Evaluating Network Segmentation Strength | Episode 124
How hard is it for an attacker to dig around in my network? Robin Berthier of Network Perception joins us to look at new network segmentation evaluation and visualization technology that lets us see at a glance how much trouble, or not, we're in.
Waterfall team
“…in the news pretty much on a monthly if not weekly basis examples of critical equipment being exposed on the Internet and being breached…”
About Robin Berthier and Network Perception
Dr. Robin Berthier is the co-founder and CEO of Network Perception. He has over 15 years of experience in the design and development of network security technologies. He was part of the University of Illinois research team that originally developed the technology that drives the Network Perception platform. He received his PhD in the field of cybersecurity from the University of Maryland College Park before joining the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign (UIUC) as a Research Scientist.
Share
Transcript of this podcast episode #124:
Evaluating Network Segmentation Strength
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome. Everyone to the industrial security podcast. My name is Nate Nelson I’m here with Andrew Ginter the Vice President of Industrial Security at Waterfall Security Solutions who’s going to introduce the subject and guest of our show today Andrew has gone.
Andrew Ginter
I’m very well. Thank you Nate our guest today is Robin Berthier he is the CEO and co-founder at Network Perception and he’s going to be talking to us about machine analysis of network zoning so you know basically analyzing our networks. So we can understand attack pads. Okay.
Nathaniel Nelson
Okay, then here’s your interview with Robin
Andrew Ginter
Hello Robin and welcome to the podcast. Before we get started. Can you tell our listeners a little bit about yourself and about the good work that you’re doing at Network Perception.
Robin Berthier
Thanks Andrew for having me so my name is Robin Berthier I’m the CEO and Co-founder of Network Perception. We help OT networks to get understood visualized and and analyzed for risks. And my background is in Computer Science in cyber security. I grew up in France moved to the United States in 2005 for grad school and then moved from grad school to to Chicago to launch Network Perception and and support the critical infrastructure industry by developing solutions that that helps practitioners in those OT and cyber physical system environments.
Andrew Ginter
Thanks for that. And our topic today is analyzing networks – analyzing zoning. You were on the show six months ago walking us through your your network modeling tools your capabilities back then? um you know. To remind our listeners you know back then you were reading and analyzing config files and backups for for firewalls and routers in my recollection this lets you visualize the network it lets you, you know design a policy express the policy to your tool. Compare all of these configurations to the policy. You know the policy. This machine can be reachable by those networks but not by anything else and then report on deviations you know is the network configured the way we think it ought to be configured and you know you’re back? So. You’re talking about today. What’s new. Is there a new problem that that you’re solving.
Robin Berthier
Yeah, so two things are happening one inside Network Perception and and one outside let me start with the the outside the driving force first. So in the last six months we’ve seen in uptake in terms of interest by organizations with OT networks to formerly verify the segmentation of of the environment. It’s it’s it’s becoming more and more of a fire ready for them and I think that’s driven by both a. Ah, more pressure from adversaries and making sure you have the right access policy in place to to block attackers to prevent a bridge from spreading to and the critical zones inside your network and it’s also driven by. More stringent regulations. We’ve seen with Noqsip we’re seeing now with the tsa security security directives is just more focused being put around the importance of extremely robust network segmentation. Good hygiene for your firewalls and having you know, very precise rules to only without traffic on a need-to- no basis and then the second thing that that’s happening inside a perception is that we you know I didn’t measure in my background but I really have two passion one is. Is cybersecurity. The other one is information visualization and and specifically how to present a large volume of data into concise reports that leads to efficient decision-making so over the the past couple of quarters.
We you know reflected on the data analytics that NPV provides and we went back to the you know brainstorming and and the white world to really think how to best present that information because sometimes you know you start importing file configuration files and and you will have thousands or even tens of thousands of network path being discovered by the modeling engine that tells you the exposure of your different critical assets. So how do we compress and present and summarize this information. In a way that’s helping you making better decision in terms of risk in terms of of you know the the risk really to your to your network.
