Breakdown: CISA Alert (AA20-205A)

6th October 2020


CISA Alert (AA20-205A) NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems

The past few months have been an adjustment for organizations across the world, particularly those in Critical Infrastructure (CI). To accommodate a remote workforce and meet safety requirements, organizations providing CI capabilities have enabled remote access to Operational Technology (OT) devices. Previously, these critical systems had been accessible only from inside the organization; now, as a direct result of enabling remote access, they present a new attack vector.

As many security professionals already know, disclosed or identified vulnerabilities are typically addressed through patching. So, as long as your team has a good patch management and implementation process, what is the problem? OT systems tend to have extended periods between the release of a patch by a vendor and the implementation of that patch in the production environment. TrendMicro studied the mean time to patch for vulnerabilities in OT systems over four years and identified the duration as 140 days (source), which provides attackers a substantial window to enter your network and compromise such systems.

The Cybersecurity and Infrastructure Security Agency (CISA) issued several recommendations in its recent release, CISA Alert (AA20-205A). The Agency urges CI organizations leveraging OT in their environment to develop a robust continuous monitoring program. CISA states, “A vigilant monitoring program enables system anomaly detection, including many malicious cyber tactics like “living off the land” techniques with OT systems.” (source) A good continuous monitoring program should include monitoring for known and unknown threats alike. Many known threats have signatures that antivirus (AV) programs are designed to detect, but savvy attackers can modify malware to evade signature-based detection. AV is also unable to alert trained personnel to unknown threats in the environment. An inability to monitor for anomalous behavior, including unknown threats and modified versions of existing malware, leaves your organization vulnerable to attack. So now what?

CyGlass uses cutting-edge AI/ML algorithms to give businesses key insights into network activity, alerting customers to abnormalities that may indicate network compromises. CyGlass is a hands-off solution that is always monitoring your network, so you can focus on what you do best: providing the critical services that thousands of families and businesses rely upon.

Let’s take a look at how CyGlass monitors networks and alerts your network teams to unusual behavior. When CyGlass spots such behavior, it sends your team an email about the Smart Alert, which is based on the information the AI/ML algorithm has identified. This example will refer to a Smart Alert based on suspicious activity CyGlass identified on a key network asset. When an analyst first selects a CyGlass alert for closer investigation, he or she arrives on the “Investigate” page within the platform, which explains the identified behavior in plain language. The summary at the top of the page shows the major actor and the key indicators involved in the behavior, so customers immediately get a high-level overview of what is occurring.

Continuing further down the investigation page, analysts are presented with a network map providing a visual representation of the subject behavior. These maps are instrumental in supporting the analyst’s evaluation of the identified activity in addition to facilitating the development of subsequent reporting. 

Now that the customer has an understanding of the behavior in question, he or she can take a closer look at the Smart Alert data by viewing the Smart Alert traffic. The traffic report can be customized by date range and by filters including ICMP activity, TCP scanning, UDP one-way traffic, and many other types of NetFlow and traffic data.
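To make two of the filter categories named above concrete, here is an added example (written for this page, not CyGlass code) that applies the underlying heuristics to constructed NetFlow-style records: a UDP flow with no reverse-direction counterpart is flagged as one-way traffic, and a source sending SYN-only flows to many distinct ports on one host is flagged as a TCP scan. The record layout, host addresses and the `min_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (sample data, not from any real capture).
# Fields: src, dst, proto, dport, flags (TCP flags seen on the flow), packets.
FLOWS = [
    # normal Modbus/TCP session between an HMI and a PLC, both directions present
    {"src": "10.1.1.5", "dst": "10.1.2.20", "proto": "TCP", "dport": 502, "flags": "SA", "packets": 40},
    {"src": "10.1.2.20", "dst": "10.1.1.5", "proto": "TCP", "dport": 50221, "flags": "SA", "packets": 38},
    # one-way UDP: SNMP polls to a device that never answers
    {"src": "10.1.1.9", "dst": "10.1.2.21", "proto": "UDP", "dport": 161, "flags": "", "packets": 12},
    # normal UDP exchange: both directions present
    {"src": "10.1.1.5", "dst": "10.1.2.22", "proto": "UDP", "dport": 2222, "flags": "", "packets": 20},
    {"src": "10.1.2.22", "dst": "10.1.1.5", "proto": "UDP", "dport": 40000, "flags": "", "packets": 19},
] + [
    # SYN-only single-packet flows from one host to many ports: the footprint of a TCP scan
    {"src": "10.1.1.77", "dst": "10.1.2.20", "proto": "TCP", "dport": p, "flags": "S", "packets": 1}
    for p in (21, 22, 23, 80, 102, 443, 502, 1911, 20000, 44818)
]


def one_way_udp(flows):
    """Return UDP flows for which no flow in the opposite direction (dst -> src)
    exists in the record set. Matching is by host pair only, since the sample
    records carry no source port."""
    pairs = {(f["src"], f["dst"]) for f in flows if f["proto"] == "UDP"}
    return [f for f in flows if f["proto"] == "UDP" and (f["dst"], f["src"]) not in pairs]


def tcp_scanners(flows, min_ports=8):
    """Return {(src, dst): sorted ports} for source hosts that sent SYN-only flows
    to at least min_ports distinct destination ports on a single host."""
    probes = defaultdict(set)
    for f in flows:
        if f["proto"] == "TCP" and f["flags"] == "S":
            probes[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports) for pair, ports in probes.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for f in one_way_udp(FLOWS):
        print(f"one-way UDP: {f['src']} -> {f['dst']}:{f['dport']} ({f['packets']} packets, no reply)")
    for (src, dst), ports in tcp_scanners(FLOWS).items():
        print(f"TCP scan: {src} probed {len(ports)} ports on {dst}: {ports}")
```

Both functions return the flagged records rather than printing them, so the same logic can feed an alerting pipeline or be unit-tested against known-good baseline traffic.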

Once the desired behavior is selected, it is graphically displayed as shown below. This feature enables the analyst to gain a rapid but fine-grained understanding of the behavior, including the fields shown above and the timing and packet size information shown below.

Visualizing these connections, whose pattern can be a hallmark of malicious activity, provides context for the communication and gives your team more information to pinpoint the activity to be investigated and decide whether a closer examination or vendor engagement is warranted. CyGlass was able to quickly detect the unusual behavior and alert your organization automatically, so you can immediately identify the critical information needed to plan the next steps.

As attackers become more skilled, it is critical to improve your organization’s security posture beyond relying on known malware signatures alone. CyGlass provides its customers with protection against threats that have no known signature, including zero-days, which have been a frequent source of CISA alerts. Contact the CyGlass team today to see how your organization can deliver better value to shareholders by avoiding costly breaches and time-consuming post-incident remediation.