Detecting Foreign Attacks in Real Time | ExtraHop


On March 15th, a significant alert was issued by the US-CERT regarding Russian state-sponsored threat activity against critical infrastructure sectors, including energy, aviation, and critical manufacturing. The attacks were not random; they were deliberate, multi-stage, focused attacks designed to gain a foothold within high-impact assets that can then be used for any number of nefarious actions.

These sorts of attacks are not new, but there seems to be an acceleration of efforts and sophistication. The most recent attacks employ multiple Tactics, Techniques, and Procedures (TTPs) with a clear progression of activities culminating in persistent residence within critical infrastructure systems. The precise TTPs are well documented in the US-CERT alert and will require a vast array of protective measures to address them all, including personnel training, endpoint protection, and most critically, real-time network monitoring of both north-south and east-west traffic.

There is a saying amongst law enforcement and other operational personnel, that when facing an aggressor, "watch his/her hands, because eyes lie; hands are what hurt you." Likewise, with cyber threats, endpoints and logs can lie by being manipulated into hiding threats, thus watching the network is key, because it is data in motion that ultimately hurts an organization.

The TTPs in this alert are rife with obfuscated attacks against endpoints, attacks which can be implemented and hidden in countless different ways, but regardless of what they are, once they take action on their objectives, they place anomalous traffic on the network. Note the "cleanup and cover tasks" section of the CERT alert:

"In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced."

This classic behavior by the threat actors highlights the inherent weaknesses of relying on self-reported data like logs. Even if these organizations were using log aggregators, logging can be disabled or altered on compromised assets, and applications not configured to send logs to the aggregator are simply not visible. In the hands of a skilled actor, almost nothing being reported by a compromised asset can be trusted.

Yet, data in motion is data which is no longer controlled by the threat actor. Once it leaves the asset, whether it contains malicious payload delivery, C2 traffic, lateral movement, or data exfiltration, it is out of the hands of the threat actor and is definitively detected directly from the network.

ExtraHop's agentless, real-time traffic analysis, asset/service discovery, and native Modbus TCP/IP fluency allow Industrial Control Systems (ICS) customers to achieve the level of awareness needed to detect malicious behavior. Regardless of the type of ICS platform, if it communicates on an IP network, its traffic and connectivity can be monitored by the ExtraHop platform, and anomalous behavior automatically surfaced.

Out of the box, ExtraHop is able to reveal the specific actions on objectives described in this alert. Some examples:

  1. Identifying and browsing file servers within the victim's network. Identifying file servers can be achieved in numerous ways, including port scans and DNS reverse lookups, both of which are detectable from ExtraHop's real-time network traffic analysis. The threat actors' anomalous browsing of files is also readily detectable due to ExtraHop's native CIFS/NFS/iSCSI fluency.

  2. Privileged credentials used to access domain controllers via RDP. This type of lateral movement is inherently surfaced by monitoring the network behavior of critical assets like domain controllers. Native Kerberos, LDAP, and RDP protocol support readily reveals privileged account use and anomalous RDP connections.

  3. Usage of the PsExec tool to execute commands across the network. ExtraHop can readily detect PsExec and surface the precise commands being executed via the PsExec Detection Bundle.
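The first two items above describe behaviors that only become visible in aggregate (many ports probed, many reverse lookups) or in context (RDP to a domain controller from an unexpected host or account). The following is an added example, not ExtraHop code, of detection logic over a constructed batch of flow, DNS and RDP events; the thresholds, domain controller address, jump-host list and account names are assumptions.

```python
from collections import defaultdict

# Constructed thresholds and asset roles (assumptions, not from the page).
SCAN_PORT_THRESHOLD = 10     # distinct destination ports from one source to one target
PTR_SWEEP_THRESHOLD = 20     # reverse (PTR) lookups from one source in the batch
DOMAIN_CONTROLLERS = {"10.9.0.5"}
RDP_JUMP_HOSTS = {"10.9.0.20"}   # the only hosts allowed to open RDP to a DC
PRIVILEGED_ACCOUNTS = {"DOMAIN\\Administrator", "DOMAIN\\svc-backup"}

def detect(events):
    """Events are dicts with 'kind' in {flow, dns, rdp}; returns (rule, detail) findings."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    ptr_by_src = defaultdict(int)      # src -> number of PTR queries
    findings = []
    for e in events:
        if e["kind"] == "flow":
            ports_by_pair[(e["src"], e["dst"])].add(e["dport"])
        elif e["kind"] == "dns" and e["qtype"] == "PTR":
            ptr_by_src[e["src"]] += 1
        elif e["kind"] == "rdp" and e["dst"] in DOMAIN_CONTROLLERS:
            # RDP to a DC is only expected from jump hosts; privileged logons get their own finding.
            if e["src"] not in RDP_JUMP_HOSTS:
                findings.append(("rdp-to-dc-from-unapproved-host", f"{e['src']} -> {e['dst']}"))
            if e["user"] in PRIVILEGED_ACCOUNTS:
                findings.append(("privileged-rdp-to-dc", f"{e['user']} from {e['src']}"))
    # Discovery behaviour only shows up in aggregate, so evaluate after the pass.
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port-scan", f"{src} probed {len(ports)} ports on {dst}"))
    for src, n in ptr_by_src.items():
        if n >= PTR_SWEEP_THRESHOLD:
            findings.append(("reverse-dns-sweep", f"{src} issued {n} PTR lookups"))
    return findings

# Constructed sample batch: one workstation probes 15 ports on a file server,
# issues 25 reverse lookups, then opens RDP to the DC as a privileged account.
SAMPLE_EVENTS = (
    [{"kind": "flow", "src": "10.9.0.77", "dst": "10.9.0.30", "dport": p} for p in range(135, 150)]
    + [{"kind": "dns", "src": "10.9.0.77", "qtype": "PTR"} for _ in range(25)]
    + [{"kind": "rdp", "src": "10.9.0.77", "dst": "10.9.0.5", "user": "DOMAIN\\Administrator"}]
)
```

Running `detect(SAMPLE_EVENTS)` yields four findings: the two RDP findings during the pass, then the port scan and the reverse-DNS sweep from the aggregate counters.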

Figure 1: Real-time activity map of all assets performing CIFS transactions within three independent network segments. Any unauthorized cross-boundary traffic would be immediately apparent and generate alerts.

Figure 2: Clicking on any of the "edges" between assets above reveals the actual CIFS transactions occurring, including the filename, user, and many more details. These transactions are displayed in real time and are extracted directly from live network traffic.

Figure 3: Dashboard revealing ingress/egress traffic to prohibited geolocations. While threat actors are very creative at obfuscating their tracks, mistakes can be made and real IP addresses can inadvertently be hard-coded into attack tools, so real-time geolocation of traffic can reveal an otherwise well-crafted attack.

Industrial Control Systems (ICS) have always presented notoriously difficult security challenges since their microcode is often embedded within proprietary hardware or aging computer platforms which are difficult or impossible to monitor and secure. Even when vulnerabilities are fixed in firmware updates, the up-time requirements for some of these systems and understandable risk aversion preclude them from being patched in a timely manner. An entire industry has sprung up to try to address this problem, involving network segmentation and secure overlay networks which require no instrumentation on the ICS assets themselves.

However, in order to implement such mitigations, one must have definitive visibility into the complex landscape and interdependencies that define the modern ICS enterprise, since one simply cannot secure or segment that which is not understood. Monitoring network traffic in flight with ExtraHop provides a conclusive audit of what services are running, what they are doing, and what their dependencies are.

For example, if a new ICS asset is deployed and inadvertently (or intentionally) exposed to the Internet, this behavior will be revealed from the first packet sent to/from this system. Likewise, if a network segment should only offer a specific set of services, any unauthorized services or new assets are surfaced and classified in real time. These services are not merely identified by port, they are parsed to the layer 7 transaction level for every major datacenter protocol including Modbus TCP/IP, DNS, CIFS, and more.
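A minimal version of the positive security monitoring just described, as an added example that is not ExtraHop code: a per-segment allow-list of services evaluated over constructed flow records, flagging unapproved services, CIFS crossing a segment boundary, talkers missing from the asset inventory, and any asset reaching the Internet. The segment ranges, allow-lists and inventory are assumptions.

```python
import ipaddress

# Constructed inventory (not from the page): segment ranges, the positive
# security policy per segment, and the assets already known on each segment.
SEGMENTS = {
    "plant-A": ipaddress.ip_network("10.1.0.0/24"),
    "plant-B": ipaddress.ip_network("10.2.0.0/24"),
    "corp": ipaddress.ip_network("10.9.0.0/24"),
}
ALLOWED_SERVICES = {  # (protocol, port) pairs a segment may offer
    "plant-A": {("tcp", 502)},                              # Modbus TCP/IP only
    "plant-B": {("tcp", 502), ("udp", 53)},                 # Modbus plus DNS
    "corp": {("tcp", 445), ("tcp", 3389), ("udp", 53)},     # CIFS, RDP, DNS
}
KNOWN_ASSETS = {"10.1.0.10", "10.1.0.11", "10.2.0.10", "10.9.0.5", "10.9.0.20"}

def segment_of(ip):
    """Name of the monitored segment an address belongs to, else 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def evaluate_flows(flows):
    """Return (rule, detail) findings for a batch of flow records."""
    findings = []
    for f in flows:
        src, dst, service = f["src"], f["dst"], (f["proto"], f["dport"])
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if "external" in (src_seg, dst_seg):  # Rule 1: Internet exposure
            findings.append(("internet-exposure", f"{src} -> {dst}"))
            continue
        if service not in ALLOWED_SERVICES[dst_seg]:  # Rule 2: service not in segment policy
            findings.append(("unapproved-service", f"{dst}:{service[1]}/{service[0]} in {dst_seg}"))
        if service == ("tcp", 445) and src_seg != dst_seg:  # Rule 3: CIFS across a boundary
            findings.append(("cross-boundary-cifs", f"{src_seg} -> {dst_seg}"))
        for ip in (src, dst):  # Rule 4: talker absent from the inventory
            if ip not in KNOWN_ASSETS:
                findings.append(("new-asset", ip))
    return findings

# Constructed sample flows: benign Modbus, corp-to-plant CIFS, an
# uninventoried plant host, and a plant asset reaching the Internet.
SAMPLE_FLOWS = [
    {"src": "10.1.0.10", "dst": "10.1.0.11", "proto": "tcp", "dport": 502},
    {"src": "10.9.0.20", "dst": "10.1.0.10", "proto": "tcp", "dport": 445},
    {"src": "10.1.0.99", "dst": "10.1.0.10", "proto": "tcp", "dport": 502},
    {"src": "10.2.0.10", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
]
```

`evaluate_flows(SAMPLE_FLOWS)` returns one finding per violated rule; the benign Modbus flow produces none, and the corp-to-plant CIFS flow trips both the policy rule and the boundary rule.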

Figure 4: Positive security monitoring policy for a critical asset network segment. All the protocols and services in the pie graph and list are unapproved for this segment.

Figure 5: Dashboard showing all newly discovered assets, a real-time service catalog of every asset transacting on the monitored network, and links to live activity maps to visualize various asset relationships.

This US-CERT alert describes a serious, ongoing threat to our national security. Compromises of our energy grid, manufacturing, air traffic control, and even roadway traffic control can be used to impact our way of life and make us vulnerable.

Real-time situational awareness of these critical ICS networks is key to ensuring that they are well understood, and that appropriate security controls have been implemented and continue to function properly.