Nathaniel Nelson
This is of course a very important subject that Robin is hitting on here network segmentation comes up in any domain of cybersecurity. At some point relatively frequently in it. Especially I can think of a million examples where an attacker started off with one network resource and ended up moving their way through a network because wasn’t segmented enough. The classic example being the target breach. Ah, back in 2013 when a phishing email at a small HVAC provider in Pittsburgh led through targets client portal supplier porter rather attackers got into the network associated with the hvac systems and ended up. Burrowing the way through the Target get network through to their point ofsale systems and then stole a bunch of credit card information. The story goes on from there. So all that is to say this is very important you and I have talked about air gapping and you know directional gateways and all of these relevant technologies before?
Andrew Ginter
Absolutely and you know where to begin. It is important. This is why you know the first volume the first volume that was published in the 62443 series. You know it’s it’s a 14 volume set of standards. The first volume. You know half of it was about segmentation. You know it’s that important. and you know on the OT side. You know to me the the classic example was the the ransonware attacks SNAKE got into Honda a couple of years ago I mean there’s been lots of of ransomware attacks. Had OT consequences but that was sort of the the the highest profile one that had you know enough enough detail published to be able to figure out vaguely what happened and in my recollection it was the bad guys got into the it network through the it to Internet firewall. And pivoted from the it network into the OT network and you know contaminated the the production line with the with ransonware. You know, operated the ransonmware remotely encrypted stuff. Blah blah blah and so you know there were firewalls all the way along there and you know what. What people don’t understand is you know Ah, when people when I entered the industry naively you know more than much more than a decade ago. you know I had sort of the same perception. Everybody else. Did you know you take a little encryption throw a few firewalls at it.
You know some VPNs and and you’re good right? And you know it was once I started digging into it I mean bluntly I went to SANS training on firewalls and I was appalled and a couple of years later I put together my own presentation on 13 ways to break a firewall. You know? what’s the low-tech way to break a firewall your shoulder surf as you know the the firewall admin enters the password and you enter it yourself later on and at a rule that says allow all and and it’s all over. You know? what’s the what’s the high-tech way to break a firewall. You find a zero day. A bug that no one else has found in the firewall you write code to exploit the bug you sneak your way through the firewall in a way that that you know there is no defense against because there’s no patch for the bug. There’s there’s no you know attack signature for the attack. it’s it’s brand new you know what’s the yeah the the modern way to break through a firewall. Well you know we’ve talked about it countless times you get into the it network you you know trick various ways into you know people and technology into into getting domain credentials and now you give yourself permission to log in. To systems through the firewall and you know work your will upon the the Target system. you know here here’s a pop quiz. What is the most widely known sort of the instinctive. The knee-jerk reaction. How do you break through a firewall What’s the most widely known way through a firewall.
Nathaniel Nelson
Is it like they do in the movies where you type a bunch of Zeros and ones until you get a notification that pops up and says access granted and your screen scrolls really fast I have no idea.
Andrew Ginter
Um, no, but good. Good one okay, you know it’s it’s the most widely known is you don’t attack the firewall itself. you know every firewall people imagine that firewalls protect. Industrial systems from cyber attacks. you know they give you access to industrial data but they protect the industrial systems. In fact, that’s not what firewalls do what firewalls do is they give you access to some industrial systems and hopefully block you from others so that you can ask. Those industrial systems for data if you ask for data politely. Well you get data back if you ask for data impolitely by let’s say you know guessing the admin password instead of going in as your mere user password now you’re attacking the OT system through. Firewall this is the sort of the the way that that you know everyone knows of course you can attack through a firewall. The firewall gives you access to a handful of industrial systems and lets you send messages to those systems and some of those messages can be attacks and so you know. This is you know back to the point here with with Robin if you can send messages to the OT systems through the firewalls you can attack them. You can pivot attacks into those systems and so in my understanding this is you know the question he’s asking of I have you know in a refinery I don’t know.
Andrew Ginter
Dozens and dozens of sub-networks and dozens of firewalls and you know configuration for all of those firewalls the most complex would be the itot firewall but you know there’s other configurations everywhere else and the question becomes where can I pivot. How many steps do I have to go through how many systems do I have to compromise before I get from where I am on the Internet or in the it network or whatnot to a target that has really high value. You know how do you do that and this is the kind of analysis that. That his tools are doing.
