
Download the book Industrial Cybersecurity. Efficiently monitor the cybersecurity posture of your ICS environment

Industrial Cybersecurity. Efficiently monitor the cybersecurity posture of your ICS environment

Book details

Edition: 2nd
Authors:
Series:
ISBN: 9781800202092
Publisher: Packt Publishing
Year of publication: 2021
Number of pages: 800
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 46 MB

Price (toman): 34,000





If you need the file for Industrial Cybersecurity. Efficiently monitor the cybersecurity posture of your ICS environment converted to PDF, EPUB, AZW3, MOBI or DJVU, notify the support team and they will convert it for you.

Note that Industrial Cybersecurity. Efficiently monitor the cybersecurity posture of your ICS environment is the original-language (English) edition, not a Persian translation. The International Library website offers original-language books only and does not offer any books translated into or written in Persian.




Book description (English)

Get up and running with industrial cybersecurity monitoring with this hands-on book, and explore ICS cybersecurity monitoring tasks, activities, tools, and best practices.

Key Features:
Architect, design, and build ICS networks with security in mind
Perform a variety of security assessments, checks, and verifications
Ensure that your security processes are effective, complete, and relevant

Book Description:
With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design a security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) of ICS cybersecurity risks and the procedures around them, as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, and threat hunting.

What You Will Learn:
Monitor the ICS security posture actively as well as passively
Respond to incidents in a controlled and standard way
Understand what incident response activities are required in your ICS environment
Perform threat-hunting exercises using the Elasticsearch, Logstash, and Kibana (ELK) stack
Assess the overall effectiveness of your ICS cybersecurity program
Discover tools, techniques, methodologies, and activities to perform risk assessments for your ICS environment

Who this book is for:
If you are an ICS security professional, or anyone curious about ICS cybersecurity who wants to extend, improve, monitor, and validate your ICS cybersecurity posture, then this book is for you. IT/OT professionals interested in entering the ICS cybersecurity monitoring domain, or searching for additional learning material for different industry-leading cybersecurity certifications, will also find this book useful.



