This afternoon the DHS ICS-CERT updated their alert on BlackEnergy that was originally published in October and most recently updated on February 1st. As with most of the updates that have been published, today’s modifies the way that the Yara rules for detecting BlackEnergy are listed.
Today’s update provides a link to the latest version of the Yara tool on GitHub, a separate text file for the BlackEnergy signature, and the Yara documentation site.
It certainly seems like ICS-CERT is going to be using the Yara tool for helping folks detect systemic attacks like BlackEnergy. While this looks like a very valuable tool for Windows®-based systems (and a lot of ICS components are Windows-based), ICS-CERT notes that there may be problems in using this tool on other ‘high-end’ ICS components, and it almost certainly cannot be used on ‘the majority of field devices’.
It would be extremely helpful if ICS-CERT could do (or have someone else do) some additional research on the use of the Yara tool on some common control system components. This would allow them to provide more information than just the two sentences provided in the Alert:

“Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.”
The use of tools like Yara will be very valuable as the ICS threat environment continues to get more complex. ICS-CERT should be a leader in developing the use of such tools and helping get them into use in the field. Lacking their leadership, we are going to have to rely on vendors to develop these types of tools for specific use on their systems, and I don’t see any beyond maybe the top three or so having the resources to do that.