Jake Williams is the founder and president of the information security firm Rendition Infosec. Williams is a former U.S. government hacker with two decades of experience in information security. He now works with organizations all over the globe to evaluate security, build monitoring programs and investigate cyber intrusions.
understand that once attackers exploit a victim through phishing emails, they are already operating inside the firewall. While most firewalls block network traffic inbound, they generally allow all
Even in cases where the firewall was configured to block some outbound traffic, attackers quickly figure out how to exfiltrate data via authorized protocols and network destinations. Attackers have toolkits built to facilitate this type of activity. Attackers and researchers have built tools to steal data and operate in the network using authorized applications such as Gmail, Dropbox, network ping packets, DNS (domain name to IP address resolution) and many more commonly authorized applications.
Endpoint monitoring inside the network is required to find the attacker operating in the network. Endpoint monitoring will aggregate event logs at a security information and event management system (SIEM) where investigators can easily observe attacker activity patterns that are impossible to see otherwise. In addition, a SIEM is very useful for discovering insider threats (e.g. mass theft of customer data).
It is worth noting that while a SIEM can be a costly investment, many managed security service providers can lease SIEM hardware and software and provide monitoring at a price point that is well within operational expenditure (OPEX) levels. Building a security monitoring architecture that will detect attackers in the IT network before they can even attempt the transition to the OT network need not require a capital expenditure (CAPEX) budget cycle.
This should remove barriers to adoption and give utility organizations the tools they need to minimize the threat to the IT network, in turn maximizing the security of the OT network.
Defenders need only to look for this traffic to discover that networks have been inadvertently (or maliciously) bridged.
In the case of a firewall, detection of attackers moving to the OT side is even easier. If attackers wish to move between the IT and OT networks, they must cross through the firewall. Centralized logging of firewall connection blocks and network flows will easily reveal movement from IT to OT. As attackers try to discover what ports and protocols are allowed through the firewall, they will inevitably make noise. This noise is easily discovered if the network is baselined and firewall logs are being monitored.
Finally, cross domain solutions (aka data diodes) are the form of network bridge at which attacker movement is easiest to detect. Because the data diode validates data types moving from IT to OT (and vice versa), the attacker must create data that appears valid to the data diode but also serves some malicious purpose on the OT network. This is far from easy (but is possible) and requires much trial and error. Each failure will create alerts at the cross domain solution, which should be investigated immediately.
FINDING ATTACKERS IN THE IT NETWORK AND KEEPING THEM OUT OF OT
As mentioned earlier, cyber attackers almost always enter the network from the IT side. The most common route for this is via phishing emails. Through good continuous security monitoring, organizations can quickly determine when they have been breached and have attackers operating in the network. User awareness education, while important, is not enough to secure the IT network from phishing threats.
Many utility companies only have monitoring in place at the boundary firewall. While this is better than nothing, it is far from ideal. It is important to
• Cross Domain Solution (Data Diode)
A data diode or cross domain solution can be thought of as a “data aware” firewall. Rather than simply allowing any traffic across a particular port, the data diode performs content inspection to ensure that data is well formed and does not violate integrity constraints. While it is not impossible for an attacker to transfer data that could be used in an attack, it makes the attacker’s job much harder.
MONITORING THE IT-OT GAP
Why should organizations care about the methods used to separate IT from OT? The security mechanism used by the organization dictates the methods the attacker must use to try to compromise the OT network.
In the case of an airgap, the attacker must locate workstations where systems administrators move data using USB drives or burn CDs or DVDs to move data across the airgap. An attacker can query registry values enterprise wide from a domain admin account to locate those machines and user accounts that are most likely involved with moving data.
Of course, an attacker can also use physical hardware to bridge the airgap if he or she can obtain physical access. In both cases, a physical hardware bridge and scanning remote registries to locate users who transfer data, continuous network monitoring discovers these events with ease. Registry queries create entries in the event logs on Windows endpoints and will also create event logs at the domain controller. In most cases, NetBIOS and LLMNR queries from the airgapped OT network will be present in the network traffic of the IT network.
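The two detections described above, as an added example that is my own code and not from the article or Rendition Infosec: one function finds accounts reading the USB device-history key (USBSTOR) across many endpoints, the other finds OT-range hosts whose LLMNR or NetBIOS name queries show up on the IT network. The SIEM field names, address ranges and sample records are constructed assumptions; LLMNR on UDP/5355 to 224.0.0.252 and NetBIOS name service on UDP/137 broadcast are the real protocol values.

```python
import ipaddress
from collections import defaultdict

# Assumed address range of the airgapped OT network (constructed for this example).
OT_NET = ipaddress.ip_network("10.9.0.0/16")
# Key under which Windows records USB storage devices that have been attached to a host.
USB_KEY = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
# LLMNR uses UDP/5355 to multicast 224.0.0.252; NetBIOS name service uses UDP/137 broadcast.
NAME_RESOLUTION_PORTS = {5355, 137}

def reg_event(user, src, host, key=USB_KEY):
    """Build a constructed, SIEM-normalized record of a remote registry read (assumed schema)."""
    return {"user": user, "src": src, "host": host, "key": key}

# Constructed endpoint audit records: one domain admin sweeps six workstations for USB
# history, a helpdesk account checks a single machine, and one read targets an unrelated key.
REGISTRY_EVENTS = [reg_event("CORP\\da-jsmith", "10.1.2.2", f"WS-01{n:02d}") for n in range(1, 7)]
REGISTRY_EVENTS.append(reg_event("CORP\\helpdesk1", "10.1.3.9", "WS-0107"))
REGISTRY_EVENTS.append(reg_event("CORP\\da-jsmith", "10.1.2.2", "WS-0108", r"HKLM\SOFTWARE\Corp\Agent"))

# Constructed name-resolution packets captured on the IT network segment.
NAME_QUERIES = [
    {"src": "10.1.4.15", "dst": "224.0.0.252", "dport": 5355},   # normal IT client
    {"src": "10.9.3.40", "dst": "224.0.0.252", "dport": 5355},   # OT host: should never be seen here
    {"src": "10.9.3.40", "dst": "10.1.255.255", "dport": 137},
    {"src": "10.1.4.16", "dst": "10.1.255.255", "dport": 137},
    {"src": "10.9.3.41", "dst": "10.1.0.53", "dport": 53},       # unicast DNS, not a name broadcast
]

def registry_sweeps(events, min_hosts=5):
    """Accounts that read the USBSTOR key on at least min_hosts distinct endpoints.
    Returns {account: sorted hosts}; a few reads by an admin are normal, a sweep is not."""
    per_user = defaultdict(set)
    for e in events:
        if e["key"].upper().startswith(USB_KEY.upper()):
            per_user[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in per_user.items() if len(h) >= min_hosts}

def ot_hosts_on_it_wire(queries):
    """Sources in the OT range whose LLMNR/NetBIOS queries were seen on the IT network,
    which means the two networks are bridged somewhere."""
    return sorted({q["src"] for q in queries
                   if q["dport"] in NAME_RESOLUTION_PORTS
                   and ipaddress.ip_address(q["src"]) in OT_NET})

if __name__ == "__main__":
    print("registry sweeps:", registry_sweeps(REGISTRY_EVENTS))
    print("OT hosts seen on IT wire:", ot_hosts_on_it_wire(NAME_QUERIES))
```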