Overview

Adversary Emulation for Operational Technology (OT)

Training

Introduction

The course is divided into three parts, beginning with preliminaries and followed by the framework and methodology for designing Adversary Emulation exercises for specific objectives. The training is concluded with the practical aspects of incorporating exercise results into the organizational cyber security program. The included hands-on exercises allow the attendees to experience the attacker's side of planning and executing cyber-physical attacks as well as practicing adversary emulation tasks.

Midnight Blue and Dr. Marina Krotofil from MK|Security jointly offer this high-paced course aimed at providing the attendees with practical knowledge on how to emulate realistic attacker behaviors and exploitation techniques for ICS/OT environments. This course will be offered for the first time at Black Hat Europe 2024.

Course Overview

PART 1: INTRODUCTIONS AND PRELIMINARIES

MODULE 1: ADVERSARY EMULATION FOR CYBER-PHYSICAL SYSTEMS

Introduction to adversary emulation (AE), different approaches to AE exercises, typical objectives and outcomes. Fundamentals of Industrial Control Systems (ICS) and Cyber-Physical Systems (CPS). Modern and projected digital threat landscape. Specifics and limitations of conducting AE exercises in industrial environments.

MODULE 2: ATTACK LIFECYCLE, MITRE ICS ATT&CK AND THREAT INTELLIGENCE

Conceptualization of complex attacks, existing models of IT and ICS attack lifecycles, cyber-physical attack lifecycle, categories of physical impact, tactical specifics of MITRE ICS ATT&CK, Cyber Threat Intelligence (CTI) framework, mapping recent OT threats to the CPS lifecycle and MITRE ATT&CK. Articles 21 & 23 from NIS2 (risk-based implementation of security measures and prompt reporting of attacks). IEC 62443 risk assessment (briefly).

MODULE 3: COMPLEXITIES OF DESIGNING CYBER-PHYSICAL EXPLOITS

Taxonomy of attack scenarios and their complexities, key constraints & success factors, overview of knowledge & skills involved in the design of cyber-physical exploits, challenges of programming exploits for embedded systems, typical required time & effort. Exploits for short-term vs. long-term physical impact. Taking these factors into consideration for red & blue teams.

PART 2: ADVERSARY EMULATION ACROSS CYBER-PHYSICAL ATTACK LIFECYCLE

MODULE 4: ACCESS STAGE

Getting initial access to the target organization and relevant information/documentation. Infrastructure locations and assets most likely to be initially accessed by the attacker. Lateral and deep lateral movements.

MODULE 5: DISCOVERY STAGE

Infrastructure reconnaissance and required IT/OT recon tools. Process comprehension, manual vs. automated activities, typical data sources, associated complexities and nuances. Identifying process design weaknesses and high-consequence events, deriving one or a few high-level attack scenarios. Granular discovery of infrastructure & process configuration data, requirements for exploit development.

MODULE 6: CONTROL STAGE

Achieving reliable, exclusive control over the process. Understanding the dynamic model of process and its control loops (normal operations & 'weird' states), testing acquired access to control signals for suitability to achieve attack objectives, observing attack effect propagation and evaluating the need for concealment measures.

MODULE 7: DAMAGE STAGE

This stage consists of three distinct substages: Damage, Prevent Response, Obtain Feedback. Planning tactical attack design, strategies and exploits for preventing response and obtaining attack feedback, nuisances of final payload design. Typical attack design strategies: Simple, Scalable, Instant, Reliable (SSIR). Assessing likely vs. less likely attack scenarios.

MODULE 8: CLEANUP STAGE

Strategies to designing a misleading forensic footprint to impede root-cause identification of an ongoing attack and during postmortem analysis. Roll back strategies (unsuccessful attack). Taking advantage of Standard Operating Procedures (SOP) and human factors.

PART 3: INTEGRATING ADVERSARY EMULATION INTO OT CSMS

MODULE 9: CYBER SECURITY MANAGEMENT SYSTEM FOR OT

Typical components of OT Cyber Security Management System (CSMS) in industrial organizations. Key architectural, technical, procedural and contractual (legal) security controls. Typical Roles & Responsibilities and interdisciplinary project executions.

MODULE 10: PRACTICING ACQUIRED KNOWLEDGE

To consolidate the acquired knowledge, the attendees will be offered a final exercise with a few challenging constraints we observed in the real world. The exercise results can be submitted to the trainers for feedback and comments.

Course Exercises

EXERCISE 1: Discovery - Finding sensitive and confidential engineering documentation.

‍EXERCISE 2: Discovery - Analysis of a crown-jewel asset. Practical overview of the Engineering Workstation and OPC server, and what makes them valuable attack vantage points.

EXERCISE 3: Discovery - Understanding attacker efforts. Analyzing Modbus TCP traffic without context.

‍EXERCISE 4: Damage - Constructing a damage attack on a demo process and mapping attack instances to MITRE ICS ATT&CK

‍EXERCISE 5: Integration - Given a specific use-case, the participants will be tasked to design adversary emulation exercises for a selection of objectives while maximizing Return on Investment (ROI).

Course Takeaways

Upon course completion, all students should be able to:

- Understand the evolution of the ICS/OT threat landscape and the rationale behind ongoing attack campaigns; have reasonable anticipation of future threats.
- Design tailored adversary emulation exercises and their variations (Red vs. Blue or Purple Team exercises, pentests, table-top exercises) for given OT environments.
- Assist with an informed risk assessment to fulfill safety, operational, business and regulatory requirements (e.g., NIS/NIS2, IEC 62443, etc.).
- Contribute to designing defensible network and systems architectures with a focus on preventive security controls and early detection of compromise.
- Assist with developing realistic incident response playbooks.

Provisions and Requirements

Students will be provided with:
- Digital copy of the slides deck
- Printed version of the key knowledge concepts and exercises
- VMs with tooling & exercise tasks

Students should have familiarity with:
- Basics of OT/ICS concepts and risk assessment principles
- The Cyber Attack Lifecycle
- The MITRE ATT&CK framework (basic familiarity)
- MITRE ICS ATT&CK (basic familiarity)

Students should bring a laptop with the following requirements:
- Configured account with Administrator privileges and ability to disable security software if necessary
- Ability to access internet
- Web browser to access online parts of exercises
- Ability to access Wi-Fi
- 16GB RAM or more
- 100GB free disk space or more
- Intel VT / AMD-V enabled
- Recent version of VirtualBox software (installed & tested before course kick-off) to run provided VM

‍NOTE: Do not bring a locked down or regular production laptop to this course since this might limit the ability to install required software

Upcoming Trainings

Black Hat Europe 2024
Attendance: In-Person
Trainers : Dr. Marina Krotofil (MK|Security), Jos Wetzels (Midnight Blue)
Dates : December 9-10
Location: London, United Kingdom
Register

Related knowledge items

All items

Jan 2018

Blog

Analyzing the TRITON industrial malware

A discussion of an incident targeting Schneider Triconex, along with its background, the TRITON attack framework and the attack payload.

30 Minutes

Aug 2017

Research

Immobilization revisited - ECU authentication in modern vehicles

While vehicle immobilizer transponders have gotten increasingly advanced, the authentication between the BCM and ECM is still overlooked. We analyze three systems and break two

10 Minutes

Home

Services

Markets

Knowledge