Home / Blog / Hunting shadows in Industry

Hunting shadows in Industry

Posted on 11/03/2016, by INCIBE
Atrapando sombras en la industria

Since the appearance of Stuxnet, advanced persistent threats (APTs) have grown considerably not only in industrial environments but in many different environments. Accessing systems that contain sensitive information or that are used by the government for critical and important processes for business; such as control of centrifuges for the enrichment of uranium or the management of opening and closing of circuit breakers, attract special interest from potential users with malicious intentions.

Luckily, with the technology that exists today it is possible to detect some APTs. However, the complexity of technology also evolves in the development of malware and persistent threats, making detection of these threats practically impossible if the development and techniques used to exploit vulnerabilities in the system are complex.

Tools on the market that take advantage of Big Data

One of the possible solutions for detecting APTs is the use of Big Data, which we have already spoken about in a previous article. Some of the tools for collecting and treating large quantities of data like Splunk, DataManager Pro and Lookwise, use the concept of Big Data in industrial systems. It is important to bear in mind that Big Data is a concept and therefore does not have exclusive tools for its practice. Given the tasks that these tools allow us to execute, it is still possible to achieve the desired objectives of the concept. Some of the tasks that share the aforementioned tools and can therefore be related to Big Data are the following:

  • Log collection sensors, firewalls, critical system components, IDS/IPS, etc., for its analysis.
  • Detection of anomalies after the treatment of logs based on detected patterns, poor functioning in the industrial process, misalignment of machinery, etc.
  • Inventory of the network assets present and those which are functioning.

Many industrial organisations already have these or other solutions for improving the analysis of traffic that passes through their networks. We cannot forget that Big Data also has its disadvantages; in certain industrial areas it is limited because of the format of certain data that is difficult to treat.

Big Data vs. Malware

The employment of Big Data can prove useful for strengthening detection and analysis components. This technology allows for the extraction of useful information from large volumes of data and, if used adequately, can be a powerful tool for fighting malware and APTs if it can identify certain patterns in suspicious activities.

Although the in-depth analysis of traffic already captured is necessary given the large volume of data, it is important to keep a characteristic of APTs in mind, which is the quantity of time that attackers invest in their specific objective (for example, exfiltration of sensitive data).

Possible APT actions

- Possible APT actions -

With the tools previously presented it is possible to detect a large number of actions carried out by APTs. For example, in the case of a malware communication with their C&C, the following must be taken into account:

  • What does it focus on? Traffic with origin or end servers not identified by the organisation. Servers can be validated later against black lists.
  • Why? Advanced threats/malware requires continuous communication with the control centre to achieve their objective.
  • Data sources required: Any data log with IP addresses or domain names, data sources (log/archives) from IP black lists or domains.
  • How to detect them? By applying filtration rules that allow or block traffic.

In practice, Big Data tools recover the logs of blocked addresses from firewalls, from the specific IPS information of transmitted data and especially from data recovered by the industrial IPS located within the industrial network and the DMZ, because these are the most sensitive networks for industrial companies

The information to be sought in the logs relates to patterns in external connections that seem out of place (the company is Spanish with no headquarters or branch in country X yet there are connection attempts from this country). Once an anomaly is detected, the person responsible for cybersecurity in the company would consult trusted sources to determine if the connections are reliable and assess whether a connection already stopped by the IPS should be re-permitted (prevention is better than cure).

Example of architecture

- Example of architecture -

The use of Big Data would provide reliable data sources which would have already been analysed for anomalies by applying filtration rules on time. Furthermore, with data collection it is possible to classify the IP according to its network reputation and by allowing it to create internal black lists for the company. Within these black lists it is also possible and recommendable to incorporate the information known about attacks that happened in the same sector. Big Data technology makes the most of analysis and data treatment. It is an option that would not affect the industrial processes and would therefore not have any impact on its availability. Knowing that availability is a factor of great importance in the industry makes this technology an excellent option for use in these environments.

Case Study: Operation Ghoul

An example that illustrates the practical application of data analysis provided by Big Data and the information of which is publicly available on the Internet is Operation Ghoul. Discovered by Kaspersky Lab, it is known to have affected 130 organisations, mostly in the industrial and engineering sectors and distributed across 30 countries, including Spain.

The infection of this operation comes from a social engineering phase through the use of spear phishing: impersonation of an email coming from a bank in the United Arab Emirates aimed at imitating a payment notification with an attached SWIFT document. The real content of the attached document was malware based on spy software (HawkEye).

As can be seen in the diagram, Operation Ghoul assigned unusual names to the infected files. This problem could have been identified with a Big Data solution that considers the factors already described and by following the process:

  • What does it focus on? Name and size of the unusual files
  • Why? The aim is to execute actions in the system through malicious programmes evading the detection of antivirus, IDS, etc.
  • Source of required data: System log or end devices, name and size of the files, etc.
  • How to detect them? Monitoring of file names, their extension and the size of each one.

Information to keep in mind in the face of an APT (Example based on Operation Ghoul)

- Information to keep in mind in the face of an APT (Example based on Operation Ghoul) -

When put into practice, the SCI operator units contain sensors that could send the relevant cybersecurity information to the Big Data tools. It is these tools that analyse events with the aim of detecting anomalies such as those described. Once the anomaly is detected, the head of cybersecurity within the company must contact the person to whom the affected unit belongs, isolating it until the case has been analysed.

Having a well-configured tool to analyse data in real time, or over a short period of time, brings great benefits in relation to an organisation's cybersecurity, especially in industrial organisations where there is an abundance of data and it is absolutely necessary to treat data exhaustively. Threat detection can be one of the key ways to maintain data availability, integrity and confidentiality.