# ICS-CERT TECHNICAL INFORMATION PAPER ICS-TIP-12-146-01A—TARGETED CYBER INTRUSION DETECTION AND MITIGATION STRATEGIES **UPDATE A** July 19, 2012 **OVERVIEW** Sophisticated and targeted cyber intrusions against owners and operators of industrial control systems across multiple critical infrastructure sectors have increased in recent months. ICS-CERT developed the following guidance to provide basic recommendations for owners and operators of critical infrastructure to mitigate the impacts of cyber attacks and enhance their network security posture. This guidance applies to organizations whose networks have been compromised by a cyber attack as well as to those desiring to improve their network security preparedness to respond to a cyber incident. The guidance is relevant to both enterprise and control system networks, particularly where interconnectivity could allow adversaries to move laterally within and between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to avoid any negative impact to normal operations. The guidance is organized into several topical areas and provides network administrators with concepts for improving detection of intrusions, preventing lateral movement of threat actors, and controlling access to the various segments of a network. The guidance is in the form of “what” should be done and “why” it is important. The “how” of implementation is the responsibility of each organization and is dependent on individual needs, network topology, and operational requirements. **GUIDANCE AND RECOMMENDED PRACTICES** The impacts of a cyber intrusion will likely be different for every organization depending on the nature of the compromise and the organization’s capabilities to respond. Each organization must assess its particular situation, identify the criticality of the impacted devices, and develop a prioritized course of action. Unfortunately, a simple and prescriptive remedy that can be applied uniformly to every organization does not exist. However, basic principles and recommendations exist that are essential to maintaining a sound network security posture and that will provide the necessary capabilities to respond to an incident. ICS-TIP-12-146-01A Page 1 of 10 ----- Organizations that suspect a compromise should first consider how to preserve forensic data and stop movement of the intruder through the network. While the tendency might be to first find and eliminate the intruder, unless adequate steps are taken to preserve data and prevent lateral movement, the recovery processes will not likely be successful. Also, while disconnecting compromised workstations from the network is important, unless the data that are essential to identifying the intruder are preserved, future detection will be more challenging. Therefore, the guidance listed in the Preserving Forensic Data and Credential Management sections below should be considered primary actions to help mitigate the spread of compromise through a network. Also, the need for intrusion detection capabilities cannot be overstated. The ability to detect and identify the source and analyze the extent of a compromise is crucial to rapid incident response, minimizing loss, mitigating exploited weaknesses, and restoring services. Early detection of an incident can limit or even prevent possible damage to control systems and reduces the level of effort required to contain, eradicate, and restore affected systems. Auditing and logging, with host-level Domain Name Service (DNS) resolution capabilities, are essential for improving detection and determining the depth and breadth of any compromise. Network segmentation, role-based access control, and application whitelisting are additional concepts discussed in this guidance, which will provide a defensive posture to prevent intruders from moving within a network. These techniques can be more challenging to implement but will provide long-term value. PRESERVE FORENSIC DATA Preserving forensic data is an essential aspect of any incident response plan. The forensic data acquired during the overall incident response process are critical to containing the current intrusion and improving security to defend against the next attack. An organization’s network defenders should make note of the following recommendations for retention of essential forensic data: - Keep detailed notes of all observations, including dates/times, mitigation steps taken/not taken, device logging enabled/disabled, and machine names for suspected compromised equipment. More information is generally better than less information. - When possible, capture live system data (i.e., current network connections and open processes) prior to disconnecting a compromised machine from the network. - Capture a forensic image of the system memory prior to powering down the system. ICS-TIP-12-146-01A Page 2 of 10 ----- - When powering down a system, physically pull the plug from the wall rather than gracefully shutting down. Forensic data can be destroyed if the operating system (OS) executes a normal shut down process. - After shutting down, capture forensic images of the host hard drives. - Avoid running any antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines. - Avoid making any changes to the OS or hardware, including updates and patches, as they might