Scribd
Upload
232 views14 pages

Grassmarlin

The document describes Grassmarlin, a passive network mapping tool for industrial control systems. It was created to identify IP-based devices on ICS/SCADA networks while avoiding risks to availability and safety. Grassmarlin can map logical and physical network structures from packet captures and device configurations. It correlates traffic with a knowledge base to identify devices. The tool provides visibility but cannot actively detect intrusions or remove no-longer present devices from its maps.

Uploaded by

George Carvalho
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
232 views14 pages

Grassmarlin

The document describes Grassmarlin, a passive network mapping tool for industrial control systems. It was created to identify IP-based devices on ICS/SCADA networks while avoiding risks to availability and safety. Grassmarlin can map logical and physical network structures from packet captures and device configurations. It correlates traffic with a knowledge base to identify devices. The tool provides visibility but cannot actively detect intrusions or remove no-longer present devices from its maps.

Uploaded by

George Carvalho
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

GRASSMARLIN

NSA, IAD, I4 – Fusion, Analysis, and Mitigations


Motivating Factors

• Blue Teams did not conduct assessments on


ICS/SCADA networks for risk of physical impact
• Minimum situational awareness of devices
connected to ICS/SCADA networks
• Lack of GOTS or COTS solutions specifically
designed for this technology space
How would you passively identify IP-based
devices on your ICS/SCADA network?

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Constraints & Limitations

• Maintaining ICS/SCADA system availability is


paramount
– Cyber/Physical system faults/failures could result in
• Loss of life
• Loss of revenue
• Loss of equipment
• Environmental damage
• Loss of service
• Primary data acquisition - PASSIVE

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Goals

• Enable Blue Team capabilities on live


ICS/SCADA IP networks while rigorously
managing risk of harm to the network, process,
or physical plant
• Ability to run stand-alone, outside a Blue Team
environment for other DoD customers
• Facilitate the development of an ICS/SCADA
Knowledge Base

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


What is GRASSMARLIN?

• Passive Network Mapping Tool


• Lightweight, Java Based graphical tool
• Can be used to do some initial analysis work but
is not an analysis engine
• Runs in Windows and some versions of Linux
• Two views: Logical and Physical

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


GRASSMARLIN

ALL IPs USED ARE FOR DEMO PURPOSES

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Current Capabilities
Logical View

ALL IPs USED ARE FOR DEMO PURPOSES

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Current Capabilities
Logical View
• Map IP networks from PCAPs
• Ability to do live capture
• Draws a logical map of connections: both one
way and two way connections
• Ability to bring up a specific packet in Wireshark
• All traffic (live or ingested) is run against the
knowledge base

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Knowledge Base

• Consists of the GeoIP database, fingerprints and


Vendor IDs
• Displays the country’s flag based on the GeoIP
• Vendor IDs identify the vendor of the Network
Interface Card (NIC)
• Currently over 100 fingerprints, but continues to
expand as we get more data
• Fingerprints are based on the contents of the
individual packet
• Ability for users to create custom fingerprints
I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)
Current Capabilities
Physical View

• Phase 1 of implementation
• Renders a visual representation of the physical
network
• The current implementation of the physical view
can only be rendered through the ingest of the
results of “show” commands.
• Requires the result of three Cisco commands
– show running-config
– show ip arp *OR* show mac address-table
– show interfaces

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Current Capabilities
Physical View

ALL IPs USED ARE FOR DEMO PURPOSES


I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)
Current Capabilities
Physical View

ALL IPs USED ARE FOR DEMO PURPOSES


I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)
Common Misconceptions

• GM is currently limited to ingest smaller size pcaps (About


half your available memory)
• Cannot ingest GB upon GB of data
• Shows when hosts appear in a network but does not
remove the host if the host leaves the network
• Is not meant to turn hosts red or do intrusion detection
• Can only see and map hosts based on where you are
capturing data from
• Not an active tool
• Cannot capture serial data

I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)


Questions?
I4 – FUSION, ANALYSIS, AND MITIGATIONS (FAM)

You might also like