ICS Forensics
BT223
Description
Organizations, both private and governmental, are building security teams to protect ICS/SCADA environments. The program was designed comprehensively and professionally to impart the skills and knowledge required to integrate into key positions in the information security world, on both defense and attack teams.
Participants will learn about the security threats that are unique to ICS/SCADA systems and the inherent weaknesses and vulnerabilities of Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) through real-world examples, as well as the frameworks and standards available to help develop an effective ICS/SCADA cyber-security strategy.
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-work at home between lessons
- Repetition of materials, self-learning, performing tasks, etc.
In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
The participant will also need a good personal computer suitable for running virtual machines, with a broadband Internet connection.
Target audience
The course targets participants with OT and cyber security knowledge:
- OT
- Incident responders
- Cyber forensics investigators
Objectives
- Understand ICS networks on a deep level
- Monitor and analyze user and system activities on the ICS network to recognize patterns of typical attacks
- Analyze abnormal activity patterns to detect signs of an intrusion
- Use advanced tools for intrusion detection
- Analyze log files and log data
Pre-requisites
- ThinkCyber Level-1 Courses
Syllabus
Description
During this module, participants will learn about cybersecurity in Industrial Control System environments. Participants will learn how a control system can be attacked from the internet and will perform hands-on practice sessions on network discovery techniques.
Technical content
- ICS Network Architectures
- Known ICS Protocols
o Modbus
o DNP3
o How to Approach Protocols Research
o ICS Protocol Fuzzing
- Security Architecture Overview
o Host Configuration Overview
o Wireless Access Overview
o Remote Access Overview
- Cyber-security for ICS
o Network Discovery
▪ Passive Discovery
▪ Active Discovery
▪ Passive Enumeration
o Using CSET
o Ladder Logic Overview
o Using Metasploit Framework
o Web Hacking Techniques
Description
In this module, we will present to participants ways to plan, design, and implement an effective program to protect SCADA systems. Participants will gain an understanding of common Industrial Control System (ICS) threats, vulnerabilities, and risks.
Technical content
- ICS Protection Concepts
- Endpoint Defenses
o Passive Solutions
o Agents
- Update and Patching
- Hardening Configuration
- Auditing Log Management
- Network Fundamentals
o TCP/IP Protocol Suite
o ICS Protocols over TCP/IP
- Firewalls
- Building ICS/SCADA Honeypots
- Securing Wireless in ICS
Description
ICS Network Analysis revolves around the extraction, analysis, and identification of a user’s online activities; the findings include artifacts such as logs and history files, cookies, cached content, and any remnants of information left in the computer’s volatile memory. During this module, participants will identify different user-behavior patterns, even after users have tried to “cover their tracks”. Upon completion of this stage, they will be able to perform a detailed forensic analysis of network traffic.
Technical content
- Wireshark Analysis
o Wireshark Tool Inspection
o Using Display Filters
o Advanced Usage
o The PCAP Format
o Extracting Files from PCAP Files
o Reading Encrypted Data with Wireshark
o Advanced Attack Analysis
- Advanced Packet Analysis
o Bro
o Bro-Cut
o Open-Source Tools
- Identifying Attacks
o Network Scanning
o MiTM
o Brute-Force
o Injections
o Web Server Attacks
- Extracting Network Traffic from Memory
o Dump Memory from Devices
o Using Volatility
- Firewall Findings
Description
In this module, participants will learn about the world of malware: they will create a virtual environment to study different types of malware and see how they operate. We will show how antivirus software works and develop an approach to handling a malicious file and where to find it. Tools for performing malware analysis will also be presented during this module.
Technical content
- Different Behaviors of Malware Types
o Behavioral Analysis
o Code Analysis
o Memory Analysis
o Malware Behavior Blocking
- Indicators of Compromise (IOC)
o Hash
o Hex Sequence
o Host-Based Signatures
o Network-Based Signatures
- PE Files
- Sandboxes
- Windows Libraries and Processes
- Setting up a Safe Environment for Inspecting Malware
o Virtual Machine
o Real Systems
o Malware Analysis Tools:
▪ Process Hacker
▪ Process Monitor
▪ Regshot
▪ API Monitor
▪ IDA
- Malware Hiding Places
o On Live Systems
o On Dead Systems
- Malware on the Network
o Identifying Malware
o Carving Malware
o Analyzing Malicious PCAP Files
Labs
- Lab 1 Modbus
- Lab 2 CSET
- Lab 3 ICS Protocols
- Lab 4 Filtering with Bro
- Lab 5 Log Analysis
- Lab 6 Static Analysis
- Lab 7 Dynamic Analysis
Real case studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
- In-situ classroom with proctored labs and scenarios executed in our Cyberium Arena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available to the participant electronically.
Course Group:
ICS SCADA
Hands-on / Theory Mix
This course incorporates a high level of hands-on lab exercises, as well as real-life case studies.
Required Equipment
Network connection
As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As it is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:
- Audio and Video
- 8 GB RAM
- 200 GB Disk Space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with a microphone