Information Sharing

Guest author Robert Huber is a co-founder of Critical Intelligence, a for-profit ICS Cyber Situational Awareness and Threat Intelligence provider.

If you look closely at all the banter of information sharing, especially with a focus on the electric sector, you have to be perplexed. ES-ISAC, ICS-CERT, ICS-ISAC, NESCO/EnergySec and some other sector specific information sharing groups that I won’t name. Where do you as an owner/operator turn?

ICS-CERT is definitely in the information sharing business across many sectors. They host public and private information sharing portals. They would also like asset owner/operators to report information to them directly. If you listen to, or read any ICS-CERT reports, they always add the following statement:

Organizations that detect any of the indicators of compromise in business or control system networks are encouraged to contact ICS-CERT …

So why report to them instead of your sector specific organization? I know not all sectors have ISACs, but the electric sector does. Weird considering PDD-63, created in 1998, directed the National Coordinator to work with private industry to create the necessary ISACs across all sectors.

ES-ISAC has grown and improved their information sharing role, encouraging asset owners and operators to share. They have a specific section on their portal dedicated to this, which seems to work quite well. They also host the monthly ES-ISAC call to share relevant information, which DHS and ICS-CERT also attend and brief (as well as my company).

NESCO/EnergySec maintains the TAC (Tactical Analysis Center), a community driven information sharing capability.

ICS-ISAC, from their own description: “[t]he ICS-ISAC is a non-profit Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security”. Nothing against these guys, as I know they are out to do good, but to my knowledge, they seem to be the only ISAC dedicated to a specific type of technology versus a sector.

Oh, lest I forget, the FBI just announced its information sharing initiative. Certainly from the government side, with all the push for information sharing, everyone wants a piece of the pie.

If I were an asset owner or operator I’d feel overwhelmed. Much of the information is the same across the above sources. In fact, many of them share information from the other sources to their constituents. Most of them do work together to some extent, but there are certainly some very evident turf battles. Add to all this, Presidential Decision Directives, Executive Orders, and potential legislative bills for information sharing and the space only gets muddier. Maybe if they actually implemented what they envisioned in PDD-63, we wouldn’t even need all of these other government efforts.

If you were at Black Hat this year, you will note that one of the hot terms was threat intelligence. We have it, we produce it, we help you ingest it. Seriously? In the past 6 months Accuvant, IOActive and Mandiant have joined the commercial threat intel/situational awareness bandwagon. They join the existing mix of: CrowdStrike, Verisign iDefense, Cyveillance, Symantec DeepSight, Cisco IntelliShield, Dell SecureWorks, McAfee Global Threat Intelligence, Lookingglass, Booz Allen Cyber4Sight, IBM X-Force, iSIGHT Partners, Lockheed Palisade and Critical Intelligence.

I’m sure there are several more that I either forgot, or they are announcing soon and I can’t mention them yet. Quite honestly, most of them focus on the IT side of things versus ICS, although some are targeting ICS, mainly through their vulnerability research and penetration testing. I almost forgot the commercial information sharing organizations, RedSky Alliance and ThreatConnect.

Threat Intelligence and Information Sharing is the sign of a mature organization, and quite frankly FEW companies are there. Large defense contractors and financials? Sure. And yet they still get compromised on a regular basis. In fact, most large DIB and financials have threat intelligence TEAMS in place. It’s not some person’s part time job to read DarkReading, the CSSP Private Portal, Full Disclosure and BugTraq every couple of days for a few minutes to track the threat. That’s an argument we get a lot from potential customers. “Hey, I can get cyber security feeds too! Why do I need you guys?” To which I say, “great, we track several thousand sources constantly and provide detailed analysis in a context that is meaningful to our clients.” If you think you can protect your organization’s crown jewels with 1/10 of some person’s time, more power to you. Here’s Mandiant’s contact info, keep it handy, you’ll need it.

It’s interesting that in the military, intelligence is used to prepare the battlespace, yet, in the commercial world, it’s usually a luxury or afterthought.

How about we get some basic defense in depth: policies, procedures and technology in place first? Or at the least, identify your crown jewels and high value targets (HVTs). Wouldn’t it be easier to defend, if you know exactly what you should be defending? In essence, this is how you draft your intelligence collection requirements. Do you really want information from all the sources I mentioned, or would you rather worry about the stuff that affects your organization? Do you really want to sift through 5 or more feeds for your intelligence and situational awareness, or would you prefer a team to correlate, aggregate and analyze it?

I have to laugh when I hear the constant calls for information sharing. Here you go:

Domain: pb.qocp[.]net

C2 IP:

Dropped Filename: cyslog.dat

Dropped File Hash: 3b98c9c3879f4846967c4e93fa10c934

Incoming Filename: Nuclearpowerplants.doc

Incoming File Hash: 6e79167bad3dd115086567226325cbf8

The original file was likely taken from here, although I found several similar versions.

The original file is 2 years old. Recently someone grabbed it and added their malware.

It’s from the PLA of China (Bob’s speculation, I’m not in the business of attribution). Does that matter to you? If so, why or why not? Are you bidding on any projects that the Chinese may also be bidding on? Do you have access to key fracking or some other technology that the Chinese would like to have? Are you operating ventures in China?

How many organizations can action that? Yes, it’s real. Yes, it’s APT.

What should you do with these indicators?

First, search all available sources of information to identify any past activity related to these indicators (firewall logs, network flow logs, IDS/IPS alerts, SIEM tools, web proxy logs, DNS logs, etc.).

For the file-based indicators, if you are running Microsoft SMS, EnCase Enterprise, HBGary, AccessData FTK, Mandiant MIR, Tenable Nessus or similar, you can search on the filenames and/or file hashes. Heck, just grab the free hashdeep or md5deep, or roll your own.

You should also consider implementing network intrusion detection/protection signatures, web proxy blocks, DNS blackholes, and firewall blocks on the above indicators. [I’m not giving advice on the above indicators, I’m just providing examples of what you could do].
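A minimal "roll your own" version of the two retrospective search steps above (file system and logs), added here as an illustration and not code from the author or any vendor named in this post. It uses only the indicators listed above; the function names and the sample log lines are constructed for the example.

```python
import hashlib
import os

# Indicators as published in this post; the C2 IP is blank there, so it is omitted.
IOC_DOMAINS = {"pb.qocp[.]net".replace("[.]", ".")}  # refang for matching
IOC_NAMES = {"cyslog.dat", "nuclearpowerplants.doc"}  # compared lower-cased
IOC_MD5 = {"3b98c9c3879f4846967c4e93fa10c934",
           "6e79167bad3dd115086567226325cbf8"}


def md5_of(path, chunk=1 << 20):
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()  # MD5 only because the published hashes are MD5
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_files(root, names=IOC_NAMES, hashes=IOC_MD5):
    """Return sorted (path, reason) hits; unreadable files are reported, not skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append((path, "filename"))
            try:
                if md5_of(path) in hashes:
                    hits.append((path, "md5"))
            except OSError:
                hits.append((path, "unreadable"))
    return sorted(hits)


def sweep_logs(lines, domains=IOC_DOMAINS):
    """Return (line_number, line) for DNS/proxy log lines naming an indicator domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        text = line.lower().replace("[.]", ".")  # tolerate defanged entries
        if any(domain in text for domain in domains):
            hits.append((number, line.rstrip()))
    return hits


# Constructed sample lines (not real traffic), loosely in a DNS query log shape.
SAMPLE_LOG = [
    "2000-01-01T10:01:02Z client=10.0.0.5 query=www.example.com type=A",
    "2000-01-01T10:01:09Z client=10.0.0.7 query=PB.QOCP.NET type=A",
]
```

A filename hit alone is weak evidence, since a dropped file is trivially renamed; treat it as a lead to confirm by hash. The "unreadable" entries matter because a locked or permission-denied file is exactly what a sweep should not silently pass over.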

From DHS ICS-CERT reporting, we know most organizations don’t have any of these capabilities in place. If that’s you, refer to my previous statement and pull out Mandiant’s contact information.

If you really want information sharing and threat intelligence, build a program, assign resources and action the data. Don’t make it someone’s part time job.

Flame away……

Image by Gavin Kealy