Professional Documents
Culture Documents
SANS Perspective of A Cyber Attack
SANS Perspective of A Cyber Attack
SANS Perspective of A Cyber Attack
1 System Variables
recognizable techniques. As an ICS defender, your
defensive actions (or lack of actions) will determine
what your next attack will look like.
Your cyber environment includes many elements specific Altering any element affects the overall security
to your implementation, engineering, and operational of the system, with each element dependent upon
needs. Those elements combine to create a unique other elements in the overall system.
System Variables environment to defend and protect.
The various cyber, physical, and support
1 components found in an environment
TECHNOLOGY
Adopt and utilize technology
APPLICATIONS SYSTEM MANAGEMENT to improve security
Cyber Maturity SYSTEM VENDOR
In many cases, Third-party • Patching
Variables vendor-specific design applications required • Change control
2 O rganization culture, investment, and
criteria will determine
system requirements
for operational
function • Monitoring
• Alerting
management programs that shape
• Malware protection
cybersecurity capability • Account management
3 Adversary
Capabilities INFRASTRUCTURE
• Physical system
NETWORK
ARCHITECTURE
• Design decisions • Segmentation approaches
• Operating procedures • Perimeter defense
Take Action!
and training 20 80 maturity level may be • Information exfiltrated
ICS defenders must consider unaware of an ongoing • M ultiple access points obtained
Perspectives
0 100
prolonged enterprise-
opportunities to disrupt targeted attack with
• P rivileged accounts obtained
INVENTORY • E xternal party or adversary may identify
adversarial actions with
Effect of Attack
potential elements of
Know your assets: the attack
an ICS-focused attack.
HW, SW, and the goal of minimizing the
of a
configuration
ACCESS
CONTROL
impact of the attack on
SYSTEM DEFINED STAGE
Electronic and the process or operation.
Cyber Attack
physical HARDENING
EVENT AND Organizations at this What an attack at this maturity will look like:
Asset configuration
limited to required INCIDENT
maturity level may have • M ovement throughout the environment using
RESPONSE
elements
Logging, monitoring, The adversary tactics, already undergone an in-place tools and software
enterprise-targeted Stage-1 • C2 channel hidden in trusted
and responding to
events of interest
MALWARE techniques, and procedures attack or an ICS-focused communications
DEFENSE
Protection and ACCOUNT RECOVERY (TTP) used in your attack will Stage-2 attack and are • Targeted organization or external party may
MANAGEMENT CAPABILITIES
Defender Actions prevention
Individual, shared, Operational be influenced by the maturity
working on mitigation. identify the attack
P O S T E R Focused on Minimizing
and default functions, and
individual assets of your cybersecurity program,
OPTIMIZED STAGE
the Effect of the Attack the effectiveness of your
Organizations at this What an attack at this maturity will look like:
processes, and the capabilities maturity level are proactively • R elatively silent
of your defenders. monitoring and responding • R elies on external communications paths
ics.sans.org
to potential attacks with with trusted parties
Active Defense techniques to • May utilize zero-day elements
defend the enterprise and • Targeted organization will likely identify
ICS environments. the attack
JOIN THE ICS COMMUNITY Disruption Activities
https://ics-community.sans.org/signup
ICS-PSTR-ATTACK-0117-v1
Adversary campaigns often 3 Adversary Capabilities
use similar and recognizable
System techniques. As an ICS defender, Seven Habits of an Effective APT
1 Variables your defensive actions (or lack of “Adversaries have managers Start with the Why
actions) will determine what your and PowerPoint too” Define the goal of the campaign and what success looks like:
-Robert M. Lee
next attack will look like. data sets, project files, operational data, and capability demonstration.
2 Cyber Maturity
Variables Execute
Perform final-stage attacks systematically, create Flexibility
collateral impacts to confound and confuse recovery efforts, Target environments change –
Adversary Capabilities and follow up on ICS defender’s defensive actions. maintain a variety of accessible tools
3 As an ICS defender, you can’t control whether your and capabilities to adapt to changes.
organization becomes the target of a capable adversary. Lead
Stay several steps ahead of the ICS defender.
Anticipate defensive responses upon discovery Understanding Human Behavior
4 Adversary Methods to ensure continuation of attack. Targeted employees generally have a desire to do a
ICS defenders do not control the intent, objectives, good job and help others, but they typically do not
or scope of the campaign. assess technical risks very well and may have a limited
Test to Win
5 Validating the exploits will achieve
understanding of the interconnectedness of cyber systems.
External Drivers desired outcomes in target environment.
Adversary objectives and scope can be fluid and may change Limit damage to non-target environments.
with external drivers such as geopolitical or economic events. Avoid Discovery by Appearing Normal
Eliminate reliance on initial attack footholds and blend in to behave
like a trusted user utilizing existing communication paths and tools.