Prior to embarking on a full-time information or network security career, I served as a US Navy Information Warfare Officer (IWO) for five years. While ‘cyber’ took up the majority of my time, I also spent a large amount of time and effort on one of the original IWO reasons for being: anti-ship missile defense (ASMD) through electronic warfare (EW). When it comes to anti-ship missiles, there are multiple layers of defense up to and including ‘hard kill’ (shooting them down) – but the most effective and sustainable defense mechanisms exist in the EW realm. The primary reasons for this are easy to grasp once highlighted: countering threats at earlier (and more manageable) stages, while also layering in defense through multiple potential adversary actions.

Now that I work full-time in information security – and especially with an Industrial Control System (ICS) focus – these concepts that I studied in great detail in a past life come back to me. Two aspects specifically come to mind: first, the idea of pushing threats out as far as possible for mitigation and countering to limit potential adversary success; second, layering defenses with the understanding that countermeasures will fail or be evaded by a capable and dedicated adversary. The result of the above approach is a concerted, dedicated effort to mitigate threats as soon as practical while making sure sufficient countermeasures are in place to take care of ‘bleed through’. Applied to information security and especially ICS security, these concepts resonate strongly with me as a theoretical underpinning of robust network defense.

Anti-Ship Missile Defense and Electronic Warfare

US Navy concepts of anti-ship missile defense (ASMD) and the supporting efforts of electronic warfare (EW) to further this mission focus on defense in depth while also attempting to mitigate threats at the earliest (i.e., farthest away) possible moment. From a tactical employment perspective, defense breaks down into two complementary disciplines: counter-targeting and counter-missile.

Counter-targeting concerns the information and processing necessary for an adversary to actually fire on target. The aim is to deny the adversary the information necessary for developing a targeting solution: specific position data in near real-time. In many respects, this is a passive exercise, as the defender seeks primarily to deny information to the adversary. In an age of robust signals generation and leakage, this information denial includes tactics such as Emissions Control (EMCON) to prevent sufficient signals emerging from the defended unit to allow for targeting, or even robust operational security (OPSEC) to deny the adversary information on intentions and direction that could be used for further cueing.

Counter-missile, in contrast, is a far more active approach. At this stage, the adversary has formulated a reasonably accurate targeting solution and launched a weapon. Further actions are designed to counter this imminent, inbound threat. As such, these defenses are layered to attempt multiple means of countering the inbound missile: more active versions of counter-targeting to muddy the weapon’s targeting data; electronic warfare solutions to interfere with or otherwise degrade the missile’s terminal seeker; and finally physical countermeasures to either confuse (e.g., chaff) or destroy the missile before impact. All components of this countermeasure chain receive equal weight, as any could fail – either due to internal technical difficulties or external capabilities to counter the countermeasures. The result is a multi-staged, semi-automated defense-in-depth designed to eliminate the threat from its earliest stages (initial launch) all the way to near impact (using the Close-in Weapon System, or CIWS, to shoot down an inbound missile).

A couple of important concepts emerge from this (abbreviated) overview of ASMD:

  • No single defensive measure is sufficient on its own, from counter-surveillance to ‘soft’ kill (EW) through ‘hard’ kill.
  • Defenses are oriented to attempt mitigation at the earliest possible moment (preventing an adversary weapons launch in the first place) through the last – trying to stay as far ‘left of boom’ as possible.

One item that was not previously addressed concerns how the above is possible outside of theory and wargames. In order to counter adversary targeting, let alone adversary weapon systems, the defender requires information on the function and employment of these capabilities. Thus another factor comes into play: accurate and timely technical intelligence informing defenders on the capabilities and operating parameters of the adversary. This critical information provides the basis on which responses can be developed and deployed to ensure timely, accurate defense.

ASMD to Information Security

The ASMD overview above should strike most information security professionals as familiar in many respects, but different enough that some important lessons can be gleaned. The two conceptual areas of defense-in-depth and mitigating at the earliest possible moment are both likely very familiar to information security professionals, but the way in which they are employed indicates that we, as a community, may be able to learn something from our seagoing brethren.

First, concerning defense-in-depth, the concept is certainly discussed frequently in information security circles, but the precise implications of this strategy are often lost. Namely, true defense-in-depth requires robust defensive measures at every stage of the relevant kill-chain: from all those steps ‘left of boom’ to countering actual effects delivered on target. Frequently in information security – whether due to cognitive biases surrounding specific parts of the cyber kill-chain or due to simple resource constraints – various layers of potential defense are ignored or just not sufficiently resourced. Doing so creates potential gaps and weak-points in defense – and an adversary’s successful evasion of a countermeasure at one layer (say, an expensive next-generation firewall) then leads to relatively easy compromise at follow-on layers where little to no investment has taken place.

Second, mitigating items as far away as possible as an initial strategy is often conflated in information security as beefing up perimeter defenses to keep ‘bad things’ out from the start. Unfortunately, this perimeter-focused approach is wrong in conception and application. Rather than attempting to create an impenetrable firewall for intrusions, defenders should first seek to exercise counter-targeting with respect to adversaries. While the nature of the Internet and publicly-accessible services does not allow for actions as extreme as the USN’s EMCON, other measures may yield significant benefits in reducing and limiting the overall attack surface. When combined with a robust defense-in-depth approach, minimizing attack surface to a handful of accessible – and known – services then allows defenders to prioritize defensive resources to these few available ingress points. While not eliminating the possibility of an adversary targeting the enterprise, the defender can shift initiative in their favor by limiting the adversary’s options to a limited set of known alternatives.

Lastly, the role of timely, relevant technical intelligence underpinning efforts is a vital component to ensure effective defense. Too often in information security, intelligence is viewed as a stream of indicators of compromise (IOCs) to be used for alerting or blocking purposes. Unfortunately, as I have written repeatedly elsewhere, IOCs are useful to indicate if you are compromised by something known, but not especially effective in either preventing compromise or detecting an unknown threat. Just as members of the USN IW community work diligently to ensure defensive measures against anti-ship missiles, information security threat intelligence personnel must also work hard to identify and defend against types and behaviors of attacks, rather than specific instantiations of an attack type. (For more on this, please refer to my earlier post, http://pylos.co/2018/03/05/threat-analytics-and-activity-groups/)

Counter-Targeting and ICS

Now that we’ve covered some of the concepts of ASMD applied to information security on a general level, I would like to explore one component of this line of thought with specific implications toward ICS security. A frequent – and faulty – assumption in the ICS security space is that networks are (relatively) isolated from general IT, and thus there are few (if any) ingress routes for an attack aside from exotic measures such as USB-propagating infections. Unfortunately, recent events have shown this assumption to be quite wrong, as attacks ranging from highly targeted (CRASHOVERRIDE and TRISIS) to IT-oriented but rapidly and indiscriminately spreading (WannaCry and NotPetya) have severely impacted ICS networks.

While IT-ICS links are far more numerous than many might like to admit, and are necessary in many respects for modern ICS operations, defenders can take action from a counter-targeting perspective to limit exposure and narrow an adversary’s options. First and foremost, identifying and aggressively managing ICS network links is the critical first step to establishing the scope of the potential attack surface, and then working to minimize it. Establishing a narrow set of well-defined IT-ICS pathways used for necessary services limits the number of potential routes and makes security management easier.

The benefit of this approach, from a counter-targeting perspective, is that you have reduced the scope and breadth of adversary actions. Rather than being able to infiltrate the ICS network from multiple potential pathways, the adversary is now faced with a more limited set of choices as defined by network design. At this stage, defenders can further reduce visibility and attack scope by taking these links and limiting both the types of available services (to reduce attack surface) and the directionality of allowed services (to impede bidirectional adversary communication in the event of compromise). For example, business operations may require outbound SMB from ICS to IT for business intelligence collection – but closing inbound SMB traffic can at least prevent exploitation of related services on the other end of the communications path.

If the above steps are applied, an ICS defender has successfully reduced the scope and size of their potential IT-to-ICS attack surface, and made an adversary’s job that much harder. At this stage, defenders can seize the initiative to deploy further steps more aligned with ‘counter-missile’ approaches to detect and defeat malicious activity should it get this far. With a narrower set of communication links, defenders can establish more robust defense and monitoring of these critical, strategic nodes that enable IT-ICS connectivity. Furthermore, end-points on either side of this link can be treated as key defensive positions for hardening, security tool deployment, and host-based monitoring. By ensuring that the adversary must, by virtue of network design, traverse these critical nodes, defenders can establish defense and countermeasures at these points to capture actions now required by the adversary.
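The approach in the three paragraphs above (define a narrow set of IT-ICS pathways, restrict them by service and by direction, then monitor the link as a key defensive position) can be made concrete as a small policy audit. The following is an added example written for this post, not code from the original article or from any product it mentions. It assumes a constructed address plan (ICS in 10.20.0.0/16, IT in 10.10.0.0/16), a constructed flow-log format where `src` is the side that initiated the connection, and a hypothetical HTTPS historian pathway alongside the post’s own outbound-SMB example. It classifies each observed flow as on-policy, wrong direction (the inbound-SMB case), or an undefined service, and renders the same allow-list as nftables rules with a default drop so that what is monitored and what is enforced are one policy.

```python
"""Audit observed IT<->ICS flows against an explicitly defined set of pathways.

Added example for the counter-targeting discussion above; not the post's own code.
Address ranges, the log format and the HTTPS pathway are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed address plan (constructed for the example).
ZONES = {
    "ICS": ipaddress.ip_network("10.20.0.0/16"),
    "IT": ipaddress.ip_network("10.10.0.0/16"),
}

# The narrow set of defined IT-ICS pathways: (initiating zone, receiving zone, proto, port).
# Outbound SMB from ICS to IT is the post's own example; HTTPS for a historian push is assumed.
ALLOWED_PATHWAYS = {
    ("ICS", "IT", "tcp", 445),
    ("ICS", "IT", "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str      # address that initiated the connection
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in neither zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format: '<timestamp> <src> <dst> <proto> <dport>'.
    One connection per line, src being the initiator (as a stateful firewall logs it)."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Classify a flow against ALLOWED_PATHWAYS.

    allowed           - initiator, responder, service and direction all match a defined pathway
    blocked-direction - the service has a defined pathway, but this flow runs the other way
                        (e.g. IT-initiated SMB into ICS when only outbound SMB is defined)
    blocked-service   - no defined IT-ICS pathway exists for this service at all
    not-ics-link      - intra-zone or unknown traffic, outside the scope of this check
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if {src_zone, dst_zone} != {"ICS", "IT"}:
        return "not-ics-link"
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_PATHWAYS:
        return "allowed"
    if (dst_zone, src_zone, flow.proto, flow.dport) in ALLOWED_PATHWAYS:
        return "blocked-direction"
    return "blocked-service"


def audit(log_text: str) -> Dict[str, List[Flow]]:
    """Group every flow in the log by its classification."""
    results: Dict[str, List[Flow]] = {}
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            results.setdefault(classify(flow), []).append(flow)
    return results


def render_nft_rules(chain: str = "it_ics_link") -> List[str]:
    """Render ALLOWED_PATHWAYS as an nftables forward chain with a default drop.
    Only the defined initiating direction may open new connections; replies ride
    on conntrack state, so the policy audited above is the policy enforced."""
    rules = [
        f"chain {chain} {{",
        "  type filter hook forward priority 0; policy drop;",
        "  ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(ALLOWED_PATHWAYS):
        rules.append(
            f"  ip saddr {ZONES[src]} ip daddr {ZONES[dst]} {proto} dport {port} ct state new accept"
        )
    rules.append("}")
    return rules


# Constructed sample log lines: on-policy SMB and HTTPS, inbound SMB, inbound RDP, intra-ICS Modbus.
SAMPLE_LOG = """\
2018-04-01T10:00:01Z 10.20.5.10 10.10.8.20 tcp 445
2018-04-01T10:00:02Z 10.10.8.20 10.20.5.10 tcp 445
2018-04-01T10:00:03Z 10.10.3.7 10.20.5.11 tcp 3389
2018-04-01T10:00:04Z 10.20.5.10 10.20.5.12 tcp 502
2018-04-01T10:00:05Z 10.20.5.10 10.10.8.30 tcp 443
"""

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        print(verdict, [f"{f.src}->{f.dst}:{f.dport}/{f.proto}" for f in flows])
    print("\n".join(render_nft_rules()))
```

The `blocked-direction` verdict is the one worth alerting on separately: it shows a defined service being driven from the wrong side of the link, which is exactly the bidirectional use the post’s directionality restriction is meant to impede, and it is invisible to a check that only asks whether a port is "allowed".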

Conclusion

Applying strategic thought and planning to information security can greatly increase defender capability and effectiveness. By identifying and learning how the adversary must act to achieve their objective, and furthermore how your environment shapes an adversary’s behavior to complete their objective, defenders can gain insight into what nodes – logical or physical – on the network can be utilized to enhance defense and monitoring.

Taking a lesson from activities such as USN counter-targeting and counter-missile, this broader strategic concept can be distilled into two complementary steps: first, reducing attack surface to shape traffic (and adversary activity) to a handful of known and defined pathways; second, using this new concentration of activity along specific pathways to establish key defensive positions to block or monitor potentially malicious activity.

But the above will only remain effective and relevant provided defense remains informed and engaged with the nature and operations of their network, and the capabilities and likely objectives of their adversary. Just as USN IW personnel must continue to refine their capabilities with respect to adversary changes in technology and tactics, so must information security personnel continue to monitor their threat landscape and how this interacts with the network defended.

By adhering to an iterative, evolving approach of continued analysis of one’s own network combined with continual learning of the threat environment, defenders can equip themselves to apply effective ‘counter-targeting’ and ‘counter-missile’ concepts to the information security realm.
