Adversary Emulation for Operational Technology (OT)

Introduction

The course is divided into three parts, beginning with preliminaries and followed by the framework and methodology for designing Adversary Emulation exercises for specific objectives. The training concludes with the practical aspects of incorporating exercise results into the organizational cyber security program. The included hands-on exercises allow the attendees to experience the attacker's side of planning and executing cyber-physical attacks as well as to practice adversary emulation tasks.

Midnight Blue and Dr. Marina Krotofil from MK|Security jointly offer this high-paced course aimed at providing the attendees with practical knowledge on how to emulate realistic attacker behaviors and exploitation techniques for ICS/OT environments. This course will be offered for the first time at Black Hat Europe 2024.

Course Overview

PART 1: INTRODUCTIONS AND PRELIMINARIES
MODULE 1: ADVERSARY EMULATION FOR CYBER-PHYSICAL SYSTEMS

Introduction to adversary emulation (AE), different approaches to AE exercises, typical objectives and outcomes. Fundamentals of Industrial Control Systems (ICS) and Cyber-Physical Systems (CPS). Modern and projected digital threat landscape. Specifics and limitations of conducting AE exercises in industrial environments.

MODULE 2: ATTACK LIFECYCLE, MITRE ICS ATT&CK AND THREAT INTELLIGENCE

Conceptualization of complex attacks, existing models of IT and ICS attack lifecycles, cyber-physical attack lifecycle, categories of physical impact, tactical specifics of MITRE ICS ATT&CK, Cyber Threat Intelligence (CTI) framework, mapping recent OT threats to the CPS lifecycle and MITRE ATT&CK. Articles 21 & 23 from NIS2 (risk-based implementation of security measures and prompt reporting of attacks). IEC 62443 risk assessment (briefly).

MODULE 3: COMPLEXITIES OF DESIGNING CYBER-PHYSICAL EXPLOITS

Taxonomy of attack scenarios and their complexities, key constraints & success factors, overview of knowledge & skills involved in the design of cyber-physical exploits, challenges of programming exploits for embedded systems, typical required time & effort. Exploits for short-term vs. long-term physical impact. Taking these factors into consideration for red & blue teams.

PART 2: ADVERSARY EMULATION ACROSS CYBER-PHYSICAL ATTACK LIFECYCLE

MODULE 4: ACCESS STAGE

Getting initial access to the target organization and relevant information/documentation. Infrastructure locations and assets most likely to be initially accessed by the attacker. Lateral and deep lateral movements.

MODULE 5: DISCOVERY STAGE

Infrastructure reconnaissance and required IT/OT recon tools. Process comprehension, manual vs. automated activities, typical data sources, associated complexities and nuances. Identifying process design weaknesses and high-consequence events, deriving one or a few high-level attack scenarios. Granular discovery of infrastructure & process configuration data, requirements for exploit development.

MODULE 6: CONTROL STAGE

Achieving reliable, exclusive control over the process. Understanding the dynamic model of the process and its control loops (normal operations & 'weird' states), testing acquired access to control signals for suitability to achieve attack objectives, observing attack effect propagation and evaluating the need for concealment measures.

MODULE 7: DAMAGE STAGE

This stage consists of three distinct substages: Damage, Prevent Response, Obtain Feedback. Planning tactical attack design, strategies and exploits for preventing response and obtaining attack feedback, nuances of final payload design. Typical attack design strategies: Simple, Scalable, Instant, Reliable (SSIR). Assessing likely vs. less likely attack scenarios.

MODULE 8: CLEANUP STAGE

Strategies for designing a misleading forensic footprint to impede root-cause identification of an ongoing attack and during postmortem analysis. Rollback strategies (unsuccessful attack). Taking advantage of Standard Operating Procedures (SOP) and human factors.

PART 3: INTEGRATING ADVERSARY EMULATION INTO OT CSMS

MODULE 9: CYBER SECURITY MANAGEMENT SYSTEM FOR OT

Typical components of an OT Cyber Security Management System (CSMS) in industrial organizations. Key architectural, technical, procedural and contractual (legal) security controls. Typical roles & responsibilities and interdisciplinary project execution.

MODULE 10: PRACTICING ACQUIRED KNOWLEDGE

To consolidate the acquired knowledge, the attendees will be offered a final exercise with a few challenging constraints we observed in the real world. The exercise results can be submitted to the trainers for feedback and comments.

Course Exercises

EXERCISE 1: Discovery - Finding sensitive and confidential engineering documentation.

EXERCISE 2: Discovery - Analysis of a crown-jewel asset. Practical overview of the Engineering Workstation and OPC server, and what makes them valuable attack vantage points.

EXERCISE 3: Discovery - Understanding attacker efforts. Analyzing Modbus TCP traffic without context.

EXERCISE 4: Damage - Constructing a damage attack on a demo process and mapping attack instances to MITRE ICS ATT&CK.

EXERCISE 5: Integration - Given a specific use case, the participants will be tasked with designing adversary emulation exercises for a selection of objectives while maximizing Return on Investment (ROI).

Course Takeaways

Upon course completion, all students should be able to:

  • Understand the evolution of the ICS/OT threat landscape and the rationale behind ongoing attack campaigns; have reasonable anticipation of future threats.
  • Design tailored adversary emulation exercises and their variations (Red vs. Blue or Purple Team exercises, pentests, table-top exercises) for given OT environments.
  • Assist with an informed risk assessment to fulfill safety, operational, business and regulatory requirements (e.g., NIS/NIS2, IEC 62443, etc.).
  • Contribute to designing defensible network and systems architectures with a focus on preventive security controls and early detection of compromise.
  • Assist with developing realistic incident response playbooks.

Provisions and Requirements

Students will be provided with:

  • Digital copy of the slide deck
  • Printed version of the key knowledge concepts and exercises
  • VMs with tooling & exercise tasks

Students should have familiarity with:

Students should bring a laptop with the following requirements:

  • Configured account with Administrator privileges and ability to disable security software if necessary
  • Ability to access the internet
  • Web browser to access online parts of exercises
  • Ability to access Wi-Fi
  • 16GB RAM or more
  • 100GB free disk space or more
  • Intel VT / AMD-V enabled
  • Recent version of VirtualBox (installed & tested before course kick-off) to run the provided VMs

NOTE: Do not bring a locked-down or regular production laptop to this course, since this might limit the ability to install the required software.

Upcoming Trainings

Black Hat Europe 2024
Attendance: In-Person
Trainers: Dr. Marina Krotofil (MK|Security), Jos Wetzels (Midnight Blue)
Dates: December 9-10
Location: London, United Kingdom