Protect Against USB-Borne Cyber-Attacks - Secure Media Exchange (SMX) Eric D Knapp - Honeywell Process
1 Eric D. Knapp, Chief Engineer, Fellow, Director of Strategic Innovation Group, Honeywell Process Solutions, Industrial Cyber Security. @EricDKnapp @CyberGridBook. © 2018 by Honeywell International Inc. All rights reserved.
2 We Know That USBs Are a Threat

What the industry thinks:
• Only 7% feel they face a threat from nation-states or sponsored attackers, and only 34% feel the threat is ‘advanced’.
• 55% believe the threat is purely accidental, and only 12% believe the threat is intentional.
• 68% of industrial customers feel they are well prepared for an attack.
• 38% believe they've never had an incident.
• 56% believe that USB drives are a primary threat vector.

The Threat is Worse Than it Seems. What we've seen:
• 66% of industrial sectors face either a high or medium capability threat, typically associated with nation-states or sponsored attackers.
• 35% of incidents can be attributed to malware, while another 36% are unknown.
• Only 38% of facilities are using network based threat detection or advanced monitoring.
• Only 18% are using application whitelisting.
• Only 21% are planning to implement further controls within the next 18 months.
• 39% of malware enters the ICS via a USB device.

The Threat is Real. What the experts say:
• Highly advanced threats can be bought. Access to cybercrime infrastructure is available by subscription.
• Direct access to control systems can be purchased from cybercrime organizations.
• 28% of exploits from a recent campaign used exploits known to be used in targeted attacks against industrial systems.
• 58% of exploits provided remote access & visibility to criminal subscribers.
• Once in the ICS, malware can morph into highly targeted attacks.
(Source: Intel Security)
5 We’re Not Keeping Up. New malware: 4 / second, 14,000 / hour, 345,600 / day.
6 Understanding Doesn't Seem to Help. “45%–98% of dropped drives connected … the first drive connected in under six minutes.” Source: Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Bailey. Users Really Do Plug in USB Drives They Find. University of Illinois, University of Michigan, Google, Inc., 2016.
7 What Can You Do About USB-Borne Malware?
• Local Anti-Virus scans
• Anti-Virus scanning station
• Encrypted USB drives
• Application Whitelisting
• Secure Media Exchange (SMX)
8 Introducing SMX. SMX stands for “Secure Media Exchange”. SMX reduces cyber security risk and limits operational disruptions by monitoring, protecting, and logging use of removable media throughout customer facilities. Malware and other security threats are detected before they can be transmitted by USBs to critical infrastructure in the facility.
9 SMX Powered by ATIX – Advanced Threat Intelligence Exchange
ATIX today:
• Private cloud, subscription based
• Leveraged by SMX to evaluate files
• Multiple best-in-class threat intelligence feeds
• Multiple malware detection methods
• Customer Portal for operational insight
ATIX components: Detection Engines, Master Threat Repository, 3rd Party Threat Intel, Reporting, Machine Learning Analytics (New!), Reputation.
ATIX future:
• Machine Learning to assess emerging threats and detect/alert for anomalies
• Advanced analysis techniques for greater threat detection
10 Now Let's Add Some Deception…
11 Bad USB, Whatcha Gonna Do?
12 SMX Protects Against Advanced USB Threats
Rubber Ducky:
• A keystroke injection tool disguised as a generic USB drive.
• The computer recognizes the USB as a “normal” keyboard and automatically executes the preprogrammed Rubber Ducky scripts.
• Execution speed around 1000 words per minute!
Bash Bunny:
• A fully featured Linux computer with the ability to execute all Rubber Ducky scripts, as well as more complex attacks leveraging data connections (e.g. Ethernet over USB or Ethernet Control Model - ECM).
• Can also impersonate mass storage or serial devices.
BadUSB:
• Manipulation of USB firmware.
• The USB device will act as a HID - Human Interface Device (e.g. a keyboard), and can execute scripts.
SMX Provides Protection from Attacks Others in the Industry Cannot.
13 A $45 Time Bomb for ICS?
14 AMT/IME Vulnerability
15 SMX – Now with TRUST Built-in. Is that REALLY a USB drive you just plugged in?!? SMX-protected computers can be configured to explicitly require the user to confirm the identity and use of an inserted USB device. (Dialog: Check.) TRUST: Trusted Response User Substantiation Technology.
16 How Hard Is This?
THIS IS NOT A VULNERABILITY! The examples provided are simply a series of legitimate key-presses, evoking known features of an application, by a user with administrator privileges.
Example script:
DELAY 3000
GUI r
DELAY 1000
STRING [REDACTED]
ENTER
DELAY 10000
STRING C
ENTER
DELAY 3000
ALT r
DELAY 2000
STRING [REDACTED]
ENTER
STRING Y
DELAY 5000
17 How Serious Is This? (it’s almost this serious)
18 How Serious Is This? ADMIN + KEYBOARD =
• Uninstall operator software
• Uninstall FTE MUX-IM drivers
• Shutdown a Server
• Perform Engineering Operations:
 - Deactivate controller
 - Delete process points
 - Modify process points
 - Remove checkpoints
 - Modify version control
• Modify engineering database:
 - Initialize database
 - Disable replication (faulty redundancy)
 - … etc
• Modifications from Operator Station:
 - Change set points
 - Modify or delete displays
 - Change server redundancy
 - … etc
• Modify the registry:
 - Change installation paths
 - Delete software license keys
 - … etc
19 How Serious Is This? … Really? THIS IS NOT A VULNERABILITY! The examples provided are simply a series of legitimate key-presses, evoking known features of an application, by a user with administrator privileges. (Video)
20 What Can You Do About It?
• Modify Group Policy (GPO)
• Industrial Firewall
• Zone Segmentation
• Endpoint Anti-Virus
• Endpoint Anti-Malware
• On-Access USB Scanning
• Strong USB Policies
• Application Whitelisting
• TRUST
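Beyond the controls listed above, one endpoint-side check a defender can add for the keystroke-injection devices described on slide 12 is a typing-rate monitor: no operator types anywhere near the ~1000 words per minute the deck quotes for the Rubber Ducky, so a run of keystrokes arriving that fast is a strong signal that a "keyboard" is really an injection tool. The following is an added example, not Honeywell's or SMX's code; the keystroke timestamps are constructed sample data and the 1000 keys/min threshold is an assumed ceiling for human typing.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Human typing peaks at a few hundred keystrokes per minute; the deck quotes the
# Rubber Ducky at ~1000 words/min, i.e. several thousand keystrokes per minute.
HUMAN_MAX_CPM = 1000   # assumed ceiling: keystrokes/min no human operator sustains
WINDOW_KEYS = 20       # consecutive keystrokes examined per sliding window


@dataclass
class KeyEvent:
    ts: float   # seconds since the keyboard was attached (constructed data)
    key: str    # key name, e.g. "a", "ENTER", "GUI+r"


def detect_injection(events: List[KeyEvent], max_cpm: float = HUMAN_MAX_CPM,
                     window: int = WINDOW_KEYS) -> List[Tuple[float, float, float]]:
    """Return (start_ts, end_ts, peak_cpm) for every burst of `window` keystrokes
    typed faster than max_cpm. Overlapping windows are merged into one burst."""
    bursts: List[Tuple[float, float, float]] = []
    for i in range(len(events) - window + 1):
        first, last = events[i], events[i + window - 1]
        span = last.ts - first.ts
        # (window - 1) inter-key gaps in `span` seconds -> keystrokes per minute
        cpm = float("inf") if span <= 0 else (window - 1) * 60.0 / span
        if cpm <= max_cpm:
            continue
        if bursts and first.ts <= bursts[-1][1]:
            start, _, peak = bursts[-1]          # extend the burst still open
            bursts[-1] = (start, last.ts, max(peak, cpm))
        else:
            bursts.append((first.ts, last.ts, cpm))
    return bursts


def constructed_events() -> List[KeyEvent]:
    """Constructed sample: an operator typing at 4 keys/s, then a payload injected
    at 80 keys/s (roughly the 1000 words/min quoted for the Rubber Ducky)."""
    events, t = [], 0.0
    for ch in "operator shift notes 01":
        events.append(KeyEvent(t, ch))
        t += 0.25
    t += 2.0   # pause before the rogue device enumerates as a keyboard
    payload = ["GUI+r"] + list("notepad") + ["ENTER"] + list("typed by a script not a person")
    for k in payload:
        events.append(KeyEvent(t, k))
        t += 0.0125
    return events
```

Running detect_injection(constructed_events()) reports a single burst starting at 7.75 s with a peak of about 4800 keys/min, while the human-typed prefix alone produces no alert.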
21 T.R.U.S.T. • Trusted Response User Substantiation Technology
22 For GPO skeptics. THIS IS NOT A VULNERABILITY! The examples provided are simply a series of legitimate key-presses, evoking known features of an application, by a user with administrator privileges. (Video)
23 Special Thanks To:
• Ganesh Gadhe, Lead Researcher, Honeywell Cyber Security SIG
• The Honeywell legal and media teams (for keeping an open mind about security presentations like this)
• The valuable research of: Karsten Nohl and Jakob Lell (BadUSB); @SamyKamkar (PoisonTap); @hak5darren and all at Hak5 (Rubber Duckies, Bash Bunnies & more)
• Our partners at Open Systems Resources (T.R.U.S.T.)
24 Get this Hot Deal at Americas HUG. Secure Media Exchange systems for $9,999 each and SMX ATIX subscriptions for: - $7K/year per SMX System – on 1 year agreements - $5K/year per SMX System – on 5 year agreements. Visit the Promotions Center to learn more. Get details at the Promotions Center or www.hwll.co/HUG18offers. These limited-time discounts and offerings are only available and valid for new inquiries and commitments made at 2018 Americas HUG in San Antonio, TX, June 18-23. Orders must be placed within 90 days of receiving an estimate.
25 Thank You! Please make me look good by asking easy questions
www.becybersecure.com Honeywell Confidential - © 2018 by Honeywell International Inc. All rights reserved.