Detect: Monitoring, Identifying, and Responding to Industrial Cyber Threats
By The Claroty Team | June 16, 2021
This is the third installment in a four-part series offering an in-depth breakdown of the four essential pillars of industrial cybersecurity: Reveal, Protect, Detect, and Connect. The objective of this series is to help security leaders understand the unique challenges of meeting these needs in an industrial context, as well as the time and resources Claroty has invested into cohesively addressing these challenges in an unparalleled manner.
A harsh reality of cybersecurity is that even the most state-of-the art protective controls cannot fully eliminate risk. As such, the ability to detect, investigate, and respond to potential threats quickly and effectively when they do surface is imperative.
Barriers to Industrial Cyber Threat Detection
As is the case with gaining visibility into industrial environments, threat detection is significantly more challenging when dealing with operational technology (OT) for myriad reasons:
Incompatibility with Traditional Tools
The wide range of proprietary, vendor-specific OT protocols used in industrial assets are not always compatible with traditional threat detection tools. Using IT-centric threat detection tools on OT assets can lead to downtime, and an overwhelming barrage of false positives and negatives.
Size and Complexity of OT Environments
The intricacy of large-scale, multi-site industrial networks can make it difficult to identify deviations from an accepted baseline.
As industrial networks increasingly blur the lines between IT and OT, defenders need a holistic solution that can detect threats across these increasingly interconnected environments.
Industrial Cybersecurity Expertise Gap
Many security teams are trained solely to resolve IT-centric incidents, and lack the OT-specific knowledge needed to defend industrial environments.
The complexity of these challenges greatly limits the efficacy of a one-size-fits-all approach for detecting known and unknown industrial cyber threats, automatically weeding out false positives, and giving you clear direction on how to take action. As such, Claroty Continuous Threat Detection (CTD) leverages five separate detection engines to provide our customer full, accurate, real-time coverage across their industrial environments:
It’s all too common for signs of malicious activity to go undetected until they cause significant damage to network operations, because many enterprises lack the capabilities and know-how to detect these threat signatures as they enter and traverse the network.
Claroty CTD’s Known Threats engine leverages an extensive database of signatures and indicators of compromise to identify known threats, while providing the context needed to mitigate these threats during their early stages.
When dealing with previously unknown threats, one of the most effective detection methods is to identify deviations in typical communications between assets, zones, and other components of your industrial network. But given the size and complexity of these environments, what qualifies as “normal” may vary widely on a zone-by-zone basis, and without the right capabilities in place, your SOC team may be inundated with false positives that detract from its ability to focus on the threats that matter most.
Claroty CTD’s Anomaly Detection engine identifies deviations from typical communication patterns within your network, from unusual code functions being used by human-machine interfaces (HMI) to specific tag names or values.
It’s not uncommon for network intruders to use known techniques, such as phishing or vulnerability exploitation to enter industrial networks and camp out for weeks, months, or even years. This prolonged presence enables the intruder to collect potentially valuable information from the network, without ever delivering a payload that would be recognized as a known threat signature.
Claroty CTD’s Security Behaviors engine identifies the behavior patterns behind IT and OT-specific network intrusion methods, enabling security teams to detect and eliminate the presence of covert threat actors.
In some cases, seemingly routine actions—such as configuration changes and firmware upgrades—may actually be the work of a discrete threat actor taking careful measures to avoid detection. With taking context into consideration, these operations are often routine and not a cause for alarm. But concerningly, these behaviors can have significant impacts on plant operations and the safety of personnel if abnormal behaviors carried out by a threat actor are left unchecked.
To address this challenge, Claroty CTD’s Operational Behaviors engine identifies actions taken within your industrial environment—such as configuration changes and firmware upgrades—across proprietary and open-source protocols. To support ongoing investigations, CTD is able to apply context to the details that surround ongoing operations to check for signs of malicious behavior.
No two industrial networks are alike, and detection requirements may vary on a case-by-case basis. As such, security teams need a flexible, highly customizable solution that can be tailored to the specific circumstances of the environment they’re tasked with defending.
Created for the varying needs of our customers, Claroty CTD’s Custom Rules engine detects specific, user-defined events, including out-of-range values or specific communications, allowing users to tailor threat detection to the unique needs of their network. This detection engine is arguably the most flexible in terms of application and relies on specific, user-defined events to send alerts. For example, an operation could use the Custom Rules engine to design a preventative maintenance program surrounding changes in packet behavior. A rule can be created that will observe packet traffic on the network and alert when this traffic begins to show abnormalities, an event which often precedes unscheduled downtime.
Beyond Detection: Investigation and Remediation
The purpose of detecting threats is to mitigate those which pose risk to your organization. But to determine which threats to focus on, your team needs the ability to make sense of what’s being detected within your organization’s industrial environment. This is another area where the sheer size and complexity of enterprise industrial networks comes into play; without the right capabilities in place, security personnel can be flooded with an overwhelming barrage of alerts that do little to inform risk-mitigation decisions. To overcome this challenge, security teams need sophisticated alert management, investigation, and remediation capabilities, including:
Threat-actor activities within an industrial network are not carried out in the form of singular events, but rather as chains of events that occur as an adversary enters and moves about the network to fulfill their objectives. If SOC personnel are notified of each individual action taken by threat actors during this process as a separate alert, they are ill-equipped to assess and remediate the situation at hand in a timely manner.
Created to address the need for SOC personnel to quickly understand the big-picture story behind a series of alerts, The Claroty Platform’s Root Cause Analysis groups alerts for interrelated events to provide a consolidated, contextualized view of events across the cyber kill chain. For alerts concerning remote sessions, Claroty Secure Remote Access (SRA) offers the ability to review a video recording of a session or watch the session live if it is still ongoing. By leveraging these capabilities, your team can spend less time trying to connect the dots to determine what’s happening, assess potential threats with greater accuracy, and respond faster and more effectively.
Contextualized Risk Scoring
Even with strong capabilities in place to weed out false positives, security teams inevitably face more alerts than they are capable of addressing in a given day, especially when dealing with industrial environments or critical infrastructure, which have a notoriously low tolerance for downtime. As such, alert prioritization is crucial.
Not all industrial assets are of equal criticality, and as such, the extent to which an anomaly could indicate potential risk to your business can vary based on which portions of your network are affected. Another major variable that should be taken into consideration is whether the alert appears to be part of a chain of events indicative of malicious activity, as described in the previous section.
The Claroty Platform takes all of these factors into consideration with its contextualized alert scoring, which provides a single metric that quantifies risk criticality based on the unique circumstances which triggered the alert.
Expert Guidance and Support
In response to digital transformation increasing industrial assets’ exposure to cyber risk, many enterprises are expanding the scope of their traditionally IT-centric SOCs to cover OT cyber threats as well. However, this is a relatively new phenomenon, and as such, even highly experienced security personnel may have limited experience dealing with OT. The Claroty Platform is backed by the renowned expertise of The Claroty Research Team, which provides customers with the latest remediation guidance and signatures.
To learn more about how Claroty can enable your business by empowering your team to more effectively monitor, identify, and respond to industrial cyber threats, request a demo.