Table of Contents

Cover
Title page
Copyright and Credits
Contributors
Table of Contents
Preface
Section 1: ICS Cybersecurity Fundamentals
Chapter 1: Introduction and Recap of First Edition
	Industrial Cybersecurity – second edition
	Recap of the first edition
	What is an ICS?
		ICS functions
		ICS architecture
		The Purdue model for ICSes
		IT and OT convergence and the associated benefits and risks
		Example attack on the Slumbertown papermill
		The comprehensive risk management process
		The DiD model
		ICS security program development
		Takeaway from the first edition
	Summary
Chapter 2: A Modern Look at the Industrial Control System Architecture
	Why proper architecture matters
	Industrial control system architecture overview
		The Enterprise Zone
		The Industrial Demilitarized Zone
		The Industrial Zone
		The hardware that's used to build the ICS environment
		ICS environment and architecture management
	Summary
Chapter 3: The Industrial Demilitarized Zone
	The IDMZ
		Fundamental concept
		IDMZ design process
		Design changes due to an expanding ICS environment
	What makes up an IDMZ design?
		The Enterprise Zone
		IDMZ firewalls
		IDMZ switches
		IDMZ broker services
		The Industrial Zone – Level 3 Site Operations
	Example IDMZ broker-service solutions
	Summary
Chapter 4: Designing the ICS Architecture with Security in Mind
	Typical industrial network architecture designs
		Evolution from standalone islands of automation
	Designing for security
		Network architecture with security in mind
	Security monitoring
		Network choke points
		Logging and alerting
	Summary
Section 2: Industrial Cybersecurity – Security Monitoring
Chapter 5: Introduction to Security Monitoring
	Security incidents
	Passive security monitoring
	Active security monitoring
	Threat-hunting exercises
	Security monitoring data collection methods
		Network packet capturing
		Event logs
	Putting it all together – introducing SIEM systems
	Summary
Chapter 6: Passive Security Monitoring
	Technical requirements
	Passive security monitoring explained
		Network packet sniffing
		Collection and correlation of event logs
		Host-based agents
	Security Information and Event Management – SIEM
		What is a SIEM solution?
		How does a SIEM solution work?
	Common passive security monitoring tools
		NSM
		IDS
		Event log collection and correlation
	Setting up and configuring Security Onion
	Exercise 1 – Setting up and configuring Security Onion
		Deploying the Security Onion VM
		Configuring Security Onion
		Deploying Wazuh agents
	Exercise 2 – Setting up and configuring a pfSense firewall
		Deploying a pfSense VM
		Configuring pfSense
	Exercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)
		Deploying the SilentDefense sensor and Command Center VMs
		Configuration of the SilentDefense setup
		Example usages of the SilentDefense setup
	Summary
Chapter 7: Active Security Monitoring
	Technical requirements
	Understanding active security monitoring
		Network scanning
		Endpoint inspection with host-based agents
		Manual endpoint inspection/verification
	Exercise 1 – Scanning network-connected devices
		Dangers of scanning in the ICS environment
		Nmap
		Assets scan
		Interrogating Windows machines
		Exploring Modbus
		Getting EtherNet/IP information
		Scanning Siemens S7 (iso-tsap)
		Manual vulnerability verification
		Scanning for vulnerabilities
	Exercise 2 – Manually inspecting an industrial computer
		Pulling Windows-based host information
		Configured users
	Summary
Chapter 8: Industrial Threat Intelligence
	Technical requirements
	Threat intelligence explained
	Using threat information in industrial environments
	Acquiring threat information
		Your own incidents and threat hunting efforts
		Vendor reports
		Your own honeypots
		Peers and sharing communities
		External/third-party free and paid-for feeds
	Creating threat intelligence data out of threat information
	Exercise – Adding an AlienVault OTX threat feed to Security Onion
	Summary
Chapter 9: Visualizing, Correlating, and Alerting
	Technical requirements
	Holistic cybersecurity monitoring
		Network traffic monitoring
		Network intrusion monitoring
		Host-based security monitoring
	Exercise 1 – Using Wazuh to add Sysmon logging
	Exercise 2 – Using Wazuh to add PowerShell Script Block Logging
	Exercise 3 – Adding a Snort IDS to pfSense
	Exercise 4 – Sending SilentDefense alerts to Security Onion syslog
	Exercise 5 – Creating a pfSense firewall event dashboard in Kibana
	Exercise 6 – Creating a breach detection dashboard in Kibana
		NIDS alerts
		Zeek notices
		Zeek Intel logs
		Suspicious process and file creation
		Suspicious PowerShell commands
		Suspicious egress connections
		Suspicious ingress connections
		Failed user login attempts
		New user creation and changes to user accounts
		Downloaded files
		SilentDefense alerts
		Finishing up the dashboard
	Summary
Section 3: Industrial Cybersecurity – Threat Hunting
Chapter 10: Threat Hunting
	What is threat hunting?
	Threat hunting in ICS environments
	What is needed to perform threat hunting exercises?
		Network traffic logs
		Endpoint OS and application event logs
		Making modifications to PLC, HMI, and other control systems and equipment