Andrew Ginter
So that makes sense you know pressure from various kinds of regulators. you know pressure from the threat environment people caring more about about how their their networks are configured and you know which parts of it are are more or less easily reachable. But. If I recall that was kind of what you were focused on on the last time as Well. What’s what’s changed that you know you needed to to build something new?
Robin Berthier
So yeah, good question. So so based on that reflection we had to improve presenting large volume of data into concise report that are you know leading to efficient decision making we started to work on a new capability for for the platform. And that we call a zone segmentation matrix and that feature takes your entire set of connectivity path in the environment that you’re modeling and presenting it according to a matrix of zone path. So in one single screen. You can see. Like a bird’s eye. You can see which access network access would present a risk for your environment. So for instance, that metrics will reveal if someone from the corporate network would have direct access. To your skin environment and and if so on which port Before you had to go one by one into a subnet and asset and then look at the path in and out of that asset now we’re we’re surfacing in that matrix right away and those different results. And so that that gives you you know a faster way to identify overly permissive rules or very permissive segmentation or gaps in in terms of your network segmentation.
Andrew Ginter
All right? So So the ability to you know, visualize at a glance and see where problems are in in larger network configurations that that sounds good in Theory. You know in practice you know you mentioned you mentioned standards you mentioned drivers. You know can you connect the yeah the the theory the capability to the practice. How would you use this for INSM and you know can you remind us what is NERC INSM.
Robin Berthier
Sure so I mean as as a general theme network visibility has been a key challenge for OT infrastructure where you have geographically dispersed facilities and and then some very legacy equipment. And so getting good visibility over those networks is is just is difficult so FERC as a year ago NERC to start drafting a standardup around internal network security monitoring insm. And the concept there would be that even if you implement good cyber hygiene. Even if you have good proactive defense and initiatives in place if an adversary is able to breach your environment. You should have as part of your defense in depth. You should have capabilities to monitor suspicious network traffic and alert you and detect if if an attack is going on so NERC is in the process. The drafting team mind the process of of crafting a revision to the standard to include the requirement around putting sensors inside those critical networks in order to capture the traffic and and detect intrusions. It’s still much work in progress actually two days ago was the the end of the voting period for that.
First version I don’t think the that version was accepted so it’s going to go back to the drafting team for some changes. And then we’re going to know in the next few months in the final version with a actual enforcement date in the next couple of years but these. Ties into that big theme of network visibility and for us at natural perception. It’s really important that we we support the industry gaining a much more precise understanding of those routine networks. And we see our solution as extremely complimentary to the network traffic monitoring products that are on the market. We call this the two sides of network visibility so on one side you have actual network traffic monitoring and then on the other side. You have what will which is network modeling. So when you when you monitor network traffic you can see in real time. What’s happening and and you can answer questions such as there’s something suspicious occurring now in my network when you do modeling. Can answer a different question which is what can connect to what we we covered this in in the last of of the podcast. Now with the INSM the push for the INSM regulation we’re helping in two ways number one we can help.
Organizations to better plan. for the deploy of their sensors because within Pview you can very quickly generate a reference architectural diagram for your environment just you need the config file to your your firewalls wires and switches. And so once you have that diagram the decision of where to put sensor cells in order to capture and the correct and critical traffic is easier specifically with that zone segmentation metric that I referred to earlier where you you have that bird eye view when you see what are the critical connectivity path. Which zones should be instrumented with those sensors and then the second value is to be able to Build context around the event that you’re going to trigger through that network traffic monitoring sensor. So for example, you have. A suspicious and network connection that there connects to critical equipment. You want to know first you know how critical that equipment is in which what What’s the source zone of that traffic. What’s the destination zone and then if that equipment gets compromised where could an attacker go? What are the other paths that could be taken for this attack to propagate in cellular environment and those are the that’s the contextual environment the contextual information that that we can. We can provide for you for users.
Nathaniel Nelson
So Andrew it seems to me that we have spoken with many guests before about modeling attack paths about modeling networks and such um, what is the exact. Distinction in what Robin’s talking about here.
