CEH V13 Detailed Notes Part VI
Posted inSecurity Certifications

CEH V13 Detailed Notes Part VI

1

Introduction

Module 16: Hacking Web Applications – The Digital Frontline

Web applications form the backbone of online services, but they are also prime targets for attackers.
This module introduces how vulnerabilities like SQL injection, XSS, and session hijacking are exploited.
It builds the foundation for understanding secure web development and proactive web application defense strategies.

Module 17: Hacking Mobile Platforms – Breaching the Handheld World

Mobile devices carry personal and corporate data, making them lucrative attack vectors.
This module explores mobile operating systems, app-based threats, and platform-specific vulnerabilities.
Learners gain insights into mobile security architecture, malware behavior, and hardening practices for Android and iOS environments.

Module 18: IoT and OT Hacking – The Expanding Attack Surface

The convergence of IT and OT through IoT devices has redefined network perimeters.
This module uncovers vulnerabilities in smart devices, industrial systems, and critical infrastructure.
It emphasizes secure deployment, device hardening, and continuous monitoring in the age of connected ecosystems.

Module 16: Hacking Wireless Networks

1. Why wireless matters

Wireless networks expand an organization’s attack surface by broadcasting signals beyond physical boundaries. Weak Wi-Fi security or misconfigured wireless infrastructure lets attackers eavesdrop, impersonate networks, capture credentials, pivot into internal networks, and run man-in-the-middle attacks with relative ease.

2. Wireless basics & components

  • 802.11 architecture: clients (stations), access points (APs), controllers, and distribution systems.
  • BSS/ESS: Basic Service Set (single AP + clients) and Extended Service Set (multiple APs forming an ESS).
  • Frames: management (beacon, probe, auth, assoc), control, and data frames — management frames are used in many attacks.
  • SSID vs BSSID: SSID is the network name; BSSID is the AP’s MAC.
  • Modes: open, WEP, WPA/WPA2 Personal (PSK), WPA/WPA2 Enterprise (802.1X/EAP), WPA3 (SAE / Enterprise enhancements).

3. Wireless security protocols — overview & weaknesses

WEP (Wired Equivalent Privacy)

  • Old and fundamentally broken: weak IV reuse and RC4 weaknesses lead to trivial key recovery. Not suitable for any use.

WPA / WPA2 (Wi-Fi Protected Access)

  • WPA-PSK / WPA2-PSK: shared passphrase derives PTK/GTK; vulnerable to offline dictionary attacks if handshake is captured and passphrase is weak.
  • WPA-Enterprise (802.1X): uses RADIUS/EAP for authentication — far stronger if EAP methods (PEAP, EAP-TLS) are configured correctly.
  • WPA2 weaknesses: PMKID-based extraction techniques, KRACK-style replay/nonce attacks (protocol implementation vulnerabilities), and dependency on strong passphrases for PSK.

WPA3

  • Introduces SAE (Simultaneous Authentication of Equals) for stronger password-based handshake and protections against offline dictionary attacks, and enhanced protections for open networks with OWE (Opportunistic Wireless Encryption). Adoption patchs many WPA2 gaps but depends on client/AP support.

Management frames

  • Traditionally unauthenticated; attackers exploit this (disassociation/deauth attacks) unless Management Frame Protection (802.11w / Protected Management Frames) is enabled.

4. Wireless attack categories & techniques

Reconnaissance & information gathering

  • Passive discovery of SSIDs, BSSIDs, supported protocols, channel use, client lists, hidden SSIDs from broadcast traffic, and signal mapping. Passive capture avoids creating noise.

Sniffing & traffic capture

  • Capture wireless frames to inspect cleartext traffic or capture handshakes for later offline cracking. Unencrypted management/data in open or weakly protected networks is readable.

Deauthentication & disassociation

  • Attackers can force clients to disconnect from their AP (using forged management frames) to capture re-association handshakes or to drive users to connect to rogue APs.

