[00:00:04] Hello, I'm Steve, and the title of my talk today is "Reversing the Reversing of the TriStation Protocol." It's mostly a story about me learning about industrial control systems, ICS security, which I, you know, a couple of months ago knew nothing about, and three T's in particular: Triton, Triconex and TriStation. I'll explain what all of those are shortly.

[00:00:33] A little bit about me. Steve Miller, I am a researcher at FireEye slash Mandiant. I used to do host-based forensics; now I do network stuff and dabble in ICS stuff. I live in the U.S., in central New York. New York is a big state; I live in a little tiny town right in the middle. I've been playing the Battlefield 5 open beta, don't know if anybody plays that, but my grandma thinks I play video games for a living, so it's suitable. And that's a picture of my motorcycle, a BMW F800R, from when I was riding through Northern California about a year ago. I am on FireEye's Advanced Practices team. We have a cool logo: it's an eagle shooting two Desert Eagles, so we think we have a pretty cool logo. Anyway, that's a little bit about me.

[00:01:35] This is just to get you into why I became interested in security. It wasn't this, but when I was traveling, I was living in Australia, and my mom received a letter in the mail from the US Office of Personnel Management. It was about a year after the OPM hack went public; they decided to send mail to everyone, which was nice of them. But the US OPM manages the records of all the government employees, so my entire security clearance and everything the government ever knew about me is now owned by China. You could probably look it up on the dark web if you're interested. But anyway, that's kind of why I'm into security.

[00:02:24] For the next about 20 minutes I'll talk to you about Triton, which is a malware framework; Triconex, which is an ICS PLC, programmable logic controller; and TriStation, which until recently was an undocumented proprietary network protocol. So this is really just my interest in these subjects, and I kind of poked at them for a little bit, and I hope you will learn something. I'm not sure, you all have different backgrounds and different interests, I'm not sure what you'll take away from this, but we will see.

[00:02:58] So, Triton. Sometime around December 2017, I think, FireEye released a blog about the Triton malware framework. It was written in Python, it was found at a customer site in the Middle East, it was compiled with py2exe, and it was designed to interact with Triconex controllers. This is the first of its kind. We live in an industry where everything's like a total game changer, but I think this was, this is kind of a game changer. So it's designed to interact with Triconex controllers. This is what a Triconex controller looks like. There's like three of everything, triple redundancy controller, Tricon, very clever. But it's a PLC, and this is a particular type of PLC which is designed for safety systems. So it connects to sensors, and if the sensors see something, they have logic that turns a gizmo or a motor or a widget and, you know, controls some industrial process for safety reasons, so that things like oil refineries don't explode, which is, you know, I think we can all see some value in that.

[00:04:16] So petrochemicals, oil and gas, power, pharmaceuticals, anybody with an industrial plant that wants to have safety systems in a plant. You might have hundreds of these, literally hundreds, and they could be all over the place, and they are networked, of course. TriStation, for the purpose of this talk, will be the protocol, the binary protocol, that allows a PC running some software to communicate with the Tricon or Triconex controller. So everybody got their Tricon, Triconex, Triton, TriStation? We've got a lot of buzzwords here, so I will try not to mix them up.

[00:05:04] So sometime earlier this year, it was like probably May, somebody was like, "You should look at the Triton malware." I was like, "Wow, that's cool." I didn't have anything to do with it when my company responded in the incident response, and somebody was like, "It uses a proprietary protocol." I was like, "What does proprietary mean?" "I don't know, it's like, it's undocumented." And I'm awesome, undocumented things are my favorite things. So I thought to myself, I became really like curious: how does this malware framework use the protocol? What does the protocol look like? I asked around; nobody had any pcap, which is my worst-case scenario: there's no pcap. So the big questions for me, and this was, you know, part of my job, right, was, you know, what the hell, what the hell's going on? How does the TriStation protocol work? What does it look like? To what extent did the malware authors reverse-engineer the protocol? Yeah, how did they do that, and how did they build a malware family that spoke this protocol? And then, to what extent did they implement the protocol network stack in the malware? These are important questions, because what I've observed in looking at a lot of malware is that when you implement a protocol, you have a very good chance of doing it wrong. And if they did it wrong, if there was any sort of error in their implementation, then we would be able to detect that, right? That was kind of a, yes, and that is true for a lot of other protocols. I was kind of hoping it was true for this one, so I wanted to poke at that.

