Successful Threat Hunting in ICS Networks

Damiano Bolzoni | July 15, 2019

How to proactively identify ICS cyberthreats before they impact your bottom line

Threat hunting is the practice of proactively searching through networks for indicators of abnormal behavior caused by potential cyber threats, as opposed to simply relying on detection tools to flag those threats. This discipline has quickly gained traction in the IT security domain as it became clear that 100% detection is impossible to achieve and that some threats can and will evade existing security measures.

Threat Hunting vs. Incident Response

Although computer security incident response teams (CSIRTs) are common nowadays, especially in large organizations, it is important not to confuse those with threat hunting. Here are three key differences between the two practices:

  • Incident response focuses on containment and recovery in the aftermath of a cyber incident, while threat hunting aims to catch threats before they hit.
  • CSIRTs follow procedures and employ tools to detect and contain a threat. Threat hunting is centered around analysts, aided by tools, to proactively look for indicators of compromise.
  • Incident response is all about the now and seeks to mitigate a detected threat. Threat hunting may require analyzing historical information to identify early indicators of potential threats.

Therefore, despite some similarities in the techniques employed, threat hunting and incident response are complementary practices that build upon very different approaches and requirements.

Threat Hunting in ICS Networks

While threat hunting is not specific to IT, one may wonder why this discipline should be relevant for industrial environments. After all, there have been relatively few documented cyberattacks impacting ICS networks.

The truth is that, while the likelihood of a cyberattack against ICS is low, cyber incidents happen daily. Cyber incidents include small to major disruptions due to misconfiguration, erroneous commands/operations, software errors or device failures which are not intentional, but nevertheless impact the asset owner’s bottom line. Hence, hunting for anomalous behavior becomes crucial for every critical infrastructure and manufacturing organization to anticipate potentially disruptive events and minimize unexpected downtime.

Here are a few use cases that demonstrate how threat hunting can be applied to anticipate and effectively prevent cyber incidents in ICS networks:

  • WannaCry: Analysts can analyze SMB network communications to identify vulnerable devices and the entry points through which the malware could spread.
  • PLC/RTU malfunction: Looking at indicators within industrial protocol messages, analysts can identify PLCs and RTUs which are not operating as expected, due to a malfunction or misconfiguration.
  • Predictive maintenance: The behavior of field devices such as PLCs and RTUs can often suggest when the device is near end of life or needs replacement. Catching early indicators allows operators to replace the device before its failure.
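The three use cases above can each be expressed as a hunt query over records exported by a passive network monitor. The following Python script is an added example, not code from the original post or from any vendor's product; the flow records, Modbus/TCP frames and latency samples are constructed inline to stand in for captured data, and the thresholds (4 SMB peers, 20% exception rate) are assumed values an analyst would tune to their own environment. It flags hosts fanning out SMB sessions to many peers (the spread pattern of a worm like WannaCry), PLCs answering an unusual share of Modbus requests with exception responses (malfunction or misconfiguration), and PLCs whose response latency trends upward over time (an early maintenance indicator).

```python
"""Hypothesis-driven hunt queries over passively captured ICS traffic.

Added example; the records below are constructed, not real captures.
"""
import struct
from collections import Counter, defaultdict

SMB_PORT = 445
FANOUT_THRESHOLD = 4     # assumed: distinct SMB peers per source host
MAX_EXCEPTION_RATE = 0.2  # assumed: share of Modbus replies that are exceptions

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    (1.0, "10.0.1.20", "10.0.1.21", 445),
    (1.5, "10.0.1.20", "10.0.1.22", 445),
    (2.0, "10.0.1.20", "10.0.1.23", 445),
    (2.2, "10.0.1.20", "10.0.1.24", 445),
    (2.5, "10.0.1.20", "10.0.1.25", 445),
    (3.0, "10.0.1.5", "10.0.2.10", 502),    # HMI -> PLC, Modbus/TCP
    (3.1, "10.0.1.30", "10.0.1.31", 445),   # one ordinary file-share session
]

# Constructed Modbus/TCP responses as (plc_ip, raw ADU bytes)
PLC_RESPONSES = [
    ("10.0.2.10", b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x2a"),  # fc 3 OK
    ("10.0.2.10", b"\x00\x02\x00\x00\x00\x05\x01\x03\x02\x00\x2b"),  # fc 3 OK
    ("10.0.2.11", b"\x00\x03\x00\x00\x00\x03\x01\x83\x02"),          # exception 2
    ("10.0.2.11", b"\x00\x04\x00\x00\x00\x03\x01\x83\x02"),          # exception 2
    ("10.0.2.11", b"\x00\x05\x00\x00\x00\x03\x01\x86\x04"),          # exception 4
    ("10.0.2.11", b"\x00\x06\x00\x00\x00\x05\x01\x03\x02\x00\x2c"),  # fc 3 OK
]

# Constructed latency samples: (plc_ip, sample_index, response_time_ms)
LATENCY = [("10.0.2.10", i, 10.0) for i in range(5)] + \
          [("10.0.2.11", i, 10.0 + 2.0 * i) for i in range(5)]


def smb_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Hosts that open SMB sessions to at least `threshold` distinct peers."""
    peers = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    An exception response sets the high bit of the function code and
    carries a one-byte exception code after it.
    """
    if len(frame) < 8:
        raise ValueError("frame too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:
        return {"unit": unit, "function": fc & 0x7F, "exception": frame[8]}
    return {"unit": unit, "function": fc, "exception": None}


def plc_exception_rate(responses):
    """Fraction of responses per PLC that are Modbus exception responses."""
    total, exc = Counter(), Counter()
    for plc, frame in responses:
        total[plc] += 1
        if parse_modbus_tcp(frame)["exception"] is not None:
            exc[plc] += 1
    return {plc: exc[plc] / total[plc] for plc in total}


def misbehaving_plcs(responses, max_rate=MAX_EXCEPTION_RATE):
    """PLCs whose exception-response rate exceeds the assumed threshold."""
    rates = plc_exception_rate(responses)
    return sorted(plc for plc, rate in rates.items() if rate > max_rate)


def latency_trend(samples):
    """Least-squares slope of response time per PLC (ms per sample)."""
    by_plc = defaultdict(list)
    for plc, x, y in samples:
        by_plc[plc].append((x, y))
    slopes = {}
    for plc, pts in by_plc.items():
        mx = sum(x for x, _ in pts) / len(pts)
        my = sum(y for _, y in pts) / len(pts)
        num = sum((x - mx) * (y - my) for x, y in pts)
        den = sum((x - mx) ** 2 for x, _ in pts)
        slopes[plc] = num / den if den else 0.0
    return slopes


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))
    print("PLC exception rates:", plc_exception_rate(PLC_RESPONSES))
    print("Misbehaving PLCs:", misbehaving_plcs(PLC_RESPONSES))
    print("Latency trend (ms/sample):", latency_trend(LATENCY))
```

Each function is one hunt hypothesis turned into a repeatable query; in practice the records would come from the monitor's export rather than the constructed lists, and the thresholds would be set from the site's own baseline.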


The Key to Successful ICS Threat Hunting

In threat hunting, analysts create “assumptions” or “behavioral patterns” that are then automated to quickly search the network for threat indicators. Cyber threats could manifest in various ways, leveraging weaknesses unique to a specific environment. Thus, it is essential that analysts have a clear picture of their underlying environment and its expected operation.

ICS environments are very well suited for this. Compared to IT networks, ICS networks are less dynamic and diverse in terms of applications being used, number of end users and network assets, as well as the number of information flows. These factors make the task of determining the normal behavior of an ICS network much easier.

Baselining normal network behavior provides threat hunters with good real-time visibility into network assets and events, as well as the required knowledge about existing system vulnerabilities and suspicious network activity. Constraints imposed by vendors make the use of active asset inventory or agent-based solutions a no-go for ICS networks, but automatic passive asset inventory and real-time network monitoring tools have repeatedly proven successful in this space.
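The baselining described here can be demonstrated with a small learn-then-compare routine. The Python below is an added example, not code from the original post or from any monitoring product; it assumes that a passive monitor exports one record per observed request as (source, destination, destination port, industrial function code), and the records for both the learning window and the hunt window are constructed inline. The baseline captures the assets, the communication flows between them and the function codes each device is normally asked to perform, so a later hunt reports only what deviates from it: an asset never seen before, a flow that did not exist, or a known host sending a device a command it never sent during the learning period.

```python
"""Baseline-and-deviation hunt over ICS protocol records.

Added example; the records below are constructed, not real captures.
Record shape (assumed): (src_ip, dst_ip, dst_port, function_code or None).
"""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Normal behavior learned from a clean window of traffic."""
    assets: set = field(default_factory=set)      # every host seen
    flows: set = field(default_factory=set)       # (src, dst, dport)
    functions: set = field(default_factory=set)   # (dst, dport, function_code)


def learn_baseline(records) -> Baseline:
    """Build the baseline from records captured during normal operation."""
    base = Baseline()
    for src, dst, dport, fc in records:
        base.assets.update((src, dst))
        base.flows.add((src, dst, dport))
        if fc is not None:
            base.functions.add((dst, dport, fc))
    return base


def hunt_deviations(base: Baseline, records):
    """Return (kind, detail) findings for anything not in the baseline.

    Duplicate findings are collapsed while preserving first-seen order so
    a chatty new host yields one line per distinct deviation.
    """
    findings = []
    for src, dst, dport, fc in records:
        for host in (src, dst):
            if host not in base.assets:
                findings.append(("new_asset", host))
        if (src, dst, dport) not in base.flows:
            findings.append(("new_flow", f"{src}->{dst}:{dport}"))
        if fc is not None and (dst, dport, fc) not in base.functions:
            findings.append(("new_function", f"{dst}:{dport} fc={fc}"))
    seen, unique = set(), []
    for finding in findings:
        if finding not in seen:
            seen.add(finding)
            unique.append(finding)
    return unique


# Constructed learning window: HMI and engineering workstation polling two PLCs
LEARNING_WINDOW = [
    ("10.0.1.5", "10.0.2.10", 502, 3),   # HMI reads holding registers
    ("10.0.1.6", "10.0.2.10", 502, 3),   # engineering workstation reads too
    ("10.0.1.5", "10.0.2.11", 502, 3),
    ("10.0.1.5", "10.0.2.11", 502, 1),   # HMI reads coils on the second PLC
]

# Constructed hunt window: one normal poll plus two deviations
HUNT_WINDOW = [
    ("10.0.1.5", "10.0.2.10", 502, 3),    # normal
    ("10.0.1.6", "10.0.2.10", 502, 16),   # known host, function never baselined
    ("10.0.1.99", "10.0.2.11", 502, 3),   # unknown host talking to a PLC
    ("10.0.1.99", "10.0.2.11", 502, 3),   # repeated; reported once
]


def run_hunt():
    """Learn from the clean window, then compare the hunt window against it."""
    return hunt_deviations(learn_baseline(LEARNING_WINDOW), HUNT_WINDOW)


if __name__ == "__main__":
    for kind, detail in run_hunt():
        print(f"{kind:13s} {detail}")
```

A finding is not a verdict: the "new_function" line may be a legitimate engineering change and the "new_asset" line a freshly commissioned device, which is exactly the triage the analyst performs with the environment knowledge the paragraph above describes. The baseline should be relearned whenever the process is deliberately changed, or the hunt fills with stale deviations.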

The Way Ahead

In the years to come, we expect threat hunting to become part of the cyber security strategy of every critical infrastructure and manufacturing operator. Threat hunting teams will play a crucial role in the protection of ICS networks from cyber threats and cyber incidents, bringing benefits to both security and productivity. To proactively hunt for threats, analysts must be equipped with flexible, automated tools that let them search the network for threat indicators and compare assumptions with normal network behavior. To learn more about how an OT network monitoring tool can support threat hunting efforts, watch our webinar on hunting ransomware in a production network.