Handshake capture & offline attack

  • Capture of the 4-way handshake (WPA/WPA2) or PMKID can allow offline dictionary/brute-force of PSKs. Strong passphrases and SAE reduce this risk.

Rogue AP / Evil Twin

  • Attacker sets up an AP that imitates a legitimate SSID to entice clients to connect, enabling credential capture, man-in-the-middle, or tracking. Often paired with DNS/HTTP spoofing and captive-portal credential collection.

Rogue clients & client impersonation

  • Malicious clients can inject traffic, attempt lateral attacks, or circumvent MAC-based filtering.

WPS attacks

  • Wi-Fi Protected Setup (WPS) design flaws allow PIN-based brute force (or Pixie Dust attack exploiting poorly randomized nonces). WPS should be disabled in secure environments.

WPA/WPA2 weaknesses exploitation

  • Offline dictionary attacks against captured handshakes or PMKID; exploitation of implementation flaws (KRACK) to replay/forge packets; downgrade attacks where possible.

SSL stripping / HTTP downgrade

  • On rogue APs or MITM positions, attackers can strip TLS or intercept unencrypted HTTP and harvest credentials.

Client-side attacks

  • Target client OS/protocol weaknesses: evil captive-portal pages, malicious updates, or files served via rogue AP.

Wireless pivoting & lateral movement

  • After gaining foothold on wireless, attackers may attempt to access internal network resources, enterprise management interfaces, or pivot to wired segments if segmentation is weak.

5. Detection signals & indicators of compromise

  • Sudden spikes in management-frame anomalies (many deauths/disassocs).
  • New/rogue SSIDs that mimic corporate names or appear on unexpected channels.
  • Client systems with unexpected association events or connecting to new BSSIDs.
  • Unusual DNS resolutions or captive-portal redirects originating from wireless clients.
  • Increased failed authentications, unexpected RADIUS logs, or abnormal EAP behavior.
  • AP telemetry: unknown MACs, multiple APs advertising the same SSID from different locations.
  • Long-lived sessions to external servers initiated from previously inactive Wi-Fi clients.

Wireless IDS/WIPS signature baselines and correlation with RADIUS and endpoint logs are key to spotting attacks.

6. Defensive measures & hardening

Authentication & encryption

  • Prefer WPA3 where available; otherwise use WPA2-Enterprise (802.1X) with strong EAP methods (EAP-TLS with client certificates is ideal).
  • Use long, random passphrases if PSK mode must be used. Avoid trivial/passphrase reuse.

Management frame protections

  • Enable Protected Management Frames (802.11w) to block forged deauthentication/disassociation.

Disable insecure features

  • Disable WEP and WPS. Avoid open networks unless OWE or secure onboarding is in place.

Network segmentation & access control

  • Isolate wireless clients from sensitive networks via VLANs and firewall policies. Use guest networks for public access with strict ACLs.
  • Implement role-based access, network access control (NAC), and device posture checks before granting internal access.

Strong authentication & endpoint security

  • Enforce 802.1X port-based authentication, certificate-based client authentication, and MFA for services accessible over Wi-Fi.
  • Enforce endpoint hardening (EDR, host firewall, up-to-date OS) to reduce impact of rogue APs or intercepted credentials.

Egress & DNS controls

  • Use DNS filtering, web proxies, and TLS inspection (where legally/ethically acceptable) to limit malicious exfiltration and phishing pages served via rogue APs.

Monitoring & wireless threat detection

  • Deploy Wireless Intrusion Prevention/Detection Systems (WIPS/WIDS) to spot rogue APs, deauth floods, suspicious probe activity, and unusual association patterns.
  • Centralize wireless logs, RADIUS logs, and correlate with SIEM and endpoint telemetry.

Physical & operational controls

  • Control AP placement to minimize signal bleed; use directional antennas where appropriate.
  • Harden management interfaces, change default passwords, apply firmware patches, and separate management VLANs.
  • Use radar/airspace scans to find unauthorized transmitters.