[00:06:48] This is kind of what it looked like in practice. I stole this from the FireEye blog, but you have a PC over there, and that's running some sort of, you know, special software. The trilog.exe is the py2exe-compiled malware, and inside of that it has a bunch of scripts, and it talks to the controller. And the purpose of the malware was to communicate with the controller, the Tricon controller, so it had to talk to it, had to reprogram it or manipulate it and ultimately exploit it, and the purpose of this was to inject a custom binary backdoor. The controller does not run Windows, it does not run Linux; it has its own custom architecture and firmware. I'm not qualified to talk about any of that, so I decided to kind of focus on the networking protocol.

[00:07:48] So trilog.exe, to break it down a little bit: anything that's written in Python and compiled with py2exe can actually be uncompiled. When you compile, you have the option of specifying some zip files, but, you know, developers and malware authors being lazy like me used all the defaults, so all the scripts were, you know, just compiled there and, inside of the main executable, stored inside a zip file called library.zip. And this is what, when we uncompile it, kind of breaks out. .pyc is Python bytecode, but that's actually pretty easy to uncompile to break down to the plain-text scripts. So unpy2exe and uncompyle6, these are on GitHub, you can go download them and do this yourself.

[00:08:43] So this is kind of what the logic looked like. So back in this one, I looked at all these, so it's like two hundred and forty Python scripts in here. Most of them are just default Python stuff, support, different types, functions. But there were a bunch of them that obviously seemed very specific to the malware and specific to the implementation of TriStation. So these are the ones. evilstuff.py, that's the main routine of the malware; that was what was going to inject the controller with the backdoor. And then we had all these other things, but you could see it's a very nice cascading logic: evilstuff imports TsHi, TsHi imports TsBase, and so forth. And so all the way down that chain was where I decided to start looking at the plain-text content of these scripts.

[00:09:35] So I'm looking for the implementation of TriStation. When you look, and you want to document an undocumented protocol, there are a couple of things you've got to look for: you want to look for magic values, you want to look for counters, you want to look for timestamps, padding. There are a lot of different things, but when you want to document a protocol, you want to look for the structures, the major structures. And there's a lot of other things, but those are kind of the basics that you go into. And this all turned out to be much easier than I thought.

[00:10:02] So when I opened up cnames, TS_cnames.py, what was apparent was that it was just basically a bunch of arrays with string text, and these string texts were attached to kind of integer values, and you get the sense that it serves as a library for something else. But then when I went to go look at where these arrays are referenced in some of the other scripts, we kind of have to dive into some of the functions. So we can see that this is an array called TS_cst, and that TS_cst is referenced as, it's a dictionary result, so it's used as a library of strings for ts_result, and so that was the function I wanted to go look at next. So we look at that, and that's actually in a different Python file, and right here we're already seeing that they're breaking down the TriStation protocol in some way. When we have a bunch of UDP data coming back, we see that the first four bytes are broken into type and size, so pretty, pretty straightforward, and then the last two bytes are a CRC. So it's right there, it's really easy; we didn't have to do any reverse engineering, we did it the easy way. So that, that's pretty cool. And if you want to document a protocol, you can do it in the, you know, kind of C structure. I call this the pretentious way; I just kind of penciled it down on a napkin. And then what I wanted to do is dive in a little bit further.

[00:11:41] And then going into ts_result, we also saw that the next bytes after those first four bytes, this is packet type five, and in that first array I showed you, type five was a command reply. So just for command reply packets we now have these additional fields broken out in the data. So one, two, three, four, five, six, seven, eight, nine, ten more bytes are unpacked there. So now our understanding of the protocol has grown a little bit, and we can document that. And just based on the variables in the code, we could get the sense that, you know, this stands for something or the other, you know, size and checksum, or unknown. You know, anybody label anything unknown? Probably, probably not, maybe. But anyway, so this is the command type structure, and that's all well and good. Oh, what was that? Oh, and okay, the commands. And then, so that particular byte was referencing a different array in that first Python file, and it has all these, you know, all these different strings for what the command reply is. So that's really cool; we're seeing that the malware authors had a pretty good understanding of this protocol. They have all these message types, yadda yadda yadda, right?