Andrew Ginter
Yeah, so um, where to begin. Um, Robin I think actually later in the episode says this so I’m I’m going to repeat what he says in in a moment but I think I recall him saying drawing a distinction between intrusion detection looking at network packets. And the kind of analysis that that his tools do intrusion detection looks at um, what connections are happening and if you see an unusual connection one that you haven’t seen before you might raise an alarm saying someone should look at this I’ve never seen this before so it looks at what’s happening. Ah. The attack is the the analysis tool that that Robin has doesn’t look at what’s happening he looks at what’s possible. He looks at the the firewall configurations and says well this device here could connect to that device. There. The firewall allows it. Whether or not it’s currently happening. Ids is what’s currently happening and you know his tool talks about what could happen to you.
Nathaniel Nelson
I guess I’m kind of surprised that that that’s actually never been covered before in all of our previous discussions.
Andrew Ginter
You know I could be wrong I don’t recall. It has been covered but you know we’re at 120 episodes my yeah, my memory fails sometimes I do remember that something like this. We talked about with Terry Ingoldsby at amanaza um you know his company does the attack tree analysis where he says well, you know how could you get from? you know a source the internet a source of an attack. you know or a malicious insider sitting at that workstation or whatever. How do you get from the source of an attack to a high value target. First you’d have to break into this machine then you’d have to get through that firewall then you’d have to and each step he assigns a weight indicating how difficult it is to do that. How capable the adversary has to be and he puts together. You know, all of the possibilities into a ridiculous number sometimes literally over a billion. Possible attack pads weighs them all and says here’s the bit you should be worried about um but in my recollection and I could be wrong. You know his tool um looked at things sort of a little bit generally whereas. Um, what. Robin’s tool is doing what you know Network Perception is doing is looking at the config files for the firewalls and saying here’s everything that’s possible, um, not sort of generally well you know you an attack could pivot through the firewall he he would say well these machines here can talk to those machines there. That’s all the firewall allows and so he’s he’s doing that sort of detailed analysis that I’m not aware that other people are doing.
Andrew Ginter
Okay, so so so that makes sense you know, IDS is you know what is happening. You’re talking about context. Are you connecting? Are you supplying that context in a sense in in real time are you are you taking the alarms in and. Analyzing the the IP addresses and you know somehow augmenting them.
Robin Berthier
So step by step. We are so we started to develop integration with the ideas vendors to be able to first and reach the topology map that we generate with the asset and equipment that. Ah. It been detected as communicating on the network because you know so far when we create a map. We are inferring the presence of endpoints based on references that we extract from the configurations of firewalls routers and switches. But we don’t know for sure that those IP addresses there’s equipment behind it. But if you start integrating with your network scanners your asset inventory solution your ideas providers then we can turn those inference into actual endpoint you know communicating and being present on the network which which is enriching your map so that part is is you know we have prototype available today the next phase in in that roadmap is to be able to also visualize the network traffic directly inside the NPV map so that’s something on which we’re actively working. Right now you can leverage NPV to contextualize. But that’s not yet. You know automated through integration.
Andrew Ginter
So that makes sense. Another thing that that you said that intrigued me, you know you said, Figure out where the adversary can go if an intrusion detection system an Ids is alarming about a particular asset that appears to have been compromised and is now sending out probes and. And attacks to other or you know, suspicious traffic to other assets. This is pivoting this is using a compromise machine you know I heard you say that you could figure out what what were you know? what assets were at risk by a pivoting attack given you know that a certain asset might have been taken over well you know. In the worst case if an adversary is you know, taking advantage of I don’t know known vulnerabilities exploiting vulnerabilities. And you know a lot of control systems are they have. They’re not fully patched. It’s hard to patch these systems because of reliability concerns because of safety concerns. Sometimes. In the worst case, you can pivot to you know, arguably everything on the local network and everything through firewalls that anything on the local met network can reach it. It does little good if you take over one asset to take your entire you know zoned network map and turn the whole thing red and say this is where they can go eventually. I’m guessing. You’ve got something finer-grained. Can you talk about? you know what? you actually show people is it is it one or two steps ahead. Is it something else. You know other than the the whole thing lighting up.
