{"id":446,"date":"2018-06-03T10:07:21","date_gmt":"2018-06-03T10:07:21","guid":{"rendered":"https:\/\/www-new.brucon.org\/2018\/?page_id=446"},"modified":"2018-06-08T22:11:42","modified_gmt":"2018-06-08T20:11:42","slug":"threat-hunting-in-industrial-control-system-environments-with-open-source-tools","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2018\/brucon-2018-training\/threat-hunting-in-industrial-control-system-environments-with-open-source-tools\/","title":{"rendered":"Threat Hunting in Industrial Control System Environments with Open Source Tools"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_Description\" class=\"mw-headline\">Course Description<\/span><\/h2>\n<div class=\"thumb tright\">\n<div class=\"thumbinner\">\n<div class=\"thumbcaption\">\n<div class=\"magnify\">Industrial Control System environments contain purpose-driven network and host devices\u00a0related to the production goal of the industrial environment. Due to the unique nature of\u00a0production environments, IT approaches to threat hunting do not map well to OT\u00a0environments. Within this workshop, we will share our approach to hunting in industrial control\u00a0system environments using only open source tools.<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_contents\" class=\"mw-headline\">Course contents<\/span><\/h2>\n<p>We will first discuss hunting strategy relevant to oil refineries, power generation facilities, and\u00a0wind farms. We will compare and contrast strategies we have found useful to threat hunt in\u00a0each environment. We will then move to the hands-on portion of the course where we will\u00a0show how to implement the planned strategies using packet captures and host files from our\u00a0industrial control system range. 
We will show how to focus threat hunting on protocols found\u00a0in both IT and OT networks, including DNS, HTTP, and SMB, as well as how to tackle\u00a0protocols found only in ICS environments.<\/p>\n<p>The first day of the course will consist of an\u00a0overview of hunting, the relevance of hunting to industrial environments, and how to plan a hunt,\u00a0and then move into a series of guided exercises focused on hunting in IT protocols, with attention to\u00a0how those protocols are used in OT environments. The second day of the course will consist entirely of guided\u00a0exercises that finish hunting in traditional IT protocols and then move to strategies for hunting in industrial-specific protocols, including Modbus, IEC 104 and DNP3. At the end of\u00a0the course, students will leave with both a sound understanding of strategy and proven threat\u00a0hunting techniques for industrial environments.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Target_audience\" class=\"mw-headline\">Target audience<\/span><\/h2>\n<ul>\n<li>Industrial Control System Incident Responders and Threat Hunters<\/li>\n<li>Anyone interested in learning more about threat hunting in ICS environments!<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Requirements\" class=\"mw-headline\">Requirements<\/span><\/h2>\n<ul>\n<li>General familiarity with open source security tools, including Bro IDS and Snort<\/li>\n<li>General familiarity with Elasticsearch and Kibana<\/li>\n<li>Industrial protocol and device knowledge is a plus but not necessary<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Hardware.2Fsoftware_Requirements\" class=\"mw-headline\">Hardware\/Software Requirements<\/span><\/h2>\n<p>Laptop with VMware, VirtualBox, or similar virtualization software capable of importing 
an\u00a0OVA[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Trainer_Biography\" class=\"mw-headline\">Trainer Biography<\/span><\/h2>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<strong>Daniel Michaud-Soucy<\/strong>\u00a0is a Principal Threat Analyst, Threat Operations Center at\u00a0the industrial cyber security company Dragos, Inc. where he provides threat hunting and\u00a0assessment services within a variety of industrial environments. Daniel previously worked for\u00a0Sempra Energy on RD&amp;D tasks revolving around machine to machine automated threat\u00a0response, data aggregation, advanced threat detection and secure system interfaces for\u00a0ICS\/SCADA. Daniel also worked with Red Tiger Security performing cyber vulnerability\u00a0assessments and penetration tests on oil &amp; gas, electrical power, water treatment and\u00a0pharmaceutical ICS\/SCADA environments. Daniel also co-authored and co-taught the Red\u00a0Tiger Security \u201cSCADA Security Advanced Training\u201d class between 2010 and 2015 training\u00a0hundreds of professionals around the world.<\/p>\n<p>Twitter:\u00a0@danms0[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;1407&#8243;][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<strong>Marc Seitz<\/strong> is a Threat Analyst, Threat Operations Center, at the industrial\u00a0cyber security company Dragos, Inc. where he coordinates industrial control system cyber test\u00a0lab functions as well as performing threat hunting services in ICS networks. Marc is a\u00a0specialist in designing and implementing innovative simulated industrial environments to\u00a0provide a safe and realistic training and attack simulation experience for internal and external analysts. 
He also conducts onsite vulnerability assessments and threat hunting services for\u00a0customers in a variety of verticals.<\/p>\n<p>Twitter: @SubtleThreat[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;1408&#8243;][\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] Course Description Industrial Control System environments contain purpose-driven network and host devices\u00a0related to the production goal of the industrial environment. Due to the unique nature of\u00a0production environments, IT approaches to threat hunting do not map well to OT\u00a0environments. Within this workshop, we will share our approach to hunting in industrial control\u00a0system environments using only open source tools. [\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text] Course contents We will first discuss hunting strategy relevant to oil refineries, power generation facilities, 
and\u00a0wind&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-446","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/comments?post=446"}],"version-history":[{"count":5,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/446\/revisions"}],"predecessor-version":[{"id":1409,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/446\/revisions\/1409"}],"up":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/media?parent=446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}