Open source forensics for adaptive detection of threats on CRITIS networks
Dinos in the Matrix
Cyberspace is a highly dynamic place: New attack vectors are constantly coming to light, such as the infiltration of the supply chains behind software products (e.g., the SolarWinds incident) or the theft of a master key for Microsoft cloud services. Critical infrastructures (CRITIS) also need to face up to these threats. Sooner or later, almost any IT failure will be attributed to a cyberattack. For example, the district of Anhalt-Bitterfeld (Germany) was unable to pay out social benefits to 157,000 citizens in 2021 after a cyberattack and had to stop most of its work for two and a half weeks. This incident prompted regulators to intervene and prescribe certifications (e.g., ISO 27001 [1]) and IT baseline protection methods.
Adapting to Risk
In this article, we look at an adaptive approach that dynamically aligns CRITIS defense with the threat situation by combining information from cyber threat intelligence (CTI) with methods from adaptive live forensics. In this way, attacks can be detected quickly and security measures initiated at short notice.
For the examples in this article, we use the MITRE ATT&CK knowledge base [2] for CTI and the open source Velociraptor digital forensics and incident response (DFIR) platform [3] in a lab environment. Velociraptor provides a more detailed and improved view of the status of the monitored endpoints. The framework ships with a library of pre-installed artifacts (collection queries) that are configured centrally and executed on the endpoints. Individual queries can also be created with the native Velociraptor Query Language (VQL).
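As an added illustration (not code from the article or from the Velociraptor project), the following is a custom artifact in Velociraptor's YAML format whose VQL query lists running processes whose executable lies outside the expected system directories and records their SHA256 hashes, a typical starting point for a hunt informed by ATT&CK execution techniques; the artifact name, the parameter name and the path regex are constructed for this example.

```yaml
# Constructed example artifact: the name, parameter and default regex are
# assumptions for this illustration, not part of the Velociraptor library.
name: Custom.Lab.ProcessesOutsideTrustedPaths
description: |
  Lists running processes whose executable is not located under one of
  the trusted directory prefixes and computes the SHA256 of the binary,
  so the result can be compared against CTI indicators.
type: CLIENT
parameters:
  # Regex of directory prefixes that are considered trusted on Linux hosts.
  - name: TrustedPrefixRegex
    default: '^(/usr/s?bin|/bin|/sbin|/lib|/lib64|/opt)/'
sources:
  # pslist() enumerates live processes; =~ is the VQL regex-match operator.
  # Processes without a resolvable executable path are skipped.
  - query: |
      SELECT Pid, Ppid, Name, Exe, CommandLine,
             hash(path=Exe).SHA256 AS SHA256
      FROM pslist()
      WHERE Exe AND NOT Exe =~ TrustedPrefixRegex
```

Once the artifact is imported on the server, it can be scheduled like any pre-installed artifact, and its rows land in the central results where they can be matched against the indicators that CTI supplies.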
Today's critical infrastructure networks comprise various areas. Operational technologies (OTs) are used in production, for example, where sensors and