Robin Berthier
Yeah that’s a great question so currently. We’re looking four steps ahead. So what we do is to leverage our understanding of your network segmentation. So based on on your access policy firewalls wires and and switches. Um. What are the pivots from one subnet to another subnet. Now within a single local area network to your point its game over right? if you have one if you have one and equipment compromised and then that switch is not. Segmenting the network into VLANs so you have pretty much everything can talk to everything else in that one net subnet then there’s you know, not much you can do where we’re refining the analysis. There is to be able to ingest also the reports from vulnerability scanners. So if you scan that environment. Either active scanning or or passively monitoring to extract which and IP addresses is hosting application where you have a vulnerability then we we were planning to refine that analysis to show you exactly you know which CVE could be exploited on which port and services. but that. Really leads to the discussion around actually the importance of reducing the size of your segment. You know the whole micro segmentation movement. So instead of having a giant you know local area network with dozens of of IP addresses is segmenting with VLANs or segmenting with actual you know firewall access control to be able to group by level of criticality and function equipment. So that if something is compromised then you contain within a very small zone that breach.
Andrew Ginter
So Nate I don’t know if it was it was completely clear. But what I just heard Robin say there was that this tool is helping us answer the question. You know how should we design our networks. How should we segment our networks. Um. I mean look at ah you look at the internet you look at the the threats out there nation states are out there stirring the pot Ransom Warre is out there. Some of the ransonware is backed by nation states. They’ve got the capabilities of nation states some of the ransonware is rich enough to. Buy their own nation-state tools leverage enough to build their own nation-state grade tools. So what’s coming at us across the internet is can be really nasty and you know the the bad part about these ransom with with with nation state tools is that unlike nation states. They’re not just going to go after important targets. They’re. Going to go after everybody with money. So if that grade of ransomware is coming after us. We got to ask the question you know are have we designed our networks in such a way as to to defend them properly so we look at our networks and you know generally you’ve got 2 kinds of networks. You’ve got networks where the worst case. Compromise if it occurs is unacceptable. Um, you know rail switching systems, safety systems and there’s other networks where well if we get compromised. You know we kind of want to recover quickly and we want our insurance companies to pay us out. But.
Andrew Ginter
You know it’s it’s a big deal but it’s not the end of the world. Um, so in both cases in both kinds of networks. We’ve got to figure out how exposed we are if a bad guy from the internet wants to get in. How many steps do they have to go through how many machines do they have to compromise and then pivot use the compromise machine to reach through the next layer of firewall to compromise another machine and what Robin’s saying is that they’re starting to integrate this this tool not just with the network diagrams to count the steps. But. To look at the vulnerabilities in each of these targets and ask the question. Um, how hard is it to carry out the next pivot. So for example, if we have a really important system buried deep in in our our networks. Um. And it turns out that we’ve designed the network we’ve broken it not just into 1 big network you’re in you’re in you know Robin saying let’s talk about finer-grained segmentation microsegmentation if you break it into small networks and you’ve got to get from 1 small network into another one into another one. Let’s say 3 or 4 hops in. And 2 of those hops have to pass through a machine that has 0 known vulnerabilities in it. Well suddenly the bad guys if they want to get in. They’ve got to conjure up two zero days to punch through that.
Kind of of segmentation. Um, that’s expensive and so you know it’s not just how many hops that are being counted here but it it you know it sounds like um what we can start doing with this kind of system that Robin’s putting together is is getting insights into really how thoroughly protected. Or not our networks are.
Andrew Ginter
So that all sounds good. You know I’m I’m going to ask you in a moment for sort of examples and experience. But before I get to that. Let me ask you about about availability this new capability. You know I can’t ask you for examples if it hasn’t been released yet or you know at least be available in Beta. What’s the status of of this this new development here.
Robin Berthier
Yeah, so we are actively working with a fewer for development partners on finalizing that release and we’re actually getting super close to release resing that to the market. So we’re planning to have a launch of the latest version of Np that includes that zone segmentation matrix at the S4 conference early march.
Andrew Ginter
And okay, so then let me ask you the hard question about about experience. You know? do you have Beta customers. Do you have you know sites where you’ve been trying this out. You know who’ been working with you. How’s it working What are these people learning what kind of feedback are you getting you know how? how’s it going, especially this. Ah. This whole pivoting concept sounds interesting. Have you got any examples of that.