[00:13:19] So I wanted to validate that the structure of TriStation that they knew was actually true. I wanted to see if they made any errors or anything. So obviously I googled around, asked people for pcap; nobody had pcap for me. It was a sad day. I found a paper by the Coordinated Science Laboratory at the University of Illinois Urbana-Champaign, that's a mouthful. This is a really cool paper. It was behind a paywall; I did google long enough and found like one of those PDF reproduction sites where they try to sell it to you for a dollar, but you can take a screencap of all this stuff. And I read the paper, and there were a couple of things that these researchers did. One, the TriStation protocol, which is undocumented, is similar to a documented protocol by the same protocol author called TSAA, and the researchers used one protocol to make inferences about how the other protocol worked. And they did that, and then they did some testing of their own, and they documented the TriStation basic structure. And so this is what it was like, which validated a lot of what I saw in the Triton framework.

[00:14:37] And what do you do with a protocol structure, like, once you've got it? First thing that I want to do is dissect some pcap, but I didn't have any pcap. But they printed out some bytes in their paper, so I kind of noticed, I was like, okay, if that's a real TriStation packet from their experiments... And I also noticed that we were talking about command type 05, and I noticed that everything before the 05 was actually probably UDP header data. So I tried to OCR it, but when you take a screencap of this you get a lot of O's instead of zeros in an OCR, so I typed all of this into a hex editor very slowly. I know, it's terrible. I'm embarrassed that I had to do that, but I did. And I stripped off the UDP header bytes, and then I used some CyberChef to print it out to like a fancy text file, and then I used text2pcap to generate my own pcap. And then I went on a journey of opening it in Wireshark. There's no parser; no parser existed for this publicly, no dissector. I created a really terrible Lua dissector, it's up on my GitHub, it's awful, but you can go look at that and dissect that pcap. And then about a month later the Nozomi guys really showed me up, and they produced a totally badass dissector for this protocol. I recommend you go check it out. But that's one thing you could do once you understand the structure of a protocol.

[00:16:17] This is that same pcap that I typed out, but dissected by the Nozomi TriStation dissector. As you can see, it breaks down the protocol into, you know, the channels, you know, the data length. These are the results of a custom protocol: they put the data length twice, I don't know why; I probably wouldn't do that if I were designing one. Anyway, there are a lot of things about this protocol that are weird, but we also have to remember it was written probably like 20 years ago.

[00:16:54] What else can you do with a protocol structure? You can observe the traffic in real time if you know kind of what it looks like. I tend to favor Snort because all my sensors use Snort and it's a really easy language to kind of write in for packet matching. So if we knew that value one, type, you know, the first two bytes, if the type was one, the connection request, and we also know that, you know, probably the smallest size packet is six bytes, we can kind of guess that: type, size and a CRC. And because we know it's a CRC, we could pretty much calculate that CRC16, and then we could write a very simple Snort rule that does a content match for that, looking for UDP traffic. So what this would do if you pushed this out to a sensor, it would, you know, detect, you know, if there were a TriStation connection request on UDP on the default port. And Snort rules are really good for identifying traffic that you want to observe.

[00:18:00] BSI in Germany, they did some awesome research on the TriStation protocol. This guy Thomas Schmidt led the charge in creating a Snort rule set for, you know, intrusion detection systems. It's free, it's accessible to everyone, and again, you know, before a couple of months ago nobody had any visibility into this traffic, so this is like a super awesome research project that actually delivered some value to anybody who owns Tricon controllers. This is what that Snort set looks like, and it depends on a bunch of configuration stuff, but it's out there; you can google for it. It's pretty straightforward.

