Next week is S4x18, an Industrial Control System (ICS) focused conference that I’ve been attending for a number of years. It’s a great conference with fantastic presentations and social events that has grown in quality and extravagance every year. This year is particularly exciting for a couple reasons.
First, I am presenting on analyzing windows events to evaluate removable media usage and propagation of malware via sneakernet (the #1 attack vector for ICS). It should be a fun talk and we are releasing an open source tool at the conference. The tool is some code we have used to accomplish this task in the past, but nowadays we have Gravwell. Come check it out on Stage 2 at 16 JANUARY 2018, 15:00-15:30.
Secondly, Gravwell is participating in the ICS detection challenge. The goal of the challenge is to “provide an objective test of the growing class of passive ICS detection solutions in the market.” If you are thinking “but that’s not really what Gravwell does,” you are right. We are a bit of an outlier when it comes to the competition. While our founders have extensive experience in cybersecurity and ICS, Gravwell is not strictly a security tool. We aren’t creating signatures, indicators of compromise, or doing attribution -- we’ll leave that to the experts. Gravwell is, however, an extremely powerful analytics tool capable of network monitoring right alongside process monitoring and statistical alerting -- more on that shortly.
Contestants in the challenge are given a single “span port” or “packet feed” of traffic from a real ICS system. Phase I involves asset identification and detection and Phase II will insert attack traffic into the mix. In general, the contestant able to provide the most complete picture of the assets and identify the attacks will emerge the victor. The ICS detection challenge is only tapping into a small portion of what Gravwell can do. It would be great to get other sources such as windows event logs. A single data feed, while useful, is only part of the whole picture. If you’re only looking at individual trees, you’re going to miss the forest. Having built many challenges like this myself, however, I appreciate the logistical difficulty of the situation and I applaud Dale and Eric for their efforts.
At the event, we're going to be using Gravwell to identify assets on the network, monitor and track which machines are interacting with them, create an HMI and process historian from the ground truth network data, and collect cybersecurity alerts from OSS indicator tools (e.g. bro, snort, etc). We use all of that data for reporting and also to generate a "baseline" of heuristics to which later data can be compared. Thus, when attacks are inserted on the second day we can do statistical comparisons for attack identification. In other words, when you have a perfect view into the history of the forest, you can see how trees are growing and identify diseases immediately.
The power of our platform lies in its flexibility. People in the ICS space are familiar with historians and the value they provide but there hasn't been innovation in the historian space in years, if not decades. We're changing that. Our mission is to enable complete and total visibility; an issue that isn't just an ICS problem. In 2018, companies have to monitor IT infrastructure logs, cybersecurity information, employee behavior, chemical tank pressure, WiFi activity -- the list goes on. Gravwell makes all of that possible.
I’m excited for the event and I look forward to seeing friends and colleagues. The agenda looks great as well. Unfortunately I have to miss a number of talks I would like to see in order to participate in the challenge but it should be great fun. Besides, there’s usually a chance to get the condensed version over a dominoes game while enjoying excellent mojitos.