Robin Berthier
Yeah, so on the development partner we are you know, working closely with them to Deploy that solution and and inform them with what we call a stepping still map and and that’s you know what? And what’s interesting is that while we don’t have you know example of of actual natural bridge yet to to illustrate the value of it What we observe is and just the initial value of enabling stakeholders from. Different teams and different background to understand and finally like how you know the network environment is is configured and what segmentation means and how things are protected. You know with the visual map and and this you know lining up the the pivoting points you put risk in Context. And whether you are from compliance or cybersecurity or networking whether you are a technical person or you are in in the you know in the leadership and you know the the picture helps everyone to have the same language to discuss it but those concepts which can can be pretty complex with the size and sophistication of networks today and so and the the feature and the capability and the visualization of it has been received extremely well by our our initial. you know, beta testers.
Andrew Ginter
Okay, so Let me ask you what if I mean If I have a complex network and I’ve got high value assets buried deep in that network somewhere protective Relays or safety instrumented systems or I don’t know Leak detection systems. What do I Know. You’ve got high valueue assets. and you know the the the pivoting path that I worry about is from a command and control center on the Internet. Can I ask you? you know? is it possible to take your tool and say I’m worried about an attack from the Internet. what’s the the shortest the easiest path to get from the Internet into these high value assets and you know is that possible and you know do do people start seeing things that their eyes open and go oh shoot I forgot about that. you know is that. Is that doable with your technology.
Robin Berthier
Yes, so it actually it’s pretty interesting like every time we reundent analysis for the first time. You know they are insights. I can’t I can’t remember like it’s a single example where. Someone saw the result of that stepping still map and didn’t tell us oh I didn’t know that this was possible. You know I a dc didn’t know that this access was you know was doable in that environment. But so the way we do it and often you know you have. You start importing some config files into the the platform they may not cover all your and network path all the way to the to the Internet because you start with your own your critical environment with your criticals or like an ESP in the case of NERC. What we do is that we. When we pass the config files we extract the the routing table and specifically the default route and so we know that in a traffic or external traffic would come from a specific gateway. We put that git in the map and then we have actually default. Template routers that you can also import in addition to your actual equipment in order to close the gaps between the environmental mapping with the the network that’s connecting to the external world and that allows to.
Robin Berthier
Bridge and connect the different islands that you could see in in a network map and then we launched the year stepping stone map from that external gateway and you’re going to see in one two three or four hops which nodes could be used as pivot for an adversary. Turning from next external zone to go all the way to your critical equipment right now these this analysis is agnostic of your vulnerabilities. But we’re working to be able to filter it down to to prune that set of capabilities set of possible path that we identified. Into you know to your point the shortest or easiest path based on venability information like which host have an outdated application of something that could be exploded and and matching a port or survey that’s available. Based on your firewall rules and like really connecting the dots and combining those two datasets into an insight for you to know like which path is the risk estimate and in in your network.
Andrew Ginter
So you know what you’re saying here. It. It actually reminds me of you know an experience in my past. I was at industrial defender I was working with Jonathan Palia a very capable penetration tester. Um. You know we were not doing a pen test. The business had been contracted with a customer to to look at some network diagrams and you know some systems. Do it a risk assessment. Basically and we did not have any kind of technology like this and so I remember Jonathan sat down with. I don’t know you know 17 three foot by five foot as-built network diagrams big massive things full of you know, wiring diagrams and he’s paging through these things one after another and he looks up and he says you realize there’s a path from the Internet into your you know deepest control system here. Without ever passing through a firewall just routers. What do you mean well on this network diagram it starts here from the Internet and then you go to this machine and that machine through here and then you take this thing over here that you know is kind of off in the corner takes you over to this page bang bang bang you’re in you know and the reaction was. Give me that and you know snatch the network diagnos back kick us out. Go and fix the problem and you know bring us back in a couple of months is this the kind of thing that that you know you’re looking at is this this the kind of experience you’re trying to prevent.
