Behave You: Network Control

Part 4 of 6 in our Series

You and I See an Innocuous Camera…

Step into a major contract manufacturer and the machines are buzzing and whirling with activity. Production lines are busy cranking out the latest consumer electronics and cameras are everywhere making sure the quality process and controls are in ship-shape order. Major facilities here and overseas can have thousands of cameras installed along a production line.

All-day long these digital cameras stream images and video to the data center maintaining diligent logs to track production line quality. The problem is of course that cameras have been an easily exploitable weakness for cyber attacks. It gets more confounding since oftentimes, cameras come configured with default passwords. Alarmingly, it is very easy to hack into a camera and instruct the camera to send its recording to a remote suspicious site. Upgrade the password across all these hundreds of cameras? It won’t accomplish much asides give you a list of new passwords. Furthermore, industrial cameras are embedded systems so you cant even upgrade the OS or install any anti-virus even if you wanted to.

Dealing with Anomalies

Firewalls, anti-virus, and vulnerability detection tools are all available to help us deal with the constant ongoing threats but how do you deal with sophisticated malware attacks which can infiltrate a camera of all things? Much can be accomplished with signature detection and we at Ordr work closely with well-known sources to identify and see deep into signatures for anything that might provide clues of ill intent. We rely on signatures to identify what we consider “known” malware.

There are numerous anti-malware solution providers that identify objects, adding new signatures to its known database and we work them as well. These repositories grow each day and hold data on hundreds of millions of signatures that identify and classify malicious objects. Signature protection against malware works, it is relatively easy to use and it’s a tried and true method of catching the millions of older but still persistent threats that are roaming out there.

But Signatures Only Get You So Far

The problem in this sophisticated age of cyber attacks is that some versions of code may not always be recognized by this mapping approach of signatures. New versions of nasty code can appear that are not readily recognized by traditional signature-based technologies. A study by Cisco found that 95% of malware files analyzed weren’t even 24 hours old.

Worse yet, sometimes signatures can morph and hide. Think about that for a second, malware changing to avoid detection. It’s actually not that hard, some code permutation change here, a register renamed there or code shrunk or expanded and malware can avoid the traditional signature detection.

NotPetya: The Dangers of Hidden Signatures

When NotPetya surfaced, it was originally thought that it was another annoying resurfacing as it had a similar code structure and signature to that of the original Petya ransomware.

NotPetya, however, was way worse and way more sinister. NotPetya got its name from Petya but alarmingly, though it looked similar to Petya, the ransomware message was only a disguise. There was no real money demanded, no real unlocking code at all. The intention of NotPetya was all destructive and to irreversibly encrypt a computer master boot record.

NotPetya was designed to not just encrypt the master boot record (MBR) but to overwrite it with the attacker’s own MBR and with no access to MBR, the user can not access the OS on the computer leaving it inoperable. The signature told security managers that NotPetya was ransomware but NotPetya was actually a highly descriptive data wiper disguised as Petya. Identifying signatures is a start but to really understand what’s happening in your network, one needs to understand the behaviors of the devices with respect to its peer group, history, and context.

Ensuring the Camera is in its best Behavior

If we go back to the example of the cameras at the factory floor, we know what the device should be doing, sending images and video streams to the video servers at the data center. If there is any deviation from this behavior, we will see it right away and we can shut things down immediately.

It’s not just the changes from the daily routine that we can see, our engine can monitor how each device acts in a normal setting relative to its peer group. Time series is also factored in that we can see if a camera’s behavior is deviating or is different from what its behavior was in the prior weeks.

If there is some strange communication between a camera and remote suspicious site, our proactive system can prevent this since it’s smart enough to know that a particular camera never had this session in the past. Even if there is a request going into the camera from an external site, we will sound the alarm. An attempt to extract a video without permission? This is a behavior violation. Unusual communications, we catch that too. If it’s a behavior violation, Ordr will prevent it right away.  A thermostat talking to the finance department, that should not happen. Some traffic flow trying to disable security controls or install rootkits? We will shut it down.

Ordr Keeps Learning

Threats are dynamic and constantly evolving. Having a system that understands signature can help in a hyperconnected environment but to have real proactive protection a system must contextually be aware and have the insight to understand behaviors. Diving deeper into historic patterns can also help capture baseline deviations that might fly under the radar.

At Ordr our system is constantly expanding its behavior library, understanding what is normal and what is out of character for each and every device type. We complement your current tools and we work with what you already have. Ordr helps you quickly identify all the friends, eliminate all the foes and ensure all your devices behave the way they should.