The Claroty Blog

Feature Spotlight: Claroty Threat Detection Engines

By Guilad Regev

Over the next couple of months, we’re going to dig deeper into some of the features that make the Claroty Platform unique. Our Feature Spotlight blog series will include regular posts on topics ranging from common vulnerabilities and exposures (CVEs) and false positives to auditing remote network access, predictive attack-vector mapping, and many more. The inaugural post in this series begins with the core components of Claroty Continuous Threat Detection (CTD): our five Threat Detection Engines.

Threats to operational technology (OT) networks are often innovative yet deceptively simple, exploiting our compulsion toward process to introduce risk. Employing equally elegant methods of identifying these risks is central to network protection. Total visibility into your OT network is the essential starting point, and one we’ll cover in depth later in this series. But once you obtain this visibility, there are many common challenges associated with using it to quickly and accurately identify threats.

More specifically, detecting all of the different types of threats that can impact OT networks requires multiple approaches and, often, multiple tools—many of which must be configured individually for each OT network at each of an enterprise’s sites. And particularly for enterprises with numerous sites across vast geographic areas, these conditions can hinder not just threat detection, but other OT security initiatives, too.

Recognizing these challenges, we designed Claroty CTD as a single tool that is both suitable for the broad spectrum of threats our customers face and fast and painless to deploy. Configured by default and without requiring site-by-site setup, each of CTD’s five detection engines serves a specific purpose and provides a distinct advantage against all manner of threats. These engines include:

Anomaly Detection

This engine identifies changes in communications between network assets or zones in order to pinpoint previously unknown threats such as zero-day attacks. We created it to overcome challenges posed by the fact that OT assets’ protocols are uniquely difficult to identify and understand: for decades they were not designed with connectivity in mind, and many of the assets don’t even have an IP address. If you can’t properly translate OT protocols, you run the risk of creating a high volume of false positives or, worse, being entirely unable to identify the asset.

The Anomaly Detection engine derives its capabilities from our thorough understanding of these proprietary OT protocols, as well as our deep packet inspection (DPI) technology which inventories and establishes a baseline behavior for every asset on the network. Claroty CTD also utilizes automated network segmentation to create virtual zones of assets based on their baseline behavior. These virtual zones enable CTD to immediately identify and alert you to instances of anomalous behavior between zones that could indicate previously unknown threats.
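As an added illustration of the baseline-and-zone approach described above (example code, not Claroty’s implementation): flows are learned during a baseline phase, assets that talk to each other are grouped into a zone, and monitoring then alerts on flows that cross a zone boundary, use a protocol never seen for that zone pair, or involve an asset absent from the baseline. Asset names, protocols and flows are constructed.

```python
"""Zone-based anomaly detection over a learned communication baseline.

Constructed example: each flow is a (src, dst, protocol) tuple as a DPI
engine might summarise it. Zones are the connected components of the
baseline conversation graph; a flow is anomalous when its (zone, zone,
protocol) triple was never observed during learning.
"""

# Constructed baseline: an engineering workstation programming two PLCs over
# S7comm, and an HMI polling a third PLC over Modbus.
BASELINE = [
    ("EWS-1", "PLC-A", "s7comm"),
    ("EWS-1", "PLC-B", "s7comm"),
    ("HMI-1", "PLC-C", "modbus"),
    ("HMI-1", "PLC-C", "modbus"),
]

def learn_zones(flows):
    """Union-find over the conversation graph: assets that communicate in the
    baseline end up in the same zone (the zone label is the set's root)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for src, dst, _ in flows:
        parent[find(src)] = find(dst)
    return {asset: find(asset) for asset in list(parent)}

def learn_baseline(flows):
    """Return the zone map and the set of allowed (src_zone, dst_zone, proto)."""
    zone_of = learn_zones(flows)
    allowed = {(zone_of[s], zone_of[d], p) for s, d, p in flows}
    return zone_of, allowed

def detect(flows, zone_of, allowed):
    """Return one (kind, src, dst, proto) alert per flow not covered by the baseline."""
    alerts = []
    for src, dst, proto in flows:
        # An asset never seen in the baseline is treated as a zone of its own.
        zs, zd = zone_of.get(src, src), zone_of.get(dst, dst)
        if (zs, zd, proto) in allowed:
            continue
        if src not in zone_of or dst not in zone_of:
            kind = "unknown-asset"
        elif zs == zd:
            kind = "new-protocol"   # same zone, protocol never seen there
        else:
            kind = "cross-zone"     # conversation across a zone boundary
        alerts.append((kind, src, dst, proto))
    return alerts
```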

Security Behaviors

This engine is responsible for identifying any known techniques that have been used by attackers. This includes IT-security patterns such as port scanning and man-in-the-middle attacks, as well as OT-specific security patterns such as TAG/address scans.

An example of the type of known OT-specific techniques this engine looks for is the HAVEX attack. This specific attack included an OPC scanning module as part of the reconnaissance phase that was used to search for industrial assets on a network through ports often associated with SCADA devices. Once in the system, the attackers were able to map out the OT network for further exploitation.

Known Threats

Alerting on known threats is a common capability among IT security software vendors, but doing so for proprietary OT protocols and artifacts poses a unique challenge, especially when it comes down to understanding the code sections of configuration files. CTD is equipped with known signatures of indicators of compromise (IoCs), as well as proprietary threat signature research from Claroty’s own Team82 research & development arm.

This engine is powered by Snort and YARA rules and serves to equip threat hunters and incident responders with the context needed to detect and prevent targeted attacks early in the kill chain. Claroty’s YARA and Snort rule engines can even operate on code sections downloaded to the PLC, because our DPI technology reassembles those code sections so they can be checked for threats.

Operational Behaviors

An especially challenging risk for OT environments to detect is when attackers are able to abuse standard OT routines to penetrate the network and execute an attack. Because these routines are, by definition, standard, anomaly detection engines alone will not identify such an attack.

CTD’s Operational Behaviors engine monitors the context and details surrounding ongoing operations using DPI technology. It can inspect operations down to the code level to reveal any changes made to an asset’s configuration.

For example, the Triton malware infection added custom CRC checks to the configurations it downloaded; the Claroty Operational Behaviors engine would alert on this configuration download. Our DPI technology enables CTD to compute the code difference between configuration versions to pinpoint this type of attack and alert you so that mitigation steps can be taken. This monitoring extends insight into the periphery of operations over both proprietary and open-source protocols and detects complex operations such as configuration downloads/uploads, mode changes, key state changes and firmware upgrades.

Custom Rules

CTD’s last detection engine is the most flexible and relies on specific user-defined events to send alerts. These events are typically out-of-range values for specific operations, or certain types of communications on the network that a user considers significant.

Using preventative maintenance as an example, if your organization has observed changes in packet behavior that often precede unscheduled asset downtime, an alert can be created for this type of behavior. Next time this behavior occurs you will be able to take proactive measures to remediate the asset in question.
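As an added illustration of user-defined rules of the two kinds described above (example code, not Claroty’s rule syntax or engine): a range rule on a specific tag write, and a count-over-window rule for a packet behaviour that, in the constructed scenario, tends to precede downtime. Events, tag names, thresholds and the Modbus exception behaviour are all constructed for the example.

```python
"""Evaluate user-defined rules over a stream of DPI events.

Constructed example: an event is a dict with a timestamp, asset, operation and
(for writes) a tag and value. A rule watches one operation and either bounds a
value or counts occurrences inside a sliding time window.
"""
from collections import deque

RULES = [
    # Setpoint writes outside the engineer-approved band.
    {"name": "pressure-setpoint-range", "op": "write", "tag": "P_SET",
     "low": 2.0, "high": 8.0},
    # More than 3 Modbus exception responses from one asset within 60 seconds.
    {"name": "modbus-exception-burst", "op": "exception", "max": 3, "window": 60},
]

# Constructed event stream (timestamps in seconds).
EVENTS = [
    {"ts": 0,   "asset": "PLC-A", "op": "write", "tag": "P_SET", "value": 5.5},
    {"ts": 10,  "asset": "PLC-A", "op": "write", "tag": "P_SET", "value": 9.1},
    {"ts": 20,  "asset": "PLC-A", "op": "write", "tag": "FAN_SPD", "value": 50.0},
    {"ts": 100, "asset": "PLC-B", "op": "exception"},
    {"ts": 110, "asset": "PLC-B", "op": "exception"},
    {"ts": 120, "asset": "PLC-B", "op": "exception"},
    {"ts": 130, "asset": "PLC-B", "op": "exception"},
    {"ts": 300, "asset": "PLC-B", "op": "exception"},
    {"ts": 310, "asset": "PLC-B", "op": "exception"},
    {"ts": 320, "asset": "PLC-B", "op": "exception"},
]

def evaluate(events, rules):
    """Return alerts as (rule_name, asset, timestamp) tuples in time order."""
    alerts = []
    windows = {}  # (rule name, asset) -> timestamps currently inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if rule["op"] != ev["op"]:
                continue
            if "tag" in rule:  # range rule on one tag
                if ev.get("tag") == rule["tag"] and not rule["low"] <= ev["value"] <= rule["high"]:
                    alerts.append((rule["name"], ev["asset"], ev["ts"]))
            else:              # count-over-window rule, one window per asset
                q = windows.setdefault((rule["name"], ev["asset"]), deque())
                q.append(ev["ts"])
                while ev["ts"] - q[0] > rule["window"]:
                    q.popleft()
                if len(q) > rule["max"]:
                    alerts.append((rule["name"], ev["asset"], ev["ts"]))
                    q.clear()  # one alert per burst, then start counting afresh
    return alerts

def run_demo():
    return evaluate(EVENTS, RULES)
```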


These Threat Detection Engines are just a few ways that the Claroty Platform provides a holistic approach to industrial cybersecurity. For a broader look at threat detection in industrial environments, check out the Detecting Threats in OT Environments installment in our CISO Start Series, or request a demo.