Robin Berthier
Ah, precisely and and it’s it’s interesting because I I can’t Find in my memory like a single example of a you know user who hasn’t had this type of insight after deploying or solution. And there’s always a weakness or some misconfiguration or overly permissive rule that someone forgot inside the configuration that allows this type of of path. Maybe not always on the Internet but for sure from an untrusted zone to a trusted zone. So. And the the key there is to do that. You know with the power of technology right? because for you know the the expertise and and experience that that John is is bringing. You example we want to be able to bring that that capability without the risk of human error. to the mass and and to be able to have all of stakeholders being able to identify those risky path. But yeah, it’s it’s it’s fascinating like we stopped you know, importing config files the map is getting generated and then. You know in those firewalls we have in the routers. We extract the default gateways we know we can infer where the external access point into your environment. We launch a stepping stone analysis from that excess point you know, just a few seconds later you see the the node in your map laging up.
Robin Berthier
And you know youre you’re going to see your critical zone with everything lead up a specific color that says you know this is protected. This is mitigated by access control and then for sure there’s always like one or two nodes. in bright red that tells you there’s a direct access from an external. IP address all the way to that critical equipment deep inside your environment that you have no idea about and you know the the causes are they vary but often it’s oh someone added a temporary firewall rule like six months ago and he was supposed to stay for a couple of days but they forgot to remove it or. You know we thought that this rule was actually preventing external traffic from getting in but we had a misconfiguration the rule never got attached to an interface. So the rule was useless and you know just the line in your config that that the fire wasn’t taking into account. Or we had examples of Just object groups not being correctly defined. You know you have rules that are referencing source and definition services using groups and then it’s it’s pretty complex as a human to keep track of that right? you have to use lookup tables and make sure that you know. What value is in which group which set up firewall rule is which should of port and services and so often we see you know an all IP or something forgotten that gives more access than they expect.
Andrew Ginter
So the examples that that Robin gave there were misconfigured firewalls and. You know I just wanted to jump in sort of with a couple of examples of misconfigured firewalls on my own. Um, you know I used to do a demo at at like trade shows how to break through firewalls you know, just an awareness thing a threat awareness thing. Um, one of the scenarios. Was just misconfiguring the firewall and um, we’re not We’re not talking about home. You know small office firewalls here. We’re talking about enterprise grade firewalls and these firewalls have operating systems and user interfaces that are designed for scale.
They’re designed for big systems. You know they’re designed to deal with complexity and so you know if you want to put a rule in there that says Andrew’s laptop is allowed to connect to you know the PI server through the firewall. Well. You can’t just it’s not one rule. Um, first you have to define who Andrew is and then you have to define what Andrew’s laptop is and then you have to define what the PI server is and then you put a rule together. Not with Andrew’s laptop’s IP address and the PI server IP address and and allow you put it together you you have to pardon you have to define service numbers the the port numbers as well. You put a rule together that says roughly in english um, Andrew’s laptop is allowed to connect to the you know AVEVA PI client server port on the PI server in the DMZ network you you use almost exactly those words. Okay there’s no IP addresses anywhere. There’s there’s no usernames there’s it’s all symbols. And they do this so that you know these thousands of complicated firewalls are are comprehensible but what it means and you know my demo what it means is that you can look at that firewall rule and say there’s nothing wrong with this firewall rule and Ru’s laptop is allowed to connect to blah blah blah the rule is right.
Yet I’m letting the entire it network connect to the PI server. There’s something wrong with this rule and you can stare at the rule till the cows come home and you won’t find it because there’s nothing wrong with the rule. What’s wrong is with the definition of the IP address of Andrew’s laptop you’ve buggered up the definition and you’ve included the entire it t network in the definition you got to look in a different place. You got to look at the definition of each of the symbols and you know I I forget the details but there was another thing where you know instead of saying I’d messed up the definition of the DMZ network. And now you can connect to anything you want you know if you basically these these systems are complicated and it really is easy to mess them up in ways that just aren’t evident when you you know you look at you look at the definition and you try and understand. What it’s doing.
Andrew Ginter
So that’s all fascinating. Um, you know have you got anything else for us I mean you you seem to be a fountain of examples here. What where else you know can we can we get insights from using technology like this pause.