[00:18:43] So how was Triton developed, now that we've kind of like looked at all that stuff? When we decompiled the Python bytecode, uncompyle6 kind of gives us a guess at the compile time. I'm not sure a hundred percent how accurate this is; I assume it's accurate. But there are about two hundred or so Python bytecode files in library.zip, and my boss, my boss now, he tweeted out this picture. I tried to make a graph and I was like, you know what, he already did it. So, but this is what the timestamps on the Python bytecode inside library.zip kind of told us. And what's interesting is you can see that there are a bunch that were in June 2016, and then what we see were a couple of edits later in 2016, in November, and then in 2017 we started to see some more stuff, and August 2017 is when we started to see the last modified times of the TriStation implementation. So we know that this malware framework, they spent like a good solid year on it, maybe more, I would guess more, and we can tell that from the Python metadata.

[00:20:02] There are some discrepancies in the Triton malware code, and I became really fixated, for no good reason, on this. There were a couple of misspellings in that first library of arrays that made me very curious, and there were also a bunch of strings in there, and I was googling for them everywhere and I couldn't find any trace of any of this. Most of the Triton code is mad decent, yo. It's pretty solid, it has nice cascading logic, there's good annotations, everything, the variables seem well named. So like to look at that library of weird misspellings, and then the rest of the code seems to be pretty solid, it was really inconsistent. There's nothing that drives me more insane than inconsistencies. So like here's an example of some of the arrays that I was talking about, you know, 'alec', a label; here's one that just drives me crazy, it's just a case inconsistency. These are small things that I've become very fixated on, and I'm wondering why these arrays are so different from the rest of the code. 'reponse', there were probably a bunch of these, and I don't know, there were probably maybe 10 or 12 misspellings.

[00:21:25] So I'm like googling around for these and I couldn't find anything. So obviously I have access to VirusTotal Intelligence. Does anybody use VirusTotal Intelligence? A couple of people. There's a reason that I go to VirusTotal Intelligence, and we heard from the VirusBay guys earlier, is that a lot of people, a lot of products will submit files willy-nilly to different types of things, and I basically look at this as a file repository for both good and bad. It stores everything. I'm expecting that a bunch of people submitted some stuff, and I want to try to look in there and see if there's anything that relates to the Triton malware inside VirusTotal. So I go on a retrohunt, and a retrohunt has its limitations because it only goes back on files submitted within the last six months. So I came up with a big fat zero, which is an extremely disappointing result for me, because I wanted to find something.