Onboarding & user behavior

  • Use secure onboarding (certificate provisioning, MDM) instead of sharing PSKs; educate users about connecting only to verified SSIDs and using VPNs on untrusted networks.

7. Legal & ethical considerations

  • Unauthorized wireless interception, deauthentication, or AP impersonation is illegal in many jurisdictions. Wireless testing must be explicitly authorized and scoped.
  • Consider privacy and legal constraints when capturing frames; avoid exposing user data, and follow organizational IR/legal guidance when responding to wireless incidents.

8. Key exam focus areas & memory hooks

  • Understand WEP weakness (IV reuse) and why it’s insecure.
  • Know the difference between WPA/WPA2-PSK (passphrase offline cracking risk) and WPA-Enterprise (802.1X) (stronger, server-based authentication).
  • Remember management frame attacks (deauth) and rogue APs / Evil Twin as common vector combos.
  • Prioritize defenses: WPA3 / 802.1X + PMF + disable WPS + WIPS + segmentation.
  • Memory hook: “Discover → Capture → Force → Exploit → Pivot” — typical attacker flow in wireless.

9. Quick checklist (for defenders)

  • Disable WEP and WPS; enable WPA3 or WPA2-Enterprise with strong EAP.
  • Turn on Protected Management Frames (802.11w).
  • Use NAC/802.1X and certificate-based client authentication for corporate SSIDs.
  • Segment guest and IoT networks; enforce strict ACLs.
  • Deploy WIDS/WIPS and correlate wireless events with RADIUS and SIEM.
  • Harden APs: strong admin credentials, firmware patching, limited management plane exposure.
  • Educate users to verify SSIDs, use VPNs on untrusted networks, and report suspicious captive portals.

Module 17: Hacking Mobile Platforms

1 — Module purpose & high-level view

Mobile devices (smartphones, tablets) are primary endpoints that hold sensitive personal and corporate data, provide access to enterprise systems, and act as authentication multipliers (MFA, tokens). This module examines how attackers target mobile OSes, apps, and ecosystems (app stores, device management) — and how defenders secure devices, apps, and mobile infrastructures.

2 — Mobile platform architecture (what to know)

  • Two dominant platforms: Android (open-source, many vendors) and iOS (closed, Apple-controlled). Both have sandboxing, permission models, app stores, and platform-specific APIs.
  • Sandboxing: Apps run in isolated environments with assigned storage and privileges; inter-app communication is mediated by platform mechanisms.
  • Application signing: Apps must be signed (iOS strictly via Apple; Android allows self-signed in many situations). Signing ensures integrity and provenance where enforced.
  • Permissions & APIs: Resources (camera, contacts, location) are gated via permission models; behavior and granularity differ between OS versions.
  • App lifecycle: install → runtime → inter-app intents/URL schemes → uninstall. Attackers exploit each phase.
  • Enterprise mobility components: MDM/UEM (mobile device management / unified endpoint management), VPNs, enterprise app stores, EMM policies, containerization (work profiles).

3 — Mobile attack surface (where attackers target)

  • Device hardware & firmware: baseband, bootloader, trust zones.
  • Operating system: kernel exploits, privilege escalation, vulnerabilities in OS services.
  • Applications: insecure coding, weak storage/encryption, insecure inter-process communication.
  • Webviews & embedded browsers: app-integrated web content exposes web-based vulnerabilities (XSS, injection).
  • Network: Wi-Fi, Bluetooth, mobile data — attacks include rogue APs, MITM, and NFC abuse.
  • App stores & supply chain: malicious or repackaged apps, fake apps in third-party stores, trojanized updates.
  • SMS & voice: smishing, malicious MMS payloads, voicemail exploits.
  • Physical access: device theft, direct USB or OTG attacks, hardware implants.
  • Enterprise integrations: misconfigured MDM, SSO tokens, exposed APIs.

