
Thank you everyone. Our next talk is by Abdul Basit as well; he will be giving a talk on SCADA networks, very close to the talk which I was discussing with the CFP panel as well, like IT/OT detection and threat hunting with deception in SCADA networks. Over to you, Abdul Basit.

Yeah, thanks. Hello, Assalamu alaikum, and welcome to my presentation. The topic of my presentation is regarding SCADA networks: how to do threat hunting using deception in SCADA networks. This is actually a journal article, so I'm presenting it here. Let's start with a brief introduction regarding me, who I am.
So currently I'm working as a cyber security analyst at Dawn Gamers and CSS. I have done my master's in information security and my thesis domain was adversary emulation; it was funded by HCC and it was regarding how to bypass security: firewalls, antiviruses, EDRs. I have also worked for two years at the cyber security research lab at Concerts Islamabad. I have three journal publications and one conference publication. I've also worked on a security research project with HTC Pakistan and Ellen During Research Lab UK. So here is the quick agenda of today's presentation: first I will go through a brief introduction, then I will come to the problems and threats
associated with SCADA. After that I will briefly investigate how threat hunting can be done with deception in SCADA networks. Next, coming to some experimentation that we have already done and some results, and after that we will conclude the presentation. So here's the introduction. A SCADA network consists of PLCs; PLCs get data from sensors and actuators and forward the data to remote terminal units, which connect to the master terminal units, which send data to historians and HMIs. So the details
Detection, for example antivirus and firewalls: they are working on a specific gateway, looking for some specific malicious signatures and strings, and
still they are causing delay in threat detection because they have a limited scope. Eventually this is causing an increase in dwell time. Threat detection and response: still it will cause damage, and both the time between detection and response and the dwell time matter. So there are two different proactive approaches: the first one is threat hunting and the second one is cyber deception. These two things are closely related because both are proactive approaches. In threat hunting we are proactively looking for threats that are lurking stealthily inside our network; in cyber deception we have the same goal, to learn adversarial techniques, to gather IOCs, to gather the tools
that the adversary is using. So these two things are closely related, so we came up with an approach: why not use both together to prevent the attack, to disrupt the attack, to record the attacker's activities, to record TTPs, to gather IOCs. In the tables below there are some of the threats regarding SCADA, the tools that can be used, and some mitigations, like mass scanning and banner grabbing with Shodan. On Shodan there are a lot of Modbus coils exposed to the internet, like Modbus register coils; modify process and command injection. So these are just very few threats; there are a lot of threats besides this. So let's look at some of the main problems associated with SCADA.
Typically networks have different layers of defense, such as at the network level they use IDS, and at endpoints they use EDRs for advanced detection and prevention, and all logs are fed to a SIEM.
For different scenarios, using tools like Covenant, we were able to bypass EDRs, all sorts of IDS and all these things, so in that case they could not detect any attack.
So we came up with a solution. In our approach we have focused on early threat detection as well as engaging attackers in an SDN decoy farm, isolating the attacker from the actual network, where threat hunters can learn TTPs.
So the main idea behind the approach is to build a simulated SCADA network which can be used as a target environment to divert and record attacker activities in an isolated environment, moreover integrating the cyber deception kill chain and threat hunting in decoy networks. So what are the objectives of this approach? The first objective is to keep the attacker engaged and delay malicious activities
towards
The third objective is to prevent the attack and keep the attacker isolated in a simulated environment. So right now these are the
here. The second one is... The third one is Cuckoo Sandbox for malware analysis. The fourth one is Zeek; it's a very amazing tool, Zeek (Bro), to analyze traffic. Maltrail, to find malicious trails in the traffic. Canarytokens: it can be in the form of a Word file, a PDF, it can be anything. Conpot: this is the main honeypot that we are using in our approach.
So these are some key elements of our approach. The first one is the threat hunting model; SANS is the first one who introduced the threat hunting model. The second one is kill chain analysis, which we will see in the coming slides. For SCADA simulation and attack simulation, researchers have explained a similar setup in detail, and we are using exactly the same method to simulate SCADA in a software-defined network with decoys. In software-defined networking, what we are doing is we have different decoys connected using Open vSwitch and all traffic is controlled by a Ryu controller. The last one is attack analysis; here we are using intrusion analysis
like the Diamond Model for attack analysis, or different approaches; we are using it in attack analysis. So
in that case we have used a mock-up SCADA network in SDN. In weaponization, we can misdirect the coupling of exploits and backdoors in the payload and payload delivery.
Right now we have three nodes: the first one is the attack engagement node, the second is the need-based decoy node, and the third is the orchestration and analysis node. The attacker subsequently
environment
FTP logs, Modbus server logs.
Due to the change of the threat landscape, reactive approaches are ineffective in detecting and reacting in time, resulting in no detection or an increased dwell time between incident response and attack. Proactive approaches in conjunction with deception and threat intelligence are an effective way of detecting and preventing threats quickly, using a SCADA decoy farm to engage the attacker and record its activity, providing IOCs to threat hunters.
Automation of the journey. So that's all from my side, thanks. If you have any questions right now you may ask.

Thank you. I would say one thing: very interesting talk. OT security, ICS security, SCADA security is definitely the topic which everyone is discussing. The reason is Colonial Pipeline, you know, JBS; these are all the incidents, and now you're listening about power sector attacks, the last year what was in
Pakistan, like a threat detection
Everyone is using that, but sometimes there are Schneider Electric, GE; they are using proprietary protocols where no one understands what the protocols are; they can't decode
the solution or devices applied, because level zero is the physical: your equipment, your processors and physical appliances, while you go to level one, level two, level three, your PLCs. One of the production challenges: the operators who are actually working on the plant side don't want you to install any equipment in their environment. So I have passive sensors, not reactive sensors; definitely there are active sensor companies, but passive sensors; they are reluctant to install anything in their legacy systems.
Right now, controllers are configurable
security, because that is a very hot topic nowadays in the cyber world.
next year as well. You're welcome, thank you so much.