One of the true benefits of the recently released Portaledge Enumeration module is that it allows administrators to really see and understand what is communicating on their control systems. In talking with one of our early adopters, they noted that they had many more machines talking than they previously thought. They used the alerts generated by the various Enumeration modules to track down and verify the communication sessions. This verification and vetting process, facilitated by the Enumeration module, ensures that what is communicating on the network is approved and necessary.
One of the powerful but simple tools in the Enumeration package is the Traffic Monitor. It allows an administrator to specify which systems communicate with which other systems, down to ports and protocols. This module acts as a simple IDS that watches for unapproved or unknown communications between systems. When the Traffic Monitor is first deployed and not yet “tuned” for the necessary communications, it will generate a number of alerts. From this initial set of alerts, each session can be researched to determine whether it is necessary for the control system to function. From this verification work, a set of “allowed” sessions can be added to the Traffic Monitor module’s properties.
When common hacking enumeration tools or techniques are then used on the network, such as a port sweep of various machines on the subnet, the Traffic Monitor will note the unapproved sessions and generate alerts. Login attempts, exploits, pings, port sweeps and a variety of other techniques will all create alerts as long as they fall outside what has been added to the approved list.
In “tuning” the list, I was initially a bit reluctant to add wildcards to the approved-sessions list, since improper use of wildcards turns the Traffic Monitor blind. After conversing with a few sources, however, there are some cases for which the use of wildcards just makes sense. In some applications the source machine chooses a random port each time a service is started, making it impossible to tune that session without a wildcard. Wildcard support will be part of a forthcoming release.
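To make the tuning and wildcard trade-off concrete, here is an added Python example of an allow-list session matcher in the spirit of the Traffic Monitor; it is not Portaledge code, and the rule format, the "*" wildcard syntax, the hosts and the ports are constructed assumptions. It raises alerts for a port sweep from an unknown host while accepting a wildcard on the ephemeral source port, and flags rules whose wildcards would blind the monitor.

```python
from collections import Counter
from typing import List, NamedTuple


class Session(NamedTuple):
    """One communication session; in a rule, any field may be the wildcard '*'."""
    src: str       # source host
    dst: str       # destination host
    proto: str     # "tcp" or "udp"
    sport: object  # source port (int, or "*" in a rule)
    dport: object  # destination port (int, or "*" in a rule)


def matches(rule: Session, obs: Session) -> bool:
    """An observed session matches a rule when each field is equal or the rule holds '*'."""
    return all(r == "*" or r == o for r, o in zip(rule, obs))


def unapproved(approved: List[Session], observed: List[Session]) -> List[Session]:
    """Observed sessions covered by no approved rule: these are the alerts."""
    return [s for s in observed if not any(matches(r, s) for r in approved)]


def blinding_rules(approved: List[Session]) -> List[Session]:
    """Rules that wildcard anything beyond the source port; a '*' on host or
    destination port would hide exactly the port sweep the monitor exists to catch."""
    return [r for r in approved if "*" in (r.src, r.dst, r.proto, r.dport)]


# Constructed tuned list for a small control network (hypothetical addresses).
APPROVED = [
    Session("10.0.1.10", "10.0.1.20", "tcp", "*", 502),   # HMI -> PLC, Modbus/TCP, ephemeral source port
    Session("10.0.1.10", "10.0.1.30", "tcp", "*", 102),   # HMI -> PLC, S7comm
    Session("10.0.1.40", "10.0.1.10", "tcp", "*", 3389),  # engineering workstation -> HMI, RDP
]

# Constructed observations: the three approved flows plus a port sweep from an unknown host.
OBSERVED = [
    Session("10.0.1.10", "10.0.1.20", "tcp", 49152, 502),
    Session("10.0.1.10", "10.0.1.30", "tcp", 49153, 102),
    Session("10.0.1.40", "10.0.1.10", "tcp", 50001, 3389),
] + [Session("10.0.1.99", "10.0.1.20", "tcp", 40000 + p, p) for p in (21, 22, 23, 80, 443, 502)]


def alert_summary(approved=APPROVED, observed=OBSERVED) -> Counter:
    """Unapproved sessions counted per source host, the view that makes a sweep obvious."""
    return Counter(s.src for s in unapproved(approved, observed))


if __name__ == "__main__":
    for src, n in alert_summary().items():
        print(f"ALERT: {n} unapproved session(s) from {src}")
    for r in blinding_rules(APPROVED + [Session("10.0.1.10", "*", "tcp", "*", "*")]):
        print(f"WARNING: rule {r} wildcards more than the source port")
```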
A properly tuned Traffic Monitor with a very minimal set of approved sessions becomes a powerful tool for detecting and logging unknown, unauthorized and malicious traffic on your control systems.