Claroty unveils EtherNet/IP stack detection tool to simplify protocol identification


Claroty’s Team82 unit announced on Wednesday a custom, generic EtherNet/IP (ENIP) stack detection tool aimed at cybersecurity researchers, OT engineers, and asset owners. The tool performs behavioral profiling by breaking the EtherNet/IP and CIP protocols down into specific properties and attributes, then combines all the collected parameters into a unique signature for the ENIP stack in use.

Supersetting all the unique implementation hints reveals the identity of the ENIP stack being used, Sharon Brizinov, a Claroty researcher, wrote in a company blog post. “A parameter can be any delicate attribute of the protocol and the implementation, for example, an attribute that determines whether a certain feature of the ENIP protocol is currently supported. Scanning two different devices that use the same core ENIP stack (e.g. an SDK purchased from the same vendor) will result in the same unique signature,” he added.

Cybersecurity researchers, operational technology (OT) engineers, and asset owners can use the tool to identify and classify commercial and homegrown products that share the same third-party ENIP stack code. The tool will be free and publicly available through a GitHub repository.

The tool enables Claroty’s Team82 researchers to identify various classes of ENIP stacks and group similar stack implementations, Brizinov said. “For example, Team82’s researchers identified the unique signature generated by devices running RTA’s ENIP stack. With that, Team82 started to scan many ENIP-compatible devices in order to detect all potentially affected devices,” he added.

Using the tool, researchers scanned 290 unique ENIP-compatible devices and identified 32 unique ENIP stacks, according to Brizinov. “Of the 290 unique devices scanned, 11 devices were found to be running RTA’s ENIP stack in products from six unique vendors and appropriate actions were taken accordingly (disclosure process),” he added.

By identifying the ENIP stack, users inside the enterprise and vendors will be able to better understand their exposure to newly disclosed vulnerabilities, and subsequently prioritize updates, Brizinov said. 

Researchers may deploy the EtherNet/IP tool to identify connected industrial devices and the ENIP stacks those devices implement for network communication and data transfer between devices and workstations, according to Brizinov. The tool lets researchers classify groups of devices running the same ENIP stack and gauge the scale of a vulnerability in terms of affected devices.

Brizinov also said that asset owners could run the tool to identify devices running an ENIP stack affected by a newly identified vulnerability. “Too often, users are blind to the components running in commercial products and may be unaware of their exposure to critical bugs that have been disclosed. This complicates patch management decisions and could leave them vulnerable to publicly disclosed exploits,” he added.

The EtherNet/IP tool can also help ICS (industrial control system) honeypot creators make their honeypots harder for attackers to identify. “Honeypots are lures used by researchers and blue teams to ensnare attackers’ traffic to study their tactics and techniques in order to fortify network defenses,” Brizinov wrote. ICS honeypots mimic devices such as internet-connected programmable logic controllers (PLCs), and Team82’s tool can parse the protocol in use and help researchers separate legitimate traffic from honeypot traffic, he added.

Serial numbers are unique to each PLC, so multiple PLCs should not normally share the same serial number, Brizinov said. “Yet, a Shodan search for this particular serial number, below, reveals that more than 340 connected PLCs have the same one. One can easily deduce that this is an ICS honeypot,” he added.
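The signature idea Brizinov describes above and the duplicate-serial honeypot check, as an added example that is not Team82's tool: it parses ENIP ListIdentity replies, hashes only stack-level parameters (the encapsulation version, socket-address fields, sender-context echo and options, chosen here as illustrative parameters, not the tool's actual set), and flags serial numbers seen on more than one host. The replies, vendor IDs, product names and serials are constructed sample data.

```python
# Added example, not Team82's detector: parse ENIP ListIdentity (0x63) replies,
# hash stack-level parameters into a signature, and flag serials seen on many hosts.
import hashlib
import struct
from collections import Counter

ENIP_HDR = struct.Struct("<HHII8sI")     # command, length, session, status, sender ctx, options
IDENT_FIXED = struct.Struct("<HHHBBHI")  # vendor, device type, product, rev maj/min, status, serial

def build_reply(ctx, options, vendor, devtype, product, rev, status, serial, name, state=3):
    # Constructed ListIdentity reply for the sample set below; not a real device capture.
    ident = struct.pack("<H", 1) + struct.pack(">HH", 2, 44818) + bytes([192, 168, 1, 10]) + b"\0" * 8
    ident += IDENT_FIXED.pack(vendor, devtype, product, *rev, status, serial)
    ident += bytes([len(name)]) + name.encode() + bytes([state])
    body = struct.pack("<HHH", 1, 0x000C, len(ident)) + ident   # item count 1, CIP Identity item
    return ENIP_HDR.pack(0x63, len(body), 0, 0, ctx, options) + body

def parse_list_identity(pkt):
    """Return the device's identity attributes plus encapsulation details the stack chose."""
    cmd, length, _session, _status, ctx, options = ENIP_HDR.unpack_from(pkt, 0)
    if cmd != 0x63 or len(pkt) != ENIP_HDR.size + length or \
            struct.unpack_from("<HH", pkt, ENIP_HDR.size) != (1, 0x000C):
        raise ValueError("not a ListIdentity reply carrying one CIP Identity item")
    off = ENIP_HDR.size + 6                    # skip item count, item type, item length
    version, family, port = struct.unpack_from("<H", pkt, off) + struct.unpack_from(">HH", pkt, off + 2)
    off += 18                                  # protocol version + 16-byte socket address
    vendor, devtype, product, rmaj, rmin, dstatus, serial = IDENT_FIXED.unpack_from(pkt, off)
    off += IDENT_FIXED.size
    name_len = pkt[off]
    name = pkt[off + 1:off + 1 + name_len].decode("ascii", "replace")
    return {"vendor": vendor, "device_type": devtype, "product_code": product, "revision": (rmaj, rmin),
            "status": dstatus, "serial": serial, "name": name, "state": pkt[off + 1 + name_len],
            "encap_version": version, "sin_family": family, "port": port,
            "ctx_echoed": ctx != b"\0" * 8, "options": options}

def stack_signature(info):
    """Hash stack-behaviour parameters only, so different vendors on one ENIP stack collide."""
    params = (info["encap_version"], info["sin_family"], info["port"], info["ctx_echoed"], info["options"])
    return hashlib.sha256(repr(params).encode()).hexdigest()[:16]

def suspicious_serials(infos, min_hosts=2):
    """A serial is unique per PLC; one seen on several hosts points to a honeypot."""
    return sorted(s for s, n in Counter(i["serial"] for i in infos).items() if n >= min_hosts)

CTX = b"team82\0\0"   # constructed sender context: echoed by "stack A", zeroed by "stack B"
SAMPLES = [           # constructed: two vendors on stack A, one on stack B, two honeypot clones
    build_reply(CTX, 0, 0x0001, 0x000E, 0x0010, (2, 1), 0x0030, 1001, "PLC-A"),
    build_reply(CTX, 0, 0x0002, 0x000C, 0x0020, (1, 4), 0x0030, 2002, "Drive-B"),
    build_reply(b"\0" * 8, 0, 0x0003, 0x000E, 0x0030, (3, 0), 0x0000, 3003, "PLC-C"),
    build_reply(CTX, 0, 0x0001, 0x000E, 0x0010, (2, 1), 0x0030, 0xBEEF, "PLC-A"),
    build_reply(CTX, 0, 0x0001, 0x000E, 0x0010, (2, 1), 0x0030, 0xBEEF, "PLC-A"),
]
INFOS = [parse_list_identity(p) for p in SAMPLES]
```

Feeding real ListIdentity replies into `parse_list_identity` would let an asset owner group hosts by `stack_signature` and review anything `suspicious_serials` returns.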

The EtherNet/IP and CIP Stack Detector is the second open-source contribution Team82 has made toward ENIP stack security, Brizinov pointed out.

Last April, Team82 disclosed five vulnerabilities in the ENIP stack and publicly released the infrastructure and documentation needed to integrate the AFL (American Fuzzy Lop) fuzzer into the OpENer ENIP stack, which implements the ENIP and CIP protocols used across the industrial domain. Vendors and researchers can now run the fuzzer against their own implementations. The onboarding process is simple enough that even users without a cybersecurity background can use the fuzzer, he added.