4 — Common mobile vulnerabilities & exploitation techniques

Insecure Data Storage

  • Sensitive info stored in plaintext on filesystem, shared preferences, SQLite DB, or backup archives.
  • Impact: credential theft, token reuse, data leakage.
  • Why it happens: developers store secrets locally for convenience; misuse of storage APIs.

Weak/Excessive Permissions

  • Overbroad permissions requested or granted (e.g., app requests contacts/camera unnecessarily).
  • Attackers exploit granted permissions to access PII or sensors.

Insecure Communication

  • HTTP or poorly configured TLS leads to traffic interception; certificate validation bypass in code makes MITM easy.
  • Embedded credentials or API keys in code or configuration amplify risk.

Insecure Authentication & Session Management

  • Predictable tokens, lack of biometric tie-in, poor session invalidation, storing auth tokens insecurely.
  • Impact: session hijacking, account takeover.

Improper Platform Usage / Broken Cryptography

  • Using custom crypto incorrectly, reusing keys, hardcoding secrets, rolling your own encryption algorithms.
  • Impact: trivial decryption of stored data and traffic.

Reverse Engineering & Code Extraction

  • Mobile APK/IPA can be unpacked; unprotected code exposes logic, API endpoints, keys, and hardcoded secrets.
  • Attackers use static analysis tools to find sensitive code and dynamic tools to instrument apps.

App Repackaging & Trojanization

  • Legit app binary is modified to include malware and redistributed in third-party markets. It runs under legitimate app permissions after install.
  • Impact: stealthy persistence, data exfiltration, bot behavior.

Insecure Inter-Process / Inter-App Communication

  • Android Intents, iOS URL schemes, shared files, content providers — if unsecured, they allow unauthorized invocation or data access (e.g., Intent injection, activity hijacking).

Webview & Hybrid App Flaws

  • Poorly configured WebViews allow JavaScript to access native APIs or expose injection points (cross-context XSS). Hybrid apps inherit web vulnerabilities.

Jailbreaking / Rooting & Privilege Escalation

  • Device rooted/jailbroken by user or attacker removes sandbox, enabling system-level attacks, persistence, and bypass of MDM protections.

Malicious SDKs & Libraries

  • Third-party SDKs bundled into apps (analytics, ads) can exfiltrate data, inject code, or be hijacked to distribute malware.

SMS / MMS & SIM Attacks

  • Smishing (SMS phishing) lures users to malicious links; MMS multimedia exploits can target parsing flaws. SIM swapping attacks enable account takeover via telecom social engineering.

5 — Mobile malware & common objectives

  • Banking trojans: overlay attacks, credential harvesting, SMS intercepts.
  • Spyware / stalkerware: covert data collection (location, mic, camera).
  • RATs (Remote Access Trojans): persistent remote control, command execution.
  • Adware & cryptominers: monetize device resources, degrade battery/performance.
  • Botnets: leverage devices for DDoS or spam.
  • Objectives often include credential theft, data exfiltration, financial fraud, surveillance, or lateral enterprise access.

6 — Threat vectors & scenarios (attacker workflows)

  • Social engineering / phishing / smishing → trick user into installing app or entering credentials.
  • Drive-by or malicious websites → exploit WebView vulnerabilities to inject code.
  • Rogue Wi-Fi / evil twin → MITM traffic; steal tokens or push captive portals to harvest credentials.
  • Repackaged app in third-party store → user installs trojanized app with elevated permissions.
  • Supply chain compromise → malicious update to an SDK or CI pipeline pushes malicious versions to official store (higher complexity).
  • Physical access → install malware via USB/OTG, bypass lock screen if insecure.

