Remote System Discovery
|Remote System Discovery|
|Data Sources||Process monitoring, Process use of network, Process command-line parameters, Network protocol analysis|
|Asset||Control Server, Data Historian, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface|
Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.
- The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.2
- The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically.3
- PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.4
- Stuxnet scanned the network to identify the Siemens PLCs that it was targeting.5
- Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.6
- Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer.7 Proper segmentation helps mitigate the risk of broadcast storms resulting from port scans. Assigning each automation cell to a single VLAN limits unnecessary traffic flooding.
- Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.7
- Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas.7
- Implement VPNs to further restrict access in and out of control system computers and controllers, which help remove unauthorized, non-essential traffic from the intermediary network.7
- Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.7
- Implement heuristics to detect monitoring and invasive probing activity on the network. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date.7
- Enterprise ATT&CK. (2018, January 11). Remote System Discovery. Retrieved May 17, 2018.
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.