KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
We've been researching NDR and DDP network detection and response and distributed deception platforms and wanted to talk about the role they can play for helping out in operational technology in the ICS world. So I'll start off talking about some of the security challenges there. Describe NDR, describe DDP, and then talk about where we think that it's going with relation to this new term. XDR. So first up, what are some of the security concerns you may have heard about some of these already?
You know, there was a recent survey by trend micro at organizations that have operational technology environments. 61% of those said that they had had a cyber incident, which includes things like malware infection or exploitation of vulnerability, or just unauthorized physical or logical access on their systems. And of those 75% had to shut down production and of those almost half reported that that outage lasted more than four days. So these are pretty significant in terms of impacting productivity and revenue.
Something to think about one of the drivers, why we need to take very seriously OT and ICS security. What are some of the other risks that are out there that OT, ICS operators need to be aware of? Of course there's interruption of production, but there's ransomware.
There have been several cases of ransomware infecting, you know, power generation plants, manufacturing facilities, and not only encrypting, you know, office networks and data, but in some cases, the OT, ICS assets as well, there's espionage that we need to be aware of and to try to prevent their sabotage and sabotage can almost be, you know, unintentional, there have been cases where malware crypto minors have been come resident on, let's say, you know, controller machines, running windows, and they eat up so much CPU that it doesn't let the manufacturing control processes run.
So you wind up with defective products. So there's a case that, you know, it may have been something unforeseen at the time, but it's definitely an argument that all those assets need to be clean and secure. ICS machines themselves can be targeted, SCADA nodes, PLCs, logic controllers, human machine interfaces. All of these are running software that could potentially be exploited. And then also on the sabotage, there's just outright destruction of equipment.
There have been a few, they were probably miscategorized as ransomware attacks that were actually destructive wipers that, you know, zeroed out all the data on, on the affected systems, meaning that companies that suffered these attacks had to pretty much rebuild from scratch, you know, and these things can happen to others outside of your organization. And it can affect you if it's upstream in the supply chain, you know, a supplier that's developing or delivering components that you need in your manufacturing process, they're shut down for a week or more.
That's going to impact your organization in, in the, just in time delivery world that we live in. So that can also contribute to downstream supply chain failures. So there's the cost of mitigation, cost of remediation, lost revenue if you're out for days or weeks, and then also potentially reputation damage that can come as a result of attacks against OT and ICS.
I mean, I think reputation damage would especially be dangerous in cases where power grids or, you know, water treatment facilities, things like that have been affected. Speaking of water treatment facilities. That's also one of the events we wanted to sort of highlight here. You may remember back in, I think it was January that was water treatment plant in Florida that was attacked.
You know, the attacker used an open team viewer application with an old username password, which probably should have just been shut off. They tried to sabotage the plant. Fortunately it didn't work, but that was, you know, using an enterprise it tool to try to sabotage an OT environment.
Then, you know, at the same time the colonial pipeline attack happened, you know, would shut down gas pipelines in the east and south us back in may, there was a Norwegian company volume, which was attacked with riot ransomware that was kind of a front end system for utilities. They, they didn't pay the ransom. They restored from backup, kinda like the Norris Cairo case from a few years ago, they were hit with locker Gaga.
It was an expensive operation, but you know, Norris Cairo worked with Microsoft and other security providers and restored from backup and made their networks much more resilient after that. You know, and I have to say that in both these cases, these companies, you know, are admirably disclosed a lot of information about what happened so that others could learn and help better protect themselves little information from the Verizon D B I R we see, you know, the sources of attacks are often organized crime, their denial of service, basic web application attacks, fishing attacks.
These are the ways that attackers are getting in. And this also applies to the OT ICS world. You know, another graph from Verizon ransomware obviously has been increasing this stops in 2020, but we know 20, 21 has been even worse in many cases for ransomware. And it does have the ability in some cases to infect and contaminate it or OT ICS environments. Another interesting point from Verizon, you know, 80% of these attacks are discovered by third parties, not the organizations that have been attacked.
You know, it's getting there by direct placement, by threat actor, a quarter at the time by email fishing and web apps, you know, looking drilling down on their data for the Amir region, fishing is the way they're obtaining the credentials, which can then be used in the web attacks and can be used for misconfigurations. So let's look at NDR NDR, network detection and response.
I like to think of as kind of NextGen IDs, intrusion detection, intrusion prevention systems, but where the big difference is there is, you know, IDs has been around for 20 plus years and, and it's effective in certain circumstances, but it's also been prone to lots of false positives, and it can be complex to administer what distinguishes NDR from IDs is an increased usage of ML based detection engines. So more automated analysis of network, metadata and connection metadata. These are deployed in line or off span or tap ports.
In some cases, you know, they're processing log Tory, it's designed to detect both things that are going across the perimeter, but also what's going on within your organization. Some of these tools understand OT and ICS protocols. So that would be something you'd wanna look for. If you're running an OT environment, which of these vendor products have coverage for the protocols that you may use. They also have included threat hunting tools and confined malicious activity in places.
If it's missed by say, endpoint detection and response tools, maybe the last place that you can find evidence of an attack is in the network communications between effective nodes. And these also allow things, you know, the, our part, the response, you know, automated forensic evidence collection, and then actions such as isolating nodes blocking traffic, that the firewall are on the router and in cases of like DDoS attacks doing DNS sink.
