Industrial control systems (ICS) have the unfortunate distinction of being difficult to secure while also being prime targets for nation-state attackers. Their combination of aging hardware and software with a justified, extreme risk aversion makes ICS difficult to update, difficult to monitor, and difficult to protect against sophisticated attackers.
The vulnerability of ICS became all the more salient on March 15 when US-CERT issued a significant alert about Russian government cyber activity targeting energy and other critical infrastructure sectors that rely heavily on ICS.
ExtraHop Reveal(x) allows Industrial Control Systems (ICS) customers to achieve the level of awareness needed to detect malicious behavior via agentless, real-time traffic analysis, asset/service discovery, and native Modbus TCP/IP fluency. Regardless of the type of ICS platform, if it communicates on an IP network, its traffic and connectivity can be monitored and anomalous behavior automatically surfaced.
Out of the box, Reveal(x) is able to reveal the specific actions on objectives described in this alert. Some examples:
- Identifying and browsing file servers within the victim's network. File servers can be identified in numerous ways, including port scans and DNS reverse lookups, both of which are detectable with real-time network traffic analysis. Thanks to native CIFS/NFS/iSCSI fluency, Reveal(x) can also detect the threat actors' anomalous browsing of files.
- Privileged credentials used to access domain controllers via RDP. This type of lateral movement is inherently surfaced by monitoring the network behavior of critical assets such as domain controllers. Native Kerberos, LDAP, and RDP protocol support readily reveals privileged account use and anomalous RDP connections.
- Usage of the PsExec tool to execute commands across the network. Reveal(x) can readily detect PsExec and surface the precise commands being executed via the PsExec Detection Bundle.
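The three behaviours in the list above (port-scan and reverse-lookup reconnaissance of file servers, and PsExec lateral movement) each leave a footprint in network metadata. The following is an added example, not ExtraHop's code or part of the original post; it runs simple detection heuristics over constructed flow, DNS and CIFS records of the kind a passive sensor extracts from traffic. The thresholds and window sizes are assumptions chosen for illustration, and the PsExec indicator used is the well-known write of the PSEXESVC service binary into the target's ADMIN$ share.

```python
"""Detection heuristics for reconnaissance and lateral-movement behaviours,
run over constructed sample records (not captured traffic)."""
from collections import defaultdict

# Constructed sample data. Fields mirror what a network sensor extracts
# from flows, DNS transactions and CIFS/SMB transactions.
FLOWS = [  # (timestamp_s, src_ip, dst_ip, dst_port)
    (100 + i, "10.1.1.50", "10.1.2.10", 1 + i) for i in range(25)
] + [
    (200, "10.1.1.20", "10.1.2.10", 445),   # ordinary SMB access
    (201, "10.1.1.20", "10.1.2.11", 445),
]
DNS_QUERIES = [  # (timestamp_s, src_ip, qname, qtype)
    (300 + i, "10.1.1.50", f"{i}.2.1.10.in-addr.arpa", "PTR") for i in range(12)
] + [
    (310, "10.1.1.20", "dc01.corp.example", "A"),
]
CIFS_OPS = [  # (timestamp_s, src_ip, dst_ip, share, path, operation)
    (400, "10.1.1.50", "10.1.2.10", "ADMIN$", "PSEXESVC.exe", "write"),
    (401, "10.1.1.20", "10.1.2.10", "finance", "q1\\budget.xlsx", "read"),
]


def detect_port_scans(flows, threshold=20, window_s=60):
    """Flag a source that touches at least `threshold` distinct destination
    ports on one host within a fixed time window (assumed thresholds)."""
    ports = defaultdict(set)
    for ts, src, dst, dport in flows:
        ports[(src, dst, ts // window_s)].add(dport)
    return sorted({(src, dst) for (src, dst, _), p in ports.items()
                   if len(p) >= threshold})


def detect_reverse_lookup_bursts(queries, threshold=10, window_s=60):
    """Flag a source issuing at least `threshold` PTR (reverse) lookups in one
    window: enumerating hostnames without touching the hosts themselves."""
    counts = defaultdict(int)
    for ts, src, qname, qtype in queries:
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            counts[(src, ts // window_s)] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def detect_psexec(cifs_ops):
    """Flag the on-the-wire fingerprint of PsExec: a write of the PSEXESVC
    service binary into the ADMIN$ share of the target host."""
    hits = []
    for _ts, src, dst, share, path, op in cifs_ops:
        if (op == "write" and share.upper() == "ADMIN$"
                and path.upper().endswith("PSEXESVC.EXE")):
            hits.append((src, dst))
    return hits


def run_all():
    """Run every heuristic over the constructed records."""
    return {
        "port_scans": detect_port_scans(FLOWS),
        "ptr_bursts": detect_reverse_lookup_bursts(DNS_QUERIES),
        "psexec": detect_psexec(CIFS_OPS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

In the constructed data the host 10.1.1.50 trips all three heuristics while the ordinary SMB client 10.1.1.20 trips none; in practice the thresholds would be tuned per segment, since a vulnerability scanner or a monitoring system doing legitimate reverse lookups looks the same at this level.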

Figure 1: Real-time activity map of all assets performing CIFS transactions within three independent network segments. Any unauthorized cross-boundary traffic would be immediately apparent and generate alerts.
Figure 2: Clicking on any of the "edges" between assets above reveals the actual CIFS transactions occurring, including the filename, user, and many more details. These transactions are displayed in real time and are extracted directly from live network traffic.

Figure 3: Dashboard revealing ingress/egress traffic to prohibited geolocations. While threat actors are very creative at obfuscating their tracks, mistakes can be made, real IP addresses can inadvertently be hard-coded into attack tools, and thus real-time geolocation of traffic can reveal an otherwise well-crafted attack.
Figure 4: Positive security monitoring policy for critical asset network segment. All the protocols and services in the pie graph and list are unapproved for this segment.
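Figures 3 and 4 describe two policy checks: traffic to or from prohibited geolocations, and a positive security model in which only an approved set of protocols and services is permitted on a critical segment. The following added example (not ExtraHop's code or part of the original post) evaluates both over constructed transactions. The segment CIDRs, the per-segment allow-lists, the IP-to-country table standing in for a GeoIP database and the placeholder country code "ZZ" are all assumptions.

```python
"""Positive security policy and prohibited-geolocation checks over constructed
transaction records (not captured traffic)."""
import ipaddress

# Constructed policy: each segment has a CIDR and an allow-list of protocols.
# Under a positive security model anything not listed is unapproved.
SEGMENTS = {
    "plant-floor": {"cidr": "10.20.0.0/16",
                    "allowed": {"modbus", "dns", "ntp"}},
    "corp-it": {"cidr": "10.10.0.0/16",
                "allowed": {"cifs", "ldap", "kerberos", "dns", "https", "rdp"}},
}
PROHIBITED_COUNTRIES = {"ZZ"}          # placeholder country code
GEO = {                                # constructed stand-in for a GeoIP lookup
    "203.0.113.5": "ZZ",
    "198.51.100.7": "US",
}
TRANSACTIONS = [  # (src_ip, dst_ip, protocol)
    ("10.20.3.4", "10.20.3.1", "modbus"),      # approved PLC traffic
    ("10.10.5.6", "10.20.3.4", "rdp"),         # IT host opening RDP into plant floor
    ("10.20.3.4", "203.0.113.5", "https"),     # plant device egressing to prohibited geo
    ("10.10.5.6", "198.51.100.7", "https"),    # ordinary corporate egress
]


def segment_of(ip, segments=SEGMENTS):
    """Return the name of the monitored segment containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, seg in segments.items():
        if addr in ipaddress.ip_network(seg["cidr"]):
            return name
    return None


def evaluate(transactions, segments=SEGMENTS, geo=GEO,
             prohibited=PROHIBITED_COUNTRIES):
    """Return a list of (kind, detail, src, dst, proto) findings:
    unapproved_protocol  - protocol not on the allow-list of an endpoint's segment
    cross_segment        - traffic crossing a segment boundary
    prohibited_geo       - an endpoint geolocated to a prohibited country"""
    findings = []
    for src, dst, proto in transactions:
        seg_src, seg_dst = segment_of(src, segments), segment_of(dst, segments)
        # Ordered de-duplication so a same-segment flow is checked once.
        for seg in [s for s in dict.fromkeys((seg_src, seg_dst)) if s]:
            if proto not in segments[seg]["allowed"]:
                findings.append(("unapproved_protocol", seg, src, dst, proto))
        if seg_src and seg_dst and seg_src != seg_dst:
            findings.append(("cross_segment", f"{seg_src}->{seg_dst}",
                             src, dst, proto))
        for ip in (src, dst):
            country = geo.get(ip)
            if country in prohibited:
                findings.append(("prohibited_geo", country, src, dst, proto))
    return findings


if __name__ == "__main__":
    for finding in evaluate(TRANSACTIONS):
        print(finding)
```

The RDP session from corp-it into the plant floor is flagged twice, once for an unapproved protocol on the plant segment and once as cross-boundary traffic, which is the point of pairing a per-segment allow-list with segment-aware monitoring: the corporate segment permits RDP, but the ICS segment does not, and the policy is evaluated against both ends.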
Figure 5: Dashboard showing all newly discovered assets, real-time service catalog of every asset transacting on the monitored network, and links to live activity maps to visualize various asset relationships.