57 research outputs found

    Exploring security controls for ICS/SCADA environments

    Master's project report, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2020.
    Industrial Control Systems (ICS) are beginning to merge with IT solutions in order to promote inter-connectivity. Although this brings countless benefits from a control perspective, ICS have been lacking in security mechanisms to ward off potential cyber threats when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrences of disastrous cyber-attacks, security is a topic that should be encouraged. In light of this problem, in this dissertation we present an assessment of possible security applications and controls that can be deployed in these critical environments, and the implementation of an extensible security solution that responds to certain attacks focused on industrial systems and is capable of being deployed in any industrial network that allows its connection. With the help of an extensible and portable framework for ICS testing, and other industrial testing environments, it was possible to analyze different threat scenarios, implement security mechanisms to detect them and evaluate the results, in order to provide an idea of how best to employ these mechanisms in a real industrial control environment without compromising its process.

    Advances in modern botnet understanding and the accurate enumeration of infected hosts

    Botnets remain a potent threat due to evolving modern architectures, inadequate remediation methods, and inaccurate measurement techniques. In response, this research exposes the architectures and operations of two advanced botnets, techniques to enumerate infected hosts, and pursues the scientific refinement of infected-host enumeration data by recognizing network structures which distort measurement. This effort is motivated by the desire to reveal botnet behavior and trends for future mitigation, methods to discover infected hosts for remediation in real time and threat assessment, and the need to reveal the inaccuracy in population size estimation when only counting IP addresses. Following an explanation of theoretical enumeration techniques, the architectures, deployment methodologies, and malicious output for the Storm and Waledac botnets are presented. Several tools developed to enumerate these botnets are then assessed in terms of performance and yield. Finally, this study documents methods that were developed to discover the boundaries and impact of NAT and DHCP blocks in network populations along with a footprint measurement based on relative entropy which better describes how uniformly infections communicate through their IP addresses. Population data from the Waledac botnet was used to evaluate these techniqu

    Analysis of possibilities to use information from NetFlow protocol for improvement of performance of Wide Area Network

    The main goal of this project is to analyze the data regarding the connections of Wide Area Networks (WAN) with the networks of Akademia Górniczo-Hutnicza (AGH University), and from this to identify possibilities for optimization. To that end, by analyzing the dumps of the connections, we will collect the characteristics of this network and try to figure out how to resolve the problems these connections encounter. This document contains the results obtained from a deep analysis of the traffic produced on a WAN and along it (campus network), as well as the methods and tools used during the development of this work. Once the results of the analysis have been shown, the study of possible solutions, deduced from previous studies, will be presented, explaining the possibilities that might in some way improve the WAN and also their possible drawbacks.

    Comparison of Deep Packet Inspection (DPI) Tools for Traffic Classification


    A Brave New World: Studies on the Deployment and Security of the Emerging IPv6 Internet.

    Recent IPv4 address exhaustion events are ushering in a new era of rapid transition to the next generation Internet protocol---IPv6. Via Internet-scale experiments and data analysis, this dissertation characterizes the adoption and security of the emerging IPv6 network. The work includes three studies, each the largest of its kind, examining various facets of the new network protocol's deployment, routing maturity, and security. The first study provides an analysis of ten years of IPv6 deployment data, including quantifying twelve metrics across ten global-scale datasets, and affording a holistic understanding of the state and recent progress of the IPv6 transition. Based on cross-dataset analysis of relative global adoption rates and across features of the protocol, we find evidence of a marked shift in the pace and nature of adoption in recent years and observe that higher-level metrics of adoption lag lower-level metrics. Next, a network telescope study covering the IPv6 address space of the majority of allocated networks provides insight into the early state of IPv6 routing. Our analyses suggest that routing of average IPv6 prefixes is less stable than that of IPv4. This instability is responsible for the majority of the captured misdirected IPv6 traffic. Observed dark (unallocated destination) IPv6 traffic shows substantial differences from the unwanted traffic seen in IPv4---in both character and scale. Finally, a third study examines the state of IPv6 network security policy. We tested a sample of 25 thousand routers and 520 thousand servers against sets of TCP and UDP ports commonly targeted by attackers. We found systemic discrepancies between intended security policy---as codified in IPv4---and deployed IPv6 policy. Such lapses in ensuring that the IPv6 network is properly managed and secured are leaving thousands of important devices more vulnerable to attack than before IPv6 was enabled. 
Taken together, findings from our three studies suggest that IPv6 has reached a level and pace of adoption, and shows patterns of use, that indicate serious production employment of the protocol on a broad scale. However, weaker IPv6 routing and security are evident, and these are leaving early dual-stack networks less robust than the IPv4 networks they augment.
    PhD, Computer Science and Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies.
    http://deepblue.lib.umich.edu/bitstream/2027.42/120689/1/jczyz_1.pd