7 — Testing methodology (ethical, authorized)

  1. Recon & mapping: identify OS versions, installed apps, MDM profiles, device posture, and exposed services/APIs.
  2. Static analysis: inspect app package (manifest/plist), embedded resources, certificates, embedded keys, and libraries — look for hardcoded secrets and insecure configs.
  3. Dynamic analysis: run app in instrumented environment to observe runtime behavior, IPC calls, network activity, storage patterns.
  4. Behavioral & network monitoring: capture traffic to detect unencrypted comms, token reuse, and suspicious outbound endpoints.
  5. Inter-app communication testing: probe intents, URL schemes, content providers for unauthorized access.
  6. Persistence & privilege escalation checks: test whether app can maintain persistence after reboot, or whether device can be rooted/jailbroken via known exploits (lab only).
  7. API/backend testing: test app endpoints for injection, authentication weakness, improper authorization and excessive data exposure.
  8. Supply chain & store review: check for repackaging indicators, code signing anomalies, or suspicious updates (lab / research only).

Only test with explicit authorization and isolate user data in labs.

8 — Defenses, secure development, and platform hardening

Secure app development best practices

  • Least privilege: request minimal permissions; explain why permissions are needed.
  • Secure storage: use platform-provided secure storage (Keychain/Keystore) and avoid storing sensitive data in plain files or backups.
  • Strong cryptography & key management: use vetted APIs, never hardcode keys; prefer hardware-backed keystores when available.
  • Proper certificate validation: enforce TLS, validate certificates properly, use certificate pinning judiciously (balanced with update practicality).
  • Input validation & output encoding: for WebView content and inter-app data; sanitize incoming data.
  • Code protection: obfuscate binaries, minimize exposed debugging information, remove test hooks, and use tamper detection where appropriate.
  • Minimize attack surface: disable unnecessary components, remove unused SDKs, and avoid embedding risky libraries.
  • Secure IPC: enforce permissions on content providers, validate intents and URL schemes; use ephemeral tokens for inter-app operations.
  • Protect updates & signing: ensure update channels and signing keys are secure; use app stores with vetting.

Device & ecosystem defenses

  • Enterprise controls: MDM/UEM to enforce device posture, encryption, remote wipe, app allowlists, and segmented containers for work data.
  • Policy & configuration: enforce full-disk encryption, strong screen locks, disable developer options/USB debugging in production devices.
  • Network protections: use enterprise VPNs, TLS everywhere, DNS filtering, and detect anomalous network behaviors.
  • App store hygiene: use official app stores where possible; vet apps before deployment and use allowlists/blacklists for enterprise devices.

Runtime protections and detection

  • Runtime app self-checks: detect tampering, debug sessions, emulators, root/jailbreak indicators; reduce functionality or alert when detected.
  • EPM/EDR for mobile: endpoint protection for mobile to detect suspicious behaviors and block known malware.
  • Logging & monitoring: centralize logs for mobile apps and MDM to detect anomalies (unexpected installs, policy violations, unusual devices).
  • User awareness: educate users about smishing, sideload risks, and app permission hygiene.

9 — Detection & incident response for mobile incidents

  • Indicators: unusual battery drain, data usage spikes, unexpected outbound connections, unexplained SMS/MMS activity, unexpected app installs, unknown MDM profiles, or unauthorized configuration changes.
  • Forensics: preserve device image, application data, logs, MDM reports, and network captures. Establish chain-of-custody for legal investigations.
  • Containment: revoke tokens, disable accounts, remote wipe or quarantine device through MDM, block malicious endpoints at network level.
  • Eradication & recovery: remove malicious apps, re-provision device (factory reset as needed), rotate credentials, and patch app/server code.
  • Post-incident: review telemetry, update security controls, run app update pushing fixes, and perform user outreach if data exposed.

10 — Regulatory, privacy & ethical considerations

  • Mobile testing often involves PII; respect privacy laws (GDPR, HIPAA) and organizational data handling policies.
  • Get explicit, written authorization and scope for any testing. Preserve minimal PII during tests and maintain secure evidence handling.
  • Be mindful of carrier and telecom rules: SIM, SMS, and telephony-related testing can implicate third parties.

