As digital transformation efforts continue to expand, once-isolated industrial networks are being connected to the outside world. While this connectivity brings large gains in operational efficiency, it also means that critical infrastructure organizations are exposed to external threats. From deceptively simple intrusions via unsecured connections to IT networks to sophisticated attacks that target specific industrial processes, detecting such a diverse range of threats requires overcoming a diverse range of challenges. In a recent video, A Story of An Alert, Claroty outlines why these critical environments require stronger and more resilient security controls to protect against new attack vectors. Throughout this blog, we will break down the story of an alert and how Claroty detects external threats to minimize risk.
External threats refer to the potential exploitation of system vulnerabilities from outside of an organization, typically through the use of malicious software, hacking, sabotage, or social engineering. Analyzing external threats refers to the process of identifying and evaluating the aforementioned potential threats that can arise externally. In mission-critical environments, external threats can have the ability to impact more than just productivity, data, or financial loss. If the cyber-physical systems (CPS) that underpin critical infrastructure organizations are successfully attacked, the incident can have physical implications such as equipment failure, supply chain disruptions, or even safety hazards for employees and the public, among others.
External cyber attacks on critical infrastructure organizations are typically carried out by increasingly sophisticated cyber criminals who understand that these environments cannot withstand downtime and therefore have a high willingness to pay ransom. In Claroty’s Story of an Alert video, we detail an external cyber attack carried out on a manufacturing plant. In this scenario, the intruder executed a credential stuffing attack, in which credentials obtained from a previous data breach were used to log into another, unrelated service. Having gained unfettered access to the environment, the hacker was able to connect to an engineering workstation remotely. Once in an operationally critical part of the network, the hacker commenced the attack by downloading a new configuration file to a PLC connected to the compromised engineering workstation. The newly downloaded configuration file then instructs the PLC to disable a critical process, which can have dire physical ramifications for the machinery it operates, resulting in safety hazards for plant staff or equipment failures that lead to factory downtime. If this organization had conducted ongoing external threat analysis, it could have identified the chain of events surrounding the intrusion and acted to stop the intruder before the attack was carried out. In the next section, we will examine how industrial organizations can build a strong cybersecurity posture to ensure that attacks like these, which occur across the globe daily, are thwarted.
No matter your level of visibility, threat detection, or the vulnerability management controls you implement to manage risk, you cannot completely eliminate it. That's why Claroty works with critical infrastructure organizations to identify, prioritize, and respond to threats in the event that hackers are able to penetrate network security controls. In the scenario described above, Claroty Continuous Threat Detection (CTD) could have been used to help mitigate the attempted disruption. CTD’s broad spectrum of visibility, risk analysis, and threat detection capabilities are orchestrated to defend against the following disruptions carried out by the cyber criminal in A Story of an Alert:
Zone Behavior: CTD virtually segments the network into Virtual Zones. These zones consist of logically related assets by type and their learned communication patterns. Assets that communicate across zones in unusual or unobserved patterns yield cross-zone policy violations and alert the system to a potential threat.
Configuration Download: CTD initiates a process integrity alert when critical network changes like configuration downloads occur. Through Claroty's superior deep packet inspection (DPI) capabilities, CTD is able to pinpoint the exact segments and lines of code changed within the configuration file. When related to a chain of potentially risky behavior, this alert is added to an alert story's root cause analysis.
Root Cause Analysis: This feature groups all events related to the same attack or incident into a single alert story, providing a consolidated view of the chain of events. The result is a higher signal-to-noise ratio, fewer false positives, reduced alert fatigue, and thus more efficient and effective triage and mitigation.
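To make the three detection ideas above concrete, here is an added example (not Claroty CTD's code or data model) that learns a zone-to-zone communication baseline from constructed flow records, raises cross-zone and configuration-download alerts on the incident traffic from the story, and chains alerts that share an asset into a single alert story. Asset names, zone names and protocol labels are all assumed sample values.

```python
from collections import defaultdict

# Constructed sample data; an illustration of the post's detection ideas,
# not Claroty CTD's own code or data model.
ZONES = {"vpn-gw": "IT-Remote", "eng-ws-01": "Engineering",
         "plc-01": "Control", "hmi-01": "Control"}

# Flows observed during the learning period: (src, dst, protocol, action)
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", "s7comm", "read"),
    ("hmi-01", "plc-01", "s7comm", "write"),
    ("eng-ws-01", "plc-01", "s7comm", "read"),
]

# Constructed flows mirroring the incident in the post
INCIDENT_FLOWS = [
    ("hmi-01", "plc-01", "s7comm", "read"),               # normal HMI polling
    ("vpn-gw", "eng-ws-01", "rdp", "login"),              # remote access into Engineering
    ("eng-ws-01", "plc-01", "s7comm", "config_download"),  # new PLC configuration pushed
]

def zone(asset):
    return ZONES.get(asset, "Unknown")

def learn_zone_baseline(flows):
    """Virtual-zone baseline: the (src_zone, dst_zone) pairs seen during learning."""
    return {(zone(s), zone(d)) for s, d, _, _ in flows}

def detect(flows, baseline):
    """Zone Behavior + Configuration Download checks; returns alerts in flow order."""
    alerts = []
    for seq, (src, dst, proto, action) in enumerate(flows):
        pair = (zone(src), zone(dst))
        if pair not in baseline:   # unobserved cross-zone communication
            alerts.append({"seq": seq, "type": "cross_zone", "src": src, "dst": dst,
                           "detail": f"{pair[0]}->{pair[1]} via {proto}"})
        if action == "config_download":   # process-integrity event
            alerts.append({"seq": seq, "type": "config_download", "src": src, "dst": dst,
                           "detail": f"{proto} configuration download to {dst}"})
    return alerts

def build_alert_stories(alerts):
    """Root Cause Analysis: an alert joins the first story that shares an asset with it;
    otherwise it opens a new story. The first alert in a story is its root cause."""
    stories = []
    for a in sorted(alerts, key=lambda x: x["seq"]):
        for story in stories:
            if a["src"] in story["assets"] or a["dst"] in story["assets"]:
                story["assets"].update({a["src"], a["dst"]})
                story["alerts"].append(a)
                break
        else:
            stories.append({"assets": {a["src"], a["dst"]}, "alerts": [a]})
    return stories
```

Running `build_alert_stories(detect(INCIDENT_FLOWS, learn_zone_baseline(BASELINE_FLOWS)))` yields one story whose root cause is the unobserved IT-Remote to Engineering connection, with the PLC configuration download chained to it; the routine HMI read produces no alert.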
Claroty CTD is a robust solution that delivers comprehensive cybersecurity controls for all critical industrial environments. By enabling organizations to gain full-spectrum visibility across the extended internet of things (XIoT), CTD provides effective network protection, vulnerability and risk management, and threat detection capabilities. With five detection engines, CTD automatically profiles all assets, communications, and processes in your industrial environment, generates a behavioral baseline that characterizes legitimate traffic to weed out false positives, and alerts you in real time to known and emerging threats. This level of external threat analysis helps ensure critical infrastructure organizations are prepared when threats like the credential stuffing attack emerge within their environment. As digital transformation initiatives and the expansion of remote workforces continue to transform enterprises, it is now more important than ever to implement robust security controls that ensure the continuity of cyber and operational resilience.