Sémafor Conseil, your guide to cybersecurity!

ICS Forensics

BT223


Description

Organizations, both private and governmental, are trying to build security teams to protect the ICS/SCADA environment. The program was designed comprehensively and professionally to impart the skills and knowledge required to integrate into key positions of the information security world, both in defense and attack teams.

Participants will learn about the security threats unique to ICS/SCADA systems and the inherent weaknesses and vulnerabilities of Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) through real-world examples, as well as the frameworks and standards available to help develop an effective ICS/SCADA cyber-security strategy.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc …

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.

The participant will also need a good personal computer suitable for running virtual machines, with a broadband Internet connection.

Target audience

The course targets participants with OT and cyber security knowledge:

  • OT
  • Incident responders
  • Cyber forensics investigators

Objectives

  • Understand ICS networks on a deep level
  • Monitor and analyze user and system activities on the ICS network to recognize patterns of typical attacks
  • Analyze abnormal activity patterns to detect signs of an intrusion
  • Use advanced tools for intrusion detection
  • Analyze log files and log data

Pre-requisites

  • ThinkCyber Level-1 Courses

Syllabus

Module #1 ICS Risk Assessment

Description

During this module, participants will be introduced to cybersecurity in the Industrial Control Systems environment. Participants will learn how a control system can be attacked from the Internet and perform hands-on practice sessions on network discovery techniques.

Technical content

  • ICS Network Architectures
  • Known ICS Protocols
    o Modbus
    o DNP3
    o How to Approach Protocols Research
    o ICS Protocol Fuzzing
  • Security Architecture Overview
    o Host Configuration Overview
    o Wireless Access Overview
    o Remote Access Overview
  • Cyber-security for ICS
    o Network Discovery
    ▪ Passive Discovery
    ▪ Active Discovery
    ▪ Passive Enumeration
    o Using CSET
    o Ladder Logic Overview
    o Using Metasploit Framework
    o Web Hacking Techniques

Module #2 Security Methods and Products

Description

In this module, we will present participants with ways to plan, design, and implement an effective program to protect SCADA systems. Participants will gain an understanding of common Industrial Control Systems (ICS) threats, vulnerabilities, and risks.

Technical content

  • ICS Protection Concepts
  • Endpoint Defenses
    o Passive Solutions
    o Agents
  • Update and Patching
  • Hardening Configuration
  • Auditing Log Management
  • Network Fundamentals
    o TCP/IP Protocol Suite
    o ICS Protocols over TCP/IP
  • Firewalls
  • Building ICS/SCADA Honeypots
  • Securing Wireless in ICS

Module #3 ICS Network Analysis

Description

ICS Network Analysis revolves around the extraction, analysis, and identification of a user’s online activities; the findings include artifacts such as logs and history files, cookies, cached content, and any remnants of information left in the computer’s volatile memory. During this module, participants will identify different user-behavior patterns, even after the user tried to “cover their tracks”. Upon completion of this stage, they will be able to perform a detailed forensic analysis of network traffic.

Technical content

  • Wireshark Analysis
    o Wireshark Tool Inspection
    o Using Display Filters
    o Advanced Usage
    o The PCAP Format
    o Extracting Files from PCAP Files
    o Reading Encrypted Data with Wireshark
    o Advanced Attack Analysis
  • Advanced Packet Analysis
    o Bro
    o Bro-Cut
    o Open-Source Tools
  • Identifying Attacks
    o Network Scanning
    o MITM
    o Brute-Force
    o Injections
    o Web Server Attacks
  • Extracting Network Traffic from Memory
    o Dump Memory from Devices
    o Using Volatility
  • Firewall Findings

Module #4 Introduction to Malware Analysis

Description

In this module, participants will enter the world of malware, creating a virtual environment in which to study different types of malware and see how they operate. We will show how antivirus software works and develop an approach to handling a malicious file and knowing where to find it. Tools for performing malware analysis will also be presented during this module.

Technical content

  • Different Behaviors of Malware Types
    o Behavioral Analysis
    o Code Analysis
    o Memory Analysis
    o Malware Behavior Blocking
  • Indicators of Compromise (IOCs)
    o Hash
    o Hex Sequence
    o Host-Based Signatures
    o Network-Based Signatures
  • PE Files
  • Sandboxes
  • Windows Libraries and Processes
  • Setting up a Safe Environment for Inspecting Malware
    o Virtual Machine
    o Real Systems
    o Malware Analysis Tools:
    ▪ Process Hacker
    ▪ Process Monitor
    ▪ Regshot
    ▪ API Monitor
    ▪ IDA
  • Malware Hiding Places
    o On Live Systems
    o On Dead Systems
  • Malware on the Network
    o Identifying Malware
    o Carving Malware
    o Analyzing Malicious PCAP Files

Labs

The following labs are part of the actual BT223 course:

  • Lab 1 Modbus
  • Lab 2 CSET
  • Lab 3 ICS Protocols
  • Lab 4 Filtering with Bro
  • Lab 5 Log Analysis
  • Lab 6 Static Analysis
  • Lab 7 Dynamic Analysis

Real case studies

Case study #1 (ICF001)

Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines in the USA; security researchers suspect malware installed on their systems. You were summoned to investigate the incident, identify the source of the attack, and harden the control system.

Case study #2 (ICF002)

Honda Motor Company released a statement this week, saying the company was forced to halt production for more than 24 hours in one of its Japan-based factories after finding WannaCry infections in its computer networks. Honda Motor Company hired you to perform malware analysis on WannaCry using the tools you mastered.

Case study #3 (ICF003)

Recently, researchers at security firm FireEye discovered a new variant of the Havex remote access Trojan that can actively scan OPC (Object Linking and Embedding for Process Control) servers, used for controlling SCADA. “NewEnergy”, an Italian green energy company, was a victim of the attack and managed to monitor some of the traffic for you to analyze. Use your skills to help them.

Case study #4 (ICF004)

A cyber-attack on the Ukrainian electric power grid caused a power outage in the northern part of Kyiv. The incident caused blackouts all over the city. The forensics team started the investigation that day to identify the source of the attack causing the blackouts.

Case study #5 (ICF005)

An attacker was able to break into a 200-megawatt wind turbine system owned by NextEra Energy Resources. The IT team discovered a vulnerability in the company’s Cisco security management software. They require your assistance to disclose the incident.

Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In-situ (on-site) classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them for 30 days. All course material is made available electronically to the participant.

Course Group: ICS SCADA


Hands-on / Theory Mix

This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.


Required Equipment

Network connection

As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As this is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)

A good headset with microphone is also required.
