As October closes, so does another insightful Cyber Security Awareness Month. It excites me to see interest in cyber security grow so much over these past few weeks.
The threat I’d like to discuss in this post is a common one: persistent network access. Attackers can remain on your network without your knowledge, so vigilance is essential. To counter this, I want to look at another critical component of cyber security awareness: continuous network monitoring.
Continuous network monitoring is the most reliable way to know what is actually happening on a network. Beyond traffic visibility, it can also track the health of network endpoints: bandwidth saturation or memory exhaustion on a PC, for example, can be detected early and corrected as a preventive measure rather than a reactive one. Ongoing monitoring matters because the logs it produces form your network’s digital footprint, and that record is what lets you catch signs of a potential breach early and minimize your risk. Once a continuous monitoring program is in place, you can review network activity daily and trace the path information takes through your network. Changes made to PCs also become visible: new services running, new programs installed, or other actions that could be malicious. This provides a roadmap back to the source of a threat and allows your team to perform threat hunting and digital forensics, which can determine where an attack originated and reconstruct the events that led up to it.
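As an added example of the endpoint-change detection described above (this is not part of the original post or of the Secure365 service), the following Python compares a PC's current service inventory against a stored baseline and reports new services, removed services, replaced binaries and changed start types. The snapshot layout, service names, paths and hashes are constructed for illustration; a real collector would gather them from the operating system (for example the Windows Service Control Manager) and keep the baseline on the monitoring server, not on the monitored host.

```python
"""
Detect changes to a PC's installed services against a stored baseline.

Added example for this post, not Plus Group / Secure365 code. The snapshot
format, service names, binary paths and hashes are constructed; a real
collector would pull them from the OS and store the baseline centrally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    binary_path: str
    sha256: str       # hash of the service binary on disk
    start_type: str   # "auto", "manual" or "disabled"


# Constructed baseline: the PC as it looked when it was commissioned.
BASELINE = [
    Service("hmi-runtime", r"C:\Vendor\HMI\hmi.exe", "a1" * 32, "auto"),
    Service("opc-server", r"C:\Vendor\OPC\opcsrv.exe", "b2" * 32, "auto"),
    Service("win-update", r"C:\Windows\wuaueng.exe", "c3" * 32, "manual"),
]

# Constructed current snapshot: one binary replaced, one start type flipped,
# one new auto-start service living in a user-writable directory.
CURRENT = [
    Service("hmi-runtime", r"C:\Vendor\HMI\hmi.exe", "a1" * 32, "auto"),
    Service("opc-server", r"C:\Vendor\OPC\opcsrv.exe", "ff" * 32, "auto"),
    Service("win-update", r"C:\Windows\wuaueng.exe", "c3" * 32, "disabled"),
    Service("svchost-update", r"C:\Users\Public\svc.exe", "dd" * 32, "auto"),
]


def diff_services(baseline, current):
    """Return (severity, message) findings, most severe first."""
    base = {s.name: s for s in baseline}
    cur = {s.name: s for s in current}
    findings = []

    # Services that did not exist in the baseline. Auto-start is the
    # classic persistence choice, so it is rated higher.
    for name in cur.keys() - base.keys():
        s = cur[name]
        sev = "high" if s.start_type == "auto" else "medium"
        findings.append((sev, f"new service {name!r} at {s.binary_path} ({s.start_type})"))

    # Services that disappeared (e.g. a disabled security agent).
    for name in base.keys() - cur.keys():
        findings.append(("medium", f"service {name!r} removed"))

    # Services present in both: check the binary and the start type.
    for name in base.keys() & cur.keys():
        b, c = base[name], cur[name]
        if b.sha256 != c.sha256 or b.binary_path != c.binary_path:
            findings.append(("high", f"service {name!r} binary changed: {b.binary_path} -> {c.binary_path}"))
        if b.start_type != c.start_type:
            findings.append(("low", f"service {name!r} start type {b.start_type} -> {c.start_type}"))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, msg in diff_services(BASELINE, CURRENT):
        print(f"[{sev.upper():6}] {msg}")
```

Run daily against each monitored PC, a diff like this is what turns a pile of inventory snapshots into the "roadmap" the post mentions: the first appearance of a service, binary or start-type change is a timestamp an analyst can pivot on in the network logs.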
One question to think about is, “were they trying to exfiltrate data or interrupt a process?” Threat hunting and digital forensics are vast topics in their own right. Attackers also commonly spoof their apparent location or use PCs at your own site to stage an attack. The only way to piece such an attack together is to evaluate the history of what happened, and that history lives in the network monitoring logs.
The most significant benefit of continuous monitoring is the ability to capture the network traffic itself. Each network packet contains a great deal of information worth evaluating.
The monitoring process allows an analyst to filter the data down to only the information relevant to the search being performed. The most complete picture comes from capturing and analyzing full packets rather than summaries or headers alone. On an industrial network, full capture and analysis must be passive, that is, “listen-only”: the sensor must not inject traffic or otherwise affect production or process communications. Passive capture will not, of course, stop a bad actor from moving through the network, but alerts can be generated automatically when unfamiliar traffic appears.
Monitoring and logging also provide a way to test and audit firewall rules regularly. Test traffic that imitates a malicious pattern can be sent toward the network to confirm both that the firewall filters and blocks it and that the alerting system raises an alert when it is detected. On a production industrial network, send such test traffic from a test segment or during a planned window so the test itself cannot disturb operations. The aim is an automated system: no one should have to watch the traffic by hand to be notified of anomalies. Once the designated responsible individual(s) receive a notification, threat hunting and forensic analysis can be performed on the historical data as described above.
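To make the two preceding paragraphs concrete, here is an added Python example (not Plus Group's or Secure365's code) that does both things they describe: it classifies passively captured flow records against an allowlist baseline of expected plant conversations and alerts on anything unfamiliar, and it runs the periodic audit in which a synthetic "malicious" flow must be both denied by the firewall rules and alerted on by the monitor. The addresses, ports, allowlist and firewall rules are constructed, and the firewall is modelled as a first-match rule table rather than a real device, so the audit exercises the policy logic, not packets on the wire.

```python
"""
Passive flow baselining with alerting, plus a firewall/alerting self-test.

Added example for this post, not Plus Group / Secure365 code. The plant
addresses, allowlist and firewall rules are constructed. In practice the
flow records come from a listen-only TAP/SPAN sensor and the allowlist from
an observed-traffic baseline reviewed by the control engineers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed plant network and baseline of expected conversations.
PLANT_NET = ip_network("10.20.0.0/24")
ALLOWLIST = {
    # (src, dst, proto, dport)
    ("10.20.0.10", "10.20.0.50", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.0.11", "10.20.0.50", "tcp", 44818),  # engineering WS -> PLC, EtherNet/IP
    ("10.20.0.50", "10.20.0.20", "tcp", 4840),   # PLC -> historian, OPC UA
}
KNOWN_HOSTS = {h for entry in ALLOWLIST for h in entry[:2]}

# Constructed firewall policy, first match wins, implicit default deny.
FIREWALL_RULES = [
    # (src network, dst network, proto or None, dport or None, action)
    ("10.20.0.0/24", "10.20.0.0/24", "tcp", 502, "allow"),
    ("10.20.0.0/24", "10.20.0.0/24", "tcp", 44818, "allow"),
    ("10.20.0.0/24", "10.20.0.0/24", "tcp", 4840, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "deny"),
]


def firewall_verdict(flow, rules=FIREWALL_RULES):
    """Return 'allow' or 'deny' for a flow under first-match rule evaluation."""
    for src_net, dst_net, proto, dport, action in rules:
        if ip_address(flow.src) not in ip_network(src_net):
            continue
        if ip_address(flow.dst) not in ip_network(dst_net):
            continue
        if proto is not None and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


def classify_flow(flow, allowlist=ALLOWLIST):
    """Return None for baseline traffic, else a string saying why it is unfamiliar."""
    if (flow.src, flow.dst, flow.proto, flow.dport) in allowlist:
        return None
    outsiders = [h for h in (flow.src, flow.dst) if ip_address(h) not in PLANT_NET]
    if outsiders:
        return f"traffic with host outside plant network: {outsiders} ({flow.proto}/{flow.dport})"
    unknown = [h for h in (flow.src, flow.dst) if h not in KNOWN_HOSTS]
    if unknown:
        return f"unknown plant host(s) {unknown} talking {flow.proto}/{flow.dport}"
    return f"known hosts {flow.src}->{flow.dst} on unexpected {flow.proto}/{flow.dport}"


def detect(flows):
    """Run the passive detector over captured flows; return (flow, reason) alerts."""
    alerts = []
    for flow in flows:
        reason = classify_flow(flow)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts


def audit_rule_and_alert(test_flow):
    """The periodic audit: a synthetic test flow must be denied AND alerted on."""
    return {
        "firewall_blocks": firewall_verdict(test_flow) == "deny",
        "monitor_alerts": classify_flow(test_flow) is not None,
    }


# Constructed capture: two baseline flows and three that should alert.
CAPTURE = [
    Flow("10.20.0.10", "10.20.0.50", "tcp", 502),
    Flow("10.20.0.50", "10.20.0.20", "tcp", 4840),
    Flow("10.20.0.11", "10.20.0.50", "tcp", 23),      # engineering WS -> PLC over telnet
    Flow("10.20.0.99", "10.20.0.50", "tcp", 502),     # unlisted host polling the PLC
    Flow("10.20.0.20", "203.0.113.7", "tcp", 443),    # historian -> internet, possible exfil
]

if __name__ == "__main__":
    for flow, reason in detect(CAPTURE):
        print(f"ALERT {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print(audit_rule_and_alert(Flow("198.51.100.5", "10.20.0.50", "tcp", 502)))
```

The audit returns the two checks separately on purpose: a firewall that blocks the test flow while the monitor stays silent, or a monitor that alerts while the firewall lets the flow through, are different failures that need different fixes, and a single pass/fail would hide which one you have.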
Preventing bad actors from getting into the network in the first place is essential, but awareness also means knowing what is happening on your physical network if someone DOES gain access. Look at cyber security awareness holistically so that the ultimate goal, protecting your network and assets, is achieved: keeping production up and delivering information to the stakeholders who need it.
To learn about what Plus Group can offer under our Secure365 service, reach out to Dave Jennings today at DJENNINGS@PLUSGROUPS.COM
Author: Dave Jennings
Co-Author: Torie Powers