Active cyber defense cycle: Asset identification and network security monitoring
Understanding and monitoring networked infrastructure is the key to identifying cyber attacks. This is the reason that the second phase of the Active Cyber Defense Cycle (ACDC) is asset identification and network security monitoring. The first portion of this phase, asset identification, serves multiple purposes inside an industrial control system (ICS). Knowing the network infrastructure, where assets are, and what the network flows and topologies look like ensures that operations personnel know not only what must be secured but also what normal operations look like, which is also useful for troubleshooting and network configuration. Identifying peak usage, detecting failing devices, and validating the authenticity or integrity of device reporting from the field aids the availability and performance of oil and gas operations. Oil and gas networks are relatively static, especially compared to enterprise IT environments. There should not be thousands of users surfing the Internet, and changes to infrastructure are more tedious and made over much longer product life cycles. This gives defenders an opportunity to truly understand the network and its assets. There are four basic ways to identify assets and their communications.
Rule one in security: Know thyself
The four basic approaches to performing asset identification are:
- Physical inspection
- Configuration file analysis
- Passive scanning
- Active scanning
Physical inspection of assets can be tedious, especially in a distributed SCADA environment, but it is useful and the least impactful to operations. While the other methods of detecting assets can be helpful, there is always a risk that some will be missed. As an example, some legacy systems simply do not communicate via the network, or do not communicate often. Laying eyes on these devices and noting where they are can be the only way to positively identify them. Physical inspection should also be used to identify networked devices that hold configuration files, such as network switches, so that those files can then be reviewed. Additionally, physical inspection should be performed periodically when possible to validate the findings of the other methods.
Analyzing the configuration files on devices such as network switches can reveal registered devices. Every time a device connects to an Ethernet based network it registers itself with the network, usually through an address resolution protocol (ARP) request. This registration is stored on the switch to map the Ethernet (MAC) address to the Internet Protocol (IP) address. Reviewing these files can show what is, or has been, on the network. When devices such as network switches are managed infrastructure, there is often an option to capture the network traffic required for passive scanning. Mirror ports on network switches, taps at key points, or hubs on smaller networks are important ways to capture network traffic without impacting operations. The captured data can be reviewed in free and open source network tools such as tcpdump or Wireshark. Features in tools such as Wireshark, including the “endpoints” and “conversations” views, can precisely identify assets and their normal communication patterns, which can be recorded and reviewed over time. Passive scanning, or traffic analysis, often has the best return on investment for quickly and efficiently performing asset identification.
Active scanning on ICS networks should almost always be avoided. It is difficult to say that active scanning, or sending communications to devices and waiting for responses, should never be employed, but the acceptable situations are few and far between. Interacting with sensitive devices in unexpected ways can often impact operations or crash the assets. Additionally, network devices such as proxies and firewalls often, and understandably, block unsolicited communications, so the network architecture maps returned by active scanning are incomplete. Lastly, sending communications across the network distorts the communication patterns on the network, making them difficult to accurately identify and baseline. This baseline of communications is vital for network security monitoring.
Network security monitoring
Defenders can monitor the network to identify indications of malicious activity such as anomalies or deviations from the normal operation of the network. Network security monitoring builds on a good understanding of the network and its assets to identify changes that occur over time. Spikes in bandwidth usage, new devices appearing on the network, assets communicating with unusual IP addresses, or an increase in security alerts from firewalls or intrusion detection systems can all be cause for concern that must be investigated. Network security monitoring emphasizes three steps to perform the type of monitoring required to detect threats. The three steps are:
- Collection
- Detection
- Analysis
Defenders should use their knowledge of the network to collect important data. These data come in different types, such as full content data, statistical data, alert data, and more. As an example, full content data such as network packet captures reveal the activity on a network and its true usage. Anything an adversary does over a network is captured and can be investigated there. In an ICS environment, learning how to get the data the first time can be the most difficult challenge, but after the initial collection it is a sustainable process. For example, logs from field devices are often available in the form of syslog on logic controllers, but syslog is often disabled by default. Enabling it can be a long process, but once the data are there and sent to a central location for collection it is a manageable process. In enterprise IT environments the sheer volume of data can make collection cumbersome and storage difficult. In oil and gas networks, however, a relatively small amount of storage can be used to maintain vital data over long periods of time. The small and static networks, compared to traditional IT networks, are one of the defender’s best advantages.
Defenders can detect threats with the right collected data. Changes to the network, or breaks from the baseline, are the best method to detect threats. Traditional systems often provide valuable alert data that, when collected and correlated, can reveal an adversary’s presence. For example, detecting failed logins on a human machine interface and then finding that there were intrusion detection system alerts a few hours previous to that event on another segment of the network might reveal an adversary moving through the environment. However, it is important to defeat false positives. False positives are cases where a threat is detected but turns out not to be a true threat. The activity may have looked malicious, such as new communications leaving the network, but may have been something mundane such as a previously authorized diagnostics action. Analyzing the detected threats to confirm they are real is important to ensure that defenders do not exhaust themselves or their management. Analysis by personnel ensures that false positives are disregarded while true positives, where a threat is accurately identified, are given proper attention. When true positives are found by the network security monitoring personnel it is often reason for incident response. This leads to the next phase of ACDC, which will be discussed in part three of this series.
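As an added example, not from the article or from the author's or Dragos' tooling, the following Python sketch ties together the passive asset identification described earlier (a Wireshark-style endpoints and conversations view built from captured traffic) with the baseline comparison that network security monitoring relies on. The flow records, the plant subnet, the addresses and the device roles are all constructed assumptions standing in for a mirror-port capture.

```python
import ipaddress
from collections import Counter
PLANT_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed plant subnet (constructed)

# Constructed flow records, not from the article: (src_ip, dst_ip, proto, dst_port, bytes),
# as a baseline window captured from a switch mirror port during known-good operations.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.1.20", "tcp", 502, 1200),  # HMI -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.1.21", "tcp", 502, 1100),
    ("10.1.1.50", "10.1.1.10", "tcp", 3389, 5000),  # engineering workstation -> HMI
    ("10.1.1.20", "10.1.1.5", "udp", 514, 300),  # PLC -> syslog collector
    ("10.1.1.21", "10.1.1.5", "udp", 514, 280),
]
# A later window from the same mirror port, with two changes a defender should notice.
CURRENT_FLOWS = BASELINE_FLOWS + [
    ("10.1.1.77", "10.1.1.20", "tcp", 502, 900),  # unknown host polling a PLC
    ("10.1.1.10", "203.0.113.9", "tcp", 443, 40000),  # HMI reaching off the network
]

def is_internal(ip):
    """True when the address belongs to the plant subnet."""
    return ipaddress.ip_address(ip) in PLANT_NET

def endpoints(flows):
    """Wireshark 'Endpoints'-style view: bytes seen per IP address in either direction."""
    seen = Counter()
    for src, dst, _proto, _port, nbytes in flows:
        seen[src] += nbytes
        seen[dst] += nbytes
    return seen

def conversations(flows):
    """Wireshark 'Conversations'-style view: bytes per (src, dst, proto, dst_port)."""
    conv = Counter()
    for src, dst, proto, port, nbytes in flows:
        conv[(src, dst, proto, port)] += nbytes
    return conv

def deviations(baseline, current):
    """Findings for anything in 'current' that the baseline window never showed."""
    findings = []
    known_ips = endpoints(baseline)
    for ip in endpoints(current):
        if ip not in known_ips and is_internal(ip):
            findings.append(("new_asset", ip))  # a plant device that was never inventoried
    known_conv = conversations(baseline)
    for key in conversations(current):
        if key not in known_conv:  # new pair, protocol or port: investigate before alarming
            kind = "external_destination" if not is_internal(key[1]) else "new_conversation"
            findings.append((kind, key))
    return findings
```

Each finding is a lead for the analysis step, not a verdict: the unknown host may be a newly commissioned device and the external destination an authorized diagnostics session, which is exactly the false-positive triage the text describes.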
Part 3 coming August: Incident response
– Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC, which developed a passive asset discovery and visualization software tool. Lee is a PhD candidate at Kings College London researching control system cyber security. He is the course author of SANS ICS 515: Active Defense and Incident Response, the author of the book SCADA and Me, and a U.S. Air Force Cyber Warfare Operations Officer.