Uncovering covert network behaviors within critical infrastructure environments
2021-08-06, 15:30–16:30, Main Track

We’ll explore vulnerabilities we’ve discovered in our IoT, IIoT, and ICS research to reveal the systemic problems that exist as a result of the fragmented supply chain, inconsistent configurations, and overall poor security standards found across the critical networks and devices. We'll then show how we have applied discoveries of these aberrant behaviors to ML algorithms to uncover the risky and potentially very damaging covert channels communicating with the outside world and the types of data being harvested along with the new attack surfaces that they offer.

Through the evolution of IoT, IIoT, and ICS networks we’ve been uncovering new risks and vulnerabilities. Most of these risks and vulnerabilities are hard to predict given the fragmented supply chain of hardware, operating systems, and software, which makes signature-based and operating-system-centric security solutions inadequate.

Leveraging the Active Cyber Defense framework and combining it with our homegrown ML, we’ve created our own approach to detecting aberrant network behavior through passive network monitoring to discover covert communications, rogue devices, emerging threats, and more. The analysis of protocols, device behavior, and network activity within these environments is critical and can aid investigators when responding to incidents that have national impact (for example, the recent Colonial Pipeline ransomware attack and the Oldsmar, Florida water poisoning attempt).

We’ll explore many vulnerabilities we’ve discovered in our IoT, IIoT, and ICS research to reveal the systemic problems that exist as a result of the fragmented supply chain, inconsistent configurations, and overall poor security standards found across critical networks and devices. We will build upon our previous real-world examples and current threat research within this presentation and show how we have applied the discoveries of these aberrant behaviors to machine learning algorithms to uncover the risky and potentially very damaging covert channels communicating with the outside world, the types of data being harvested, and the new attack surfaces that they offer.

The combined lecture and demonstration will take a deep dive into the early identification of network activities that map to each stage of the cyber kill chain. We’ll also demo our open source and free Modbus TCP pcap analysis tool to identify malicious behaviors within ICS environments.
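As an added illustration of the kind of passive Modbus TCP inspection the demo describes (example code written for this page, not the speakers' tool; the master-host allowlist, function-code tables and sample frames are constructed assumptions):

```python
# Added example: minimal Modbus TCP request parser plus two passive-monitoring
# rules (state-changing writes from an unknown host, unexpected function codes).
# Not the speakers' tool; sample frames below are constructed, not captured.
import struct

# Function codes that change process state; a passive monitor treats these as
# higher risk than reads. Tables are an assumption, tune them per site.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_mbap(payload: bytes) -> dict:
    """Parse a Modbus TCP request: 7-byte MBAP header, function code, data."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match payload size")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def inspect(packets, allowed_masters):
    """Return (src, dst, reason) alerts for a list of (src, dst, payload)."""
    alerts = []
    for src, dst, payload in packets:
        try:
            req = parse_mbap(payload)
        except ValueError as err:
            alerts.append((src, dst, f"malformed: {err}"))
            continue
        fc = req["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append((src, dst, f"{WRITE_FUNCTIONS[fc]} from unexpected host"))
        elif fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
            alerts.append((src, dst, f"unexpected function code {fc}"))
    return alerts


# Constructed sample traffic: one known HMI (10.0.0.5) talking to a PLC.
SAMPLE = [
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0001000000060103000A0002")),   # read regs
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("000200000006010600010001")),  # write, unknown host
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000300000005012B0E0100")),     # FC 0x2B
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0004000000")),                 # truncated
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE, {"10.0.0.5"}):
        print(alert)
```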

Michael T. Raggo has over 20 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products from Samsung, Checkpoint, and Netgear. Michael is the author of Mobile Data Loss: Threats & Countermeasures and Data Hiding (Syngress), the latter co-authored with Chet Hosmer. His Data Hiding book is also included at the NSA’s National Cryptologic Museum at Ft. Meade. He is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon Norway, and SANS, and was awarded the Pentagon’s Certificate of Appreciation.