And so here's a list of some of the protocols that the NDR and the upcoming DDP tools I'll talk about, have some understanding for, you'll see, there's kind of a mix of proprietary protocols that are used in the OT world, you know, between certain manufacturer systems. And then there are also some more standardized kinds of protocols that are a bit more modern. We also find that some of these are in use for the I IOT industrial internet of things as well. So if you are interested in NDR, where would you deploy it?
And if you're gonna buy it, you're gonna want to use it for both your enterprise, it as well as your OT environment. So here, I kind of wanted to depict, you know, here's a complex organization, so you've got employees, you know, on laptops, maybe anywhere, maybe in offices, contractors, partners, this could include not only your, you know, your H of actor, your building controls people, but you know, some cases, these OT, ICS devices, the manufacturers of those devices by contractor, the ones who provide maintenance and support for those devices.
So they may need access to these pieces of equipment, just to do ordinary maintenance. You've got a line of business applications, shop floor laptops, SCADA nodes, web services, organizations are using SAS apps.
They're using applications that are running in infrastructures, a service and, you know, wifi guest networks, wifi, and the factories wifi, you know, in, in stores for point sales systems, everywhere that you've got a network device or a separate network, whether that's an on-premise network, something that's in an operational environment or for the cloud, you need to be able to collect that telemetry. So those are the places that you would want to put the sensors for NDR. So looking at DDPs, what is deception?
Well, it's kind of an evolution of the old honey pot, but it's way more sophisticated and easier to use than that. They're fully integrated, managed and designed to realistic. The idea behind that is you want to deploy these to draw attackers into the DDP environment and away from your real assets and with the hope that it will help you discover attacks faster. And if you do discover them, you can learn the attackers, tactics, techniques, and procedures.
You can see what they do against the simulated assets, the trap servers, and the specific LUS or resources that are designed to look realistic based on what's in your environment. This is a great active defensive measure, because let's say it's very high fidelity intelligence. You can gather from the DDP, because if it's properly concealed from enterprise users or others that are, you know, would unintentionally find it almost anything that happens within the DDP is guaranteed to be an attacker.
So there's a lot you can learn from watching what happens within the DDP, and it can apply to your organization. Specifically, there are EDP customers that have learned about, you know, zero days and methods that were going to be used against them that may have not have been found elsewhere. So the need for deception, you know, there are great tools out there E P D R tools endpoint, but, you know, there are places where endpoint tools cannot be installed, you know, and IOT, I T you know, all the various components of operational technology can be included in that list.
There are places that are running windows and Lenux servers, and yes, you're able to put in agent there, but there are also places where you can't install agents because maybe the manufacturer is using or has control over it. And they don't want a third party security tool. And they invalidate the warranty.
You know, this is the case in medical device networks, especially other kinds of critical infrastructure may have those same restrictions. So really it leaves the network is the last place to find signs and malicious activities. But if you don't have an agent, you know, you may not be able to figure out what's going on. So deception is a great tool for finding out what may be going on or what an attacker might want to do in those environments. This CUI doc from mist also recommends deception is a good way for learning about potential attacks in different kinds of environments.
So a quick look at, you know, how the deployment methods differ in DDP. You've got your production network, it's in inclusive of, you know, your office application SA as well as the manufacturing production systems.
You know, some companies choose to deploy a fully parallel DDP environment, meaning it's on it's on hardware. It, it, you know, it's a separate network altogether and you direct or hope to direct the attackers to this fully parallel environment away from the, the production systems that provides you with maximum separation. Others choose to deploy in kind of a mixed mode where you've got deception assets that are intermingled on production networks with production equipment. So essentially a copy.
You know, the deception platforms can use ML to look at asset inventories and help generate realistic looking IP addresses and names, and fill them up with data that looks kind of like, you know, the production environment, but then controls access to those and it attempts to conceal it. So only an attacker would find it. And then there's a more hybrid model where there are agents that are placed on production networks. The agents then do SD and projection to the vendor, SAS, which launches instances of the deception assets.
This is probably the most cost effective and fastest way to deploy DDPs today. And the speed is pretty good, so that an attacker wouldn't necessarily even know that they were leaving the actual target victim network. So real quick here, key features, and DDPs, you'd wanna look at the different kinds of servers they can emulate. What kinds of lures lures can be? Things like files, credentials, scripts, you know, all sorts of things, SSH keys, you'd wanna look at the different enterprise.
It protocols, cuz you'd want to cover both kinds of environments, same thing with operational it, what, what protocols and device types can they emulate? Attacks always involve credentials of some kind. So DDPs do IM simulation. They can fake out regular admin service accounts. It's just deciding where do you want to deploy that?
You know, what are the facilities for analyzing the TTPs that are found and what architectural model would you want to deploy? And these are questions that, you know, you can take a look at the leadership compass on and can help you decide.
Lastly, XDR is the future. You see a whole lot of acronyms here. This started with sort of EDR, which became amalgamated with endpoint protection, next generation antivirus. We also see that, you know, NDR cloud workload DDP will become part of this user behavioral analytics are necessary unified endpoint management and identity governance. All these things are rolling together into the future for XDR. So stay tuned. We're doing research on that. I think this is the way forward for these fields in the next three to five years, there are acquisitions that are already happening.
And with that, I'd like to stop and turn it back over to Alexei side.