		Tracking new and changed devices on the (industrial) network
		Network services event logs
		SIEM
		Network packet captures
		Research, lookups, and comparison resources
	Threat hunting is about uncovering threats
	Correlating events and alerts for threat hunting purposes
	Summary
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
	Forming the malware beaconing threat hunting hypothesis
	Detection of beaconing behavior in the ICS environment
		Malware beaconing explained
		Data exfiltration
		Legitimate application beaconing
		Using Security Onion to detect beaconing behavior
		Using RITA to detect beaconing behavior
	Investigating/forensics of suspicious endpoints
		Finding the suspicious computer
		Find the beaconing process – netstat
		Upload executable to VirusTotal
		Rudimentary inspection of the suspicious executable – malware analysis 101
	Using indicators of compromise to uncover additional suspect systems
		Discovered IOCs so far
		Searching for network-specific indicators of compromise
		Searching for host-based indicators of compromise
	Summary
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
	Technical requirements
	Forming the malicious or unwanted applications threat hunting hypothesis
	Detection of malicious or unwanted applications in the ICS environment
		Comparing system snapshots to find artifacts
		Looking for application errors to find artifacts
		Looking for malicious network traffic to find artifacts
		Comparing port scans to find artifacts
		Inventorying currently running processes in the ICS environment
		Inventorying startup processes in the ICS environment
	Investigation and forensics of suspicious endpoints
		Securely extracting the suspicious executables
	Using discovered indicators of compromise to search the environment for additional suspect systems
		Using YARA to find malicious executables
		Using file strings as an indicator of compromise
	Summary
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
	Forming the suspicious external connections threat hunting hypothesis
	Ingress network connections
		Mayhem from the internet
		Attacks originating from the enterprise network
	Summary
Section 4: Industrial Cybersecurity – Security Assessments and Intel
Chapter 14: Different Types of Cybersecurity Assessments
	Understanding the types of cybersecurity assessments
	Risk assessments
		Asset identification
		System characterization
		Vulnerability identification
		Threat modeling
		Risk calculation
		Mitigation prioritization and planning
	Red team exercises
		How do red team exercises differ from penetration tests?
	Blue team exercises
	Penetration testing
	How do ICS/OT security assessments differ from IT?
	Summary
Chapter 15: Industrial Control System Risk Assessments
Chapter 16: Red Team/Blue Team Exercises
	Red Team versus Blue Team versus pentesting
		Penetration-testing objective – get to the objective at any cost
		Red Team exercise objective – emulate real-world adversary TTPs
		Blue Team objective – detect and respond to security incidents as quickly as possible
	Red Team/Blue Team example exercise, attacking Company Z
		Red Team strategy
		Blue Team preparation
		The attack
	Summary
Chapter 17: Penetration Testing ICS Environments
	Practical view of penetration testing
	Why ICS environments are easy targets for attackers
	Typical risks to an ICS environment
	Modeling pentests around the ICS Kill Chain
		The Cyber Kill Chain explained
		The Intrusion Kill Chain
		The ICS Cyber Kill Chain
		Pentest methodology based on the ICS Kill Chain
	Pentesting results allow us to prioritize cybersecurity efforts
	Pentesting industrial environments requires caution
		Creating an approximation of the industrial environment
	Exercise – performing an ICS-centric penetration test
		Preparation work
		Setting up the test environment
		Pentest engagement step 1 – attacking the enterprise environment
		Pentest engagement step 2 – pivoting into the industrial environment
		Pentest engagement step 3 – attacking the industrial environment
		Testing Level 3 Site Operations
		Testing the lower layers
		Pentest engagement step 4 – reaching the objective of the attack
	Summary
Section 5: Industrial Cybersecurity – Incident Response for the ICS Environment
Chapter 18: Incident Response for the ICS Environment
	What is an incident?
	What is incident response?
	Incident response processes
		Incident response preparation process
		Incident handling process
	Incident response procedures
		Incident response preparation process
		Incident handling process
	Example incident report form
	Summary
Chapter 19: Lab Setup
	Discussing the lab architecture
		The lab hardware
		The lab software
	Details about the enterprise environment lab setup
		ENT-DC
		ENT-SQL and ENT-IIS
		ENT-Clients
		Active Directory/Windows domain setup
	Details about the industrial environment – lab setup
		Servers
		Workstations
		HMIs
		PLCs and automation equipment
		Active Directory/Windows domain setup
	How to simulate (Chinese) attackers
	Discussing the role of lab firewalls
	How to install the malware for the lab environment
	Configuring packet capturing for passive security tools
	Summary
	Why subscribe?
About Packt
Other Books You May Enjoy
Index