11 — Real-world threat examples & trends

  • Banking trojans using overlay attacks or SMS interception to capture 2FA codes.
  • Supply-chain attacks where popular apps incorporate malicious SDK updates that exfiltrate data.
  • SIM swapping enabling account takeover by social engineering telecom support.
  • IoT-mobile intersection: mobile apps that control IoT devices expose new attack paths if insecure.

13 — Key takeaways & exam memory hooks

  • Mobile risk pillars: device, app, network, and backend/API — all must be protected.
  • Primary dev defenses: secure storage (Keychain/Keystore), proper TLS validation, least privilege permissions, no hardcoded secrets.
  • Primary enterprise defenses: MDM/UEM, app allowlists, containerization, endpoint/mobile EDR, and network controls.
  • Attacker flow memory hook: Phish → Install / Capture → Exploit IPC → Persist → Exfiltrate.
  • Quick mnemonic for app security:S.P.E.A.R.
    • S = Secure storage & secrets management
    • P = Principle of least Privilege for permissions
    • E = Enforce TLS & endpoint verification
    • A = Avoid hardcoded keys & use Keystore/Keychain
    • R = Runtime protections (anti-tamper, root/jailbreak detection)

Module 18: IoT & OT Hacking

1. Module purpose & high-level view

IoT (Internet of Things) and OT (Operational Technology) devices bridge the physical and digital worlds — they control sensors, actuators, industrial processes, and consumer items. This module examines how these devices and the systems that manage them can be discovered, compromised, coerced into malicious behavior, and defended. The stakes are high: attacks can cause data loss, service disruption, safety incidents, or physical damage.

2. Key definitions & differences

  • IoT (Internet of Things): Broad category of internet-connected devices (consumer, enterprise, industrial edge) such as cameras, thermostats, medical devices, smart actuators, gateways, and sensors. Often built on embedded OS, constrained resources, and varied vendors.
  • OT (Operational Technology): Systems and devices used to monitor and control physical processes — PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) systems, DCS (Distributed Control Systems), RTUs (Remote Terminal Units). OT emphasizes availability, safety, and real-time control.
  • Distinguishing characteristics: OT environments prioritize availability and deterministic timing; security updates and patch cycles are conservative. IoT often prioritizes cost and time-to-market, sometimes at the expense of security.

3. IoT/OT architecture & attack surface

  • Device layer: sensors, actuators, smart endpoints with embedded firmware and local interfaces (serial, JTAG, USB).
  • Edge / Gateway layer: protocol translators, local compute, protocol brokers (MQTT, CoAP, Modbus TCP/RTU), often run Linux-based firmware.
  • Control layer: SCADA servers, HMIs (Human Machine Interfaces), PLCs, RTUs.
  • Enterprise IT integration: centralized logging, asset management, enterprise apps, cloud services and remote management portals.
  • Network layer: fieldbus, industrial protocols, management networks, and sometimes direct internet connectivity.
  • Supply chain: firmware, third-party libraries, cloud APIs, vendor management portals.

Every layer contributes attack vectors: local physical access, exposed management interfaces, insecure cloud APIs, weak credentials, unencrypted telemetry, vulnerable protocols, and insecure supply chain practices.

4. Common IoT/OT vulnerabilities & why they exist

  • Default, weak, or hard-coded credentials — devices shipped with universal admin accounts or undocumented backdoors.
  • Lack of (or delayed) patching — long device lifecycles, certification/regulatory constraints, and fear of downtime prevent timely fixes.
  • Insecure protocols — plain-text protocols (Modbus, DNP3, older OPC) or insecure implementations lack authentication or encryption.
  • Insufficient network segmentation — flat networks allow attackers to move from IT networks to OT islands.
  • Insecure firmware update mechanisms — unsigned or unverified firmware permits tampering or supply-chain implants.
  • Insecure web/cloud interfaces & APIs — flawed authentication, insecure tokens, excessive privileges, or improper authorization.
  • Poor physical security — exposed serial ports, JTAG, or removable storage permit local compromise.
  • Lack of monitoring & logging — limited telemetry for field devices makes detection difficult.