-16:01
Robin Berthier
Well, This actually in the news pretty much on a monthly if not weekly basis examples of critical equipment being exposed on the Internet and being breached right? The latest that I have in mind is. the water and wastewater treatment facility in aquipa in Sylvania and that they got compromised just a few months ago and the issue came from a PLC and with a human mission interface in the HMI. Where you know there’s a port on those equipment actually in this case Tcp bought twenty five six that was directly exposed to to the Internet and then. To make it worse the the password on that machine that the piece equipment was a default password from the manufacturer that hasn’t been changed so so that got compromised pretty quickly and you know this is the type of finding where if you have network modeling. You can very quickly. You know you import your your firewalls you import your list of equipment from your asset inventory and you can see. Okay, what’s exposed and what’s not exposed.
Robin Berthier
So another example is last year May 11 when you had a coordinated attack against 16 Danish energy companies where an attacker exploited. A venability inside a firewall to be able to craft arbitrary command and and run arbitrary command on those firewalls. So those equipment where little equipment were exposed to the outside but then the neutralize segmentation for the rest of the environment. Wasn’t strong enough to to contain those attacks. So the attackers on you know about five hundred UDP protocol of those Zixel devices were able to to get compromised and then pe but to or your discussion to get the critical equipment. Inside the inside those 16 facilities and so that’s the type of Insight you want to have prior to and a type because you know the next zero data of it being to get published. You want to have the confidence that you segmentation. And and the zoning that you put in place with access policy is strong enough to contain. any potential you know, 0 day into a you know vendor of network equipment to a single zone and not propagating to the rest of your critical environment.
Andrew Ginter
That all makes sense. You know we’re coming up on the end of the episode I want to say thank you so much for for joining us before we let you go Can you you know sum up for our listeners. What what should we take away from from you know the the changing needs and the you know the changing capabilities in the world of of Network segmentation.
Robin Berthier
But thanks Andrew again for having me and ensure. So really the the key point I wanted to make is is that verification of network segmentation is becoming more and more of a priority and it’s it’s it’s not a one ne-time thing right? because the networks of. two these networks are just growing in size and complexity and becoming more and more dynamic even in like traditionally more static environments such as OT yeah OT environments. So it’s a cyber hygiene-based practice to frequently. Make sure that the configuration of your of the equipment and forcing your segmentation. So the firewalls routes and switches is is correct and they don’t have of already can you see rules or or gaps that could open up access to your critical equipment. So to that end we are about to release. The most capable version of product and preview that includes that that new zone segmentation metrics to give you a birds eye view of your exposure for your environment really helping a faster insight and decision making in terms of network risks. And I invite folks to to check us out at at network-perception.com for more information about how we can we can help them.
Nathaniel Nelson
Andrew that just about concludes your interview with Robin Berthier. Do you have any final thoughts that you would like to leave with our listeners.
Andrew Ginter
I mean yeah, um, you know, reflecting back on the episode here. We’re talking about network segmentation this in a sense is the oldest trick in the book. It’s the oldest tool in the trade. It’s the first thing that was documented in the first volume of 62443 back when when you know. Industrial cybersecurity wasn’t industrial cybersec security. It was SCADA security. It was you know, even the terminologies changed and you know firewalls have been around forever yet, you know this is a new development in the field I mean when was the last sort of big new development. The field it was. There was deep packet inspection over a decade ago is is my recollection but here’s a way to analyze networks. Um, you know here’s a way to add context to alerts when there’s potential intrusions in in progress. You know we’ve been talking to some some vendors of of asset risk tools and asset inventory tools that sort of they’re working with the the intrusion detection vendors the alarming vendors to say look this asset is at risk from this attack. That’s that’s coming in here because they have. Information about the asset here’s an extra step the next step is okay given that this asset is at risk of potentially being compromised if it were compromised here’s all of the other assets that would be at risk because this one’s at risk. The field continues to to to develop. It surprises me that that something as old as the idea of network segmentation. You know there’s there’s so there’s still there’s new inventions happening in the field. So you know it’s an interesting development.
Nathaniel Nelson
Well thank you to Robin for sharing that development with us and Andrew as always thank you for speaking with me this has been the industrial security podcast from Waterfall. Thanks to everybody out there listening.
Trending posts
Impressions of Cyber-Informed Engineering
Top 10 Cyberattacks on Industrial and Critical Infrastructure of 2024
Stay up to date
Subscribe to our blog and receive insights straight to your inbox