[00:22:22] And to work around the limitations of VirusTotal we have a tool called Awesome Possum. Awesome Possum is an internal tool; we take all VirusTotal submissions and we index all the metadata, because we can search back forever, and we throw it in a big log, a big log in Elasticsearch and all that. But one of the interesting things in Awesome Possum is that I can search by submission names back forever, all time. So anyway, I got a sense from documentation that I would be searching for TS1131.exe, and Awesome Possum, that is awesome, presented a bunch of results for me, and we can track the submitters and see all that stuff. So that was pretty cool. So I went on this kind of hunt to look for source files, and the first thing I did is try to run it in a VM, and I obviously see that I'm missing all these kind of dependencies. And I did this for a while; I just like kept looking in Awesome Possum to see files submitted with that name. I
00:23:20,890 --> 00:23:25,690 download them and I try to reconstruct 505 00:23:22,659 --> 00:23:28,360 this package eventually I went to 506 00:23:25,690 --> 00:23:32,529 dependency Walker and got a huge list of 507 00:23:28,360 --> 00:23:35,020 DLLs that I thought were related to the 508 00:23:32,529 --> 00:23:37,210 legitimate try station software so all 509 00:23:35,020 --> 00:23:40,539 along we had this narrative that the 510 00:23:37,210 --> 00:23:43,120 Triton malware was built with 511 00:23:40,539 --> 00:23:47,669 understanding based on reversing 512 00:23:43,120 --> 00:23:49,799 legitimate try connects software and 513 00:23:47,669 --> 00:23:52,450 that was a narrative and nobody had any 514 00:23:49,799 --> 00:23:55,570 any proof of that and I wanted to go 515 00:23:52,450 --> 00:23:58,809 find some proof so anyway a bunch of 516 00:23:55,570 --> 00:24:01,889 things that I didn't have and I was able 517 00:23:58,809 --> 00:24:05,020 to finally get to a file called lag evn 518 00:24:01,890 --> 00:24:07,480 DOL that had a parent file data 1 dot 519 00:24:05,020 --> 00:24:10,750 cab that had a parent file and now I'm 520 00:24:07,480 --> 00:24:14,559 into some like juicy data right 521 00:24:10,750 --> 00:24:17,529 try log V 4.1 and if you remember the 522 00:24:14,559 --> 00:24:20,428 original Triton malware file mimicked 523 00:24:17,529 --> 00:24:24,850 trilogue it was named try log dot exe 524 00:24:20,429 --> 00:24:27,520 presumably this is related to the Tricon 525 00:24:24,850 --> 00:24:28,760 controller type of software so anyway I 526 00:24:27,520 --> 00:24:31,040 opened this up 527 00:24:28,760 --> 00:24:32,660 I start poking around in dataone cab and 528 00:24:31,040 --> 00:24:34,129 I look through all these dll's and 529 00:24:32,660 --> 00:24:36,890 there's obviously one I'm interested in 530 00:24:34,130 --> 00:24:40,640 the communications so this one really 531 00:24:36,890 --> 00:24:42,850 stood out to me calm anything calm DLL 532 
00:24:40,640 --> 00:24:45,500 named very cleverly 533 00:24:42,850 --> 00:24:48,740 but you could see it's a DLL that 534 00:24:45,500 --> 00:24:55,480 supports Tricon communications interface 535 00:24:48,740 --> 00:24:58,220 this is a written in Visual C++ and 536 00:24:55,480 --> 00:24:59,570 started dumping string tables and I'm 537 00:24:58,220 --> 00:25:02,860 starting to see things that are pretty 538 00:24:59,570 --> 00:25:06,530 familiar to me you know all of these 539 00:25:02,860 --> 00:25:09,229 like okay that looks like kind of like a 540 00:25:06,530 --> 00:25:12,260 thing and then here we go is like we can 541 00:25:09,230 --> 00:25:14,240 see the inconsistencies all these same 542 00:25:12,260 --> 00:25:16,730 strings and if you looked I probably 543 00:25:14,240 --> 00:25:19,160 spent a hundred hours looking at the Tri 544 00:25:16,730 --> 00:25:21,140 station or the Tri Triton strings and 545 00:25:19,160 --> 00:25:23,420 the moment I was able to look at this I 546 00:25:21,140 --> 00:25:26,210 was like okay 100% know that all of 547 00:25:23,420 --> 00:25:31,130 these strings in this string table came 548 00:25:26,210 --> 00:25:33,550 from a legitimate try connects DLL so I 549 00:25:31,130 --> 00:25:36,800 was like pretty happy with this result 550 