Cyber threats to industrial networks can take countless forms—from deceptively simple intrusions via unsecured connectivity with IT networks, to sophisticated attacks that target specific industrial processes, to unintentional errors made by staff. Detecting such a diverse range of threats requires overcoming a diverse range of challenges, which we outlined, along with Claroty's approach to overcoming them, in a recent blog.
Our newest video, A Story of an Alert, builds upon that blog by demonstrating a step-by-step example of how Claroty detects an intruder that enters an industrial network using credentials that were obtained through a major data breach. Targeted cyber attacks like the one depicted in this video often utilize external connections in order to exploit an unpatched vulnerability or other security weakness. These types of weaknesses are prevalent in industrial networks—and with increased connectivity in industrial environments broadening network attack surfaces, it's crucial to maintain sufficient cybersecurity controls.
In this scenario, CTD's broad spectrum of visibility, risk analysis, and threat detection capabilities worked in concert to help empower the enterprise to thwart the intruder's attempted disruption. Some key capabilities at play in this video are:
Zone Behavior: CTD virtually segments the network into Virtual Zones. These zones consist of logically related assets by type and their learned communication patterns. Assets that communicate across zones in unusual or unobserved patterns yield cross-zone policy violations and alert the system to a potential threat.
Configuration Download: CTD initiates a process integrity alert when critical network changes like configuration downloads occur. Through Claroty's superior deep packet inspection (DPI) capabilities, CTD is able to pinpoint the exact segments and lines of code changed within the configuration file. When related to a chain of potentially risky behavior, this alert is added to an alert story's root cause analysis.
Root Cause Analysis: This feature groups all events related to the same attack or incident into a single alert story, providing a consolidated view of the chain of events. The result is a higher signal-to-noise ratio, fewer false positives, reduced alert fatigue, and thus more efficient and effective triage and mitigation.
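The three capabilities above (zone behavior, configuration-download integrity alerts, and root cause grouping) can be sketched as a small piece of detection logic. The following Python is an added example written for this post; it is not Claroty's or CTD's code, and everything in it is constructed: the Virtual Zone membership, the flow records used as a learning window and as "live" traffic, the `op="config_download"` label standing in for what DPI would identify in a real protocol, and the simple chaining rule (an asset that was the destination of an earlier event inherits that event's story) used to approximate root cause analysis.

```python
"""Toy zone-behaviour baseline, process-integrity events and alert-story
grouping. Added example, not CTD code; all data below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since capture start (constructed timestamps)
    src: str
    dst: str
    proto: str       # application-protocol label, e.g. "S7comm"
    op: str = ""     # optional operation a DPI engine would label (assumed)


@dataclass
class Event:
    ts: int
    kind: str        # "cross_zone_violation" or "process_integrity"
    src: str
    dst: str
    detail: str


@dataclass
class AlertStory:
    root_asset: str  # first asset in the chain of events
    events: list = field(default_factory=list)


# Constructed Virtual Zones: asset type -> member addresses.
ZONES = {
    "HMI": {"10.0.1.10", "10.0.1.11"},
    "PLC": {"10.0.2.20", "10.0.2.21"},
    "EWS": {"10.0.3.30"},   # engineering workstation
    "IT":  {"10.10.0.5"},   # corporate jump host
}


def zone_of(ip):
    for name, members in ZONES.items():
        if ip in members:
            return name
    return "UNKNOWN"


def learn_baseline(flows):
    """Communication patterns seen during learning: (src_zone, dst_zone, proto)."""
    return {(zone_of(f.src), zone_of(f.dst), f.proto) for f in flows}


def detect_events(baseline, flows):
    """Cross-zone traffic never seen in the baseline becomes a policy violation;
    a configuration download raises a process-integrity event regardless of zone."""
    events = []
    for f in sorted(flows, key=lambda x: x.ts):
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz != dz and (sz, dz, f.proto) not in baseline:
            events.append(Event(f.ts, "cross_zone_violation", f.src, f.dst,
                                f"{sz}->{dz} over {f.proto} not in baseline"))
        if f.op == "config_download":
            events.append(Event(f.ts, "process_integrity", f.src, f.dst,
                                f"configuration download over {f.proto}"))
    return events


def build_stories(events):
    """Group events into alert stories. An event whose source asset already
    belongs to a story (as its root or as an earlier destination) is added to
    that story; otherwise it opens a new story rooted at its source."""
    stories, owner = [], {}   # owner: asset -> index into stories
    for ev in sorted(events, key=lambda e: e.ts):
        idx = owner.get(ev.src)
        if idx is None:
            idx = len(stories)
            stories.append(AlertStory(root_asset=ev.src))
            owner[ev.src] = idx
        stories[idx].events.append(ev)
        owner.setdefault(ev.dst, idx)
    return stories


# Constructed learning window: HMIs poll PLCs, the EWS reads from a PLC.
BASELINE_FLOWS = [
    Flow(1, "10.0.1.10", "10.0.2.20", "S7comm"),
    Flow(2, "10.0.1.11", "10.0.2.21", "S7comm"),
    Flow(3, "10.0.3.30", "10.0.2.20", "S7comm"),
]

# Constructed "live" traffic: a jump host reaches the EWS, which then pushes a
# configuration to a PLC; later an HMI makes an unrelated unseen connection.
LIVE_FLOWS = [
    Flow(100, "10.0.1.10", "10.0.2.20", "S7comm"),
    Flow(200, "10.10.0.5", "10.0.3.30", "RDP"),
    Flow(260, "10.0.3.30", "10.0.2.20", "S7comm", op="config_download"),
    Flow(400, "10.0.1.11", "10.0.2.21", "S7comm"),
    Flow(500, "10.0.1.10", "10.0.3.30", "HTTP"),
]


def analyze(baseline_flows=BASELINE_FLOWS, live_flows=LIVE_FLOWS):
    return build_stories(detect_events(learn_baseline(baseline_flows), live_flows))


if __name__ == "__main__":
    for i, story in enumerate(analyze()):
        print(f"story {i}: root {story.root_asset}")
        for ev in story.events:
            print(f"  t={ev.ts} {ev.kind}: {ev.src} -> {ev.dst} ({ev.detail})")
```

Running it yields two stories: the first is rooted at the IT jump host and contains both the cross-zone violation into the engineering zone and the subsequent configuration download to the PLC, so the analyst sees one chain rather than two disconnected alerts; the second holds only the HMI's unseen connection. The zone-level baseline is what keeps normal EWS-to-PLC engineering traffic quiet while the download itself still surfaces as a process-integrity event.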
To support—and in many cases, mitigate the need for—these threat detection capabilities, CTD provides insights into the inherent risks present within a network such as critical misconfigurations, unsecured protocols, and unreliable, unmonitored, and inefficient remote access mechanisms.