
Hi everyone. So yeah, today we're going to talk about a pretty good topic: red teaming on critical infrastructure. To kick things off, who am I? I'm Granite, I currently work at KPMG as a security engineer. I deal with red teaming and pentesting and I've been doing that for the past six years. I moved to the UK recently, actually last year, and it has been treating me very well. Considering that English is not my main language, I'll try to keep it as simple as possible and try to answer every question that you may have at the end. And yeah, I love to play Dots as a hobby.

Right, to the topic. What is red teaming, what is pentesting, and what's the main difference? A normal company would normally engage in a pentest, a penetration test, to complete compliance requirements, to test a solution, a web app, a mobile app, etc. But red teaming is a more complex one because it functions more at the enterprise level: companies that have in place a security operations center, a blue team, and you try to check if the response of that blue team is enough to withstand a cyber attack. On a penetration test the main focus would be to find as many vulnerabilities as you can and report them. The blue team may be aware of it, it will not make much noise, and they do not worry about getting detected; they often get issues when they perform a red team. Penetration testing takes a small amount of time to complete, just one to three weeks, and for more complex infrastructures, a more complex solution, it will take more, maybe up to a month, but not more than that. Red teaming is where you try to get inside the main infrastructure, the domain controller, the critical points of your infrastructure, as soon as possible, at the earliest stage, and you try to mimic a threat actor group, APTs, advanced persistent threats. So they try to mimic that along the way; they will use different frameworks like the MITRE ATT&CK framework and try to mimic their sessions and their paths, what they can do at each step. It takes a lot of time to perform red team assessments: the minimum is going to take one to three months, but for critical infrastructure it can take from six months to a year to fully complete.

So what is critical infrastructure? Critical infrastructure is everything that is crucial to our life: the supply chain, food, government, banking or the financial sector, transportation systems, nuclear reactors, materials and waste, the energy sector, the water supply, and so on. Everything that actually brings the basic stuff into our life. It's very crucial because once that chain is broken it's going to cause panic, chaos, and a lot of things that we could not imagine.

How do we approach red teaming, especially the methodology? It always starts with reconnaissance. Recon is the most important bit on every engagement, on pentesting and on red teaming, together with open source intelligence. Then you move on to the one that differs from pentesting, which is physical access. On a traditional pentest you will not have physical access checks and assessments, but on red teaming it is kind of an important one to gain initial access. Once you have done that you will try to get as much information as you can about the infrastructure and the architecture, and you will try to establish a foothold, initial access, even if that's a zero day, a CVE exploit, or anything that you can find along the way. Usually these three steps take most of the time, like four months to complete. Then you move to lateral movement. Of course it's going to be hard to move laterally, especially in a critical infrastructure environment, because it's going to be isolated from the network: it's going to have its own network, its own communication protocols, and not the usual things that you are used to seeing when you perform, for example, a pentest. You're not going to have a website to hack your way in; you have to use your social engineering skills and so on. Then let's consider that you moved laterally and got access to the domain controller: you will have the crown jewels. We call the crown jewels the most critical parts of an infrastructure; in critical infrastructure that is going to be the SCADA system, which we're going to talk about later.

These four that I highlighted in red are the important bits when you perform a red team assessment on critical infrastructure, for example a power grid. You'll have to gain physical access first; you cannot perform reconnaissance from the outside, you cannot find anything on the internet, so you have to get your way in. You have to use tailgating, masquerading, any technique that you can. I have seen at BSides that lock picking is very useful when you try to get in, especially on, for example, a power grid station. And you can use unauthorized connections like Rubber Ducky USBs, you can use a Flipper Zero, you can use a HackRF, which my colleague displayed earlier in the presentation. Then you can access the crown jewels. But what's kind of the most important one, the biggest vulnerability that you can see in critical infrastructure, is human error. It's always going to be on top of everything when it comes to cyber security; humans are made to make mistakes, so that's the reason why.

What's the most important part, as I mentioned, is the SCADA system. So what's SCADA? It's supervisory control and data acquisition. Let's consider it a server which connects everything into one place from PLCs and RTUs, where it gets gibberish-like information and translates it into human language, and in this case that's going to be the human machine interface. In a SCADA system there are three main components: the HMI, RTUs and PLCs. The human machine interface is the one that you see, for example, in movies: the big screen, the monitors, the monitoring room of that critical infrastructure. Let's take a power grid: you can see like eight screens and they monitor the temperature, the bulbs, the sensors, the humidity and stuff. That's what the HMI does: it has a beautiful dashboard where you can see and manage everything. The RTUs are what transfer the data from level zero, which is the programmable logic controllers; it gathers information from those and transfers it to the SCADA server, which then brings it up to the HMI.

How can we utilize MITRE ATT&CK for red teaming on critical infrastructure? MITRE ATT&CK is the most famous framework when it comes to red teaming and mimicking a threat actor, an APT group, whether that's going to be Anonymous or Fancy Bear or any APT that you can name. But they do have one thing: MITRE released a framework for ICS, for critical infrastructure. It differs a lot from performing red teaming on a simple one. You can go and check it out yourself, you can play with it, it also has a GitHub link inside the MITRE ATT&CK ICS framework, and you can see a lot of difference from the usual one because it does have a firmware update mode and checking, for example, for exploits that are not known on the internet.

And yeah, the famous one, the one that broke the world. I think that's the best title that I could find: 500 kilobytes that changed the world. It's Stuxnet. I think everyone is familiar with Stuxnet, everybody has heard of it, maybe everybody has seen it in the movies. It happened in Iran in 2010; its main target was a nuclear facility, and the main target was the programmable logic controllers, in this case produced by Siemens. So how did it happen? They got initial access by mounting a USB flash drive into the network, because that was fully, completely isolated, and even though Iran said that they were prepared for any cyber attack, this took, I think, about 5 years of development to develop such a worm that would act in an autonomous way inside. So what it did: it goes inside the system using a mounted USB flash drive, that's how it was delivered, and then it goes on its own way and checks if it's a Windows server, if it's a Siemens PLC. It has a list of vulnerabilities, zero days, certificates, everything that you can imagine, like a long sheet of vulnerabilities inside that small flash drive, and it will try to exploit every vulnerability that it could find along the way on any server. Once they got access, a TCP connection was made with the C&C server, and they also used command and control to exploit stuff. Then the main point: when they moved laterally they used zero days, they used vulnerabilities, they used everything, and then they managed to get inside the centrifuges. What they did inside the centrifuges was what we now call time frame attacks: basically they would heat it up, wait 30 minutes, heat the centrifuges up, wait 30 minutes, and then that caused the explosion. For the people working on the human machine interface on that day it was pretty much too late to understand what was happening, because the worm was sending false signals to the HMI, so people thought that the temperature was fine and there was nothing to worry about.

I think this one is a good one because it was released 10 days ago. These are the latest CVE exploits that you can find for critical infrastructure. For example, some of them are even accessible through a remote connection, so you don't even have to get inside the critical infrastructure to perform those. For example, Delta Electronics has a vulnerability that allows you to execute RCE, remote command execution, and we have, for example, the CVE of 5 5885 for FFS Caliber, which is a fuel inventory management system, and then you can gain access inside. Imagine this one is kind of the honeypots where every attacker would look in a critical infrastructure. So if you're trying to find your way in, every time on a critical infrastructure engagement you'll have to check the CVE directory first of all, because critical infrastructure systems are old ones; they often do not get upgraded because it is very costly, and that's the reason why they try to isolate it as much as possible from the outside world, so no one could gain access and understand what's happening. Thank you, any questions?
Thank you. So I was just wondering, obviously you need to get physical access; have you seen situations where that physical access hasn't been possible?

Yeah, so that's the reason why in most cases in red team engagements we have a get out of jail card, as it's called. So when you try to get physical access inside, especially for example critical infrastructure, most of the people get caught by police or security guards, so you just pop out the get out of jail card so you will not be convicted and prosecuted. That's the main thing that you're trying to avoid. But yeah, it happens most of the time, and when that is done you have to try it again; that's the only way.

Yeah, I was also wondering, you see in architecture things like the Purdue model and stuff where you try to keep untrusted on one side of a firewall. I wondered if you could talk about the efficacy, how good these models are, if they work or not, if you know.

Yeah, so the main problem on critical infrastructure, based on my engagements, was the misconfiguration of the communications, because PLCs and the RTUs, the remote units, use something called Modbus. Modbus is a communication like TCP, let's say; it also has TCP. It's the communication that happens from the PLCs to the RTUs to transfer data to the HMI. That is the most important bit, because on the Modbus connection, if you find something, if you are able to perform man in the middle, for example, or capture that packet and see what's happening, then that's game over. Any other questions? Last one, at the front here.

Hi, great talk, thank you. Just a question: when you're red teaming on critical national infrastructure, if there is a chance that, when you want to get into something or even get going, you need to run an exploit and there's a very high likelihood of it going down, what do you do just so that you can get an assumed breach foothold?

Yeah, so that's also a good question and a good problem that we actually encountered when performing it, because you're not trying to break something when you're performing a red team assessment. To perform an assumed breach scenario on critical infrastructure, we usually gather the architecture information of that critical infrastructure and try to mimic that in our labs, or in any test environment that they have, because every facility has its own test environment where they kind of pre-check things before they do it in production. If that is exploited on the test environment it's considered that it works on the day, because we are not trying to break things up.

Cool, thank you very much. Thank you.
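The Modbus misconfiguration point raised in the Q&A above, as an added example that is not part of the talk: a small Modbus/TCP frame parser that a blue team could run over captured traffic to flag write function codes from hosts outside an allowlist and malformed MBAP headers. The source IPs, the allowlist and the frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state; reads (1-4) are not flagged.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: only the SCADA server is expected to write to the PLCs.
ALLOWED_WRITERS = {"10.0.0.10"}

@dataclass
class ModbusFrame:
    src: str
    unit_id: int
    function: int
    payload: bytes

def parse_mbap(src: str, data: bytes) -> ModbusFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (tid, pid, length, unit) + PDU."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, Modbus always uses 0")
    if length != len(data) - 6:  # length field counts unit id + PDU
        raise ValueError(f"length field {length} != {len(data) - 6} bytes on the wire")
    return ModbusFrame(src, uid, data[7], data[8:])

def inspect(src: str, data: bytes) -> list[str]:
    """Return alert strings for one captured frame; an empty list means nothing to flag."""
    try:
        frame = parse_mbap(src, data)
    except ValueError as exc:
        return [f"MALFORMED from {src}: {exc}"]
    alerts = []
    if frame.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
        alerts.append(f"UNAUTHORIZED WRITE from {src}: {WRITE_FUNCTIONS[frame.function]} to unit {frame.unit_id}")
    return alerts

# Constructed sample frames (not real captures): (source IP, raw Modbus/TCP bytes).
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("0001000000060106000a0001")),  # SCADA writes register 10 := 1
    ("10.0.0.77", bytes.fromhex("0002000000060106000a0000")),  # unknown host writes register 10
    ("10.0.0.77", bytes.fromhex("0003000000060103000a0001")),  # unknown host reads (not flagged)
    ("10.0.0.5", bytes.fromhex("0004000100060106000a0001")),   # protocol id 1: malformed
]

def run_monitor(frames=SAMPLE_FRAMES) -> list[str]:
    """Run inspect() over every frame and collect the alerts in order."""
    return [alert for src, data in frames for alert in inspect(src, data)]
```

On the constructed frames this yields two alerts: the write from the unlisted host and the frame with a bad protocol id; the authorized write and the read pass silently.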