We see more and more IT-OT converged networks as manufacturing and critical infrastructure organizations pursue their digital transformation goals. These converged networks increase the attack surface by exposing the OT environment to always-connected, internet-accessible networks, in contrast to the traditional, well-controlled (sometimes air-gapped) OT network boundaries. Over the last few years we have seen some targeted attacks intentionally use the IT environment as a pivot point into OT networks, but most of the time incidents are caused by threats built for IT environments that unintentionally impact OT networks. There are fundamental differences between handling an IT security alert and an OT security alert: the IT world prioritizes confidentiality and integrity, while the OT world's main focus is availability. Although IT and OT differ in many ways, such as CIA priority and the protocols used, more and more fusion SOCs are being built to monitor these converged networks for threats and compliance.
What it does
The primary challenge is to correlate the alerts generated by both IT and OT point security products, identify malware that could have moved across the IT-OT boundary and impacted critical OT assets, and contain it in a structured manner to prevent further damage to the organization. The secondary challenge is optimizing the analyst effort spent on manually gathering and enriching indicators and evidence.
How I built it
We built a virtual lab to replicate the IT-OT environment, complete with:
Firewalls: Palo Alto Firewall, FortiGate Firewall
IPS/IDS: Firepower (IT), Nozomi (OT)
Servers: Active Directory, MS Exchange
Log Server: Splunk
SOAR: XSOAR
Targets: IT PC, Human Machine Interface PC, simulated PLC
After studying the client's existing threat detection process, we re-engineered it to include additional log and alert sources that could add value. We managed to streamline and automate enrichment, event-driven threat hunting, containment and notification.
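The correlation step described above (IT alerts and OT alerts linked by a shared indicator, with containment actions that respect the OT availability priority) can be shown in a few dozen lines. The script below is an added example, not code from the project or from XSOAR, Splunk or Nozomi; the raw key=value lines, hosts, IP addresses and hashes are constructed for the example, the field names are assumptions rather than any vendor's schema, and the two-hour correlation window and the action wording are illustrative choices. It also shows the raw-log-to-JSON normalization that such a playbook needs before alerts from different products can be compared.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample alerts in key=value syslog style, the shape a SIEM such as
# Splunk forwards raw events in. Field names, hosts, IPs and hashes are all
# illustrative; they are not real product schemas or real indicators.
HASH_A = "aa" * 32          # placeholder SHA-256 of a malicious attachment
HASH_B = "bb" * 32          # placeholder SHA-256 of an unrelated IT-only sample
RAW_EVENTS = [
    f'ts=2024-05-01T10:02:11Z source=firepower zone=IT src_ip=10.1.5.23 host=IT-PC-07 sha256={HASH_A} sig="Malware.Downloader.Generic"',
    'ts=2024-05-01T10:03:40Z source=exchange zone=IT src_ip=10.1.5.23 host=IT-PC-07 sig="Phishing attachment quarantined"',
    f'ts=2024-05-01T10:41:05Z source=nozomi zone=OT src_ip=10.1.5.23 dst_ip=192.168.20.15 host=HMI-01 sha256={HASH_A} sig="New file transfer to HMI"',
    'ts=2024-05-01T11:15:22Z source=nozomi zone=OT src_ip=192.168.20.15 dst_ip=192.168.20.50 host=PLC-SIM-1 sig="Unexpected Modbus write"',
    f'ts=2024-05-02T09:00:00Z source=firepower zone=IT src_ip=10.1.7.9 host=IT-PC-12 sha256={HASH_B} sig="Adware.Generic"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
INDICATOR_KEYS = ("sha256", "src_ip")   # fields worth correlating across zones


def parse_event(line: str) -> dict:
    """Turn one raw key=value line into a flat dict; quoted values keep their spaces."""
    ev = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
          for m in KV_RE.finditer(line)}
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def indicators(ev: dict) -> set:
    """Indicator (kind, value) pairs present in an event."""
    return {(k, ev[k]) for k in INDICATOR_KEYS if k in ev}


def build_finding(ot: dict, shared: dict) -> dict:
    """Describe one OT alert that is linked to earlier IT alerts by shared indicators."""
    it_events = [e for evs in shared.values() for e in evs]
    actions = []
    for kind, value in sorted(shared):
        if kind == "sha256":
            actions.append(f"block hash {value} on IT perimeter firewalls and mail gateway")
        elif kind == "src_ip":
            actions.append(f"isolate IT host(s) behind {value} via EDR or switch port")
    ot_assets = sorted({ot[k] for k in ("host", "dst_ip") if k in ot})
    # OT side: availability comes first, so notify OT engineering instead of
    # auto-isolating the HMI or PLC.
    actions.append(f"notify OT engineering to verify {', '.join(ot_assets)}; no automatic isolation")
    return {
        "ot_alert": ot["sig"],
        "ot_assets": ot_assets,
        "indicators": sorted(f"{k}={v}" for k, v in shared),
        "it_hosts": sorted({e.get("host", e["src_ip"]) for e in it_events}),
        "first_seen_it": min(e["ts"] for e in it_events),
        "seen_ot": ot["ts"],
        "severity": "critical",   # confirmed movement into OT outranks any IT-only alert
        "actions": actions,
    }


def find_boundary_crossings(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """One finding per OT alert sharing an indicator with an IT alert seen up to `window` earlier."""
    it_events = [e for e in events if e["zone"] == "IT"]
    findings = []
    for ot in sorted((e for e in events if e["zone"] == "OT"), key=lambda e: e["ts"]):
        shared = {}
        for it in it_events:
            if not (ot["ts"] - window <= it["ts"] <= ot["ts"]):
                continue
            for ind in indicators(it) & indicators(ot):
                shared.setdefault(ind, []).append(it)
        if shared:
            findings.append(build_finding(ot, shared))
    return findings


def run(raw_lines=RAW_EVENTS) -> list:
    """Parse the raw lines and return the IT-to-OT boundary-crossing findings."""
    return find_boundary_crossings([parse_event(line) for line in raw_lines])


if __name__ == "__main__":
    print(json.dumps(run(), indent=2, default=str))
```

On the sample data only the HMI file-transfer alert is raised, because it shares both the file hash and the source IP with the earlier Firepower and Exchange alerts; the later Modbus alert has no IT counterpart and the adware alert never reaches OT, so neither is escalated. The IT-side actions are candidates for automatic containment, while the OT-side action is deliberately a notification, which is the availability-first handling the introduction describes.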
Challenges I ran into
This was our first attempt to build a playbook using a SOAR technology, let alone XSOAR. We learnt new things every time we ran into a problem, whether it was an integration issue, a playbook input/output issue, transforming Splunk raw logs or mapping them to XSOAR as JSON key-value pairs. However, at the end of the process we are highly satisfied knowing we have grasped a lot of knowledge, tips and tricks, and the thought process required to design and build future automation & orchestration projects.
Accomplishments that I'm proud of
Complete IT-OT lab setup; having a solution that over-achieves the client's MTTD & MTTR expectations. Most of all, completing the 1st XSOAR playbook, and it's ALIVE!!!
What I learned
The thought process was the most important one: is there a better way, has someone already found a way to do this more efficiently, how much of a unique solution is required to solve my problem, can I use existing automations and playbooks to optimize my playbook? Other than XSOAR engineering tasks, I've also learnt a great deal about Nozomi, Splunk and JSON.
What's next for Threat Detection Automation in IT OT converged Networks