These weaknesses often reflect trade-offs between cost, usability, legacy requirements, and operational availability.

5. Attacker motivations & likely impacts

  • Motivations: espionage, sabotage, financial gain (ransom), political objectives, or experimentation.
  • Potential impacts: process disruption (downtime), data exfiltration, altered control commands causing physical damage or safety incidents, loss of sensor integrity (false data injection), and lateral movement into corporate networks.

High-impact examples include disruptions to utilities, manufacturing shutdowns, or medical device manipulation.

6. Attack techniques & workflows

Reconnaissance & asset discovery

  • Passive discovery via network scans, broadcast protocol analysis, fingerprinting of device banners, cloud endpoint enumeration, and OSINT on vendor portals and firmware images.
  • Mapping fieldbus topologies, broker/MQTT topics, and HMI endpoints.

Credential & account attacks

  • Brute force or credential stuffing against management consoles or SSH/Telnet where present.
  • Exploitation of default credentials and discovery of hard-coded service accounts.

Protocol abuse & fuzzing

  • Malformed or unexpected payloads sent to industrial protocols (Modbus coils/registers, DNP3 requests) to cause unexpected processes or reveal behavior.
  • Abuse of protocol semantics to force unsafe states (e.g., toggling actuator states).

Firmware & supply chain attacks

  • Analysis of firmware images for secret keys, backdoors, or vulnerable third-party libraries.
  • Repackaging firmware to include malicious payloads or implant persistence.

Remote code execution & lateral pivot

  • Exploiting vulnerabilities in edge gateways, web consoles, or cloud APIs to execute code, then pivot to PLCs, HMIs, or other OT assets.

Manipulating control logic

  • Uploading altered PLC logic or configuration that changes setpoints, interlocks, or safety limits.
  • Injecting false telemetry or replaying recorded sensor data to mask malicious actions.

Denial and disruption

  • Saturation of control networks, sending invalid commands, or corrupting historical data to degrade operator situational awareness.

Stealth & persistence

  • Use of scheduled tasks, firmware implants, hidden user accounts, or covert channels (DNS tunneling, protocol channels) to persist and exfiltrate.

7. Protocols & components frequently targeted

  • Field & industrial protocols: Modbus (TCP/RTU), DNP3, IEC 60870-5-104, OPC Classic (no security), BACnet, PROFIBUS/PROFINET.
  • IoT protocols: MQTT, CoAP, UPnP, TR-069 (remote management), proprietary vendor protocols.
  • Management interfaces: Web GUIs, Telnet, SSH, SNMP, serial console.
  • Cloud & mobile control planes: vendor management portals, firmware distribution systems, remote telemetry and command APIs.

Many industrial protocols were designed for trusted environments and lack modern authentication/encryption.

8. Detection signals & monitoring guidance

  • Anomalous command sequences to PLCs or repeated unusual register writes.
  • Unexpected setpoint changes or control parameter modifications when operators did not authorize them.
  • Telemetry inconsistencies between redundant sensors or correlation mismatches (e.g., temperature drops in sensor while process logs show heating).
  • New or unknown devices on OT segments, unauthorized SSH/Telnet sessions, or device reboots outside maintenance windows.
  • Unexpected outbound connections from OT gateways to unknown internet hosts (possible C2 or exfiltration).
  • Unusual timing patterns or interleaved packets inconsistent with expected fieldbus behavior.

Effective detection relies on specialized OT-aware monitoring that understands protocol semantics and normal control flows, and on correlation with operator logs and maintenance activities.