overwrite important information relevant to the analysis. Organizations should consult with trained forensic investigators for advice and assistance prior to implementing any recovery or forensic efforts. When a compromised host is identified, it should be removed from the network for forensic data collection (but not powered off, as noted above). When all available data have been retained from the infected host, the organization should follow established internal policies for recovering the host. If an organization does not have an adequate incident response plan or the necessary staff to handle a serious cyber incident, it should consult trained forensic investigators to assist with developing a response plan and implementing recovery efforts. Control system environments have special needs that must be evaluated when establishing a cyber incident response plan. ICS-CERT recommends a review of the CSSP Recommended Practice: Creating Cyber Forensics Plans for Control Systems.[a] CREDENTIAL MANAGEMENT --------- Begin Update A Part 1 of 1 ------- Protecting logon credentials for network hosts is an important consideration when defending a network against lateral movement by an intruder. Common tactics employed by attackers to compromise these credentials are brute force cracking of the password hash and a technique referred to as “pass-the-hash.” Brute force cracking requires the attacker to “guess” the original password by systematically hashing and comparing the result of possible passwords. When a match is found, then a usable password has been identified. This process is greatly expedited through the use of “rainbow tables,” or large tables of precomputed hashes. The pass-the-hash technique involves using cached password hashes extracted from a victim machine’s memory or a. Recommended Practice: Creating Cyber Forensics Plans for Control Systems (2008), http://www.uscert.gov/control_systems/pdf/Forensics_RP.pdf, Web site last accessed July 19, 2012. ICS-TIP-12-146-01A Page 3 of 10 ----- local disk to gain access to additional machines in the domain. The following list describes mitigation techniques that serve to reduce the possible vectors that attackers can use to compromise these credentials and/or reduce the locations that the stolen credential can be used to spread through the network. Administrators should evaluate each of these techniques and possible side-effects of implementing them before making any changes to systems. - Proper Permission Management a. Careful consideration should be given to the decision of granting users administrative rights to their own machines. When executing processes, such as Web browsing or reading email as an administrator, the machine is at greater risk of being compromised and losing control of its cached credentials. b. Domain Administrators’ accounts should not log in to any system other than domain controllers. Exceptions should be handled through the creation of temporary accounts that are removed after completing the intended task, or through the use of designated management machines that are not Internet connected.[b] Also, Domain Administrators should avoid using tools that require interactive logons (e.g., remote desktop) and should instead use remote console tools. This will reduce the likelihood that the administrator’s credentials will be stored in memory.[c] c. Restrict the use of the SeDebugPrivilege privilege to those users that actually need it. This privilege can be used to perform DLL injection, a technique used by the majority of the pass-the-hash tools and other malware. By default, this is assigned to the Administrators group but should really be more restricted than this. Create a specific debug user, and assign this account the right to use the privilege via the “run as” command, thereby gaining temporary privilege escalation.[d] - Network/System Design and Policies a. Take the principle of Internet, DMZ, and intranet zones and apply it throughout the network to isolate different trust sectors. There is usually little reason for one workstation to talk to another workstation, or for it to talk to all the servers. Using infrastructure devices and software to create security zones that group users needing to communicate b. http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283, Web site accessed on July 19, 2012. c. http://www.infoworld.com/d/security/the-two-most-feared-attacks-and-how-avoid-them-196351, Web site accessed on July 19, 2012. d. http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219, Web site accessed on July 19, 2012. ICS-TIP-12-146-01A Page 4 of 10 ----- with each other, helps to slow or prevent lateral movement throughout the rest of the network.