Lead Image © kreminska, 123RF.com
Open source forensics for adaptive detection of threats on CRITIS networks
Dinos in the Matrix
Cyberspace is a highly dynamic place: New attack vectors are constantly coming to light, such as the infiltration of supply chains that back up software products (e.g., the SolarWinds incident) or the theft of a master key for Microsoft cloud services. Critical infrastructures (CRITIS) also need to face up to these threats. Almost inevitably an IT failure will be attributed sooner or later to a cyberattack. For example, the district of Anhalt-Bitterfeld (Germany) was unable to pay out social benefits to 157,000 citizens in 2021 after a cyberattack and had to stop most of its work for two and a half weeks. This incident prompted regulators to intervene and prescribe certifications (e.g., ISO 27001 [1]) and IT baseline protection methods.
Adapting to Risk
In this article, we look at an adaptive approach that dynamically aligns CRITIS defense with the threat situation by combining information from cyber threat intelligence (CTI) with methods from adaptive live forensics. In this way, attacks can be detected quickly and security measures initiated at short notice.
For the examples in this article, we use the MITRE ATT&CK knowledge base [2] for CTI and the open source Velociraptor digital forensics and incident response (DFIR) platform [3] in a lab environment. Velociraptor provides a more detailed and improved view of the status of the system's monitored endpoints. The framework comes with a list of artifacts pre-installed that are configured centrally and executed on the endpoints. Individual queries can also be created with the native Velociraptor Query Language (VQL).
Various areas of today's networks have critical infrastructures. Operational technologies (OTs) are used in production, for example, where sensors and
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Attack and defense techniques
The MITRE ATT&CK and D3FEND knowledge databases provide useful techniques for securing your IT infrastructure. -
Detecting malware with Yara
Use Yara to search your files and applications for hints of a cyberattack. -
Incident response with Velociraptor
The software incarnation of the feared predator in the Jurassic Park movies has been on the hunt for clues to cyberattacks and indicators of compromise. We show you how to tame the beast and use it for your own purposes. -
Improved defense through pen testing
Discover indicators of compromise with open source pen testing tools. -
Making Kerberoasting uneconomical
A method known as Kerberoasting is an exploitation technique of the Kerberos authentication protocol. We take a closer look at the available safeguards and detection measures against this attack.