September 26, 2018 2:50 PM
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Jimmy Wylie is a Senior Adversary Hunter at Dragos who spends his days (and nights) searching for and tearing apart threats to critical infrastructure. Starting as a hobbyist in 2009, he has over 9 years experience with reverse engineering and malware analysis. As a professional in the U.S. Intelligence Community, he utilized a wide range of skills against national level adversaries, including network analysis, dead disk and memory forensics, in-depth malware analysis, and software development supporting the detection, analysis and classification of malware in a variety of programming languages. Before joining Dragos, he was a course developer and instructor at Focal Point Data Risk, teaching a wide range of malware analysis techniques starting with beginner behavioral analysis and ending with kernel driver analysis. At Dragos, he was involved in the analysis of CRASHOVERRIDE, and was a lead analyst on TRISIS. He can be found on Twitter @mayahustle.