00:25:33,550 --> 00:25:39,889 and everything everything is in there 551 00:25:36,800 --> 00:25:41,840 and it just goes it goes backwards start 552 00:25:39,890 --> 00:25:44,390 download chain start download change all 553 00:25:41,840 --> 00:25:46,659 that all the typos are in there and so 554 00:25:44,390 --> 00:25:51,230 then I went and collected a bunch of 555 00:25:46,660 --> 00:25:56,420 DLLs and I could see that where was it 556 00:25:51,230 --> 00:25:58,970 try comm DLL they had these C++ string 557 00:25:56,420 --> 00:26:02,140 tables in there all of these dated back 558 00:25:58,970 --> 00:26:04,900 like decades right so I'm looking at 559 00:26:02,140 --> 00:26:09,440 some library it was 
written ages ago 560 00:26:04,900 --> 00:26:12,590 never updated never maybe not Qaid to 561 00:26:09,440 --> 00:26:15,230 well I don't know and I was trying to 562 00:26:12,590 --> 00:26:18,679 figure out exactly what software package 563 00:26:15,230 --> 00:26:20,960 was probably reverse engineered I don't 564 00:26:18,680 --> 00:26:24,170 think I had any really good results from 565 00:26:20,960 --> 00:26:26,540 this but there is an older version of a 566 00:26:24,170 --> 00:26:29,510 Tricon controller called a trident and 567 00:26:26,540 --> 00:26:32,270 these both have you know different 568 00:26:29,510 --> 00:26:35,030 branches of software that we're 569 00:26:32,270 --> 00:26:38,090 supporting the communications for these 570 00:26:35,030 --> 00:26:39,350 controllers in any case there's a couple 571 00:26:38,090 --> 00:26:41,370 of things that are still interesting 572 00:26:39,350 --> 00:26:44,429 about this is that 573 00:26:41,370 --> 00:26:48,959 this is from the Triton malware code 574 00:26:44,430 --> 00:26:52,800 there were some annotations in the in 575 00:26:48,960 --> 00:26:55,290 the Triton Python scripts that were 576 00:26:52,800 --> 00:27:01,169 above what they had reverse engineered 577 00:26:55,290 --> 00:27:03,120 from the Tricon libraries and you can 578 00:27:01,170 --> 00:27:05,130 see that like these unknown values in 579 00:27:03,120 --> 00:27:07,919 this string here in particular are 580 00:27:05,130 --> 00:27:10,500 pretty different from you know the angle 581 00:27:07,920 --> 00:27:14,850 brackets kind of characterization for 582 00:27:10,500 --> 00:27:17,550 maybe unused integers in particular 583 00:27:14,850 --> 00:27:21,689 places so it became apparent to me that 584 00:27:17,550 --> 00:27:23,100 the Triton malware developers although 585 00:27:21,690 --> 00:27:24,840 they reverse engineered some of the 586 00:27:23,100 --> 00:27:28,469 legitimate software they still had to do 587 00:27:24,840 --> 00:27:30,720 a lot of 
experimentation to figure out 588 00:27:28,470 --> 00:27:32,760 the network protocol and we know that 589 00:27:30,720 --> 00:27:36,570 because not only did their malware 590 00:27:32,760 --> 00:27:38,400 framework take so long to develop they 591 00:27:36,570 --> 00:27:40,409 had a really hard time using it in the 592 00:27:38,400 --> 00:27:42,690 wild and they ultimately got caught 593 00:27:40,410 --> 00:27:45,330 before they were able to do too much 594 00:27:42,690 --> 00:27:48,240 damage so you know again six months ago 595 00:27:45,330 --> 00:27:51,720 or a year ago we only had like the 596 00:27:48,240 --> 00:27:54,059 suspicion that they reverse engineered 597 00:27:51,720 --> 00:27:55,920 something we're able to finally provide 598 00:27:54,059 --> 00:27:58,230 some kind of conclusive evidence to 599 00:27:55,920 --> 00:28:00,570 support that um so that was kind of a 600 00:27:58,230 --> 00:28:03,480 win for me and then a year ago we had no 601 00:28:00,570 --> 00:28:05,040 the world had no visibility into the Tri 602 00:28:03,480 --> 00:28:07,140 Station protocol was a black box 603 00:28:05,040 --> 00:28:08,820 protocol undocumented we have some 604 00:28:07,140 --> 00:28:10,980 documentation of it 605 00:28:08,820 --> 00:28:15,389 the nozomi guys probably know more than 606 00:28:10,980 --> 00:28:16,470 anybody about this protocol we know that 607 00:28:15,390 --> 00:28:19,440 they had a hard time using it in the 608 00:28:16,470 --> 00:28:21,630 wild because when we went to the 609 00:28:19,440 --> 00:28:25,530 engineering workstations that was 610 00:28:21,630 --> 00:28:28,290 launching the Triton malware we could 611 00:28:25,530 --> 00:28:30,570 see from the user Journal which is also 612 00:28:28,290 --> 00:28:33,750 our USM Journal also called the change 613 00:28:30,570 --> 00:28:37,100 journal I think Universal sequence 614 00:28:33,750 --> 00:28:40,620 number this is an NTFS feature that logs 615 00:28:37,100 --> 00:28:42,449 file names and 
