I&C Exercise 2 - Attack Analysis

Scenario

During this exercise, you will monitor both network traffic and data accesses to identify potentially malicious behaviour on the I&C network. Once you understand the normal traffic, changes in it can be identified. The Engineering Workstation (EWS) contains all of the files necessary to set up, configure, and monitor the I&C system. Knowing and understanding the data paths within the I&C environment is necessary to protect the EWS's critical assets.


Objective

For the network analysis, this exercise uses Wireshark to monitor and analyze I&C network traffic and determine what traffic is normal. Using that baseline, you can quickly identify unexpected traffic. A further objective is to view and modify a firewall configuration.

We will be using the following tools during the exercise:

  • Wireshark is a cross-platform, open-source network traffic analyzer that runs on Linux, Unix, and Microsoft Windows.
  • IPFire is a Linux distribution built to function as a network firewall.

Building on the previous exercises, you will use Microsoft Management Console (MMC) to observe access to the file system of the EWS.

Prerequisites

Log on to the Engineering Workstation (EWS):

  • Username: iaea
  • Password: iaea

Verify the EWS Siemens Totally Integrated Automation (TIA) project view and RT (runtime) Simulator windows are open.


Exercise Steps & Questions

Creating a Network Fingerprint

Step 1 - Baseline Network Behaviour

On the EWS, start Wireshark by double-clicking the icon on the desktop, then start the network capture by double-clicking Local Area Connection.

ws-lan-start

After 1 minute, stop the network traffic collection by clicking the red stop button.

ws-stop-capture

Local Area Connection: This is the primary connection used by the EWS; it is connected directly to the I&C network with the IP address 192.168.0.33. The switch port it is attached to is also configured as a mirror (SPAN) port, so this connection receives a copy of all traffic passing through the I&C switch.

Questions

Hint: You can isolate this traffic by applying a display filter in Wireshark, for example:

ip.addr==192.168.0.33 || ip.addr==192.168.0.1 || ip.addr==192.168.0.2

ws-example-df

ws-cotp-example

COTP (Connection Oriented Transport Protocol) is defined in ISO 8073. The Siemens-specific protocol used in this I&C system is carried over COTP, which is why Wireshark identifies the packets as COTP. Interpreting the lower-level meaning of each packet (i.e. decoding its data portion) requires specific knowledge of the Siemens protocol and a decoder for it.

Step 2 - Analyse Abnormal Network Behaviour

Clear any Wireshark display filters you may have set by pressing the red X button at the end of the display filter text box.

ws-clear-df

Before carrying out the next instruction, ensure that MAC name resolution is enabled (Edit -> Preferences -> Name Resolution -> Resolve MAC addresses).

From the Automated Laboratory Exercise Web Server, click the I&C Exercise 2.1 icon link. Watch Wireshark closely and, when ready, click the Run Exercise button. After 1 minute, stop the network traffic collection.
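The baseline-then-compare idea behind Steps 1 and 2 can be expressed in a few lines of code. The following is an added example, not part of the exercise materials: the records are constructed to resemble rows exported from Wireshark (Statistics -> Conversations), one per client-to-server conversation, and the MAC addresses, the firewall web-UI flow and the extra host 192.168.0.99 are invented sample values.

```python
# Added example: a minimal "network fingerprint" check. Conversations are
# constructed records, not real capture data.
from collections import namedtuple

Conv = namedtuple("Conv", "src_mac src_ip dst_ip proto dport")

# Constructed baseline (Step 1): the EWS (192.168.0.33) exchanging S7/COTP traffic
# (ISO-TSAP, TCP port 102) with the two controllers named in the hint's display filter.
BASELINE = [
    Conv("00:1c:06:aa:aa:aa", "192.168.0.33", "192.168.0.1", "TCP", 102),
    Conv("00:1c:06:aa:aa:aa", "192.168.0.33", "192.168.0.2", "TCP", 102),
    Conv("00:1c:06:aa:aa:aa", "192.168.0.33", "192.168.0.250", "TCP", 444),  # firewall UI
]

# Constructed capture (Step 2): the baseline plus a host never seen before, and the
# EWS IP address now also appearing with a different MAC address.
EXERCISE = BASELINE + [
    Conv("08:00:27:cc:cc:cc", "192.168.0.99", "192.168.0.1", "TCP", 102),
    Conv("08:00:27:cc:cc:cc", "192.168.0.99", "192.168.0.33", "TCP", 445),
    Conv("08:00:27:cc:cc:cc", "192.168.0.33", "192.168.0.1", "TCP", 102),
]


def fingerprint(convs):
    """Baseline = known (MAC, IP) hosts and known (src, dst, proto, port) flows.
    Keying hosts on MAC *and* IP is why MAC name resolution matters in Step 2:
    a known IP reused from an unknown MAC is still a change worth noticing."""
    hosts = {(c.src_mac, c.src_ip) for c in convs}
    flows = {(c.src_ip, c.dst_ip, c.proto, c.dport) for c in convs}
    return hosts, flows


def find_unexpected(baseline, capture):
    """Return (new_hosts, new_flows): present in capture but absent from baseline."""
    hosts, flows = baseline
    cap_hosts, cap_flows = fingerprint(capture)
    return sorted(cap_hosts - hosts), sorted(cap_flows - flows)


def wireshark_filter(new_hosts):
    """Display filter, in the same form as the Step 1 hint, isolating the new hosts."""
    return " || ".join(f"ip.addr=={ip}" for ip in sorted({ip for _, ip in new_hosts}))


if __name__ == "__main__":
    new_hosts, new_flows = find_unexpected(fingerprint(BASELINE), EXERCISE)
    print("new hosts:", new_hosts)
    print("new flows:", new_flows)
    print("filter:", wireshark_filter(new_hosts))
```

Paste the printed filter into the display filter box to jump straight to the unexpected hosts in the Step 2 capture.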

Questions

Step 3 - Examine the I&C Firewall Rules

In this step, you will use the I&C network firewall to analyze the unexpected network traffic. To access the firewall interface, follow these instructions:

  1. On the EWS, open a new tab in Firefox.
  2. Browse to the firewall configuration page by clicking the I&C Firewall bookmark or entering https://192.168.0.250:444.
  3. To log in, use admin as the username and iaea as the password.

ipfire-main-page

Wait a few seconds for the page to load. For the LAN and DMZ networks, does the main page of the I&C firewall match what you know from your network diagram?

  • The green network is the I&C network protected by the firewall.
  • The orange network is a DMZ for the I&C.
  • The red network is the outside network, typically connected to a corporate network or the internet.

From this interface you can view and analyze the firewall rules by clicking on the Firewall menu and selecting Firewall Rules.

ipfire-fw-rules-overview

Questions

Q7: View the details of a specific rule by clicking the yellow pencil icon, located just to the right of the rule. Write down what each rule is implementing:

Firewall Rule #1 blocks all outbound connections from the green (I&C) network to the outside (red) network. Such an all-inclusive deny rule is not usually the only rule in a firewall, but it shows how strict outbound filtering is implemented: any outbound traffic that should be allowed must now be explicitly added.

Step 4 - Analyze the I&C Firewall Logs

To inspect the I&C firewall logs, click the Logs menu and select Firewall Logs.

ipfire-fw-logs

Questions

Advanced Exercise

Edit rule #1 in the firewall and change the policy from Drop to Reject, then press the Update button. On the main firewall rules screen, press the Apply Changes button to activate the rule change. Repeat the exercise by starting a new Wireshark capture and clicking Run Again on the Automated Lab Exercise Web Server.

Questions

Note: The key difference between REJECT and DROP is that with REJECT the firewall returns a response to the sender, whereas DROP silently discards the packet and sends no response at all.
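The following added example (not part of the exercise materials) shows what that difference looks like in a capture: with DROP the EWS keeps retransmitting its SYN and sees nothing back, while with REJECT the firewall answers at once, either with an ICMP unreachable message from its own address or, when the rule is set to reject with a TCP reset, with a RST carrying the destination's address. The row formats are simplified from Wireshark's Info column, and the outside host 10.0.0.5 and the replies are constructed.

```python
# Added example: classify a blocked connection attempt as dropped or rejected.
# Rows are constructed (source, destination, protocol, Info), not a real capture.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst proto info")

EWS, FW, OUTSIDE = "192.168.0.33", "192.168.0.250", "10.0.0.5"

# DROP: the EWS sends a SYN, gets nothing back and retransmits.
CAPTURE_DROP = [
    Pkt(EWS, OUTSIDE, "TCP", "[SYN] Seq=0"),
    Pkt(EWS, OUTSIDE, "TCP", "[TCP Retransmission] [SYN] Seq=0"),
    Pkt(EWS, OUTSIDE, "TCP", "[TCP Retransmission] [SYN] Seq=0"),
]

# REJECT: the firewall answers immediately, as ICMP unreachable from its own address
# or as a TCP RST sent in the destination's name (reject-with tcp-reset).
CAPTURE_REJECT_ICMP = [
    Pkt(EWS, OUTSIDE, "TCP", "[SYN] Seq=0"),
    Pkt(FW, EWS, "ICMP", "Destination unreachable (Port unreachable)"),
]
CAPTURE_REJECT_RST = [
    Pkt(EWS, OUTSIDE, "TCP", "[SYN] Seq=0"),
    Pkt(OUTSIDE, EWS, "TCP", "[RST, ACK] Seq=1 Ack=1"),
]


def classify_attempt(packets, client, server):
    """Classify one client->server TCP connection attempt from the capture rows.
    Returns 'allowed', 'rejected (icmp-unreachable)', 'rejected (tcp-reset)',
    'dropped (N SYN attempts, no response)' or 'no attempt'."""
    syns = [p for p in packets
            if p.src == client and p.dst == server and p.proto == "TCP" and "[SYN]" in p.info]
    if not syns:
        return "no attempt"
    for p in packets:
        if p.dst != client:
            continue  # only responses heading back to the client matter here
        if p.proto == "TCP" and p.src == server and "[SYN, ACK]" in p.info:
            return "allowed"
        if p.proto == "TCP" and p.src == server and "[RST" in p.info:
            return "rejected (tcp-reset)"
        if p.proto == "ICMP" and "unreachable" in p.info.lower():
            return "rejected (icmp-unreachable)"
    return f"dropped ({len(syns)} SYN attempts, no response)"


if __name__ == "__main__":
    for name, cap in [("DROP", CAPTURE_DROP), ("REJECT/ICMP", CAPTURE_REJECT_ICMP),
                      ("REJECT/RST", CAPTURE_REJECT_RST)]:
        print(name, "->", classify_attempt(cap, EWS, OUTSIDE))
```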

Exercise Control

Network Fingerprint

  • Form submitted
  • Exercise completed

Advanced Scenario - Data Path Analysis

Verify that the EWS Siemens Totally Integrated Automation (TIA) Project View and RT (runtime) Simulator windows are open. Note: If you need help starting TIA and the RT Simulator, ask your instructor.

Step 1 - Execute an Attack

From the EWS perform the following steps:

  1. Open the Firefox browser and go to the Automated Lab Exercise Web Server.
  2. Click the I&C Exercise 2.2 icon link and then click Run Exercise.

Question

Step 2 - Collect Network Data and Analyze

On the EWS, start a traffic capture using Wireshark in the following way:

  1. Double click the Wireshark icon on the desktop.
  2. To start the network traffic capture, double click on Local Area Connection.

From the Automated Lab Exercise Web Server webpage do the following steps:

  1. Click Run Again.
  2. Once the exercise finishes successfully, stop collecting traffic on Wireshark by pressing the red stop button.

Begin analyzing the traffic for any file transfer protocols (e.g. SMB, FTP, TFTP, SSH, etc.). Also identify any remote desktop connection protocols (e.g. VNC, RDP, etc.).

Questions

Note: File transfers and remote desktop connections to and from the Engineering Workstation open the possibility of transferring or manipulating the sensitive information used to configure and operate the I&C system.

Step 3 - Further Network Analysis

Further analyze the SMB network traffic identified in the previous step by using a Wireshark filter for the SMB protocol. To do so, enter smb in the display filter box at the top of Wireshark and click the right arrow. Only SMB network traffic will then be shown.

ws-smb-filter

Question

Hint: Sort SMB traffic by clicking on the Info header in Wireshark.

Step 4 - Locate Affected Files

Try to locate the directory paths identified previously on the EWS using File Explorer:

  1. From the EWS, click the Folder icon on the taskbar to open File Explorer.

file-explorer-loc

  2. Browse through the C:\Users\User directory and try to locate the directories you identified from Wireshark.

Questions

To confirm your assumptions about the base directory in the previous step, do the following:

  1. Open the Siemens Project Window (Siemens TIA) from the taskbar.
  2. Compare the Title Bar path at the top of the window with the file path identified with Wireshark.

tia-window-title

You have confirmed that the file transfer seen in Wireshark was copying the project directory of the Siemens EWS system; now determine what allowed the transfer to take place. Do this by checking which file shares are available on the EWS system, as follows:

  1. Inspect the share information by building a Microsoft Management Console (MMC):
  2. Press the [Windows Key + R], and run the following command: mmc.exe. When asked if you want to allow the program to make changes to this computer, click Yes.
  3. Add a Snap-in to view the Windows Share information, by clicking File -> Add/Remove Snap-In… or pressing [Ctrl+M].
  4. In the list of Available snap-ins, select Shared Folders and click the Add button.

mmc-add-folder-snapin

  5. When the Select Computer dialog opens, ensure the Local Computer radio button is selected and then click OK.
  6. Now click the OK button to close the Add/Remove Snap-ins dialog box. This will open a window showing you the current Shares, Sessions, and Open Files on the system.
  7. Select Shares on the left to see what shares are on the system.

mmc-view-shares

Questions

Note: Shares whose names end in $ are hidden system shares that are created by and required by Microsoft Windows.

Step 5 - Mitigation

Remove the share by stopping it, then re-run the exercise:

  1. Start a new Wireshark network capture
  2. Set the Wireshark display filter for SMB
  3. On the Automated Lab Exercise Web Server, for the I&C Exercise 2.2, click the Run Again button.
  4. Determine if the file transfer was successful, or if it failed. What indicator(s) in the network traffic capture show success or failure?
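What you do by hand in Step 3 (filter on smb, sort by Info, note the share and the paths) and in Step 5 (decide whether the transfer still succeeded) can be scripted over the Info column. This is an added example, not part of the exercise materials: the Info lines are constructed to resemble Wireshark's SMB2 Info column, and the share name Users, its assumed local root C:\Users, and the project file names are assumptions chosen for the example.

```python
# Added example: extract share, paths and outcome from constructed SMB2 Info lines.
import re
from pathlib import PureWindowsPath

TREE = re.compile(r"Tree Connect Request Tree: \\\\(?P<host>[^\\]+)\\(?P<share>\S+)")
FILE = re.compile(r"(?:Create|Read|Write) Request .*?File: (?P<path>\S+)")
ERROR = re.compile(r"Response, Error: (?P<status>STATUS_\w+)")

# Before mitigation: the tree connect succeeds and the project directory is read.
BEFORE = [
    "Session Setup Request, NTLMSSP_AUTH, User: EWS\\iaea",
    "Tree Connect Request Tree: \\\\192.168.0.33\\Users",
    "Tree Connect Response",
    "Create Request File: User\\Siemens\\Project1\\Project1.ap15",
    "Read Request Len:65536 Off:0 File: User\\Siemens\\Project1\\Project1.ap15",
    "Read Response",
    "Create Request File: User\\Siemens\\Project1\\System\\PEData.plf",
    "Read Request Len:65536 Off:0 File: User\\Siemens\\Project1\\System\\PEData.plf",
    "Read Response",
]
# After the share is stopped (Step 5): the tree connect is refused, nothing is read.
AFTER = BEFORE[:2] + ["Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME"]


def smb_summary(info_lines, share_roots):
    """share_roots maps a share name to the local directory it exports; confirm
    that mapping with the MMC Shared Folders snap-in (Step 4) rather than guessing."""
    share, files, errors, reads = None, set(), [], 0
    for line in info_lines:
        if m := TREE.search(line):
            share = m.group("share")
        elif m := FILE.search(line):
            root = share_roots.get(share, share or "")
            files.add(str(PureWindowsPath(root, m.group("path"))))
        elif m := ERROR.search(line):
            errors.append(m.group("status"))
        elif line == "Read Response":
            reads += 1  # data actually left the EWS
    return {
        "share": share,
        "files": sorted(files),
        "directories": sorted({str(PureWindowsPath(f).parent) for f in files}),
        "errors": errors,
        "succeeded": reads > 0 and not errors,
    }


if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER)):
        print(label, smb_summary(lines, {"Users": "C:\\Users"}))
```

The directories list is what you compare against the TIA title bar path, and the Tree Connect error is the indicator of failure to look for in the Step 5 capture.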

Question

Exercise Control

Data Path Analysis

  • Form submitted
  • Exercise completed