    Detection of HTTPS brute-force attacks in high-speed computer networks

    This thesis presents a review of flow-based network threat detection, with the focus on brute-force attacks against popular web applications, such as WordPress and Joomla. A new dataset was created that consists of benign backbone network traffic and brute-force attacks generated with open-source attack tools. The thesis proposes a method for brute-force attack detection that is based on packet-level characteristics and uses modern machine-learning models. Also, it works with encrypted HTTPS traffic, even without decrypting the payload. More and more network traffic is being encrypted, and it is crucial to update our intrusion detection methods to maintain at least some level of network visibility.

    An investigation of protocol command translation as a means to enable interoperability between networked audio devices

    Digital audio networks allow multiple channels of audio to be streamed between devices. This eliminates the need for many different cables to route audio between devices. An added advantage of digital audio networks is the ability to configure and control the networked devices from a common control point. Common control of networked devices enables a sound engineer to establish and destroy audio stream connections between networked devices that are distances apart. On a digital audio network, an audio transport technology enables the exchange of data streams. Typically, an audio transport technology is capable of transporting both control messages and audio data streams. There exist a number of audio transport technologies. Some of these technologies implement data transport by exchanging OSI/ISO layer 2 data frames, while others transport data within OSI/ISO layer 3 packets. There are some approaches to achieving interoperability between devices that utilize different audio transport technologies. A digital audio device typically implements an audio control protocol, which enables it to process configuration and control messages from a remote controller. An audio control protocol also defines the structure of the messages that are exchanged between compliant devices. There are currently a wide range of audio control protocols. Some audio control protocols utilize layer 3 audio transport technology, while others utilize layer 2 audio transport technology. An audio device can only communicate with other devices that implement the same control protocol, irrespective of a common transport technology that connects the devices. The existence of different audio control protocols among devices on a network results in a situation where the devices are unable to communicate with each other. Furthermore, a single control application is unable to establish or destroy audio stream connections between the networked devices, since they implement different control protocols.
When an audio engineer is designing an audio network installation, this interoperability challenge restricts the choice of devices that can be included. Even when audio transport interoperability has been achieved, common control of the devices remains a challenge. This research investigates protocol command translation as a means to enable interoperability between networked audio devices that implement different audio control protocols. It proposes the use of a command translator that is capable of receiving messages conforming to one protocol from any of the networked devices, translating the received message to conform to a different control protocol, then transmitting the translated message to the intended target, which understands the translated protocol message. In so doing, the command translator enables common control of the networked devices, since a control application is able to configure and control devices that conform to different protocols by utilizing the command translator to perform the appropriate protocol translation.

    Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX

    Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows, rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood before sound flow measurements can be performed. Otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.

    Forming a Situational Picture from Information Systems (Tilannekuvan muodostaminen tietojärjestelmistä)

    As the complexity of networks increases, new tools need to be implemented in order to maintain control over the connected devices. The thesis presents a way to reach situation awareness in a computer system in a cost-effective way without compromising flexibility and scalability. The definition of situation awareness in the cyber security context includes, for example, that one needs to be aware of the current situation, how situations evolve, and why and how the current situation is caused. In order to achieve situation awareness, two tools are presented: a monitoring system and a log analytics platform. The monitoring system is a proactive system which keeps track of the status of all the devices and services configured to be monitored. The status and received events are stored for later usage, and graphs are drawn based on the values of different services and statuses. The log analytics platform is a reactive system which provides insight into structured and enriched log data. It can visualize the log data, analyze it and raise alarms based on pre-defined rules, and utilize machine learning for anomaly detection. These two systems are integrated together using the alarming feature of the monitoring system, so that logs can be linked to the exact device in the monitoring system, hence collecting the relevant data in one centralized view so that incidents can be investigated further on the log analytics platform. Together they provide deep insight into the computer system and enable situation awareness.