[e] b. Change the number of cached credentials being stored by Windows to “0” for everything but mobile devices (e.g., laptops). This reduces the number of credentials at risk of being stolen and cracked, but may prevent domain logins in the event that a domain controller is not available (local user accounts can still be used). Mobile devices should reduce the number of cached credentials to as few as possible (e.g., 1 or 2). Mobile devices will still require cached credentials, because it is likely that mobile device users will be attempting to log in when a domain controller is unavailable (e.g., working outside the office). i. **Note: After credential caching has been disabled, an enterprise wide password reset** should be implemented. If a password reset is done first, the new credentials will be cached and will continue to be at risk. Therefore, resetting passwords after disabling credential caching will ensure that the old passwords are no longer valid, and the new passwords are not stored locally. c. If using a common baseline image to load company workstations, caution should be exercised if active local user accounts are present on the machine. Because all images will share the same password, this is especially damaging if the local administrator accounts have not been disabled. With these common credentials, an attacker could quickly compromise all the machines loaded with this image. For this reason, IT administrators should consider disabling or removing local machine accounts or at least, ensure that local accounts across the network have unique passwords.[f] d. Require that all machines be rebooted immediately after being used by a privileged user. This clears the user’s credentials from memory, a common place that pass-the-hash tools target.[g] e. ICS-CERT also recommends that organizations move away from using LAN Manager (LM) hashes,[h] where possible. LM hashes are inherently weak and can be broken relatively quickly, allowing an adversary to use the actual password instead of relying on a pass-the-hash attack. Not all companies will be able to make this switch as some legacy systems are incompatible, but every effort should be used to migrate away from these systems in order to increase the networkwide security posture. e. http://www.infoworld.com/d/security-central/isolated-security-zones-yield-stronger-network-protection403?page=0,1, Web site accessed on July 19, 2012. f. http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf, Web site accessed on July 19, 2012. g. http://www.infoworld.com/d/security-central/isolated-security-zones-yield-stronger-network-protection403?page=0,1, Web site accessed on July 19, 2012. h. http://support.microsoft.com/kb/299656, Web site last accessed July 19, 2012. ICS-TIP-12-146-01A Page 5 of 10 ----- i. **Note: When switching from credential caching and performing a global password** reset, network managers should, at the same time, disable LM hashes to avoid the need for another global password reset when that method of password storage is disabled. f. Organizations should consider moving to a multi-factor authentication system (e.g., SmartCards) or at least ensure that users choose complex passwords that change regularly. --------- End Update A Part 1 of 1 ------- INCREASE LOGGING CAPABILITIES System and network device logs provide valuable records of activities that have occurred. Logs may contain indicators of compromise, command and control (C2) communications, exfiltrated data, remote access logins, and more. The following types of logging should be considered. - firewall, - proxy, - DNS, - IDS, - packet captures, - flow data from routers and switches, and - host and application logs. DNS LOGGING WITH HOST LEVEL GRANULARITY When implementing increased auditing and logging capabilities, organizations should particularly consider enabling host level DNS resolution. Because most malware uses domain name-based C2 servers (versus hard coded IP based C2), it is essential for network defenders to have full awareness of DNS requests throughout the enterprise. ICS-CERT recommends that organizations deploy host level granularity in DNS logging to give network administrators the ability to identify which internal host (by hostname or IP address) originated a specific DNS request and to identify hosts that have connected to malicious domains. This is one of the best indicators of compromise. To ensure that all DNS resolutions are captured and logged, network administrators should ensure that all DNS requests go through company DNS servers. In addition, the company servers should only service DNS requests from authorized company hosts. ICS-TIP-12-146-01A Page 6 of 10 ----- Logging these data also provides a historical view of when and how the malware has moved through the network after the initial infection. This information helps to determine the full breadth and depth of the compromise. Retention of logs is essential since sophisticated threat actors tend to maintain a presence for long periods of time and will often lay dormant for many months. If possible, log retention for a year or two would be ideal and will provide the ability to go back and possibly find the time of initial infection and indictors of a compromise. In most configurations, host-level DNS logging is disabled by default and must be specifically enabled on authorized DNS resolvers. ICS-CERT recommends that organizations evaluate their DNS solution and enable this logging feature. AUDIT NETWORK HOSTS FOR SUSPICIOUS FILES MD5 hashes are digital fingerprints used to identify files. Changing just one byte in a file will result in a different hash. If an MD5 hash is known to belong to a malicious file, any file with a matching hash should be considered malicious, regardless of the filename. The ability to perform an enterprise wide host level search for MD5 hashes is a powerful organizational tool for incident response. MD5 hashes are among the key indicators that can be used to identify the presence of an intruder. Multiple host-based IDS and forensic tools, as well as plug-ins to enterprise configuration management software, offer this functionality. NETWORK SEGMENTATION Network segmentation involves separating one large network into smaller functional networks using firewalls, switches, and other similar devices. Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network. Organizations should decide which departments, applications, services, and assets should reside on each network segment. Implementation of network segmentation can be a long-term project and should include careful planning, implementation, and regular maintenance. In an ideal world, the business and control system networks would be physically separated. However, this is not practical in many situations. In practice, firewalls and data diodes are good options for segmenting networks. A data diode allows only one-way communication between network segments and can be used to ensure that network data only flows out of the control ICS-TIP-12-146-01A Page 7 of 10 ----- systems network. Firewalls allow two-way communication between networks and risks of exposure if the firewall is not well configured. The network should also include one or more demilitarized zone (DMZ) segments grouped by function such that the attack surface at each segment is minimized. DMZs should include the organization’s external services that are exposed to the Internet or any critical systems that are accessed from multiple internal network segments. Firewalls should control communication between DMZs and internal/external hosts. STRICT ROLE-BASED ACCESS CONTROL Role-based user access control grants or denies access to resources based on job function. Active Directory (AD) implements role-based user access control through group policies. Groups provide logical network segmentation and prevent users from accessing machines that are not necessary for job performance. Organizations should define the roles and permissions needed for each group to perform its duties. Implementing strict role-based access control allows better auditing and reduces risk by minimizing the privileges associated with each group. In addition, this logical network segmentation makes it harder for an adversary to move laterally through the network after the initial intrusion. APPLICATION WHITELISTING Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware. One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden is significantly reduced in control systems environments, because the set of applications that run in those systems is essentially static. ICS-CERT recommends deploying application whitelisting on the control systems and business networks wherever applicable. In particular, application whitelisting could be appropriate for business servers such as mail servers and domain controllers. **ADDITIONAL RECOMMENDED PRACTICES** ICS-CERT recommends that users take the following standard measures to protect themselves from social engineering attacks. 1. Do not click Web links or open unsolicited attachments in email messages. ICS-TIP-12-146-01A Page 8 of 10 ----- 2. Refer to Recognizing and Avoiding Email Scams[i] for more information on avoiding email scams. 3. Refer to Avoiding Social Engineering and Phishing Attacks[j] for more information on social engineering attacks. ICS-CERT encourages asset owners to take the following additional defensive measures. - Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. - Keep software up to date with a patch management plan.[k] - Develop, review, and maintain an up-to-date incident response plan.[l] - Keep patches up to date whenever possible. - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices. The Control Systems Security Program (CSSP) Web page also provides a section for control systems security recommended practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.[m ]ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures. **CONTACTING AND REPORTING TO ICS-CERT** For any questions related to this report, please contact ICS-CERT at: Email: ics-cert@dhs.gov Toll Free: 1-877-776-7585 For CSSP Information and Incident Reporting: www.ics-cert.org i. Recognizing and Avoiding Email Scams, http://www.us-cert.gov/reading_room/emailscams_0905.pdf, Web site last accessed July 19, 2012. j. National Cyber Alert System Cyber Security Tip ST04-014, http://www.us-cert.gov/cas/tips/ST04-014.html, Web site last accessed July 19, 2012. k. Recommended Practice for Patch management of Control Systems, http://www.uscert.gov/control_systems/practices/documents/PatchManagementRecommendedPractice_Final.pdf, Web site last accessed July 19, 2012. l. Developing an ICS Cybersecurity Incident Response plan, http://www.uscert.gov/control_systems/practices/documents/final-RP_ics_cybersecurity_incident_response_100609.pdf, Web site last accessed July 19, 2012. m. CSSP Recommended Practices, http://www.uscert.gov/control_systems/practices/Recommended_Practices.html, Web site last accessed July 19, 2012. ICS-TIP-12-146-01A Page 9 of 10 ----- ICS-CERT continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://forms.uscert.gov/ncsd-feedback/. ICS-TIP-12-146-01A Page 10 of 10 -----