03. x33fcon 2019 – Offensive Testing of ICS Security by Joe Slowik
iSpeech
Much recent discussion on penetration testing and red teaming focuses on purple teaming approaches emphasizing adversary emulation. This typically occurs through combining incident data with threat intelligence information, then mapping observed tactics, techniques, and procedures (TTPs) onto a framework (such as MITRE ATT&CK) to model execution. While work in this direction continues in enterprise IT environments, industrial control system (ICS) penetrating testing and red teaming remains immature and lags in this process. One primary reason for this discrepancy is a continued misunderstanding of what constitutes and is required to execute an ICS-centric attack - rather than focus solely on final-stage, ICS-specific disruptive events, this talk will first emphasize a more useful "whole of kill chain" approach to ICS network intrusions. Given this expanded scope of covering intrusions from initial access to final effect, tailored purple team exercises responsive to the special needs and requirements of ICS environments become actionable and significantly more useful.
Once adopting an expanded "whole of kill chain" perspective to events, two items become clear: first, red teamers have significant scope for planning exercises and tests for all stages "just prior to" ICS-centric disruption, while blue teamers can take a holistic approach to defense and monitoring across multiple phases of an attack sequence. At this stage, true purple team planning and exercise execution can take place as ICS attacks do not represent a single, "bolt from the blue" attack but rather multiple actions often beginning in enterprise IT networks and extending into final ICS attack deployment. To illustrate this and provide examples for purple team exercise planning, this talk will briefly review the CRASHOVERRIDE and TRISIS events to emphasize the multiple actions prior to the headline-grabbing disruptive event where defenders could have identified and stopped the intrusion scenario. From this, attendees will receive a background in the latest observe trends in ICS attack tradecraft and its implications for existing ICS defenses to provide both blue and red teams with insights into how to effectively and meaningfully test ICS security operations.
From this discussion, attendees will emerge with enhanced knowledge on three interrelated concepts: first, the need to orient attack identification and red team testing to cover all phases of intrusion scenarios, especially when considering ICS environments; second, an overview of the latest trends in ICS attack tradecraft based on bleeding edge threat intelligence research; and third, the prerequisites for planning and executing a true purple team exercise in ICS environments. Overall, attendees will be able to meaningfully plan an ICS security test and engagement after this discussion, with red team practitioners gaining greater insights into real-life ICS attack trends while blue team champions will learn more about the necessity of viewing ICS network defense as a true defense-in-depth exercise.
----
The idea behind x33fcon (pronounced /'zi:f-kɒn/) is to focus on a very specific need of the security industry: collaboration between blue and red teams (sometimes referred to as purple teaming) It is an event that brings both groups together, and everyone from both sides of the fence are invited to gather, share ideas and discuss thoughts on security.
video, sharing, camera phone, video phone, free, upload
2019-11-16 17:54:25
source
Gloss