The festive season presents a unique set of challenges for organisations in terms of cyber security, and threat actors will seek to exploit the seasonal wind-down and the periods of minimal staffing that come at this time of year. That is why we at Arcanum, along with our Partners at Dragos, Inc., are addressing the importance of Objective C: Detecting cyber security events just before most organisations move into the festive period.
Timely detection is critical; without it, organisations risk letting threats potentially develop into serious incidents that could severely disrupt essential functions. Continuous monitoring of networks and systems allows for the early identification of anomalies, baseline deviations and potential security issues, in turn facilitating a rapid response.
As we discussed in our first blog of this CAF-focused series, Arcanum champions a people and process approach when using technological solutions. This ensures that protective measures remain effective and safeguards the organisation’s vital operations. In the next two sections, we shall explore the two Principles of Objective C: C1 Security Monitoring and C2 Proactive Security Event Discovery.
Principle C1: Security Monitoring
Principle C1 Security Monitoring involves monitoring the networks and systems that support essential functions to detect potential security issues and track the ongoing effectiveness of security measures. The outcomes of Principle C1 are ‘C1.a Monitoring Coverage’, ‘C1.b Securing Logs’, ‘C1.c Generating Alerts’, ‘C1.d Identifying Security Incidents’ and ‘C1.e Monitoring Tools and Skills’. A holistic approach to security monitoring is essential, integrating people, processes, and technology to ensure robust cyber resilience.
Organisations need to understand their networks, both Operational Technology (OT) and IT, and the potential attack methods that could affect them. To detect security events in a timely manner, organisations need to monitor the data sources that are relevant to their essential functions. To identify security incidents reliably, they need to collect sufficient data from both host-based and network-based sources, and their monitoring tools need to make use of all this data to pinpoint the activity within an incident. Every monitoring and detection system needs to be kept up to date with the latest indicators of compromise (IoCs) and threat signatures. At the same time, alert systems need to be tested to ensure their reliability and to reduce the number of false positives. Alerts need to be resolved in near real time.
Logging is an important element of security monitoring. Organisations must safeguard the confidentiality, integrity and availability of log data and the logging architecture to protect them from potential threats. It is imperative that access to logs is restricted to authorised personnel only, adhering to the principle of least privilege. Activities involving logs, such as copying, deleting, modifying or reviewing them, must be tracked and attributed to individual users. Logs need to be precisely timestamped to allow for accurate correlation. To protect the integrity of the original data, duplicates of the logs must be generated for analysis and normalisation. Continuous real-time review of logs is essential, and when investigating suspicious activities and alerts, logging data needs to be enriched with other information.
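As an added illustration of the C1.b points above (precise timestamps, tamper evidence, and analysing a copy rather than the original), the following Python sketch hash-chains log entries so that edits, deletions or reordering are detectable; it is example code written for this post, not part of the CAF or any Dragos product, and the host names and events are constructed.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64  # chain anchor before the first entry

# Constructed sample events, standing in for records forwarded from OT/IT hosts.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "event": "login", "user": "operator"},
    {"host": "plc-gw-02", "event": "config_change", "user": "engineer"},
    {"host": "hmi-01", "event": "logout", "user": "operator"},
]

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "digest"}  # canonical, digest excluded
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(chain, record, when=None):
    """Timestamp the record in UTC (microsecond precision, for correlation) and
    link it to the previous entry's digest so later changes are detectable."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "ts": when.isoformat(timespec="microseconds"),
        "record": record,
        "prev": chain[-1]["digest"] if chain else GENESIS,
    }
    entry["digest"] = _digest(entry)
    chain.append(entry)
    return entry

def build_chain(events):
    chain = []
    for event in events:
        append_entry(chain, event)
    return chain

def verify_chain(chain):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(entry) != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1

def analysis_copy(chain):
    """Analysts normalise and enrich a deep copy; the original is never touched."""
    return copy.deepcopy(chain)
```

Truncating the tail of the chain is not detectable by the chain alone, which is why the latest digest (or the logs themselves) should also be forwarded to a separate store that the monitored hosts cannot modify.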
Threat intelligence constitutes another important component of security monitoring. Organisations need threat intelligence feeds that match their business needs and sector, and need to track the usefulness and effectiveness of those feeds over time. Organisations should also actively share their threat intelligence feedback with the wider community.
The roles of monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts, must be clearly delineated. Established processes and procedures should cater to both internal and external governance reporting requirements. However, monitoring staff should be empowered to look beyond the fixed process, to investigate and understand non-standard threats, and to develop their own investigative techniques, utilising new data where appropriate. It is vital for the monitoring staff to have a thorough understanding of the organisation’s essential functions, so that they can prioritise alerts and investigations accordingly.
Principle C2: Proactive Security Event Discovery
Principle C2 Proactive Security Event Discovery expands on Principle C1 and explores an organisation’s ability to detect threats which evade standard signature-based security solutions, by looking more closely at the behaviours of threats. The outcomes of Principle C2 are ‘C2.a System Abnormalities for Attack Detection’ and ‘C2.b Proactive Attack Discovery’.
For organisations to effectively identify anomalies, they must first establish a baseline of their systems’ normal behaviour and inter-system communication. Without a clear understanding of what normal looks like, spotting anomalies becomes challenging. To detect malicious activity, organisations need to analyse the behavioural patterns of previous attacks, leverage threat intelligence, and consider the nature of the possible attacks that could impact their critical systems. A proactive approach is essential for detecting sophisticated attack methods, which involves consistently and actively seeking out system abnormalities that may be indicative of malicious activity. Moreover, it is crucial to regularly update the definitions of system abnormalities to align with changes in networks, systems, and threat intelligence, ensuring the sustained efficacy of behaviour-based threat detection methods.
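The paragraph above describes three steps: learning what normal inter-system communication looks like, flagging deviations from it, and updating the baseline as the network changes. The Python below works those steps through on constructed flow records for a small OT network; it is an added example for this post, not code from the CAF, Arcanum or Dragos, and the host names, ports and byte counts are made up.

```python
from collections import defaultdict

# Constructed flow records (src_host, dst_host, dst_port, bytes) from a learning
# period in which operations were confirmed normal. Port 502 is Modbus/TCP.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502, 1200),
    ("hmi-01", "plc-02", 502, 1100),
    ("hmi-01", "plc-01", 502, 1350),
    ("historian", "hmi-01", 4840, 5000),
    ("historian", "hmi-01", 4840, 4800),
]

# Constructed flows from a later monitoring window.
OBSERVED_FLOWS = [
    ("hmi-01", "plc-01", 502, 1300),       # matches the baseline
    ("eng-ws-07", "plc-01", 502, 900),     # host never seen before
    ("historian", "plc-01", 502, 400),     # known hosts, new communication path
    ("hmi-01", "plc-02", 502, 9000),       # known path, far more data than usual
]

def build_baseline(flows):
    """Normal communication paths with the largest byte count seen per path."""
    paths = defaultdict(int)
    for src, dst, port, nbytes in flows:
        paths[(src, dst, port)] = max(paths[(src, dst, port)], nbytes)
    return dict(paths)

def detect_deviations(baseline, flows, volume_factor=3.0):
    """Flag flows that deviate from the baseline, reporting the strongest reason."""
    known_hosts = {h for src, dst, _ in baseline for h in (src, dst)}
    findings = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if src not in known_hosts or dst not in known_hosts:
            findings.append((key, "unknown host"))
        elif key not in baseline:
            findings.append((key, "new communication path"))
        elif nbytes > volume_factor * baseline[key]:
            findings.append((key, "volume above baseline"))
    return findings

def update_baseline(baseline, reviewed_flows):
    """Fold in flows an analyst has confirmed as legitimate (for example after a
    network change) so the baseline keeps tracking the current environment."""
    merged = dict(baseline)
    for key, nbytes in build_baseline(reviewed_flows).items():
        merged[key] = max(merged.get(key, 0), nbytes)
    return merged
```

In practice the baseline would be built from weeks of passive capture rather than a handful of flows, and the volume threshold tuned per path, but the review-and-update loop is the part that keeps behaviour-based detection effective as networks change.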
What tools and resources can help an organisation achieve Objective C?
A useful resource for helping organisations become aware of the threats that could affect their systems is the MITRE ATT&CK Matrix for ICS, more commonly known as the MITRE ATT&CK for ICS Framework, which is a knowledge base of tactics and techniques used by cyber adversaries across a range of technologies in both IT and OT. By considering the systems and networks which support the organisation’s essential functions, the organisation can use the ATT&CK Matrix to identify the tactics and techniques that might be used against them.
For organisations utilising OT infrastructure, the Dragos Platform offers many features which support achieving Objective C. It offers in-depth asset visibility, enabling a clear understanding of both IT and OT systems within a network and the communication paths between them. Additionally, the Platform offers threat detection and alerting using both signature-based and behaviour-based methods. Data collection from networks and systems is conducted passively and by active acquisition through host-based agents. The Platform’s analysis and reporting tools can aggregate and correlate various data sources, such as logs and network captures, to offer a detailed perspective on identified events. The Dragos Threat Intelligence team consistently updates the Dragos Platform with new threat signatures, IoCs and behaviour-based detections, while also providing threat intelligence reports through the Dragos WorldView OT threat intelligence portal. The team also supplies investigative playbooks, assisting organisations in promptly addressing and responding to alerts.
There are numerous tools, other than those described above, which can assist organisations in achieving Objective C. Organisations should research and choose the tool(s) that best fit their business needs, risk tolerance, and legal and regulatory requirements. Arcanum is a vendor-agnostic consultancy and will always strive to find the most relevant, suitable, and cost-effective solution for your organisation. To allow us to deliver services to clients, we have developed relationships and established partnerships with cyber security solution providers.
Upcoming Webinar: What is ISA / IEC 62443?
If you’re interested in knowing more about ISA/IEC 62443 and how it contributes to Industrial Cyber Security by helping to secure OT, register your place on our upcoming webinar!
On January 16th 2024, Arcanum are running a FREE webinar that will demystify ISA/IEC 62443, the international standard for industrial control system (ICS) security.