4SICS: making cyber-threat intel work better for ICS pros

News by Roi Perez

Thomas Schreck, principal engineer of Siemens' CERT, and Margrete Raaum, leader of Norway's KraftCERT, told an audience at 4SICS 2016 why cyber-threat intelligence plays an important part in information sharing in the energy industry.

Thomas Schreck, principal engineer of Siemens' CERT, and Margrete Raaum, leader of Norway's KraftCERT, told an audience at 4SICS 2016 today why information sharing is so important in the energy sector, where it is currently failing and how it could be improved.

Both started by giving their definition of threat intelligence: a vital part of network defence and incident response, comprising information about threats, the tactics, techniques and procedures (TTPs) and tooling that adversaries employ, the systems and information they target, and any other threat-related information that provides greater situational awareness.

They then gave a quick history of how information sharing developed into what it is today, which they said began with the Morris worm in 1988. In response to it, one of the first CERTs was established. That was followed by the WANK worm in 1989, after which FIRST was established in 1990 as people realised that teams were simply not talking to each other when combating threats.

Schreck said, “Geeks got together and made a network of security teams. Throughout the years we have together fought all sorts of malware, there isn't much we haven't encountered, and we're still discussing how to share information, for roughly 26 years.”

Schreck went on to give some examples of where he thinks information sharing has gone well and teams have managed to work together successfully.

He said that a FIRST working group worked from 2008 to 2010 to beat Conficker. This was a huge worm, called a superworm by the press, and it is still in the wild today. A lot of people worked to reverse engineer and understand it, and there was a huge effort to remediate it.

Despite researchers spending a lot of time fighting it, they struggled to keep up with new versions, which came out quickly, and that is why it is still around. But working groups from different organisations and countries joined forces to fight it further.

Schreck then told the story of a research paper named “Amplification hell: revisiting network protocols for DDoS abuse”, which deals with amplification DDoS attacks that abuse network protocols rather than with any piece of malware (the “ShadowServer” mentioned in the talk is the Shadowserver Foundation, a non-profit that scans the internet for abusable servers). The researcher in question was not sure when and where to release the paper and its accompanying data; with the help of FIRST, however, there are now plenty of initiatives working to reduce the problem, with over ten of them using data from the researcher.

The attack works by sending small requests to a server with the victim's address spoofed as the source, so that the much larger responses are reflected onto the victim and flood it: an amplified DDoS attack. Schreck highlighted that this can take down big targets, much as the Mirai botnet has, and unfortunately lots of servers are still open to being abused this way.
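What reflection looks like from the victim's side, as an added detection example that is not code from the article or the 4SICS talk: a flood of large UDP responses from well-known amplifier ports converging on one host that never sent those servers anything itself. The flow records are constructed, and the amplifier port list and the thresholds are assumptions a real deployment would tune to its own traffic.

```python
"""Flag likely amplification (reflection) DDoS traffic in flow records.

Added example, not code from the article or the talk. The flow records are
constructed; AMPLIFIER_PORTS, MIN_REFLECTORS and MIN_RATIO are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as amplifiers (assumed list; extend as needed).
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
MIN_REFLECTORS = 3    # assumed: distinct reflecting servers before we alert
MIN_RATIO = 10.0      # assumed: bytes sent to the victim / bytes the victim sent


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


# Constructed sample: three NTP servers reflecting onto 203.0.113.10. The victim
# never queried them; someone else sent small requests with the victim's address
# spoofed as the source, so only the large replies appear here. The last two
# flows are an ordinary DNS query from another host and its answer.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 123, "203.0.113.10", 40000, "udp", 468 * 40),
    Flow("198.51.100.6", 123, "203.0.113.10", 40000, "udp", 468 * 35),
    Flow("198.51.100.7", 123, "203.0.113.10", 40000, "udp", 468 * 50),
    Flow("203.0.113.20", 52000, "192.0.2.53", 53, "udp", 60),
    Flow("192.0.2.53", 53, "203.0.113.20", 52000, "udp", 120),
]


def detect_amplification(flows, min_reflectors=MIN_REFLECTORS, min_ratio=MIN_RATIO):
    """Return {victim_ip: report} for hosts that look like reflection targets.

    A reflection victim receives traffic from many amplifier-port sources while
    having sent little or nothing to those services itself (the requests were
    spoofed by the attacker), so its inbound/outbound byte ratio is very high.
    """
    inbound = defaultdict(lambda: defaultdict(int))  # victim -> reflector -> bytes
    outbound = defaultdict(int)                      # host -> bytes it sent to amplifier ports
    services = defaultdict(set)                      # victim -> amplifier services seen
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port in AMPLIFIER_PORTS:
            inbound[f.dst_ip][f.src_ip] += f.nbytes
            services[f.dst_ip].add(AMPLIFIER_PORTS[f.src_port])
        if f.dst_port in AMPLIFIER_PORTS:
            outbound[f.src_ip] += f.nbytes

    reports = {}
    for victim, reflectors in inbound.items():
        total_in = sum(reflectors.values())
        total_out = outbound.get(victim, 0)
        ratio = total_in / (total_out + 1)  # +1: a victim that sent nothing must not divide by zero
        if len(reflectors) >= min_reflectors and ratio >= min_ratio:
            reports[victim] = {
                "reflectors": sorted(reflectors),
                "services": sorted(services[victim]),
                "bytes_in": total_in,
                "bytes_out": total_out,
                "ratio": round(ratio, 1),
            }
    return reports


if __name__ == "__main__":
    for victim, report in detect_amplification(SAMPLE_FLOWS).items():
        print(victim, report)
```

The ordinary DNS client is not flagged because it talked to a single server and its answer is only about twice the size of its query; the NTP victim is flagged because three servers it never contacted sent it tens of kilobytes.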

“This is a positive way in which the community is working together to defeat targets,” said Schreck.

The one event Schreck highlighted as a case where information sharing should have worked a lot faster and more jointly was the discovery of the OpenSSL bug Heartbleed, which he claimed was not announced for a long while after being discovered, and when it was, “people were running around not sure what to do”.

Luckily, said Schreck, “FIRST brought focus and helped bring the patched version to life over the course of a number of months with lots of hard work.” He added, “People weren't notified of the Heartbleed attack, and it meant that national CERTs were failing to talk to each other.”

Schreck said, “People often haven't ever shared data once, which means they literally don't know how. The recent DDoS attacks using the Mirai botnet are good examples of how info sharing works well; there is lots of sharing now, and this is helpful because when you're being attacked you need help from anyone who can help.”

Schreck asked, “So what is important in information sharing?”

Cooperation is important but must be established before an incident happens; if it is already in place, mitigation happens faster.

Building trust is key: with whom do you share? Expose yourself and show your weak sides, and those on the other side might spot your vulnerabilities. Sharing without expecting anything in return will mean you eventually get something back.

Speak the same language by using open standards. Closed solutions and black boxes work against trust, because you cannot connect to them or understand the full process on the other side.

Automate tasks and concentrate on the important work: everything that can be automated should be automated, and make sure you use the same standards in your automation.

Schreck said that one of the biggest problems with cyber-threat intelligence is that management thinks it is like something Tom Cruise used in the film Minority Report.

But the reality is very different: when you get the data it looks nothing like that. It can even arrive as image-based PDF reports, some of which need OCR before they yield any usable data. The indicators then have to be fed into a database, and a broken indicator in the database, thanks to human error, Schreck said, “takes away from the Minority Report magic.”
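The broken-indicator problem is a parsing problem, and it is worth a concrete illustration. The following is an added example, not code from the article or from the speakers' teams: it takes the kind of lines OCR hands back from a scanned report (constructed sample below), undoes the usual defanging, repairs the OCR confusions one sees in hex hashes (an assumed list: letter O for zero, l and I for one), and refuses anything that is not a clean, routable, recognisable indicator instead of letting it into the database.

```python
"""Normalise and validate indicators before they reach the database.

Added example, not code from the article or the talk. The sample lines are
constructed; HEX_OCR_FIXES is an assumed list of common OCR confusions.
"""
import ipaddress
import re

HEX_OCR_FIXES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1"})
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(text: str) -> str:
    """Undo the 'defanging' reports use so that readers do not click indicators."""
    text = text.strip().strip(".,;")
    for broken_dot in ("[.]", "(.)", "{.}", " . "):
        text = text.replace(broken_dot, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_indicator(raw: str):
    """Return (type, normalised value) or raise ValueError saying why not."""
    text = refang(raw)
    if not text:
        raise ValueError("empty indicator")

    ip = _as_ip(text)
    if ip is not None:
        # Private, loopback and documentation ranges in a feed are almost always
        # a copy-paste or OCR error and would only generate false positives.
        if not ip.is_global:
            raise ValueError(f"{ip} is not a routable address")
        return ("ip", str(ip))

    if len(text) in HASH_TYPES:
        # Only repair OCR damage where the result is a well-formed hash.
        candidate = text.translate(HEX_OCR_FIXES).lower()
        if HEX_RE.fullmatch(candidate):
            return (HASH_TYPES[len(candidate)], candidate)

    lowered = text.lower()
    if DOMAIN_RE.fullmatch(lowered):
        return ("domain", lowered)
    if lowered.startswith(("http://", "https://")):
        return ("url", text)  # keep the path's case, it may matter on the server

    raise ValueError(f"unrecognised indicator: {raw!r}")


# Constructed sample of what OCR typically hands back from a scanned report.
SAMPLE_OCR_LINES = [
    "91.215.85[.]17",                          # defanged IP (constructed address)
    "hxxp://evil.example[.]com/payload.bin",   # defanged URL
    "d41d8cd98fOOb204e98OO998ecf8427e",        # MD5 whose zeros were read as letter O
    "10.0.0.1",                                # internal address that leaked into the report
    "Figure 3: C2 infrastructure overview",    # figure caption, not an indicator
]


def triage(lines):
    """Split raw lines into indicators safe to load and lines to hand back to a human."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_indicator(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_OCR_LINES)
    print("load:", ok)
    print("review:", bad)
```

The point of the rejected list is that it goes back to an analyst rather than silently into the database: a caption or a private address that slips through is exactly the broken indicator Schreck describes, and it is far cheaper to catch it at ingestion than after it has fired in a hundred partners' detection systems.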

Raaum then spoke about the challenges of cyber-threat intelligence within the energy sector. One of the biggest, she said, is the complexity of the environments, which information security experts often do not understand.

Other issues include legacy systems that were developed without information security in mind, so applying current IT security toolsets and processes to them is not easy, and many vendors either lack vulnerability response capabilities or do not understand the need for them. Resellers of energy in the sector share as little as possible so as not to step on suppliers' toes, which makes it difficult to get a full view of the vulnerabilities out there.

Finally, Raaum said that security toolsets do exist, but it is not a given that one exists for a particular system. For them to be used they also require a certain maturity on the security side, and that does not come overnight; Raaum described reaching security maturity as a continuing process.

But it is not all doom and gloom: “the process of using threat intelligence in the industry is maturing, and the CERT community is doing its part to help this happen more quickly.”

To address these problems, both Raaum and Schreck said that information sharing is not only about indicator sharing; people should also be sharing best practices and processes.

Information about old incidents is not very helpful: share information in a timely manner, as soon as possible, and make sure you get feedback.

It is not about how much is shared; people will stop reading your data if they feel overwhelmed, so share only relevant information. Schreck said, “everyone likes honeypots – you get lots of data, but getting helpful data out of them is very difficult.”

And finally, understanding your peers is important. You may end up sharing data no one can use, so share actionable data that means something to other people.