9. Defensive controls & hardening

  • Network segmentation and air gaps: separate OT networks from IT, use one-way data diodes where appropriate, and implement strict access control between zones.
  • Least privilege & account hygiene: eliminate default credentials, enforce strong authentication, rotate device and service credentials, and use centralized credential vaults.
  • Patch & configuration management: maintain an inventory of devices, plan safe patch windows, use vendor advisories, and validate firmware integrity (signed updates).
  • Secure protocols & gateways: migrate to secure variants where feasible or employ protocol proxies that add authentication and encryption to legacy protocols.
  • Device hardening: disable unused services (Telnet, FTP), secure management ports, protect serial/JTAG with physical controls, and enable logging.
  • Supply chain controls: vet vendors, require signed firmware, verify build systems, and monitor third-party library vulnerabilities.
  • Deception & segmentation: use honeypots or decoy PLCs to detect probing and slow reconnaissance. Micro-segmentation limits lateral movement.
  • OT-aware monitoring & SIEM integration: instrument HMIs, PLCs, and gateways with telemetry; correlate with IT logs and alerts; adopt anomaly detection tuned to control semantics.
  • Incident playbooks & safety coordination: ensure IR processes include industrial safety teams and plant engineers; plan for safe shutdown/recovery phases that protect humans and equipment.
  • Backup and recovery: maintain verified backups of PLC logic/config, documented recovery steps, and air-gapped copies of critical control logic.

10. Secure architecture patterns

  • Use a zone and conduit model: demilitarized zones for bridging IT/OT, security gateways enforcing protocol translation and inspection, and strict ACLs for allowed flows.
  • Apply defense-in-depth: edge protection, gateway filtering, application allow-lists in controllers, and monitoring at multiple points.
  • Adopt strong authentication and mutual TLS for cloud/remote telemetry where possible; avoid exposing management interfaces directly to the internet.

11. Incident response considerations for OT

  • Prioritize safety: human safety and physical process stability override forensic goals. Preserve life and equipment first.
  • Rapid situational assessment: determine whether commands are malicious or process anomalies due to physical faults.
  • Controlled containment: isolate impacted segments without causing process upsets; use segmented backups to restore known-good PLC logic.
  • Evidence preservation: capture volatile logs, packet captures, and PLC program snapshots, but coordinate with operations to avoid unsafe states.
  • Cross-disciplinary IR: involve process control engineers, safety officers, vendor support, legal/regulatory staff, and communications teams.
  • Post-incident hardening: remediate root causes, validate control logic integrity, update patch/monitoring plans, and conduct tabletop exercises.

12. Real-world incidents & lessons

  • Attacks on energy grids, water treatment facilities, and industrial plants have demonstrated the real-world consequences of OT compromise. Common lessons: legacy protocol insecurity, insufficient segmentation, weak remote access controls, and supply-chain risks.
  • Notable themes: attackers often gain initial access via vendor/third-party credentials, pivot through remote management systems, and manipulate control logic to achieve objectives while masking activity.

13. Regulatory, safety & compliance considerations

  • OT environments are regulated in many sectors (energy, healthcare, transportation). Incident handling, reporting obligations, and remediation plans must consider compliance regimes and safety standards.
  • Changes to control systems can affect certifications; coordinate with regulators and third-party assessors when making major changes to production systems.

14. Exam focus & likely question areas

  • Understand the architecture differences between IT and OT and why OT security priorities differ (availability, safety, integrity).
  • Be able to explain common OT/IoT vulnerabilities (default creds, unsecured protocols, insecure firmware) and practical mitigations (segmentation, signed updates, least privilege).
  • Know detection signals that are OT-specific (unexpected register writes, setpoint changes, unusual telemetry patterns).
  • Emphasize the role of supply-chain security for firmware and vendor management.
  • Remember IR priorities for OT: safety first, then containment and forensics.

15. Quick memory hooks

  • “PHYSICAL” — Practical Hardening Is Systemically Important:
    • P = Patch & provenance (firmware integrity)
    • H = Hardening & disable unused services
    • Y = “You segment” (network segmentation)
    • S = Strong credentials & secrets management
    • I = Instrumentation & monitoring (OT-aware)
    • C = Containment & IR playbooks (safety-first)
    • A = Access control & least privilege
    • L = Logging & backups of control logic
Tags:

1 Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.