change time but we could 616 00:28:40,620 --> 00:28:44,010 see they uploaded like a hundred 617 00:28:42,450 --> 00:28:45,960 different versions of the Tri and 618 00:28:44,010 --> 00:28:47,640 malware and they also uploaded like a 619 00:28:45,960 --> 00:28:49,200 hundred different other scripts and a 620 00:28:47,640 --> 00:28:52,230 hundred different other utilities they 621 00:28:49,200 --> 00:28:54,840 had a hard ass time getting there and 622 00:28:52,230 --> 00:28:55,260 then making this work and I think the 623 00:28:54,840 --> 00:28:57,230 expiry 624 00:28:55,260 --> 00:28:59,520 imitation that they were doing 625 00:28:57,230 --> 00:29:02,700 ultimately led to the outcome which is 626 00:28:59,520 --> 00:29:05,910 they caused one of the Tricon 627 00:29:02,700 --> 00:29:09,210 controllers to enter a failed state that 628 00:29:05,910 --> 00:29:11,220 fails state which is monitored by the 629 00:29:09,210 --> 00:29:14,220 industrial control systems monitoring 630 00:29:11,220 --> 00:29:17,520 software induced a shutdown of this 631 00:29:14,220 --> 00:29:18,960 entire industrial process and as you can 632 00:29:17,520 --> 00:29:21,030 imagine if you run a big industrial 633 00:29:18,960 --> 00:29:22,170 plant you're like losing a million 634 00:29:21,030 --> 00:29:24,240 dollars a minute 635 00:29:22,170 --> 00:29:27,140 every time your industrial processes go 636 00:29:24,240 --> 00:29:29,160 down so that's what got them caught and 637 00:29:27,140 --> 00:29:31,650 last but not least it's really important 638 00:29:29,160 --> 00:29:33,150 to acknowledge all of the public 639 00:29:31,650 --> 00:29:35,040 research that was done on this I think I 640 00:29:33,150 --> 00:29:37,380 read everything for the most part 641 00:29:35,040 --> 00:29:40,649 there's a couple of good fireEye blogs 642 00:29:37,380 --> 00:29:42,720 on this the zombie networks guys did a 643 00:29:40,650 --> 00:29:45,750 lot of research they purchased the 644 00:29:42,720 --> 00:29:47,790 
controller on eBay and reverse 645 00:29:45,750 --> 00:29:50,790 engineered some of the try station 646 00:29:47,790 --> 00:29:52,920 software as well I think doing may be 647 00:29:50,790 --> 00:29:55,470 exactly what the Triton malware 648 00:29:52,920 --> 00:29:57,600 developers did dragos guys have a lot of 649 00:29:55,470 --> 00:29:59,970 good stuff Accenture has an awesome 650 00:29:57,600 --> 00:30:03,689 white paper on this the guy behind 651 00:29:59,970 --> 00:30:05,370 midnight blue labs ics-cert CSL at 652 00:30:03,690 --> 00:30:08,490 University of Illinois there's a github 653 00:30:05,370 --> 00:30:11,010 repo with all of the malware and all the 654 00:30:08,490 --> 00:30:13,410 decompiled scripts and then all of the 655 00:30:11,010 --> 00:30:15,390 resources and all of this is important 656 00:30:13,410 --> 00:30:18,390 because ICS if you think everything is 657 00:30:15,390 --> 00:30:21,180 broken IT you got to you got to check 658 00:30:18,390 --> 00:30:24,870 out ICS it's it's a different world 659 00:30:21,180 --> 00:30:26,910 everything's like 20 years old and so a 660 00:30:24,870 --> 00:30:29,250 lot of that's just hanging out there and 661 00:30:26,910 --> 00:30:31,260 if you're interested in ICS there's no 662 00:30:29,250 --> 00:30:35,010 better time than right now to get into 663 00:30:31,260 --> 00:30:36,240 ICS security and with that I will take 664 00:30:35,010 --> 00:30:38,660 any questions I think we got like a 665 00:30:36,240 --> 00:30:38,660 minute left 666 00:30:43,040 --> 00:30:48,000 yeah thank you like you said you have 667 00:30:45,060 --> 00:30:51,389 one minute left so there's at least one 668 00:30:48,000 --> 00:30:54,440 question right don't ask me who it was 669 00:30:51,390 --> 00:30:54,440 because I can't say