained in detail in the D20MX Shells UG
18
Data Collection: D20MX
• Running configuration
  • Use SGConfig, ConfigPro, or TeraTerm
  • Very common task
• Last-known good configuration
  • Look in email, the config database, the engineer’s laptop, or it may be on a USB drive in the cabinet
• Running firmware – img
• CPU usage %, Memory usage %
  • pr – performance monitor
  • qr – query RAM (volatile and NVRAM)
• Running processes – qp
19
Data Collection: D20MX
Serial analyzer
• Very popular shell command (what’s Wireshark?)
• In the D20M shell, use
  • sa com#
  where # is the port number
  • Turn on logging in TeraTerm beforehand to save the traffic
  • This example is DNP3
20
Data Collection: D20MX
• Dump memory
  • si – shows system information including the memory base addresses
  • d – dumps memory, but you have to tell it where to start and stop (only available over a serial connection)
• Hand the output to someone who understands VxWorks for analysis
• Look for strings, injected code, or rootkits
21
Data Collection: D20MX
VxWorks C Shell
• OS-level shell only accessible from the RS-232 port (access is denied from SSH)
• Mainly used by GE customer support for troubleshooting
VxWorks CMD Shell
• OS 2nd-level shell, accessed by typing cmd
• VxWorks Kernel Shell Command Reference 6.9
• We can use some commands for forensics
  • d (dump), netstat, ipf (firewall), syslog, show devices, show drivers, show history, ifconfig, route, and even pcap!
22
Example of live memory code injection & mem dump on the D20MX
• Inject code via VxWorks C shell memory edit command m to simulate a rootkit
[SCREENSHOTS OR VIDEO RECORDING HERE]
• Collect volatile memory using the dump memory command d
[SCREENSHOTS OR VIDEO RECORDING HERE]
23
Data Collection: VxWorks DFIR Tool – Problem
• We need tools that enable us to perform DFIR on ICS and embedded devices.
24
Data Collection: VxWorks DFIR Tool - Solution
A collection of utilities that enable us to:
• Read (and write) to memory on the device programmatically
• We don’t want to have to dump memory manually
• Cache the live memory locally
• We shouldn’t need to fetch the same memory twice to check for different issues.
• Compare the system image
• Knowing the image is good is the first step toward looking somewhere else.
• Provide the ability to read/write and cache device data to other tools
• Tools can be written more generically when they don’t need to worry about how to get the data
25
Data Collection: VxWorks DFIR Tool - Cool Features
• Can easily accommodate different transport mechanisms
• Serial
• TCP/Serial bridges
• Protocols specific to other dumping utilities
• Supports caching
• Allows resuming if connectivity is lost
• Sparse memory dumping
• Comparative analysis works on
• Anything that looks like a seek-able Python File Object
• Cache Files
• Memory Dumps
• Sparse Memory Maps
• Special Objects that request live memory
26
Data Collection: VxWorks DFIR Tool – Validating the host image
27
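The Solution and Cool Features slides and the host-image validation step describe the tool's ideas without showing code, so the following is an added illustration written for this page, not the FireEye tool's own code: a sparse, cache-backed seek-able memory object over an abstract transport, and a section-by-section diff of live memory against a known-good image (the .text versus .data/.sdata distinction from the speaker notes). The page size, load address, section layout and the in-memory "device" are constructed assumptions, not D20MX values.

```python
import io
from typing import Callable, Dict, List, Tuple

PAGE = 256  # cache granularity in bytes; assumed, the slides do not give the tool's value


class LiveMemoryFile:
    """Seek-able, read-only file-like view of device memory.
    `fetch(addr, length)` is the transport (serial, TCP/serial bridge, ...).
    Each page is pulled from the device at most once; the cache dict is a
    sparse memory map holding only the pages somebody actually asked for."""

    def __init__(self, fetch: Callable[[int, int], bytes], base: int, size: int):
        self._fetch, self.base, self.size = fetch, base, size
        self._pos = 0
        self.cache: Dict[int, bytes] = {}   # page index -> page bytes
        self.transport_reads = 0            # how often the device was really read

    def seek(self, offset: int, whence: int = io.SEEK_SET) -> int:
        origin = {io.SEEK_SET: 0, io.SEEK_CUR: self._pos, io.SEEK_END: self.size}[whence]
        self._pos = origin + offset
        return self._pos

    def tell(self) -> int:
        return self._pos

    def _page(self, idx: int) -> bytes:
        if idx not in self.cache:           # cache miss: one transport round-trip
            start = idx * PAGE
            self.cache[idx] = self._fetch(self.base + start, min(PAGE, self.size - start))
            self.transport_reads += 1
        return self.cache[idx]

    def read(self, n: int = -1) -> bytes:
        if n < 0 or self._pos + n > self.size:
            n = max(0, self.size - self._pos)
        out = bytearray()
        while n > 0:                        # may span several pages
            idx, off = divmod(self._pos, PAGE)
            chunk = self._page(idx)[off:off + n]
            out += chunk
            self._pos += len(chunk)
            n -= len(chunk)
        return bytes(out)


def diff_ranges(reference, live, offset: int, length: int,
                chunk: int = 64) -> List[Tuple[int, int]]:
    """Byte-compare `length` bytes at `offset` in two seek-able objects and return
    merged (start, end) offsets that differ. Only seek()/read() are used, so a
    BytesIO image, a cache file on disk and a LiveMemoryFile are interchangeable."""
    reference.seek(offset)
    live.seek(offset)
    diffs: List[List[int]] = []
    done = 0
    while done < length:
        n = min(chunk, length - done)
        a, b = reference.read(n), live.read(n)
        if len(a) != n or len(b) != n:
            raise EOFError(f"short read at {offset + done:#x}")
        for i in range(n):
            if a[i] != b[i]:
                at = offset + done + i
                if diffs and diffs[-1][1] == at:
                    diffs[-1][1] = at + 1   # extend the current run of mismatches
                else:
                    diffs.append([at, at + 1])
        done += n
    return [(s, e) for s, e in diffs]


def validate_sections(reference, live, sections: Dict[str, Tuple[int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Diff every named section. A .text mismatch is the signal (code should not
    change at runtime); .data/.sdata mismatches are usually just runtime state."""
    return {name: diff_ranges(reference, live, off, size) for name, (off, size) in sections.items()}


# ---- constructed demo data: NOT a real D20MX image or layout ----------------
LOAD_ADDR = 0x00100000                                     # assumed load address
IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(0x1000))   # 4 KiB "known-good" image
SECTIONS = {".text": (0x100, 0x800), ".data": (0xA00, 0x200)}

_LIVE = bytearray(IMAGE)
for _i in range(0x420, 0x424):      # four bytes of code differ from the image
    _LIVE[_i] ^= 0xFF
for _i in range(0xA10, 0xA12):      # a variable that changed at runtime
    _LIVE[_i] ^= 0xFF


def fake_transport(addr: int, length: int) -> bytes:
    """Stand-in for a serial/TCP read of device memory."""
    start = addr - LOAD_ADDR
    return bytes(_LIVE[start:start + length])


def run_demo():
    """Return (section diffs, device reads after pass 1, device reads after pass 2)."""
    live = LiveMemoryFile(fake_transport, LOAD_ADDR, len(IMAGE))
    ref = io.BytesIO(IMAGE)
    first = validate_sections(ref, live, SECTIONS)
    reads_after_first = live.transport_reads
    validate_sections(ref, live, SECTIONS)     # re-check: served entirely from cache
    return first, reads_after_first, live.transport_reads
```

On a real device only fake_transport needs replacing, for instance with a function that drives the D20M shell's d command over serial and parses the output; at the roughly 2300 bytes per second the speaker notes report, the cache is what keeps a re-check from costing another multi-day dump.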
Data Collection: VxWorks DFIR Tool - Cool Projects We Used
• CLE Loads Everything – (angr/CLE)
• Loads our system image and provides an abstraction to a process memory space
• Identifies architecture, endianness, etc.
• Will soon support relocatable images (important for modules like appl.out)
• Capstone - Nguyen Anh Quynh
• Easy access to disassemble exactly what we needed
28
Data Collection: VxWorks DFIR Tool – Plans for the Future
• Documentation
• Expand the tool to work on other devices
• Refine the scripts into easy-to-use modules
• Moving the code to GitHub
• Allow for feedback / feature requests / bug submissions
29
Data Collection: SEL-3530 RTAC
Specs
• 533 MHz Power PC
• 1024 MB DDR2 ECC RAM
• 2 GB Storage
• Embedded SEL Linux
Tools to use
• SEL-3530 RTAC Instruction Manual
• SEL-5033 Instruction Manual
• SEL-5033 software
• Web Browser (Chrome, Firefox, etc)
• Terminal for SSH (Tera Term, PuTTY)
30
Data Collection: SEL-3530
Digital data
• Running configuration
• User Accounts
• Running firmware
• CPU usage %
• Memory usage %
• POST checks
• Reports (several)
Physical Data
• Password jumper
31
Data Collection: SEL-3530
These are the screenshots from when I sent a malformed DNP3 message that caused the RTAC to lose the configuration.
https://ics-cert.us-cert.gov/advisories/ICSA-13-219-01
32
Data Collection: SEL-3530
• Section 3: Testing and Troubleshooting
• Section 5: Web HMI and Logging
• Section 6: Security
• There are tags in the RTAC database that are assigned to help with troubleshooting but are also useful for forensics.
• Several log types
• SOE report
• IED report
• syslog
33
Data Collection: SEL-3530
• Example of IED Report
• Can be accessed via web or ODBC (MS Access)
• No Linux Shell
• Pros & cons
• No SSH interface with RTAC
• SSH used for engineering remote access to relays
34
Data Collection: SEL-3530
• The RTAC can capture ethernet and serial traffic
  • SEL-5033 software and the Comm Monitor
• AG2012-15 Using Wireshark® to Troubleshoot Protocol Communications Issues on an RTAC
  • DNP3 example
• AG2015-15 Using Wireshark® to Decode RTAC Serial Line Messages and SEL Protocols
  • SEL Fast Messaging example
• SEL published several serial Wireshark dissectors
  • SELFM, Telegyr 8979
35
For Further Reading…
• HD Moore’s blogpost on VxWorks from 2010.
• https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities
• Metasploit module for VxWorks remote memory dump (wdbrpc_memory_dump)
• David Odell’s blogpost on QNX from 2012.
• https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos
• ICS-CERT recommended practices for ICS forensics
• https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Forensics_RP.pdf
36
For Further Reading…
• Travis Goodspeed’s embedded device work on the MSP430 family
• http://travisgoodspeed.blogspot.com/2007/11/ti-ez430-in-linux-with-iar-kickstart.html
• http://travisgoodspeed.blogspot.com/2008/08/repurposing-ti-ez430u-part-3.html
• Ralph Langner’s forensics work on Stuxnet payloads for Siemens PLCs
• http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
• The Dec 23, 2015 Ukrainian Power Grid attack included writing over the firmware of embedded Ethernet-serial converters.
• https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
37
QUESTIONS?
38
Blackhat USA 2016 - What's the DFIRence for ICS?

Editor's Notes

  • #4: Modified from the Mandiant IR services datasheet
  • #5: 1. “During collection, data related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved. In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes. The next phase, analysis, involves analyzing the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination. The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.” From NIST SP 800-86
  • #9: You need to preserve the data if possible…even on embedded devices. There may be manual ways to dump the running configuration and maybe the volatile memory.
  • #11: Physical data is important no matter if you have an equipment database or not.
  • #14: When in doubt, read the manual! There usually is a section on troubleshooting, configuration or file transfer, and even shell commands.
  • #25: Current Issues:
    - Slow data collection: we averaged 2300 bytes per second over serial; this would take us about 5 days to dump the full 1GB memory space.
    - Unknown protocol availability: dumping data to our serial-connected RPi was not conducive to actually getting work done.
  • #26: I don’t need to know what you need to know in order to help. I can provide abstracted memory objects that simply let you read
  • #27: We utilize the Special Objects that request live memory and Cache Files.
  • #28: Here we see differences in the .text, .data, and .sdata sections. An attacker has injected code into the ipfirewall_start function that prevents the firewall from starting. Note: This is simply a “return 0;” The .data and .sdata were flagged as not matching the disk due to runtime data. Note: These were omitted to simplify the slide, not by some magical filtering that deemed the changes sane or safe.
  • #29: Appl.out is a relocatable image which poses a problem due to absolute-address instructions that reference a relocatable section. These are the only two projects I ended up sticking with.
  • #30: We need to check to see if there are any stops in place that prevent us from doing this or even saying we plan on doing this.
  • #32: Most of these can be collected from the RTAC webpage or through the SEL-5033 software